Edit tour

Windows Analysis Report
DBROG0eWH7.exe

Overview

General Information

Sample name:	DBROG0eWH7.exe renamed because original name is a hash value
Original sample name:	78f48020d8c0308bbb5c18c883b7b547adcb2674db93b85f3a9df6a20595d8bc.exe
Analysis ID:	1551074
MD5:	fa91458e80ba750fda0b41d2b88ae1b1
SHA1:	5531267d0d3b4523007803f21bc58d0de818b38b
SHA256:	78f48020d8c0308bbb5c18c883b7b547adcb2674db93b85f3a9df6a20595d8bc
Tags:	exeuser-adrian__luca
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to resolve many domain names, but no domain seems valid

Connects to many different domains

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

DBROG0eWH7.exe (PID: 6488 cmdline: "C:\Users\user\Desktop\DBROG0eWH7.exe" MD5: FA91458E80BA750FDA0B41D2B88AE1B1)

ek5v3xaskkfpqwron.exe (PID: 8148 cmdline: "C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe" MD5: FA91458E80BA750FDA0B41D2B88AE1B1)

bsiphbvc.exe (PID: 11764 cmdline: "C:\qkcgyxexucxsiyk\bsiphbvc.exe" MD5: FA91458E80BA750FDA0B41D2B88AE1B1)

bsiphbvc.exe (PID: 9340 cmdline: C:\qkcgyxexucxsiyk\bsiphbvc.exe MD5: FA91458E80BA750FDA0B41D2B88AE1B1)

jqvkzish.exe (PID: 10528 cmdline: frrqzdvmnkqk "c:\qkcgyxexucxsiyk\bsiphbvc.exe" MD5: FA91458E80BA750FDA0B41D2B88AE1B1)

bsiphbvc.exe (PID: 9128 cmdline: "c:\qkcgyxexucxsiyk\bsiphbvc.exe" MD5: FA91458E80BA750FDA0B41D2B88AE1B1)

jqvkzish.exe (PID: 12636 cmdline: frrqzdvmnkqk "c:\qkcgyxexucxsiyk\bsiphbvc.exe" MD5: FA91458E80BA750FDA0B41D2B88AE1B1)

bsiphbvc.exe (PID: 7332 cmdline: "c:\qkcgyxexucxsiyk\bsiphbvc.exe" MD5: FA91458E80BA750FDA0B41D2B88AE1B1)

jqvkzish.exe (PID: 10092 cmdline: frrqzdvmnkqk "c:\qkcgyxexucxsiyk\bsiphbvc.exe" MD5: FA91458E80BA750FDA0B41D2B88AE1B1)

cleanup

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T13:14:59.785160+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.4	49734	TCP
2024-11-07T13:15:38.662761+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.4	49740	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T13:14:46.812380+0100	2018141	1	A Network Trojan was detected	18.143.155.63	80	192.168.2.4	49730	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T13:14:46.812380+0100	2037771	1	A Network Trojan was detected	18.143.155.63	80	192.168.2.4	49730	TCP

ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T13:14:53.128694+0100	2018316	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.4	50386	UDP
2024-11-07T13:14:53.667848+0100	2018316	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.4	56856	UDP

ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T13:14:52.670590+0100	2811542	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.4	60022	UDP
2024-11-07T13:16:07.883078+0100	2811542	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.4	49779	UDP
2024-11-07T13:17:34.417854+0100	2811542	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.4	50375	UDP

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T13:14:47.836973+0100	2815568	1	A Network Trojan was detected	192.168.2.4	49731	37.97.254.27	80	TCP
2024-11-07T13:16:10.394704+0100	2815568	1	A Network Trojan was detected	192.168.2.4	49764	18.143.155.63	80	TCP
2024-11-07T13:17:29.701648+0100	2815568	1	A Network Trojan was detected	192.168.2.4	54626	199.59.243.227	80	TCP

ETPRO MALWARE W32/Bayrob Attempted Checkin 2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T13:14:49.767381+0100	2820680	1	Malware Command and Control Activity Detected	192.168.2.4	49732	199.59.243.227	80	TCP
2024-11-07T13:16:10.394704+0100	2820680	1	Malware Command and Control Activity Detected	192.168.2.4	49764	18.143.155.63	80	TCP
2024-11-07T13:17:29.701648+0100	2820680	1	Malware Command and Control Activity Detected	192.168.2.4	54626	199.59.243.227	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DBROG0eWH7.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Avira: detection malicious, Label: HEUR/AGEN.1317803
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Avira: detection malicious, Label: HEUR/AGEN.1317803
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Avira: detection malicious, Label: HEUR/AGEN.1317803

Multi AV Scanner detection for dropped file

Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	ReversingLabs: Detection: 91%
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	ReversingLabs: Detection: 91%
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	ReversingLabs: Detection: 91%

Multi AV Scanner detection for submitted file

Source: DBROG0eWH7.exe

ReversingLabs: Detection: 91%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Joe Sandbox ML: detected
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Joe Sandbox ML: detected
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: DBROG0eWH7.exe

Joe Sandbox ML: detected

Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F1D8E0 GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptGenRandom,_rand,_rand,_rand,_rand,		1_2_00F1D8E0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00ABD8E0 GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptGenRandom,_rand,_rand,_rand,_rand,		2_2_00ABD8E0

Source: DBROG0eWH7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: DBROG0eWH7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_0075A590 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,_memset,	0_2_0075A590
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_00783691 _wcspbrk,__getdrive,FindFirstFileExW,_wcspbrk,__wfullpath_helper,_IsRootUNCName,GetDriveTypeW,_free,___loctotime64_t,_free,__sopen_s,__fstat64i32,__close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,	0_2_00783691
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F1A590 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,_memset,	1_2_00F1A590
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F43691 _wcspbrk,__getdrive,FindFirstFileExW,_wcspbrk,__wfullpath_helper,_IsRootUNCName,GetDriveTypeW,_free,___loctotime64_t,_free,__sopen_s,__fstat64i32,__close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,	1_2_00F43691
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00ABA590 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,_memset,	2_2_00ABA590
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00AE3691 _wcspbrk,__getdrive,FindFirstFileExW,_wcspbrk,__wfullpath_helper,_IsRootUNCName,GetDriveTypeW,_free,___loctotime64_t,_free,__sopen_s,__fstat64i32,__close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,	2_2_00AE3691
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000E3691 _wcspbrk,__getdrive,FindFirstFileExW,_wcspbrk,__wfullpath_helper,_IsRootUNCName,GetDriveTypeW,_free,___loctotime64_t,_free,__fstat64i32,__close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,	3_2_000E3691
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000BA590 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,_memset,	3_2_000BA590
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_00213691 _wcspbrk,__getdrive,FindFirstFileExW,_wcspbrk,__wfullpath_helper,_IsRootUNCName,GetDriveTypeW,_free,___loctotime64_t,_free,__fstat64i32,__close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,	10_2_00213691
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_001EA590 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,_memset,	10_2_001EA590
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_00643691 _wcspbrk,__getdrive,FindFirstFileExW,_wcspbrk,__wfullpath_helper,_IsRootUNCName,GetDriveTypeW,_free,___loctotime64_t,_free,__sopen_s,__fstat64i32,__close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,	12_2_00643691
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_0061A590 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,_memset,	12_2_0061A590

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2820680 - Severity 1 - ETPRO MALWARE W32/Bayrob Attempted Checkin 2 : 192.168.2.4:54626 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2820680 - Severity 1 - ETPRO MALWARE W32/Bayrob Attempted Checkin 2 : 192.168.2.4:49732 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2820680 - Severity 1 - ETPRO MALWARE W32/Bayrob Attempted Checkin 2 : 192.168.2.4:49764 -> 18.143.155.63:80

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: necessarystream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavydivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answermanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreemanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlebottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderdivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavendivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnnothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requirebusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavynothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantdivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returndivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requirenothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreebusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ordermanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderdivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarymanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leadermanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarybusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenstream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavybottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leadernothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requirebottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousdivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlestream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavystream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarynothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavennothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantnothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requiremanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requiredivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarydivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnstream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlenothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answeranother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hearddivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requirestream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ordernothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarybottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousnothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentledivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderanother.net replaycode: Name error (3)

Source: unknown

Network traffic detected: DNS query count 85

Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: orderstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: orderstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: orderstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net

Source: Joe Sandbox View

IP Address: 37.97.254.27 37.97.254.27

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: Network traffic	Suricata IDS: 2018316 - Severity 1 - ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses : 1.1.1.1:53 -> 192.168.2.4:56856
Source: Network traffic	Suricata IDS: 2815568 - Severity 1 - ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort : 192.168.2.4:49731 -> 37.97.254.27:80
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.143.155.63:80 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.143.155.63:80 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2815568 - Severity 1 - ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort : 192.168.2.4:54626 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2815568 - Severity 1 - ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort : 192.168.2.4:49764 -> 18.143.155.63:80
Source: Network traffic	Suricata IDS: 2811542 - Severity 1 - ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) : 1.1.1.1:53 -> 192.168.2.4:49779
Source: Network traffic	Suricata IDS: 2811542 - Severity 1 - ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) : 1.1.1.1:53 -> 192.168.2.4:60022
Source: Network traffic	Suricata IDS: 2018316 - Severity 1 - ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses : 1.1.1.1:53 -> 192.168.2.4:50386
Source: Network traffic	Suricata IDS: 2811542 - Severity 1 - ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) : 1.1.1.1:53 -> 192.168.2.4:50375
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49734
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49740

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\DBROG0eWH7.exe

Code function: 0_2_0075BBD0 __snprintf,socket,setsockopt,gethostbyname,inet_ntoa,inet_addr,htons,connect,send,recv,recv,closesocket,

0_2_0075BBD0

Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: orderstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: orderstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: orderstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net

Source: global traffic	DNS traffic detected: DNS query: hearddivide.net
Source: global traffic	DNS traffic detected: DNS query: pleasantstream.net
Source: global traffic	DNS traffic detected: DNS query: necessarystream.net
Source: global traffic	DNS traffic detected: DNS query: pleasantnothing.net
Source: global traffic	DNS traffic detected: DNS query: necessarynothing.net
Source: global traffic	DNS traffic detected: DNS query: pleasantbottle.net
Source: global traffic	DNS traffic detected: DNS query: necessarybottle.net
Source: global traffic	DNS traffic detected: DNS query: pleasantdivide.net
Source: global traffic	DNS traffic detected: DNS query: necessarydivide.net
Source: global traffic	DNS traffic detected: DNS query: orderstream.net
Source: global traffic	DNS traffic detected: DNS query: requirestream.net
Source: global traffic	DNS traffic detected: DNS query: ordernothing.net
Source: global traffic	DNS traffic detected: DNS query: requirenothing.net
Source: global traffic	DNS traffic detected: DNS query: orderbottle.net
Source: global traffic	DNS traffic detected: DNS query: requirebottle.net
Source: global traffic	DNS traffic detected: DNS query: orderdivide.net
Source: global traffic	DNS traffic detected: DNS query: requiredivide.net
Source: global traffic	DNS traffic detected: DNS query: leaderstream.net
Source: global traffic	DNS traffic detected: DNS query: heavenstream.net
Source: global traffic	DNS traffic detected: DNS query: leadernothing.net
Source: global traffic	DNS traffic detected: DNS query: heavennothing.net
Source: global traffic	DNS traffic detected: DNS query: leaderbottle.net
Source: global traffic	DNS traffic detected: DNS query: heavenbottle.net
Source: global traffic	DNS traffic detected: DNS query: leaderdivide.net
Source: global traffic	DNS traffic detected: DNS query: heavendivide.net
Source: global traffic	DNS traffic detected: DNS query: heavystream.net
Source: global traffic	DNS traffic detected: DNS query: gentlestream.net
Source: global traffic	DNS traffic detected: DNS query: heavynothing.net
Source: global traffic	DNS traffic detected: DNS query: gentlenothing.net
Source: global traffic	DNS traffic detected: DNS query: heavybottle.net
Source: global traffic	DNS traffic detected: DNS query: gentlebottle.net
Source: global traffic	DNS traffic detected: DNS query: heavydivide.net
Source: global traffic	DNS traffic detected: DNS query: gentledivide.net
Source: global traffic	DNS traffic detected: DNS query: variousstream.net
Source: global traffic	DNS traffic detected: DNS query: returnstream.net
Source: global traffic	DNS traffic detected: DNS query: variousnothing.net
Source: global traffic	DNS traffic detected: DNS query: returnnothing.net
Source: global traffic	DNS traffic detected: DNS query: variousbottle.net
Source: global traffic	DNS traffic detected: DNS query: returnbottle.net
Source: global traffic	DNS traffic detected: DNS query: variousdivide.net
Source: global traffic	DNS traffic detected: DNS query: returndivide.net
Source: global traffic	DNS traffic detected: DNS query: degreemanner.net
Source: global traffic	DNS traffic detected: DNS query: forwardmanner.net
Source: global traffic	DNS traffic detected: DNS query: degreeanother.net
Source: global traffic	DNS traffic detected: DNS query: forwardanother.net
Source: global traffic	DNS traffic detected: DNS query: degreebusiness.net
Source: global traffic	DNS traffic detected: DNS query: forwardbusiness.net
Source: global traffic	DNS traffic detected: DNS query: degreeappear.net
Source: global traffic	DNS traffic detected: DNS query: forwardappear.net
Source: global traffic	DNS traffic detected: DNS query: answermanner.net
Source: global traffic	DNS traffic detected: DNS query: glassmanner.net
Source: global traffic	DNS traffic detected: DNS query: answeranother.net
Source: global traffic	DNS traffic detected: DNS query: glassanother.net
Source: global traffic	DNS traffic detected: DNS query: answerbusiness.net
Source: global traffic	DNS traffic detected: DNS query: glassbusiness.net
Source: global traffic	DNS traffic detected: DNS query: answerappear.net
Source: global traffic	DNS traffic detected: DNS query: glassappear.net
Source: global traffic	DNS traffic detected: DNS query: difficultmanner.net
Source: global traffic	DNS traffic detected: DNS query: heardmanner.net
Source: global traffic	DNS traffic detected: DNS query: difficultanother.net
Source: global traffic	DNS traffic detected: DNS query: heardanother.net
Source: global traffic	DNS traffic detected: DNS query: difficultbusiness.net
Source: global traffic	DNS traffic detected: DNS query: heardbusiness.net
Source: global traffic	DNS traffic detected: DNS query: difficultappear.net
Source: global traffic	DNS traffic detected: DNS query: heardappear.net
Source: global traffic	DNS traffic detected: DNS query: pleasantmanner.net
Source: global traffic	DNS traffic detected: DNS query: necessarymanner.net
Source: global traffic	DNS traffic detected: DNS query: pleasantanother.net
Source: global traffic	DNS traffic detected: DNS query: necessaryanother.net
Source: global traffic	DNS traffic detected: DNS query: pleasantbusiness.net
Source: global traffic	DNS traffic detected: DNS query: necessarybusiness.net
Source: global traffic	DNS traffic detected: DNS query: pleasantappear.net
Source: global traffic	DNS traffic detected: DNS query: necessaryappear.net
Source: global traffic	DNS traffic detected: DNS query: ordermanner.net
Source: global traffic	DNS traffic detected: DNS query: requiremanner.net
Source: global traffic	DNS traffic detected: DNS query: orderanother.net
Source: global traffic	DNS traffic detected: DNS query: requireanother.net
Source: global traffic	DNS traffic detected: DNS query: orderbusiness.net
Source: global traffic	DNS traffic detected: DNS query: requirebusiness.net
Source: global traffic	DNS traffic detected: DNS query: orderappear.net
Source: global traffic	DNS traffic detected: DNS query: requireappear.net
Source: global traffic	DNS traffic detected: DNS query: leadermanner.net
Source: global traffic	DNS traffic detected: DNS query: heavenmanner.net
Source: global traffic	DNS traffic detected: DNS query: leaderanother.net
Source: global traffic	DNS traffic detected: DNS query: heavenanother.net

Source: bsiphbvc.exe, 00000002.00000003.1808554109.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000002.00000003.1806222214.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000002.00000003.1806253851.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000002.00000002.2479587553.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000009.00000003.2601298401.0000000000769000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000009.00000002.3268654720.0000000000769000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000009.00000003.2600559528.0000000000769000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3390978614.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000002.3561545387.0000000000A48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://transip.eu/cp/
Source: bsiphbvc.exe, 00000002.00000003.1808554109.0000000000799000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000002.00000002.2479587553.00000000007A4000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000002.00000003.1806253851.0000000000799000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000009.00000003.2601872059.000000000073C000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000009.00000003.2600559528.0000000000732000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000009.00000002.3268654720.0000000000758000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000009.00000003.2601298401.0000000000732000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3390978614.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000002.3561545387.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389569393.0000000000A12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: bsiphbvc.exe, 00000002.00000003.1806222214.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.transip.eu/knowledgebase/entry/284-start-sending-receiving-email-domain/
Source: bsiphbvc.exe, 00000002.00000003.1806222214.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.transip.eu/knowledgebase/entry/5885/
Source: bsiphbvc.exe, 00000002.00000003.1806222214.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.transip.eu/knowledgebase/zoeken/
Source: bsiphbvc.exe, 00000002.00000003.1806222214.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.transip.eu/question/100000230
Source: bsiphbvc.exe, 00000002.00000003.1806222214.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.transip.eu/question/110000577/
Source: bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.transip.eu/services/search-domains/
Source: bsiphbvc.exe, 00000002.00000003.1806222214.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.transip.nl/knowledgebase/zoeken/
Source: bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.transip.nl/services/search-domains/
Source: bsiphbvc.exe, 00000002.00000003.1806222214.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.transip.nl/vragen/110000534/
Source: bsiphbvc.exe, 00000002.00000003.1806222214.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.transip.nl/vragen/110000572
Source: bsiphbvc.exe, 00000002.00000003.1806222214.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.transip.nl/vragen/110000580/
Source: bsiphbvc.exe, 00000002.00000003.1806222214.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.transip.nl/vragen/198/

Source: C:\Users\user\Desktop\DBROG0eWH7.exe	File created: C:\Windows\qkcgyxexucxsiyk\	Jump to behavior
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	File created: C:\Windows\qkcgyxexucxsiyk\emmz4mbuo0g	Jump to behavior
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	File created: C:\Windows\qkcgyxexucxsiyk\emmz4mbuo0g	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	File created: C:\Windows\qkcgyxexucxsiyk\emmz4mbuo0g	Jump to behavior
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	File created: C:\Windows\qkcgyxexucxsiyk\emmz4mbuo0g	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	File created: C:\Windows\qkcgyxexucxsiyk\emmz4mbuo0g	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	File created: C:\Windows\qkcgyxexucxsiyk\emmz4mbuo0g	Jump to behavior
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	File created: C:\Windows\qkcgyxexucxsiyk\emmz4mbuo0g	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	File created: C:\Windows\qkcgyxexucxsiyk\emmz4mbuo0g	Jump to behavior
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	File created: C:\Windows\qkcgyxexucxsiyk\emmz4mbuo0g	Jump to behavior

Source: C:\Users\user\Desktop\DBROG0eWH7.exe

File deleted: C:\Windows\qkcgyxexucxsiyk\emmz4mbuo0g

Jump to behavior

Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_0078480D	0_2_0078480D
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_0076A119	0_2_0076A119
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_0077D1A0	0_2_0077D1A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_0078E9A4	0_2_0078E9A4
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_00791A6A	0_2_00791A6A
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_0077D24D	0_2_0077D24D
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_0077DB59	0_2_0077DB59
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_0077E3C3	0_2_0077E3C3
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_00781450	0_2_00781450
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_00790C54	0_2_00790C54
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_0078E432	0_2_0078E432
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_0077FD51	0_2_0077FD51
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_00776653	0_2_00776653
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_00769EE0	0_2_00769EE0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_00783ECA	0_2_00783ECA
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_0078DEC0	0_2_0078DEC0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_00776687	0_2_00776687
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_00785753	0_2_00785753
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_0077D741	0_2_0077D741
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_0077DF8E	0_2_0077DF8E
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F4480D	1_2_00F4480D
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F4E9A4	1_2_00F4E9A4
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F3D1A0	1_2_00F3D1A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F2A119	1_2_00F2A119
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F51A6A	1_2_00F51A6A
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F3D24D	1_2_00F3D24D
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F3E3C3	1_2_00F3E3C3
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F3DB59	1_2_00F3DB59
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F50C54	1_2_00F50C54
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F41450	1_2_00F41450
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F4E432	1_2_00F4E432
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F3FD51	1_2_00F3FD51
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F29EE0	1_2_00F29EE0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F4DEC0	1_2_00F4DEC0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F43ECA	1_2_00F43ECA
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F36687	1_2_00F36687
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F36653	1_2_00F36653
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F3DF8E	1_2_00F3DF8E
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F45753	1_2_00F45753
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F3D741	1_2_00F3D741
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00AE480D	2_2_00AE480D
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00AEE9A4	2_2_00AEE9A4
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00ADD1A0	2_2_00ADD1A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00ACA119	2_2_00ACA119
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00AD6A6D	2_2_00AD6A6D
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00AF1A6A	2_2_00AF1A6A
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00ADD24D	2_2_00ADD24D
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00ADE3C3	2_2_00ADE3C3
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00ADDB59	2_2_00ADDB59
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00AEE432	2_2_00AEE432
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00AF0C54	2_2_00AF0C54
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00AE1450	2_2_00AE1450
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00ADFD51	2_2_00ADFD51
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00AC9EE0	2_2_00AC9EE0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00AE3ECA	2_2_00AE3ECA
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00AEDEC0	2_2_00AEDEC0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00ADDF8E	2_2_00ADDF8E
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00ADD741	2_2_00ADD741
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00AE5753	2_2_00AE5753
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000E480D	3_2_000E480D
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000CA119	3_2_000CA119
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000EE9A4	3_2_000EE9A4
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000DD1A0	3_2_000DD1A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000DD24D	3_2_000DD24D
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000D6A6D	3_2_000D6A6D
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000F1A6A	3_2_000F1A6A
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000DDB59	3_2_000DDB59
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000DE3C3	3_2_000DE3C3
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000EE432	3_2_000EE432
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000F0C54	3_2_000F0C54
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000E1450	3_2_000E1450
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000DFD51	3_2_000DFD51
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000E3ECA	3_2_000E3ECA
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000EDEC0	3_2_000EDEC0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000C9EE0	3_2_000C9EE0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000DD741	3_2_000DD741
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000E5753	3_2_000E5753
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000DDF8E	3_2_000DDF8E
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_0021480D	10_2_0021480D
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_001FA119	10_2_001FA119
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_0020D1A0	10_2_0020D1A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_0021E9A4	10_2_0021E9A4
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_00221A6A	10_2_00221A6A
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_00206A6D	10_2_00206A6D
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_0020D24D	10_2_0020D24D
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_0020DB59	10_2_0020DB59
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_0020E3C3	10_2_0020E3C3
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_0021E432	10_2_0021E432
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_00211450	10_2_00211450
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_00220C54	10_2_00220C54
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_0020FD51	10_2_0020FD51
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_0021DEC0	10_2_0021DEC0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_00213ECA	10_2_00213ECA
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_001F9EE0	10_2_001F9EE0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_0020D741	10_2_0020D741
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_00215753	10_2_00215753
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_0020DF8E	10_2_0020DF8E
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_0064480D	12_2_0064480D
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_0062A119	12_2_0062A119
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_0064E9A4	12_2_0064E9A4
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_0063D1A0	12_2_0063D1A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_00651A6A	12_2_00651A6A
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_00636A6C	12_2_00636A6C
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_0063D24D	12_2_0063D24D
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_0063DB59	12_2_0063DB59
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_0063E3C3	12_2_0063E3C3
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_00650C54	12_2_00650C54
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_00641450	12_2_00641450
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_0064E432	12_2_0064E432
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_0063FD51	12_2_0063FD51
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_00629EE0	12_2_00629EE0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_0064DEC0	12_2_0064DEC0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_00643ECA	12_2_00643ECA
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_0063D741	12_2_0063D741
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_00645753	12_2_00645753
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_0063DF8E	12_2_0063DF8E

Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: String function: 00AE13F0 appears 40 times
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: String function: 007813F0 appears 40 times
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: String function: 002113F0 appears 40 times
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: String function: 006413F0 appears 40 times
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: String function: 000E13F0 appears 40 times
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: String function: 00F413F0 appears 40 times

Source: DBROG0eWH7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal96.troj.evad.winEXE@16/6@276/3

Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	0_2_0075D460
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	1_2_00F1D460
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	2_2_00ABD460
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	3_2_000BD460
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	10_2_001ED460
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	12_2_0061D460

Source: C:\Users\user\Desktop\DBROG0eWH7.exe

Code function: 0_2_00772843 __snprintf,CreateToolhelp32Snapshot,Module32First,CloseHandle,Process32Next,CloseHandle,

0_2_00772843

Source: C:\Users\user\Desktop\DBROG0eWH7.exe

Code function: 0_2_0075D460 OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

0_2_0075D460

Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_0075D420 StartServiceCtrlDispatcherA,	0_2_0075D420
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F1D420 StartServiceCtrlDispatcherA,	1_2_00F1D420
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00ABD420 StartServiceCtrlDispatcherA,	2_2_00ABD420
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000BD420 StartServiceCtrlDispatcherA,	3_2_000BD420
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_001ED420 StartServiceCtrlDispatcherA,	10_2_001ED420
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_0061D420 StartServiceCtrlDispatcherA,	12_2_0061D420

Source: C:\qkcgyxexucxsiyk\jqvkzish.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: ]D87	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: U;8	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: fM	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: "}N	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: i}kN	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: 8e#!	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: Clos	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: ead	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: nel3	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: ent	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: vent	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: rSin	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: dle	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: Crea	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: eObj	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: dll	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: eHan	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: eate	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: SetE	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: Slee	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: eThr	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: Ker	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: Ker	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: Creat	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: Creat	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: SetEv	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: SetEv	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: _Wy	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: _Wy	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: _Wy	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: U;8	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: T+	0_2_007510A0
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Command line argument: #x	0_2_00782340
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: ]D87	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: U;8	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: fM	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: "}N	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: i}kN	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: 8e#!	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: Clos	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: ead	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: nel3	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: ent	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: vent	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: rSin	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: dle	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: Crea	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: eObj	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: dll	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: eHan	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: eate	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: SetE	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: Slee	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: eThr	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: Ker	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: Ker	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: Creat	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: Creat	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: SetEv	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: SetEv	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: U;8	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Command line argument: T+	1_2_00F110A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: ]D87	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: U;8	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: fM	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: "}N	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: i}kN	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: 8e#!	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: Clos	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: ead	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: nel3	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: ent	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: vent	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: rSin	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: dle	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: Crea	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: eObj	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: dll	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: eHan	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: eate	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: SetE	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: Slee	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: eThr	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: Ker	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: Ker	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: Creat	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: Creat	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: SetEv	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: SetEv	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: j1v{	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: U;8	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: j1v{	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: j1v{	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: T+	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: j1v{	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Command line argument: j1v{	2_2_00AB10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: ]D87	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: U;8	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: fM	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: "}N	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: i}kN	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: 8e#!	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: Clos	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: ead	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: nel3	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: ent	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: vent	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: rSin	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: dle	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: Crea	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: eObj	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: dll	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: eHan	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: eate	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: SetE	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: Slee	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: eThr	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: Ker	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: Ker	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: Creat	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: Creat	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: SetEv	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: SetEv	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: U;8	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: T+	3_2_000B10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: ]D87	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: U;8	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: fM	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: "}N	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: i}kN	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: 8e#!	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: Clos	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: ead	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: nel3	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: ent	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: vent	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: rSin	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: dle	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: Crea	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: eObj	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: dll	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: eHan	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: eate	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: SetE	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: Slee	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: eThr	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: Ker	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: Ker	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: Creat	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: Creat	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: SetEv	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: SetEv	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: _W"	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: _W"	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: _W"	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: U;8	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: T+	10_2_001E10A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: #!	10_2_00212340
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: ]D87	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: U;8	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: fM	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: "}N	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: i}kN	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: 8e#!	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: Clos	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: nel3	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: ent	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: vent	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: rSin	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: dle	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: Crea	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: eObj	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: dll	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: eHan	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: eate	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: SetE	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: Slee	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: eThr	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: Ker	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: Ker	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: Creat	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: Creat	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: SetEv	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: SetEv	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: _We	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: 6,q	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: _We	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: _We	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: U;8	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: T+	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: 6,q	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: 6,q	12_2_006110A0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Command line argument: #d	12_2_00642340

Source: DBROG0eWH7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DBROG0eWH7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DBROG0eWH7.exe

ReversingLabs: Detection: 91%

Source: C:\Users\user\Desktop\DBROG0eWH7.exe

File read: C:\Users\user\Desktop\DBROG0eWH7.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DBROG0eWH7.exe "C:\Users\user\Desktop\DBROG0eWH7.exe"
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Process created: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe "C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe"
Source: unknown	Process created: C:\qkcgyxexucxsiyk\bsiphbvc.exe C:\qkcgyxexucxsiyk\bsiphbvc.exe
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Process created: C:\qkcgyxexucxsiyk\jqvkzish.exe frrqzdvmnkqk "c:\qkcgyxexucxsiyk\bsiphbvc.exe"
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Process created: C:\qkcgyxexucxsiyk\bsiphbvc.exe "C:\qkcgyxexucxsiyk\bsiphbvc.exe"
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Process created: C:\qkcgyxexucxsiyk\bsiphbvc.exe "c:\qkcgyxexucxsiyk\bsiphbvc.exe"
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Process created: C:\qkcgyxexucxsiyk\jqvkzish.exe frrqzdvmnkqk "c:\qkcgyxexucxsiyk\bsiphbvc.exe"
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Process created: C:\qkcgyxexucxsiyk\bsiphbvc.exe "c:\qkcgyxexucxsiyk\bsiphbvc.exe"
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Process created: C:\qkcgyxexucxsiyk\jqvkzish.exe frrqzdvmnkqk "c:\qkcgyxexucxsiyk\bsiphbvc.exe"
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Process created: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe "C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe"	Jump to behavior
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Process created: C:\qkcgyxexucxsiyk\bsiphbvc.exe "C:\qkcgyxexucxsiyk\bsiphbvc.exe"	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Process created: C:\qkcgyxexucxsiyk\jqvkzish.exe frrqzdvmnkqk "c:\qkcgyxexucxsiyk\bsiphbvc.exe"	Jump to behavior
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Process created: C:\qkcgyxexucxsiyk\bsiphbvc.exe "c:\qkcgyxexucxsiyk\bsiphbvc.exe"	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Process created: C:\qkcgyxexucxsiyk\jqvkzish.exe frrqzdvmnkqk "c:\qkcgyxexucxsiyk\bsiphbvc.exe"	Jump to behavior
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Process created: C:\qkcgyxexucxsiyk\bsiphbvc.exe "c:\qkcgyxexucxsiyk\bsiphbvc.exe"	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Process created: C:\qkcgyxexucxsiyk\jqvkzish.exe frrqzdvmnkqk "c:\qkcgyxexucxsiyk\bsiphbvc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: DBROG0eWH7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\DBROG0eWH7.exe

Code function: 0_2_00761B40 _malloc,_memset,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetEnvironmentVariableA,CreateMutexA,CreateMutexA,CreateMutexA,GetTickCount,__itow,GetCommandLineA,_strcat,__stat32i64,Sleep,__stat32i64,Sleep,Sleep,__stat32i64,GetModuleFileNameA,SetFileAttributesA,CopyFileA,SetFileAttributesA,GetCommandLineA,_strcat,GetModuleFileNameA,_strcat,_strcat,LoadLibraryA,GetProcAddress,_strcat,WSAStartup,CloseHandle,SetFileAttributesA,CopyFileA,SetFileAttributesA,Sleep,SetFileAttributesA,CopyFileA,SetFileAttributesA,__snprintf,_memset,_memset,CreateThread,Sleep,SetFileAttributesA,MessageBoxA,Sleep,CreateEventA,WaitForSingleObject,CloseHandle,

0_2_00761B40

Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_00781435 push ecx; ret	0_2_00781448
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_00780DBD push ecx; ret	0_2_00780DD0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F41435 push ecx; ret	1_2_00F41448
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F40DBD push ecx; ret	1_2_00F40DD0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00AE1435 push ecx; ret	2_2_00AE1448
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00AE0DBD push ecx; ret	2_2_00AE0DD0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000E70F9 push esi; ret	3_2_000E70FB
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000E71E2 push edi; ret	3_2_000E71E4
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000E1435 push ecx; ret	3_2_000E1448
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000E0DBD push ecx; ret	3_2_000E0DD0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000E6E05 push edi; ret	3_2_000E6E07
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000E6F1E push esi; ret	3_2_000E6F20
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_002170F9 push esi; ret	10_2_002170FB
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_002171E2 push edi; ret	10_2_002171E4
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_00211435 push ecx; ret	10_2_00211448
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_00210DBD push ecx; ret	10_2_00210DD0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_00216E05 push edi; ret	10_2_00216E07
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_00216F1E push esi; ret	10_2_00216F20
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_006470F9 push esi; ret	12_2_006470FB
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_006471E2 push edi; ret	12_2_006471E4
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_00641435 push ecx; ret	12_2_00641448
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_00640DBD push ecx; ret	12_2_00640DD0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_00646E05 push edi; ret	12_2_00646E07
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_00646F1E push esi; ret	12_2_00646F20

Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	File created: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Jump to dropped file
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	File created: C:\qkcgyxexucxsiyk\jqvkzish.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	File created: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Jump to dropped file

Source: C:\Users\user\Desktop\DBROG0eWH7.exe

Code function: 0_2_0075D460 OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

0_2_0075D460

Source: C:\Users\user\Desktop\DBROG0eWH7.exe

0_2_00761B40

Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,_malloc,EnumServicesStatusA,__snprintf,_free,CloseServiceHandle,	0_2_007723B0
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,_malloc,EnumServicesStatusA,__snprintf,_free,CloseServiceHandle,	1_2_00F323B0
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,_malloc,EnumServicesStatusA,__snprintf,_free,CloseServiceHandle,	2_2_00AD23B0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,_malloc,EnumServicesStatusA,__snprintf,_free,CloseServiceHandle,	3_2_000D23B0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,_malloc,EnumServicesStatusA,__snprintf,_free,CloseServiceHandle,	10_2_002023B0
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,_malloc,EnumServicesStatusA,__snprintf,_free,CloseServiceHandle,	12_2_006323B0

Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: _strcat,GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,_strcat,_strcat,_memset,_memset,HeapFree,FreeLibrary,		1_2_00F38C10
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: _strcat,GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,_strcat,_strcat,_memset,_memset,HeapFree,FreeLibrary,		2_2_00AD8C10

Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Window / User API: threadDelayed 820	Jump to behavior
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Window / User API: threadDelayed 1130	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Window / User API: threadDelayed 352	Jump to behavior
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Window / User API: threadDelayed 834	Jump to behavior
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Window / User API: threadDelayed 1116	Jump to behavior

Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_2-22816
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Evasive API call chain: GetSystemTime,DecisionNodes	graph_1-22244
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe TID: 10536	Thread sleep count: 295 > 30	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe TID: 10536	Thread sleep time: -655490s >= -30000s	Jump to behavior
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe TID: 10532	Thread sleep count: 820 > 30	Jump to behavior
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe TID: 10532	Thread sleep time: -820000s >= -30000s	Jump to behavior
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe TID: 10532	Thread sleep count: 1130 > 30	Jump to behavior
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe TID: 10532	Thread sleep time: -1130000s >= -30000s	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe TID: 9124	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe TID: 12628	Thread sleep count: 352 > 30	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe TID: 12628	Thread sleep time: -782144s >= -30000s	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe TID: 9124	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe TID: 12632	Thread sleep count: 834 > 30	Jump to behavior
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe TID: 12632	Thread sleep time: -834000s >= -30000s	Jump to behavior
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe TID: 12632	Thread sleep count: 1116 > 30	Jump to behavior
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe TID: 12632	Thread sleep time: -1116000s >= -30000s	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe TID: 7328	Thread sleep time: -50000s >= -30000s	Jump to behavior

Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Last function: Thread delayed
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Last function: Thread delayed
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_0075A590 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,_memset,	0_2_0075A590
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_00783691 _wcspbrk,__getdrive,FindFirstFileExW,_wcspbrk,__wfullpath_helper,_IsRootUNCName,GetDriveTypeW,_free,___loctotime64_t,_free,__sopen_s,__fstat64i32,__close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,	0_2_00783691
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F1A590 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,_memset,	1_2_00F1A590
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F43691 _wcspbrk,__getdrive,FindFirstFileExW,_wcspbrk,__wfullpath_helper,_IsRootUNCName,GetDriveTypeW,_free,___loctotime64_t,_free,__sopen_s,__fstat64i32,__close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,	1_2_00F43691
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00ABA590 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,_memset,	2_2_00ABA590
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00AE3691 _wcspbrk,__getdrive,FindFirstFileExW,_wcspbrk,__wfullpath_helper,_IsRootUNCName,GetDriveTypeW,_free,___loctotime64_t,_free,__sopen_s,__fstat64i32,__close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,	2_2_00AE3691
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000E3691 _wcspbrk,__getdrive,FindFirstFileExW,_wcspbrk,__wfullpath_helper,_IsRootUNCName,GetDriveTypeW,_free,___loctotime64_t,_free,__fstat64i32,__close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,	3_2_000E3691
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000BA590 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,_memset,	3_2_000BA590
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_00213691 _wcspbrk,__getdrive,FindFirstFileExW,_wcspbrk,__wfullpath_helper,_IsRootUNCName,GetDriveTypeW,_free,___loctotime64_t,_free,__fstat64i32,__close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,	10_2_00213691
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_001EA590 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,_memset,	10_2_001EA590
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_00643691 _wcspbrk,__getdrive,FindFirstFileExW,_wcspbrk,__wfullpath_helper,_IsRootUNCName,GetDriveTypeW,_free,___loctotime64_t,_free,__sopen_s,__fstat64i32,__close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,	12_2_00643691
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_0061A590 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,_memset,	12_2_0061A590

Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Thread delayed: delay time: 50000	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Thread delayed: delay time: 50000	Jump to behavior
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Thread delayed: delay time: 50000	Jump to behavior

Source: ek5v3xaskkfpqwron.exe, 00000001.00000002.1722299142.000000000167E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllP
Source: bsiphbvc.exe, 00000002.00000003.1808554109.0000000000799000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000002.00000002.2479587553.00000000007A4000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000002.00000003.1806253851.0000000000799000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000009.00000003.2601872059.000000000073C000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000009.00000003.2600559528.0000000000732000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000009.00000002.3268654720.000000000073D000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000009.00000003.2601298401.0000000000732000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3390978614.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000002.3561545387.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389569393.0000000000A12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\DBROG0eWH7.exe

Code function: 0_2_0078195B _memset,IsDebuggerPresent,

0_2_0078195B

Source: C:\Users\user\Desktop\DBROG0eWH7.exe

Code function: 0_2_00789EFA EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00789EFA

Source: C:\Users\user\Desktop\DBROG0eWH7.exe

0_2_00761B40

Source: C:\Users\user\Desktop\DBROG0eWH7.exe

Code function: 0_2_0078FC18 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_0078FC18

Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_0078207E SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0078207E
Source: C:\Users\user\Desktop\DBROG0eWH7.exe	Code function: 0_2_0078204D SetUnhandledExceptionFilter,	0_2_0078204D
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F4207E SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00F4207E
Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	Code function: 1_2_00F4204D SetUnhandledExceptionFilter,	1_2_00F4204D
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00AE207E SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00AE207E
Source: C:\qkcgyxexucxsiyk\bsiphbvc.exe	Code function: 2_2_00AE204D SetUnhandledExceptionFilter,	2_2_00AE204D
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000E204D SetUnhandledExceptionFilter,	3_2_000E204D
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 3_2_000E207E SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_000E207E
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_0021207E SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_0021207E
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 10_2_0021204D SetUnhandledExceptionFilter,	10_2_0021204D
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_0064207E SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_0064207E
Source: C:\qkcgyxexucxsiyk\jqvkzish.exe	Code function: 12_2_0064204D SetUnhandledExceptionFilter,	12_2_0064204D

Source: C:\Users\user\Desktop\DBROG0eWH7.exe

Code function: 0_2_00772230 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00772230

Source: C:\Users\user\Desktop\DBROG0eWH7.exe

Code function: 0_2_0078885B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0078885B

Source: C:\Users\user\Desktop\DBROG0eWH7.exe

Code function: 0_2_0078F570 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,__malloc_crt,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0078F570

Source: C:\Users\user\Desktop\DBROG0eWH7.exe

Code function: 0_2_007600B0 GetProcAddress,GetVersionExA,CreateDirectoryA,DeleteFileA,RemoveDirectoryA,CreateDirectoryA,_strcat,CreateDirectoryA,__snprintf,__snprintf,CreateDirectoryA,_strcat,CreateDirectoryA,GetTempPathA,_strcat,CreateDirectoryA,GetTempPathA,_strcat,SetFileAttributesA,_memset,

0_2_007600B0

Source: C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	4 Windows Service	4 Windows Service	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Service Execution	1 DLL Side-Loading	1 Process Injection	11 Virtualization/Sandbox Evasion	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Native API	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 System Service Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	4 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
DBROG0eWH7.exe	92%	ReversingLabs	Win32.Trojan.Strobosc
DBROG0eWH7.exe	100%	Avira	HEUR/AGEN.1317803
DBROG0eWH7.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\qkcgyxexucxsiyk\jqvkzish.exe	100%	Avira	HEUR/AGEN.1317803
C:\qkcgyxexucxsiyk\bsiphbvc.exe	100%	Avira	HEUR/AGEN.1317803
C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	100%	Avira	HEUR/AGEN.1317803
C:\qkcgyxexucxsiyk\jqvkzish.exe	100%	Joe Sandbox ML
C:\qkcgyxexucxsiyk\bsiphbvc.exe	100%	Joe Sandbox ML
C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	100%	Joe Sandbox ML
C:\qkcgyxexucxsiyk\bsiphbvc.exe	92%	ReversingLabs	Win32.Trojan.Strobosc
C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe	92%	ReversingLabs	Win32.Trojan.Strobosc
C:\qkcgyxexucxsiyk\jqvkzish.exe	92%	ReversingLabs	Win32.Trojan.Strobosc

Source	Detection	Scanner	Label
https://www.transip.eu/question/110000577/	0%	Avira URL Cloud	safe
https://www.transip.eu/knowledgebase/entry/5885/	0%	Avira URL Cloud	safe
https://www.transip.eu/knowledgebase/entry/284-start-sending-receiving-email-domain/	0%	Avira URL Cloud	safe
https://www.transip.eu/question/100000230	0%	Avira URL Cloud	safe
https://www.transip.eu/services/search-domains/	0%	Avira URL Cloud	safe
https://www.transip.eu/knowledgebase/zoeken/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
7450.bodis.com	199.59.243.227	true	false	high
orderstream.net	37.97.254.27	true	false	unknown
returnbottle.net	18.143.155.63	true	true	unknown
pleasantstream.net	18.143.155.63	true	true	unknown
leaderstream.net	unknown	unknown	true	unknown
degreeanother.net	unknown	unknown	true	unknown
answerappear.net	unknown	unknown	true	unknown
requirebottle.net	unknown	unknown	true	unknown
requirebusiness.net	unknown	unknown	true	unknown
requiredivide.net	unknown	unknown	true	unknown
glassmanner.net	unknown	unknown	true	unknown
ordernothing.net	unknown	unknown	true	unknown
orderappear.net	unknown	unknown	true	unknown
variousdivide.net	unknown	unknown	true	unknown
pleasantnothing.net	unknown	unknown	true	unknown
requireappear.net	unknown	unknown	true	unknown
difficultanother.net	unknown	unknown	true	unknown
requireanother.net	unknown	unknown	true	unknown
forwardappear.net	unknown	unknown	true	unknown
necessarymanner.net	unknown	unknown	true	unknown
pleasantappear.net	unknown	unknown	true	unknown
leadernothing.net	unknown	unknown	true	unknown
answeranother.net	unknown	unknown	true	unknown
returnstream.net	unknown	unknown	true	unknown
hearddivide.net	unknown	unknown	true	unknown
leadermanner.net	unknown	unknown	true	unknown
heavybottle.net	unknown	unknown	true	unknown
heavydivide.net	unknown	unknown	true	unknown
necessarybottle.net	unknown	unknown	true	unknown
difficultbusiness.net	unknown	unknown	true	unknown
orderanother.net	unknown	unknown	true	unknown
glassanother.net	unknown	unknown	true	unknown
difficultappear.net	unknown	unknown	true	unknown
heavenanother.net	unknown	unknown	true	unknown
difficultmanner.net	unknown	unknown	true	unknown
variousbottle.net	unknown	unknown	true	unknown
glassbusiness.net	unknown	unknown	true	unknown
heardmanner.net	unknown	unknown	true	unknown
forwardbusiness.net	unknown	unknown	true	unknown
gentlenothing.net	unknown	unknown	true	unknown
necessarybusiness.net	unknown	unknown	true	unknown
orderbusiness.net	unknown	unknown	true	unknown
orderdivide.net	unknown	unknown	true	unknown
heavenmanner.net	unknown	unknown	true	unknown
heardappear.net	unknown	unknown	true	unknown
requiremanner.net	unknown	unknown	true	unknown
glassappear.net	unknown	unknown	true	unknown
necessaryanother.net	unknown	unknown	true	unknown
heavystream.net	unknown	unknown	true	unknown
returndivide.net	unknown	unknown	true	unknown
degreebusiness.net	unknown	unknown	true	unknown
answerbusiness.net	unknown	unknown	true	unknown
variousnothing.net	unknown	unknown	true	unknown
orderbottle.net	unknown	unknown	true	unknown
gentledivide.net	unknown	unknown	true	unknown
heardbusiness.net	unknown	unknown	true	unknown
gentlestream.net	unknown	unknown	true	unknown
pleasantmanner.net	unknown	unknown	true	unknown
necessaryappear.net	unknown	unknown	true	unknown
pleasantbottle.net	unknown	unknown	true	unknown
heavenstream.net	unknown	unknown	true	unknown
forwardmanner.net	unknown	unknown	true	unknown
pleasantbusiness.net	unknown	unknown	true	unknown
requirestream.net	unknown	unknown	true	unknown
degreeappear.net	unknown	unknown	true	unknown
heavenbottle.net	unknown	unknown	true	unknown
heavendivide.net	unknown	unknown	true	unknown
heavynothing.net	unknown	unknown	true	unknown
necessarydivide.net	unknown	unknown	true	unknown
ordermanner.net	unknown	unknown	true	unknown
forwardanother.net	unknown	unknown	true	unknown
leaderbottle.net	unknown	unknown	true	unknown
variousstream.net	unknown	unknown	true	unknown
pleasantanother.net	unknown	unknown	true	unknown
returnnothing.net	unknown	unknown	true	unknown
necessarynothing.net	unknown	unknown	true	unknown
answermanner.net	unknown	unknown	true	unknown
heavennothing.net	unknown	unknown	true	unknown
leaderdivide.net	unknown	unknown	true	unknown
degreemanner.net	unknown	unknown	true	unknown
pleasantdivide.net	unknown	unknown	true	unknown
necessarystream.net	unknown	unknown	true	unknown
leaderanother.net	unknown	unknown	true	unknown
requirenothing.net	unknown	unknown	true	unknown
gentlebottle.net	unknown	unknown	true	unknown
heardanother.net	unknown	unknown	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com	bsiphbvc.exe, 00000002.00000003.1808554109.0000000000799000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000002.00000002.2479587553.00000000007A4000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000002.00000003.1806253851.0000000000799000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000009.00000003.2601872059.000000000073C000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000009.00000003.2600559528.0000000000732000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000009.00000002.3268654720.0000000000758000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000009.00000003.2601298401.0000000000732000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3390978614.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000002.3561545387.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389569393.0000000000A12000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.transip.eu/question/110000577/	bsiphbvc.exe, 00000002.00000003.1806222214.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://transip.eu/cp/	bsiphbvc.exe, 00000002.00000003.1808554109.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000002.00000003.1806222214.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000002.00000003.1806253851.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000002.00000002.2479587553.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000009.00000003.2601298401.0000000000769000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000009.00000002.3268654720.0000000000769000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 00000009.00000003.2600559528.0000000000769000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3390978614.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000002.3561545387.0000000000A48000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.transip.eu/knowledgebase/zoeken/	bsiphbvc.exe, 00000002.00000003.1806222214.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.transip.nl/vragen/110000572	bsiphbvc.exe, 00000002.00000003.1806222214.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.transip.eu/knowledgebase/entry/284-start-sending-receiving-email-domain/	bsiphbvc.exe, 00000002.00000003.1806222214.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.transip.eu/services/search-domains/	bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.transip.nl/vragen/198/	bsiphbvc.exe, 00000002.00000003.1806222214.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.transip.eu/question/100000230	bsiphbvc.exe, 00000002.00000003.1806222214.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.transip.nl/knowledgebase/zoeken/	bsiphbvc.exe, 00000002.00000003.1806222214.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.transip.nl/services/search-domains/	bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.transip.nl/vragen/110000534/	bsiphbvc.exe, 00000002.00000003.1806222214.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.transip.eu/knowledgebase/entry/5885/	bsiphbvc.exe, 00000002.00000003.1806222214.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.transip.nl/vragen/110000580/	bsiphbvc.exe, 00000002.00000003.1806222214.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, bsiphbvc.exe, 0000000B.00000003.3389425724.0000000000A52000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
37.97.254.27	orderstream.net	Netherlands	20857	TRANSIP-ASAmsterdamtheNetherlandsNL	false
18.143.155.63	returnbottle.net	United States	16509	AMAZON-02US	true
199.59.243.227	7450.bodis.com	United States	395082	BODIS-NJUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1551074
Start date and time:	2024-11-07 13:13:48 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DBROG0eWH7.exe renamed because original name is a hash value
Original Sample Name:	78f48020d8c0308bbb5c18c883b7b547adcb2674db93b85f3a9df6a20595d8bc.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@16/6@276/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 40 Number of non-executed functions: 79
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: DBROG0eWH7.exe

Simulations

Behavior and APIs

Time	Type	Description
07:15:16	API Interceptor	3840x Sleep call for process: jqvkzish.exe modified
07:15:26	API Interceptor	632x Sleep call for process: bsiphbvc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37.97.254.27	WrrCV4QR2J.exe	Get hash	malicious	FormBook	Browse	www.wrautomotive.online/ahec/?XveXHZvx=5igDJT3zPYxoznSfOhoK1Ng2m3hD5JqRz+D9mmXj9CLVcvHmJGefSTTLw3ACEWBDJ4ZMU5QrLRnI3LOtkf+25ITAAVo7msZgdw==&l4xX=rDStpH0He
	Antndte.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.rocsys.net/3hr5/?TZd=WvKXMpNdKcx12PohJdQ2Nu7zrY//6AeCNDisJJSnngoH0SI3JFeqPH7/T9Xi9rN0AVbH68W87D80yQtOqBVkzxSvcNI04lJ+LQ==&1dr=yP5PQD38
	hesaphareketi-01.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.rocsys.net/uaaq/?XFs82=6R5Xx6907&9pG0L=ZvgtLzuC5J0fwHYuRehKE7pqe+TegS3vAv4ZEylVZ8S9BUo4tJK/O+Yy7erX60uFZvklPnpu2szjI2ePXJ09nWZe2eIrY7ioDA==
	New_Order.exe	Get hash	malicious	FormBook	Browse	www.wrautomotive.online/fdo5/?540H2x=tmpHADT4fdGVd6nnK8VfxTcjTEmAMjvmemW+C4Ol5iYH1IbYxa+keO9dRydEANAVQTW4GcRzv85KoC+8HtmJLO5vdlfv2fS0QQ==&fXUX=ShJ8DFcXvtj84pw
	PO_YTWHDF3432.exe	Get hash	malicious	FormBook	Browse	www.wrautomotive.online/ahec/
	PO_CCTEB77.exe	Get hash	malicious	FormBook	Browse	www.wrautomotive.online/ahec/?KHcH=5igDJT3zPYxoznSYBBpd18gTi2dx8KCRz+D9mmXj9CLVcvHmJGefSTTLw3ACEWBDJ4ZMU5QrLRnI3LOtkf+zzorQEnBYkPkOfg==&Vjk=-N-tntX
	Fpopgapwdcgvxn.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.kermisbedrijfkramer.online/ao65/?3f94p=Y9yn8u0REY9c1IpGc1acQeiywl67Bz4kR9nr06rl/WLBU1XMoiFOUgbvS2/Y+YwQBdR3MSzENA==&ojq4i=mFNh5n78I22D3DgP
	Product_Specs.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.wrautomotive.online/ur4g/?vxM0=G80Xg2gxjV&eh=GM1abjaFQeRWF1TbL/6IPq6IQ8Zq6L6A/eGtDh+rzhSfkUEKySbsXXOahwAFIXwkymySVlBBxGC7SDgkYy5RlvrvRaU4SsaPnA==
	PO_VCFGA1010.exe	Get hash	malicious	FormBook	Browse	www.wrautomotive.online/ahec/?TrRXYB=5igDJT3zPYxoznSYBBpd18gTi2dx8KCRz+D9mmXj9CLVcvHmJGefSTTLw3ACEWBDJ4ZMU5QrLRnI3LOtkf+z0orNAnxbm6AOaCZvJNva1SPD&NRpHp=DLPh_Z

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
7450.bodis.com	25XrVZw56S.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	25XrVZw56S.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	oUc5lyEzJy.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	JUHGSyleu7.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	oUc5lyEzJy.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	JUHGSyleu7.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	4wwi2Lh5W4.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	4wwi2Lh5W4.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	https://pokerfanboy.com/	Get hash	malicious	Unknown	Browse	199.59.243.227

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	Y7isAhMKal.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	SDBARVe3d3.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	3NvALxFlHV.exe	Get hash	malicious	FormBook	Browse	76.223.105.230
	https://sendspace.com/pro/z42su8	Get hash	malicious	Mamba2FA	Browse	18.245.31.5
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	3.170.115.57
	assailant.sparc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	54.171.230.55
	bin.m68k.elf	Get hash	malicious	Mirai	Browse	34.210.146.241
	bin.arm7.elf	Get hash	malicious	Mirai	Browse	54.230.74.218
	sora.arm7.elf	Get hash	malicious	Unknown	Browse	63.34.86.27
BODIS-NJUS	DHL_doc.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Wc7HGBGZfE.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	XhAQ0Rk63O.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	BkZqIS5vlv.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	FzmC0FwV6y.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Shipping documents..exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	icRicpJWczmiOf8.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	IbRV4I7MrS.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	NIlfETZ9aE.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
TRANSIP-ASAmsterdamtheNetherlandsNL	g49e742700.exe	Get hash	malicious	Emotet	Browse	149.210.171.237
	074kFuPFv8.exe	Get hash	malicious	Unknown	Browse	149.210.147.77
	074kFuPFv8.exe	Get hash	malicious	Unknown	Browse	149.210.147.77
	6fLnWSoXXD.elf	Get hash	malicious	Mirai	Browse	95.170.75.171
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	136.144.215.32
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	37.97.214.146
	bnrKk80Fa9.elf	Get hash	malicious	Mirai	Browse	95.170.75.159
	na.elf	Get hash	malicious	Mirai	Browse	95.170.75.159
	fBcMVl6ns6.lnk	Get hash	malicious	RHADAMANTHYS	Browse	37.97.185.116

Process:	C:\Users\user\Desktop\DBROG0eWH7.exe
File Type:	data
Category:	dropped
Size (bytes):	12
Entropy (8bit):	3.418295834054489
Encrypted:	false
SSDEEP:	3:MO:P
MD5:	AE8AF840FB91B0314E93D65E5494B3EF
SHA1:	234064717B321F1894B040299BF68BDA6960DEFC
SHA-256:	DA009758FE8E36D7FC4A396E86E318AF24296D0C016122FE6885E7246463FE1D
SHA-512:	9715057AB60C78B43908A3EF985A78CFF60A116EE26BC116751CA17A3AC0B30E0CE71CFE3C487B53057CE30A9D1A0078EE51BE915C387ECF95DA172B62288D66
Malicious:	false
Reputation:	low
Preview:	../!......e+

C:\qkcgyxexucxsiyk\bsiphbvc.exe

Download File

Process:	C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	357376
Entropy (8bit):	6.790311729571532
Encrypted:	false
SSDEEP:	6144:YZY+B8/hwDB7c6LZNG8J7GBHRJtEbqel4pQJt4RE:YZnwoB7ceNR7WHRJtEvl4pQJGRE
MD5:	FA91458E80BA750FDA0B41D2B88AE1B1
SHA1:	5531267D0D3B4523007803F21BC58D0DE818B38B
SHA-256:	78F48020D8C0308BBB5C18C883B7B547ADCB2674DB93B85F3A9DF6A20595D8BC
SHA-512:	143E9021D9216EC43F31FB31509856531BB7A2544DD9E3BEB332088111F9416457A637A34E780610B89E5488DE8D04CC921800CCEFCFBF7CF139C2BDCA22974A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................Rich.}........................PE..L...X\LU.....................................0....@.......................................@.....................................P............................p..@W......................................@............0..T............................text............................... ..`.rdata.......0......................@..@.data....H... ......................@....reloc..@W...p...X..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe

Download File

Process:	C:\Users\user\Desktop\DBROG0eWH7.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	357376
Entropy (8bit):	6.790311729571532
Encrypted:	false
SSDEEP:	6144:YZY+B8/hwDB7c6LZNG8J7GBHRJtEbqel4pQJt4RE:YZnwoB7ceNR7WHRJtEvl4pQJGRE
MD5:	FA91458E80BA750FDA0B41D2B88AE1B1
SHA1:	5531267D0D3B4523007803F21BC58D0DE818B38B
SHA-256:	78F48020D8C0308BBB5C18C883B7B547ADCB2674DB93B85F3A9DF6A20595D8BC
SHA-512:	143E9021D9216EC43F31FB31509856531BB7A2544DD9E3BEB332088111F9416457A637A34E780610B89E5488DE8D04CC921800CCEFCFBF7CF139C2BDCA22974A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................Rich.}........................PE..L...X\LU.....................................0....@.......................................@.....................................P............................p..@W......................................@............0..T............................text............................... ..`.rdata.......0......................@..@.data....H... ......................@....reloc..@W...p...X..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\qkcgyxexucxsiyk\emmz4mbuo0g

Download File

Process:	C:\Users\user\Desktop\DBROG0eWH7.exe
File Type:	data
Category:	dropped
Size (bytes):	12
Entropy (8bit):	3.418295834054489
Encrypted:	false
SSDEEP:	3:MO:P
MD5:	AE8AF840FB91B0314E93D65E5494B3EF
SHA1:	234064717B321F1894B040299BF68BDA6960DEFC
SHA-256:	DA009758FE8E36D7FC4A396E86E318AF24296D0C016122FE6885E7246463FE1D
SHA-512:	9715057AB60C78B43908A3EF985A78CFF60A116EE26BC116751CA17A3AC0B30E0CE71CFE3C487B53057CE30A9D1A0078EE51BE915C387ECF95DA172B62288D66
Malicious:	false
Preview:	../!......e+

C:\qkcgyxexucxsiyk\hjkz5m

Download File

Process:	C:\qkcgyxexucxsiyk\bsiphbvc.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:b0kn:Qk
MD5:	82C2730B74BBD56ACE0D9EC37E78EC14
SHA1:	186245D5A9957DAE267F3CBA7CF95E6A3FA0CA88
SHA-256:	DB36136FE5D2F4DAF81FAD2A211E3A4CFCFAE940DDD6AD058D3740AF7AC7FB38
SHA-512:	E14C015196B2DD98775D9A82AFD516E12D7C6B8C260E195D6131A11B53B76D2125E4395DD5886C2E7212689DCB91DE37585D2AE6D41339B3A096E7D8E5C68E4A
Malicious:	false
Preview:	d.Q.

C:\qkcgyxexucxsiyk\jqvkzish.exe

Download File

Process:	C:\qkcgyxexucxsiyk\bsiphbvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	357376
Entropy (8bit):	6.790311729571532
Encrypted:	false
SSDEEP:	6144:YZY+B8/hwDB7c6LZNG8J7GBHRJtEbqel4pQJt4RE:YZnwoB7ceNR7WHRJtEvl4pQJGRE
MD5:	FA91458E80BA750FDA0B41D2B88AE1B1
SHA1:	5531267D0D3B4523007803F21BC58D0DE818B38B
SHA-256:	78F48020D8C0308BBB5C18C883B7B547ADCB2674DB93B85F3A9DF6A20595D8BC
SHA-512:	143E9021D9216EC43F31FB31509856531BB7A2544DD9E3BEB332088111F9416457A637A34E780610B89E5488DE8D04CC921800CCEFCFBF7CF139C2BDCA22974A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................Rich.}........................PE..L...X\LU.....................................0....@.......................................@.....................................P............................p..@W......................................@............0..T............................text............................... ..`.rdata.......0......................@..@.data....H... ......................@....reloc..@W...p...X..................@..B................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.790311729571532
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Clipper DOS Executable (2020/12) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DBROG0eWH7.exe
File size:	357'376 bytes
MD5:	fa91458e80ba750fda0b41d2b88ae1b1
SHA1:	5531267d0d3b4523007803f21bc58d0de818b38b
SHA256:	78f48020d8c0308bbb5c18c883b7b547adcb2674db93b85f3a9df6a20595d8bc
SHA512:	143e9021d9216ec43f31fb31509856531bb7a2544dd9e3beb332088111f9416457a637a34e780610b89e5488de8d04cc921800ccefcfbf7cf139c2bdca22974a
SSDEEP:	6144:YZY+B8/hwDB7c6LZNG8J7GBHRJtEbqel4pQJt4RE:YZnwoB7ceNR7WHRJtEvl4pQJGRE
TLSH:	94745D18B590E1B9D1A0D1389B7A32A392B81AA07770D7EB3F5414DD4AEC4D1BAF3317
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................Rich...}........................PE..L...X\LU...

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x430a9d
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x554C5C58 [Fri May 8 06:48:56 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	1b8099a32bcf0a0b3d1d39ee7c544b44

Entrypoint Preview

Instruction
call 00007F0D98C0A7BEh
jmp 00007F0D98C02A05h
push 00000014h
push 0044FDA0h
call 00007F0D98C03342h
call 00007F0D98C03C7Dh
movzx esi, ax
push 00000002h
call 00007F0D98C0A751h
pop ecx
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
je 00007F0D98C02A06h
xor ebx, ebx
jmp 00007F0D98C02A35h
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 00007F0D98C029EDh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 00007F0D98C029DFh
xor ebx, ebx
cmp dword ptr [eax+00400074h], 0Eh
jbe 00007F0D98C02A0Bh
cmp dword ptr [eax+004000E8h], ebx
setne bl
mov dword ptr [ebp-1Ch], ebx
call 00007F0D98C053F1h
test eax, eax
jne 00007F0D98C02A0Ah
push 0000001Ch
call 00007F0D98C02AE1h
pop ecx
call 00007F0D98C0534Dh
test eax, eax
jne 00007F0D98C02A0Ah
push 00000010h
call 00007F0D98C02AD0h
pop ecx
call 00007F0D98C039C6h
and dword ptr [ebp-04h], 00000000h
call 00007F0D98C09406h
test eax, eax
jns 00007F0D98C02A0Ah
push 0000001Bh
call 00007F0D98C02AB6h
pop ecx
call dword ptr [00443150h]
mov dword ptr [00456884h], eax
call 00007F0D98C0A7A5h
mov dword ptr [00454978h], eax
call 00007F0D98C0A3A2h
test eax, eax
jns 00007F0D98C02A0Ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5030c	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x57000	0x5740	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4f7f0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x43000	0x254	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x419ca	0x41a00	ce79de0b6ff00ae5362cc86880d5f984	False	0.543999255952381	data	6.570421212382599	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x43000	0xe002	0xe200	178b293bec90181385f0bed1589cbdb0	False	0.6180689988938053	data	6.271129625047008	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x52000	0x489c	0x1c00	e6c6eec1fd83dce1862440a1393ef305	False	0.41671316964285715	data	4.189504036798764	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x57000	0x5740	0x5800	0b84ce1999716cc9a29737983673f94b	False	0.7712180397727273	data	6.814681003193168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
GDI32.dll	GetBkColor, GetDCBrushColor, GetDCPenColor, GetClipRgn, GetNearestColor, GetObjectType, GetPixelFormat, GetPolyFillMode, GetSystemPaletteUse, GetTextCharacterExtra, GetTextAlign, GetTextColor, GetTextCharset, GetTextCharsetInfo, SetPixel, SetSystemPaletteUse, SetTextCharacterExtra, SetTextColor, SetTextAlign, UpdateColors
USER32.dll	LoadIconA, GetWindowLongA, GetCursor, GetMenuContextHelpId, GetWindowContextHelpId, SetWindowTextA, RemovePropA, GetScrollPos, EndPaint, BeginPaint, GetWindowDC, GetDC, WindowFromDC, GetForegroundWindow, DrawTextA, GetMenuCheckMarkDimensions, GetMenuItemCount, GetMenuItemID, GetMenuState, GetMenu, IsWindowEnabled, EnableWindow, IsWindowUnicode, GetQueueStatus, GetInputState, SetFocus, CheckDlgButton, SetDlgItemTextA, GetDlgItemInt, GetDlgItem, EndDialog, ShowWindow, PostMessageA, SendMessageA
KERNEL32.dll	SetEnvironmentVariableA, ReadConsoleW, ReadFile, SetEndOfFile, GetTimeZoneInformation, WriteConsoleW, SetFilePointerEx, SetStdHandle, CreateFileW, GetCurrentDirectoryW, GetFullPathNameW, PeekNamedPipe, GetFileInformationByHandle, FileTimeToLocalFileTime, GetStringTypeW, OutputDebugStringW, HeapReAlloc, LCMapStringW, CompareStringW, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetModuleFileNameA, GetConsoleMode, GetConsoleCP, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, DeleteFileA, FindClose, FlushFileBuffers, GetDriveTypeA, GetFileTime, GetFileType, WriteFile, IsDebuggerPresent, CloseHandle, GetLastError, GetCurrentProcess, GetCurrentProcessId, CreateThread, GetCurrentThreadId, IsProcessorFeaturePresent, GetTickCount, GetModuleHandleA, GetProcAddress, LoadResource, LockResource, SizeofResource, GlobalAlloc, GlobalFlags, GlobalHandle, FindResourceA, MoveFileA, EncodePointer, DecodePointer, ExitProcess, GetModuleHandleExW, AreFileApisANSI, MultiByteToWideChar, WideCharToMultiByte, HeapFree, HeapAlloc, GetSystemTimeAsFileTime, GetCommandLineA, RaiseException, RtlUnwind, HeapSize, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SetLastError, InitializeCriticalSectionAndSpinCount, Sleep, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetModuleHandleW, GetStdHandle, GetModuleFileNameW, LoadLibraryExW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetProcessHeap, FindFirstFileExW, GetDriveTypeW

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-07T13:14:46.812380+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.143.155.63	80	192.168.2.4	49730	TCP
2024-11-07T13:14:46.812380+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	18.143.155.63	80	192.168.2.4	49730	TCP
2024-11-07T13:14:47.836973+0100	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	1	192.168.2.4	49731	37.97.254.27	80	TCP
2024-11-07T13:14:49.767381+0100	2820680	ETPRO MALWARE W32/Bayrob Attempted Checkin 2	1	192.168.2.4	49732	199.59.243.227	80	TCP
2024-11-07T13:14:52.670590+0100	2811542	ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)	1	1.1.1.1	53	192.168.2.4	60022	UDP
2024-11-07T13:14:53.128694+0100	2018316	ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses	1	1.1.1.1	53	192.168.2.4	50386	UDP
2024-11-07T13:14:53.667848+0100	2018316	ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses	1	1.1.1.1	53	192.168.2.4	56856	UDP
2024-11-07T13:14:59.785160+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.4	49734	TCP
2024-11-07T13:15:38.662761+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.4	49740	TCP
2024-11-07T13:16:07.883078+0100	2811542	ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)	1	1.1.1.1	53	192.168.2.4	49779	UDP
2024-11-07T13:16:10.394704+0100	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	1	192.168.2.4	49764	18.143.155.63	80	TCP
2024-11-07T13:16:10.394704+0100	2820680	ETPRO MALWARE W32/Bayrob Attempted Checkin 2	1	192.168.2.4	49764	18.143.155.63	80	TCP
2024-11-07T13:17:29.701648+0100	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	1	192.168.2.4	54626	199.59.243.227	80	TCP
2024-11-07T13:17:29.701648+0100	2820680	ETPRO MALWARE W32/Bayrob Attempted Checkin 2	1	192.168.2.4	54626	199.59.243.227	80	TCP
2024-11-07T13:17:34.417854+0100	2811542	ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)	1	1.1.1.1	53	192.168.2.4	50375	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 13:14:44.902656078 CET	49730	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:14:44.907444000 CET	80	49730	18.143.155.63	192.168.2.4
Nov 7, 2024 13:14:44.907514095 CET	49730	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:14:44.907565117 CET	49730	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:14:44.912305117 CET	80	49730	18.143.155.63	192.168.2.4
Nov 7, 2024 13:14:46.394563913 CET	80	49730	18.143.155.63	192.168.2.4
Nov 7, 2024 13:14:46.441657066 CET	49730	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:14:46.812380075 CET	80	49730	18.143.155.63	192.168.2.4
Nov 7, 2024 13:14:46.812452078 CET	49730	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:14:46.812640905 CET	49730	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:14:46.818502903 CET	80	49730	18.143.155.63	192.168.2.4
Nov 7, 2024 13:14:46.986944914 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:46.991714001 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:46.994419098 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:46.994419098 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:46.999279022 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.836894989 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.836926937 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.836941957 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.836954117 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.836972952 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:47.836976051 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.836988926 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.836996078 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:47.837002993 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.837013960 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.837025881 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.837033987 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:47.837038040 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.837049961 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:47.837076902 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:47.841891050 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.841923952 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.841936111 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.841972113 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:47.955475092 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.955492973 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.955507040 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.955557108 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:47.955604076 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.955646038 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:47.955651045 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.955666065 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.955679893 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.955733061 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:47.956218004 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.956269979 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:47.956401110 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.956413031 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.956425905 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.956438065 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.956468105 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:47.956491947 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:47.956818104 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.956837893 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.956851959 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.956862926 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.956876040 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.956876993 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:47.956902027 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:47.997412920 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.997450113 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.997463942 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:47.997486115 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:47.997508049 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:48.246390104 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246413946 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246427059 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246473074 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:48.246514082 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246527910 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246540070 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246550083 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246558905 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:48.246562004 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246575117 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246592999 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:48.246618986 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:48.246679068 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246686935 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246687889 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246695042 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246704102 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246717930 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246730089 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:48.246731043 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246748924 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:48.246793985 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:48.246886015 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246897936 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246911049 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246922016 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246932983 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:48.246938944 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246948004 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246957064 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246959925 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246962070 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:48.246967077 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.246994972 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:48.247014999 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:48.247039080 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.247051001 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.247064114 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.247073889 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.247085094 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:48.247087002 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:48.247112036 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:48.247133970 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:48.247243881 CET	49731	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:14:48.252293110 CET	80	49731	37.97.254.27	192.168.2.4
Nov 7, 2024 13:14:49.103816986 CET	49732	80	192.168.2.4	199.59.243.227
Nov 7, 2024 13:14:49.111011982 CET	80	49732	199.59.243.227	192.168.2.4
Nov 7, 2024 13:14:49.111145020 CET	49732	80	192.168.2.4	199.59.243.227
Nov 7, 2024 13:14:49.111248016 CET	49732	80	192.168.2.4	199.59.243.227
Nov 7, 2024 13:14:49.116520882 CET	80	49732	199.59.243.227	192.168.2.4
Nov 7, 2024 13:14:49.767203093 CET	80	49732	199.59.243.227	192.168.2.4
Nov 7, 2024 13:14:49.767308950 CET	80	49732	199.59.243.227	192.168.2.4
Nov 7, 2024 13:14:49.767380953 CET	49732	80	192.168.2.4	199.59.243.227
Nov 7, 2024 13:14:49.767848015 CET	80	49732	199.59.243.227	192.168.2.4
Nov 7, 2024 13:14:49.770302057 CET	49732	80	192.168.2.4	199.59.243.227
Nov 7, 2024 13:14:49.770332098 CET	49732	80	192.168.2.4	199.59.243.227
Nov 7, 2024 13:14:49.775177002 CET	80	49732	199.59.243.227	192.168.2.4
Nov 7, 2024 13:14:50.320668936 CET	49733	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:14:50.325602055 CET	80	49733	18.143.155.63	192.168.2.4
Nov 7, 2024 13:14:50.325701952 CET	49733	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:14:50.325788975 CET	49733	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:14:50.330921888 CET	80	49733	18.143.155.63	192.168.2.4
Nov 7, 2024 13:14:51.777851105 CET	80	49733	18.143.155.63	192.168.2.4
Nov 7, 2024 13:14:51.832284927 CET	49733	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:14:52.211303949 CET	80	49733	18.143.155.63	192.168.2.4
Nov 7, 2024 13:14:52.211448908 CET	49733	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:14:52.211529016 CET	49733	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:14:52.216453075 CET	80	49733	18.143.155.63	192.168.2.4
Nov 7, 2024 13:16:04.150712967 CET	49761	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:16:04.155755043 CET	80	49761	18.143.155.63	192.168.2.4
Nov 7, 2024 13:16:04.156079054 CET	49761	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:16:04.156260014 CET	49761	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:16:04.161057949 CET	80	49761	18.143.155.63	192.168.2.4
Nov 7, 2024 13:16:05.611562967 CET	80	49761	18.143.155.63	192.168.2.4
Nov 7, 2024 13:16:05.660257101 CET	49761	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:16:06.043905973 CET	80	49761	18.143.155.63	192.168.2.4
Nov 7, 2024 13:16:06.043986082 CET	49761	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:16:06.044102907 CET	49761	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:16:06.048883915 CET	80	49761	18.143.155.63	192.168.2.4
Nov 7, 2024 13:16:06.339895964 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:06.344862938 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:06.344943047 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:06.345002890 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:06.349777937 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.195400953 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.195430994 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.195442915 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.195455074 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.195468903 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.195482969 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.195496082 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.195508957 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.195521116 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.195533991 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.195607901 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.195647955 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.200582027 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.200650930 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.200669050 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.200803995 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.319116116 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.319142103 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.319154978 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.319168091 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.319183111 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.319194078 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.319241047 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.319253922 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.319252968 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.319266081 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.319278955 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.319299936 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.319330931 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.319833994 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.319849014 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.319860935 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.319876909 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.319889069 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.319905996 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.319933891 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.320689917 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.320719004 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.320729971 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.320741892 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.320745945 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.320780993 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.437563896 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.437591076 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.437603951 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.437618971 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.437633991 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.437724113 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.437768936 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.437787056 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.437824965 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.437828064 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.437946081 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.437967062 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.437978029 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.437988043 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.438018084 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.441981077 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.442030907 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.442044020 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.442085981 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.442112923 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.442125082 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.442137003 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.442148924 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.442158937 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.442186117 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.442368031 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.442424059 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.442425966 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.442557096 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.442569017 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.442581892 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.442608118 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.442629099 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.556684971 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.556708097 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.556720018 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.556732893 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.556746006 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.556806087 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.556832075 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.556843042 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.556875944 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.556953907 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.556967020 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.556977987 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.557003021 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.557054043 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:07.562177896 CET	80	49762	37.97.254.27	192.168.2.4
Nov 7, 2024 13:16:07.562325001 CET	49762	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:16:08.143913984 CET	49763	80	192.168.2.4	199.59.243.227
Nov 7, 2024 13:16:08.148778915 CET	80	49763	199.59.243.227	192.168.2.4
Nov 7, 2024 13:16:08.148890972 CET	49763	80	192.168.2.4	199.59.243.227
Nov 7, 2024 13:16:08.148966074 CET	49763	80	192.168.2.4	199.59.243.227
Nov 7, 2024 13:16:08.153856993 CET	80	49763	199.59.243.227	192.168.2.4
Nov 7, 2024 13:16:08.785276890 CET	80	49763	199.59.243.227	192.168.2.4
Nov 7, 2024 13:16:08.785300970 CET	80	49763	199.59.243.227	192.168.2.4
Nov 7, 2024 13:16:08.785363913 CET	49763	80	192.168.2.4	199.59.243.227
Nov 7, 2024 13:16:08.785583019 CET	80	49763	199.59.243.227	192.168.2.4
Nov 7, 2024 13:16:08.785628080 CET	49763	80	192.168.2.4	199.59.243.227
Nov 7, 2024 13:16:08.785660028 CET	49763	80	192.168.2.4	199.59.243.227
Nov 7, 2024 13:16:08.790477037 CET	80	49763	199.59.243.227	192.168.2.4
Nov 7, 2024 13:16:08.874521971 CET	49764	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:16:08.879626989 CET	80	49764	18.143.155.63	192.168.2.4
Nov 7, 2024 13:16:08.879709005 CET	49764	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:16:08.879744053 CET	49764	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:16:08.884641886 CET	80	49764	18.143.155.63	192.168.2.4
Nov 7, 2024 13:16:10.351630926 CET	80	49764	18.143.155.63	192.168.2.4
Nov 7, 2024 13:16:10.394704103 CET	49764	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:16:10.792391062 CET	80	49764	18.143.155.63	192.168.2.4
Nov 7, 2024 13:16:10.792486906 CET	49764	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:16:10.792534113 CET	49764	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:16:10.797408104 CET	80	49764	18.143.155.63	192.168.2.4
Nov 7, 2024 13:17:24.753438950 CET	49765	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:17:24.758268118 CET	80	49765	18.143.155.63	192.168.2.4
Nov 7, 2024 13:17:24.758394957 CET	49765	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:17:24.758436918 CET	49765	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:17:24.763237000 CET	80	49765	18.143.155.63	192.168.2.4
Nov 7, 2024 13:17:26.235486984 CET	80	49765	18.143.155.63	192.168.2.4
Nov 7, 2024 13:17:26.285082102 CET	49765	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:17:26.678519964 CET	80	49765	18.143.155.63	192.168.2.4
Nov 7, 2024 13:17:26.678680897 CET	49765	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:17:26.678765059 CET	49765	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:17:26.683609009 CET	80	49765	18.143.155.63	192.168.2.4
Nov 7, 2024 13:17:26.821732044 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:26.826826096 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:26.827042103 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:26.827042103 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:26.832174063 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.662760019 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.662789106 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.662805080 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.662820101 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.662832975 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.662843943 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.662858009 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.662869930 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.662883997 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.662899017 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.662971973 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:27.663024902 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:27.667915106 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.667934895 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.667947054 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.667992115 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:27.722541094 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:27.784629107 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.784739017 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.784770012 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.784785032 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.784800053 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.784816980 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.784826994 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:27.784859896 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:27.784859896 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:27.785206079 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.785218000 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.785233021 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.785248041 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.785262108 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.785284996 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:27.785309076 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:27.785852909 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.785906076 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.785917997 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.785919905 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:27.785931110 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.785965919 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:27.786524057 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.786580086 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.786592007 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:27.786596060 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.786611080 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.786638021 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:27.832000971 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:27.901494980 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.901514053 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.901525974 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.901618958 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.901634932 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.901648998 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.901696920 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:27.901736021 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:27.902018070 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.902041912 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.902054071 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.902096987 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:27.905318022 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.905368090 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.905380011 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.905390024 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:27.905397892 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.905411959 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.905430079 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:27.905462980 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:27.905683041 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.905694962 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.905706882 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.905733109 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:27.905769110 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.905788898 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.905816078 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:27.906335115 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.906347036 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:27.906383991 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:28.019037962 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:28.019052029 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:28.019063950 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:28.019109964 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:28.019125938 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:28.019141912 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:28.019148111 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:28.019172907 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:28.019180059 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:28.019426107 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:28.019454002 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:28.019507885 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:28.019577980 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:28.024698019 CET	80	49766	37.97.254.27	192.168.2.4
Nov 7, 2024 13:17:28.024765015 CET	49766	80	192.168.2.4	37.97.254.27
Nov 7, 2024 13:17:29.069619894 CET	54626	80	192.168.2.4	199.59.243.227
Nov 7, 2024 13:17:29.074544907 CET	80	54626	199.59.243.227	192.168.2.4
Nov 7, 2024 13:17:29.074637890 CET	54626	80	192.168.2.4	199.59.243.227
Nov 7, 2024 13:17:29.074740887 CET	54626	80	192.168.2.4	199.59.243.227
Nov 7, 2024 13:17:29.079549074 CET	80	54626	199.59.243.227	192.168.2.4
Nov 7, 2024 13:17:29.701468945 CET	80	54626	199.59.243.227	192.168.2.4
Nov 7, 2024 13:17:29.701493025 CET	80	54626	199.59.243.227	192.168.2.4
Nov 7, 2024 13:17:29.701647997 CET	54626	80	192.168.2.4	199.59.243.227
Nov 7, 2024 13:17:29.701957941 CET	80	54626	199.59.243.227	192.168.2.4
Nov 7, 2024 13:17:29.702027082 CET	54626	80	192.168.2.4	199.59.243.227
Nov 7, 2024 13:17:29.702080965 CET	54626	80	192.168.2.4	199.59.243.227
Nov 7, 2024 13:17:29.706844091 CET	80	54626	199.59.243.227	192.168.2.4
Nov 7, 2024 13:17:29.785254955 CET	54627	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:17:29.790086031 CET	80	54627	18.143.155.63	192.168.2.4
Nov 7, 2024 13:17:29.790178061 CET	54627	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:17:29.790235043 CET	54627	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:17:29.795303106 CET	80	54627	18.143.155.63	192.168.2.4
Nov 7, 2024 13:17:31.248075008 CET	80	54627	18.143.155.63	192.168.2.4
Nov 7, 2024 13:17:31.300715923 CET	54627	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:17:31.686383009 CET	80	54627	18.143.155.63	192.168.2.4
Nov 7, 2024 13:17:31.686455965 CET	54627	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:17:31.689892054 CET	54627	80	192.168.2.4	18.143.155.63
Nov 7, 2024 13:17:31.694668055 CET	80	54627	18.143.155.63	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 13:14:44.549669027 CET	55351	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:44.580485106 CET	53	55351	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:44.624370098 CET	50781	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:44.897839069 CET	53	50781	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:46.813749075 CET	64844	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:46.843518019 CET	53	64844	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:46.844880104 CET	49594	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:46.856466055 CET	53	49594	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:46.858891010 CET	53898	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:46.869244099 CET	53	53898	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:46.871157885 CET	51539	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:46.902147055 CET	53	51539	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:46.903089046 CET	57649	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:46.913084030 CET	53	57649	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:46.914680004 CET	58008	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:46.924639940 CET	53	58008	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:46.926434994 CET	53607	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:46.935906887 CET	53	53607	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:46.937182903 CET	53843	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:46.982193947 CET	53	53843	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:48.248121023 CET	50283	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:48.278541088 CET	53	50283	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:48.279582024 CET	61682	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:48.289005995 CET	53	61682	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:48.290143967 CET	50089	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:48.320489883 CET	53	50089	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:48.321535110 CET	62525	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:48.330811977 CET	53	62525	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:48.331779003 CET	57655	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:48.340208054 CET	53	57655	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:48.341234922 CET	60136	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:48.350876093 CET	53	60136	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:48.351819038 CET	57390	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:48.383431911 CET	53	57390	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:48.384560108 CET	62308	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:48.546468019 CET	53	62308	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:48.547455072 CET	63593	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:48.556724072 CET	53	63593	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:48.557651043 CET	55252	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:48.567387104 CET	53	55252	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:48.568501949 CET	50271	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:48.578418970 CET	53	50271	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:48.579767942 CET	59255	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:48.589382887 CET	53	59255	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:48.590506077 CET	64407	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:48.601746082 CET	53	64407	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:48.602673054 CET	57621	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:48.612734079 CET	53	57621	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:48.613729954 CET	56274	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:48.622982979 CET	53	56274	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:48.623979092 CET	63024	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:48.633295059 CET	53	63024	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:48.634073973 CET	55786	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:48.645631075 CET	53	55786	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:48.646552086 CET	56640	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:48.678025961 CET	53	56640	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:48.678985119 CET	56590	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:48.689409018 CET	53	56590	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:48.690332890 CET	57517	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:48.721616030 CET	53	57517	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:48.722640038 CET	50398	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:48.732454062 CET	53	50398	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:48.733602047 CET	49180	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:48.765409946 CET	53	49180	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:48.766585112 CET	55957	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:48.775887966 CET	53	55957	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:48.776693106 CET	62401	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:49.102252007 CET	53	62401	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:49.771080971 CET	56768	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:49.780694962 CET	53	56768	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:49.781696081 CET	61289	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:49.791224957 CET	53	61289	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:49.795231104 CET	62489	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:49.826945066 CET	53	62489	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:50.074785948 CET	52040	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:50.085371971 CET	53	52040	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:50.103223085 CET	51421	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:50.319963932 CET	53	51421	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:52.212483883 CET	54440	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:52.385917902 CET	53	54440	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:52.387171030 CET	54284	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:52.560450077 CET	53	54284	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:52.561609030 CET	52342	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:52.571320057 CET	53	52342	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:52.583817005 CET	49523	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:52.594955921 CET	53	49523	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:52.595989943 CET	57907	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:52.607913017 CET	53	57907	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:52.608966112 CET	51713	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:52.617913961 CET	53	51713	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:52.619029045 CET	53873	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:52.648945093 CET	53	53873	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:52.650011063 CET	63415	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:52.659423113 CET	53	63415	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:52.660257101 CET	60022	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:52.670589924 CET	53	60022	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:52.671560049 CET	65159	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:52.681404114 CET	53	65159	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:52.682328939 CET	61070	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:52.692038059 CET	53	61070	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:52.692929029 CET	50071	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:52.723736048 CET	53	50071	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:52.725886106 CET	58308	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:52.736015081 CET	53	58308	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:52.736999989 CET	49225	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:52.747095108 CET	53	49225	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:52.748301983 CET	59746	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:52.921444893 CET	53	59746	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:52.926382065 CET	64835	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:52.936252117 CET	53	64835	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:52.937304020 CET	55220	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:52.947216988 CET	53	55220	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:52.947917938 CET	53883	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:52.979396105 CET	53	53883	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:52.980120897 CET	51090	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:52.990302086 CET	53	51090	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:52.991113901 CET	57493	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.001091957 CET	53	57493	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.001825094 CET	54598	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.013135910 CET	53	54598	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.014040947 CET	51336	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.023627996 CET	53	51336	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.024374962 CET	55596	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.034677982 CET	53	55596	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.035387993 CET	58747	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.045337915 CET	53	58747	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.046473980 CET	58227	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.056196928 CET	53	58227	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.056875944 CET	65267	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.068620920 CET	53	65267	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.069360018 CET	50657	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.079057932 CET	53	50657	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.079663038 CET	55879	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.088804007 CET	53	55879	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.089387894 CET	63119	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.099632978 CET	53	63119	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.100294113 CET	57298	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.108453035 CET	53	57298	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.109095097 CET	64512	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.118410110 CET	53	64512	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.119021893 CET	50386	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.128694057 CET	53	50386	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.129462004 CET	51819	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.139612913 CET	53	51819	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.140676975 CET	62676	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.171655893 CET	53	62676	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.172700882 CET	50072	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.336307049 CET	53	50072	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.586164951 CET	53689	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.596457005 CET	53	53689	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.597407103 CET	52293	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.608522892 CET	53	52293	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.612026930 CET	58423	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.622709036 CET	53	58423	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.623626947 CET	49228	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.654251099 CET	53	49228	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.655291080 CET	56856	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.667848110 CET	53	56856	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.668809891 CET	64709	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.679001093 CET	53	64709	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.680021048 CET	63309	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.690409899 CET	53	63309	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.691391945 CET	54635	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.702188015 CET	53	54635	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.703160048 CET	56241	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.712399960 CET	53	56241	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.713223934 CET	49843	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.744632959 CET	53	49843	1.1.1.1	192.168.2.4
Nov 7, 2024 13:14:53.745656013 CET	53189	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:14:53.757088900 CET	53	53189	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:04.019325972 CET	64125	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:04.049114943 CET	53	64125	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:06.044882059 CET	57306	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:06.054765940 CET	53	57306	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:06.055676937 CET	53056	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:06.087049007 CET	53	53056	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:06.087933064 CET	52311	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:06.098330021 CET	53	52311	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:06.099081993 CET	49233	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:06.130645037 CET	53	49233	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:06.131566048 CET	58760	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:06.141992092 CET	53	58760	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:06.142870903 CET	54336	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:06.305579901 CET	53	54336	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:06.307300091 CET	50898	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:06.338807106 CET	53	50898	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:07.557794094 CET	55282	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:07.567210913 CET	53	55282	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:07.568113089 CET	56153	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:07.578017950 CET	53	56153	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:07.579098940 CET	63055	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:07.610232115 CET	53	63055	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:07.611258984 CET	56697	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:07.642211914 CET	53	56697	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:07.643291950 CET	53725	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:07.654150963 CET	53	53725	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:07.655251026 CET	52772	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:07.666003942 CET	53	52772	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:07.667172909 CET	59844	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:07.675642014 CET	53	59844	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:07.676624060 CET	58887	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:07.871895075 CET	53	58887	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:07.873061895 CET	49779	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:07.883078098 CET	53	49779	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:07.884162903 CET	63569	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:07.893567085 CET	53	63569	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:07.894582987 CET	65051	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:07.904015064 CET	53	65051	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:07.904912949 CET	58525	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:07.935367107 CET	53	58525	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:07.936533928 CET	49531	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:07.946578026 CET	53	49531	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:07.947334051 CET	55172	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:07.979159117 CET	53	55172	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:07.980283976 CET	54450	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:07.989976883 CET	53	54450	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:07.991163015 CET	57930	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:08.000804901 CET	53	57930	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:08.001966000 CET	61748	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:08.031733036 CET	53	61748	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:08.033220053 CET	60990	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:08.064709902 CET	53	60990	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:08.065951109 CET	55342	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:08.097307920 CET	53	55342	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:08.098577976 CET	56147	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:08.108545065 CET	53	56147	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:08.109740019 CET	51805	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:08.120085955 CET	53	51805	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:08.121432066 CET	55217	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:08.131052017 CET	53	55217	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:08.132025957 CET	59169	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:08.142693043 CET	53	59169	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:08.786427021 CET	62933	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:08.819123030 CET	53	62933	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:08.820141077 CET	54644	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:08.829989910 CET	53	54644	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:08.831172943 CET	61869	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:08.841386080 CET	53	61869	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:08.842470884 CET	50397	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:08.873521090 CET	53	50397	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:10.793263912 CET	58080	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:10.802494049 CET	53	58080	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:10.803155899 CET	49660	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:10.812715054 CET	53	49660	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:10.813411951 CET	53566	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:10.822104931 CET	53	53566	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:10.822767019 CET	50056	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:10.832341909 CET	53	50056	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:10.832875967 CET	54123	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:10.842964888 CET	53	54123	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:10.843633890 CET	56407	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:10.853383064 CET	53	56407	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:10.853877068 CET	62010	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:10.863810062 CET	53	62010	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:10.864311934 CET	59477	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:10.873348951 CET	53	59477	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:10.874140978 CET	56330	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:10.883757114 CET	53	56330	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:10.884246111 CET	62492	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:10.893676043 CET	53	62492	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:10.894129992 CET	54578	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:10.904834986 CET	53	54578	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:10.905325890 CET	54285	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:10.914297104 CET	53	54285	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:10.914755106 CET	56201	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.079287052 CET	53	56201	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.080590963 CET	55290	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.091038942 CET	53	55290	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.091922045 CET	55225	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.102605104 CET	53	55225	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.103408098 CET	52289	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.114052057 CET	53	52289	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.115102053 CET	50865	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.145862103 CET	53	50865	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.146956921 CET	63250	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.178925991 CET	53	63250	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.180123091 CET	59755	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.211815119 CET	53	59755	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.212944984 CET	62231	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.223144054 CET	53	62231	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.224031925 CET	57057	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.233737946 CET	53	57057	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.234673023 CET	50990	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.265650988 CET	53	50990	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.266598940 CET	51205	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.276422977 CET	53	51205	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.277363062 CET	49375	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.287038088 CET	53	49375	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.287987947 CET	59899	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.295749903 CET	53	59899	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.296611071 CET	54166	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.306387901 CET	53	54166	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.307385921 CET	62432	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.318505049 CET	53	62432	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.319562912 CET	61349	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.351075888 CET	53	61349	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.352116108 CET	63336	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.361871004 CET	53	63336	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.362776995 CET	58408	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.373610973 CET	53	58408	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.374818087 CET	64626	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.405632019 CET	53	64626	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.406742096 CET	58312	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.418890953 CET	53	58312	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.419666052 CET	64986	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.451046944 CET	53	64986	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.452097893 CET	62035	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.461672068 CET	53	62035	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.462450981 CET	57954	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.472651005 CET	53	57954	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.473432064 CET	63573	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.484195948 CET	53	63573	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.484916925 CET	64147	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.495286942 CET	53	64147	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.496082067 CET	58828	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.506120920 CET	53	58828	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.507021904 CET	50571	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.539525986 CET	53	50571	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.540406942 CET	64326	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.549442053 CET	53	64326	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.550064087 CET	59257	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.559881926 CET	53	59257	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.560645103 CET	56206	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.570367098 CET	53	56206	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.571100950 CET	63702	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.602540970 CET	53	63702	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.603468895 CET	61972	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.613212109 CET	53	61972	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.614059925 CET	55962	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.623855114 CET	53	55962	1.1.1.1	192.168.2.4
Nov 7, 2024 13:16:11.624594927 CET	59428	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:16:11.633557081 CET	53	59428	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:24.717654943 CET	54828	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:24.749471903 CET	53	54828	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:26.679575920 CET	56816	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:26.707175016 CET	56816	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:26.710330009 CET	53	56816	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:26.712177038 CET	58565	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:26.713872910 CET	53	56816	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:26.721741915 CET	53	58565	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:26.723110914 CET	54187	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:26.732090950 CET	53	54187	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:26.732709885 CET	63957	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:26.745301962 CET	53	63957	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:26.747070074 CET	58905	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:26.756563902 CET	53	58905	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:26.757231951 CET	50330	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:26.785203934 CET	50330	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:26.788389921 CET	53	50330	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:26.789187908 CET	58960	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:26.792664051 CET	53	50330	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:26.819432974 CET	58960	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:26.820605040 CET	53	58960	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:26.826838970 CET	53	58960	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.020426035 CET	65515	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:28.029972076 CET	53	65515	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.030819893 CET	57998	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:28.050806999 CET	57998	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:28.062602997 CET	53	57998	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.062617064 CET	53	57998	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.064496040 CET	65138	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:28.075043917 CET	53	65138	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.076530933 CET	59897	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:28.085489988 CET	53	59897	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.087256908 CET	65428	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:28.097349882 CET	53	65428	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.098345041 CET	61045	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:28.108573914 CET	53	61045	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.109359980 CET	54806	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:28.129134893 CET	54806	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:28.135927916 CET	53	54806	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.140640020 CET	53	54806	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.776098013 CET	64206	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:28.800777912 CET	64206	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:28.811217070 CET	53	64206	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.811240911 CET	53	64206	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.813219070 CET	55485	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:28.824338913 CET	53	55485	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.825248003 CET	63030	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:28.835124969 CET	53	63030	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.838789940 CET	57279	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:28.863565922 CET	57279	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:28.870527029 CET	53	57279	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.870632887 CET	53	57279	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.871975899 CET	49787	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:28.881184101 CET	53	49787	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.882754087 CET	50911	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:28.892647028 CET	53	50911	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.893587112 CET	49653	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:28.904347897 CET	53	49653	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.905807018 CET	60613	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:28.925846100 CET	60613	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:28.938008070 CET	53	60613	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.938102007 CET	53	60613	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.939101934 CET	53111	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:28.948698997 CET	53	53111	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.949698925 CET	55420	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:28.972691059 CET	55420	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:28.981077909 CET	53	55420	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.981096029 CET	53	55420	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.983416080 CET	54630	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:28.993716002 CET	53	54630	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:28.995115042 CET	61085	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:29.004570007 CET	53	61085	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:29.005500078 CET	55476	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:29.015609026 CET	53	55476	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:29.016376019 CET	54422	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:29.025651932 CET	53	54422	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:29.026365995 CET	60076	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:29.050854921 CET	60076	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:29.057149887 CET	53	60076	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:29.057454109 CET	53	60076	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:29.058717966 CET	63239	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:29.067914963 CET	53	63239	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:29.702872992 CET	49278	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:29.722657919 CET	49278	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:29.733273029 CET	53	49278	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:29.733313084 CET	53	49278	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:29.734256029 CET	64571	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:29.743855000 CET	53	64571	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:29.744705915 CET	63739	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:29.769624949 CET	63739	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:29.776141882 CET	53	63739	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:29.776702881 CET	53	63739	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:29.776930094 CET	53303	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:29.784532070 CET	53	53303	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:31.860357046 CET	55121	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:31.878921032 CET	55121	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:31.892863035 CET	53	55121	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:31.893007040 CET	53	55121	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:31.900351048 CET	65518	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:31.925858974 CET	65518	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:31.932905912 CET	53	65518	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:31.933870077 CET	56170	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:31.934679031 CET	53	65518	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:31.945700884 CET	53	56170	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:31.946621895 CET	55520	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:31.973463058 CET	55520	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:31.977902889 CET	53	55520	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:31.978921890 CET	51099	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:31.980056047 CET	53	55520	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:32.003984928 CET	51099	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:32.011224985 CET	53	51099	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:32.011245966 CET	53	51099	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:32.015687943 CET	63789	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:32.026186943 CET	53	63789	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:32.027072906 CET	62197	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:32.037197113 CET	53	62197	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:32.037854910 CET	52412	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:32.047259092 CET	53	52412	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:32.048031092 CET	65353	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:32.058713913 CET	53	65353	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:32.059359074 CET	58359	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:32.069442987 CET	53	58359	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:32.070877075 CET	60805	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:32.081232071 CET	53	60805	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:32.081861019 CET	62049	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:32.097651958 CET	62049	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:32.111830950 CET	53	62049	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:32.111846924 CET	53	62049	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:32.113173008 CET	63544	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:32.123038054 CET	53	63544	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:32.123836040 CET	54022	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:32.135051966 CET	53	54022	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:32.135735035 CET	61633	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:32.160140991 CET	61633	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:32.296255112 CET	53	61633	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:32.296277046 CET	53	61633	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:32.297420979 CET	63054	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:32.316457033 CET	63054	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:32.323132038 CET	53	63054	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:32.460830927 CET	53	63054	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:33.091068983 CET	62202	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:33.113676071 CET	62202	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:33.120347977 CET	53	62202	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:33.122124910 CET	53	62202	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:33.763808012 CET	58647	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:33.773099899 CET	53	58647	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:33.773950100 CET	59312	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:33.781029940 CET	53	59312	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:33.781930923 CET	62052	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:33.791357994 CET	53	62052	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:33.792156935 CET	50654	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:33.801986933 CET	53	50654	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:33.802665949 CET	58925	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:33.831963062 CET	58925	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.046339989 CET	53	58925	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.046354055 CET	53	58925	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.047372103 CET	62807	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.066457987 CET	62807	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.078063011 CET	53	62807	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.078093052 CET	53	62807	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.079088926 CET	49784	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.087960005 CET	53	49784	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.088695049 CET	62639	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.098431110 CET	53	62639	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.099075079 CET	51116	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.128846884 CET	51116	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.130182028 CET	53	51116	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.131076097 CET	57909	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.135605097 CET	53	51116	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.160082102 CET	57909	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.161947966 CET	53	57909	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.162801981 CET	65388	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.167165995 CET	53	57909	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.170342922 CET	53	65388	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.171060085 CET	51881	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.180648088 CET	53	51881	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.181406021 CET	59586	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.207082987 CET	59586	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.212835073 CET	53	59586	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.214040995 CET	60104	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.214051962 CET	53	59586	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.238310099 CET	60104	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.244414091 CET	53	60104	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.245182991 CET	53	60104	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.245554924 CET	61839	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.252870083 CET	53	61839	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.253638983 CET	64221	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.262945890 CET	53	64221	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.263848066 CET	56522	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.273328066 CET	53	56522	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.274123907 CET	62019	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.300776958 CET	62019	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.308965921 CET	53	62019	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.309139967 CET	53	62019	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.309990883 CET	53566	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.320899963 CET	53	53566	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.322654009 CET	55779	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.332586050 CET	53	55779	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.333539009 CET	52363	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.342941999 CET	53	52363	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.345232010 CET	59780	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.354837894 CET	53	59780	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.355604887 CET	64462	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.365829945 CET	53	64462	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.366506100 CET	62107	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.376176119 CET	53	62107	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.376995087 CET	61736	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.386176109 CET	53	61736	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.386956930 CET	50375	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.410146952 CET	50375	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.417812109 CET	53	50375	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.417854071 CET	53	50375	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.418699980 CET	52034	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.427997112 CET	53	52034	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.431309938 CET	51411	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.457036018 CET	51411	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.462299109 CET	53	51411	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.463211060 CET	65095	53	192.168.2.4	1.1.1.1
Nov 7, 2024 13:17:34.463721991 CET	53	51411	1.1.1.1	192.168.2.4
Nov 7, 2024 13:17:34.473421097 CET	53	65095	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 7, 2024 13:14:44.549669027 CET	192.168.2.4	1.1.1.1	0x5e27	Standard query (0)	hearddivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:44.624370098 CET	192.168.2.4	1.1.1.1	0x73ae	Standard query (0)	pleasantstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:46.813749075 CET	192.168.2.4	1.1.1.1	0x5212	Standard query (0)	necessarystream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:46.844880104 CET	192.168.2.4	1.1.1.1	0x67d2	Standard query (0)	pleasantnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:46.858891010 CET	192.168.2.4	1.1.1.1	0x5b0f	Standard query (0)	necessarynothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:46.871157885 CET	192.168.2.4	1.1.1.1	0xf56a	Standard query (0)	pleasantbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:46.903089046 CET	192.168.2.4	1.1.1.1	0x60e	Standard query (0)	necessarybottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:46.914680004 CET	192.168.2.4	1.1.1.1	0x1073	Standard query (0)	pleasantdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:46.926434994 CET	192.168.2.4	1.1.1.1	0x9aeb	Standard query (0)	necessarydivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:46.937182903 CET	192.168.2.4	1.1.1.1	0x7f0a	Standard query (0)	orderstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.248121023 CET	192.168.2.4	1.1.1.1	0xefbf	Standard query (0)	requirestream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.279582024 CET	192.168.2.4	1.1.1.1	0xfcb6	Standard query (0)	ordernothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.290143967 CET	192.168.2.4	1.1.1.1	0xdd0	Standard query (0)	requirenothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.321535110 CET	192.168.2.4	1.1.1.1	0x7430	Standard query (0)	orderbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.331779003 CET	192.168.2.4	1.1.1.1	0x307b	Standard query (0)	requirebottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.341234922 CET	192.168.2.4	1.1.1.1	0xbfb8	Standard query (0)	orderdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.351819038 CET	192.168.2.4	1.1.1.1	0x8498	Standard query (0)	requiredivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.384560108 CET	192.168.2.4	1.1.1.1	0xfaed	Standard query (0)	leaderstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.547455072 CET	192.168.2.4	1.1.1.1	0x4c5e	Standard query (0)	heavenstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.557651043 CET	192.168.2.4	1.1.1.1	0x2a64	Standard query (0)	leadernothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.568501949 CET	192.168.2.4	1.1.1.1	0x3fb9	Standard query (0)	heavennothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.579767942 CET	192.168.2.4	1.1.1.1	0xc746	Standard query (0)	leaderbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.590506077 CET	192.168.2.4	1.1.1.1	0x8122	Standard query (0)	heavenbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.602673054 CET	192.168.2.4	1.1.1.1	0x4cb2	Standard query (0)	leaderdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.613729954 CET	192.168.2.4	1.1.1.1	0xc8e1	Standard query (0)	heavendivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.623979092 CET	192.168.2.4	1.1.1.1	0x4a0f	Standard query (0)	heavystream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.634073973 CET	192.168.2.4	1.1.1.1	0xd607	Standard query (0)	gentlestream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.646552086 CET	192.168.2.4	1.1.1.1	0x4232	Standard query (0)	heavynothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.678985119 CET	192.168.2.4	1.1.1.1	0xe272	Standard query (0)	gentlenothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.690332890 CET	192.168.2.4	1.1.1.1	0xe23	Standard query (0)	heavybottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.722640038 CET	192.168.2.4	1.1.1.1	0x9354	Standard query (0)	gentlebottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.733602047 CET	192.168.2.4	1.1.1.1	0xebcf	Standard query (0)	heavydivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.766585112 CET	192.168.2.4	1.1.1.1	0xb1a1	Standard query (0)	gentledivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.776693106 CET	192.168.2.4	1.1.1.1	0x7875	Standard query (0)	variousstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:49.771080971 CET	192.168.2.4	1.1.1.1	0x6325	Standard query (0)	returnstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:49.781696081 CET	192.168.2.4	1.1.1.1	0xe84e	Standard query (0)	variousnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:49.795231104 CET	192.168.2.4	1.1.1.1	0x9532	Standard query (0)	returnnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:50.074785948 CET	192.168.2.4	1.1.1.1	0x4f83	Standard query (0)	variousbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:50.103223085 CET	192.168.2.4	1.1.1.1	0xbd9b	Standard query (0)	returnbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.212483883 CET	192.168.2.4	1.1.1.1	0x6ad9	Standard query (0)	variousdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.387171030 CET	192.168.2.4	1.1.1.1	0xf979	Standard query (0)	returndivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.561609030 CET	192.168.2.4	1.1.1.1	0x8bea	Standard query (0)	degreemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.583817005 CET	192.168.2.4	1.1.1.1	0xcecf	Standard query (0)	forwardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.595989943 CET	192.168.2.4	1.1.1.1	0x8e94	Standard query (0)	degreeanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.608966112 CET	192.168.2.4	1.1.1.1	0x3f8a	Standard query (0)	forwardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.619029045 CET	192.168.2.4	1.1.1.1	0xe799	Standard query (0)	degreebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.650011063 CET	192.168.2.4	1.1.1.1	0xd67e	Standard query (0)	forwardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.660257101 CET	192.168.2.4	1.1.1.1	0x8624	Standard query (0)	degreeappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.671560049 CET	192.168.2.4	1.1.1.1	0x1c9	Standard query (0)	forwardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.682328939 CET	192.168.2.4	1.1.1.1	0x6e1c	Standard query (0)	answermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.692929029 CET	192.168.2.4	1.1.1.1	0x8881	Standard query (0)	glassmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.725886106 CET	192.168.2.4	1.1.1.1	0x76da	Standard query (0)	answeranother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.736999989 CET	192.168.2.4	1.1.1.1	0x51fd	Standard query (0)	glassanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.748301983 CET	192.168.2.4	1.1.1.1	0x28ce	Standard query (0)	answerbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.926382065 CET	192.168.2.4	1.1.1.1	0xa6	Standard query (0)	glassbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.937304020 CET	192.168.2.4	1.1.1.1	0xaa65	Standard query (0)	answerappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.947917938 CET	192.168.2.4	1.1.1.1	0x9e6	Standard query (0)	glassappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.980120897 CET	192.168.2.4	1.1.1.1	0xafde	Standard query (0)	difficultmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.991113901 CET	192.168.2.4	1.1.1.1	0xe7fe	Standard query (0)	heardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.001825094 CET	192.168.2.4	1.1.1.1	0xd9a5	Standard query (0)	difficultanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.014040947 CET	192.168.2.4	1.1.1.1	0xcde9	Standard query (0)	heardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.024374962 CET	192.168.2.4	1.1.1.1	0x385e	Standard query (0)	difficultbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.035387993 CET	192.168.2.4	1.1.1.1	0xd22d	Standard query (0)	heardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.046473980 CET	192.168.2.4	1.1.1.1	0x357e	Standard query (0)	difficultappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.056875944 CET	192.168.2.4	1.1.1.1	0xde08	Standard query (0)	heardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.069360018 CET	192.168.2.4	1.1.1.1	0x99b4	Standard query (0)	pleasantmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.079663038 CET	192.168.2.4	1.1.1.1	0x435f	Standard query (0)	necessarymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.089387894 CET	192.168.2.4	1.1.1.1	0x2fa3	Standard query (0)	pleasantanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.100294113 CET	192.168.2.4	1.1.1.1	0xd494	Standard query (0)	necessaryanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.109095097 CET	192.168.2.4	1.1.1.1	0xfed5	Standard query (0)	pleasantbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.119021893 CET	192.168.2.4	1.1.1.1	0x9b08	Standard query (0)	necessarybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.129462004 CET	192.168.2.4	1.1.1.1	0xf45e	Standard query (0)	pleasantappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.140676975 CET	192.168.2.4	1.1.1.1	0x586	Standard query (0)	necessaryappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.172700882 CET	192.168.2.4	1.1.1.1	0x8266	Standard query (0)	ordermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.586164951 CET	192.168.2.4	1.1.1.1	0x2a6f	Standard query (0)	requiremanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.597407103 CET	192.168.2.4	1.1.1.1	0xf7ca	Standard query (0)	orderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.612026930 CET	192.168.2.4	1.1.1.1	0xe67c	Standard query (0)	requireanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.623626947 CET	192.168.2.4	1.1.1.1	0x70e0	Standard query (0)	orderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.655291080 CET	192.168.2.4	1.1.1.1	0xd937	Standard query (0)	requirebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.668809891 CET	192.168.2.4	1.1.1.1	0xe22f	Standard query (0)	orderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.680021048 CET	192.168.2.4	1.1.1.1	0x7032	Standard query (0)	requireappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.691391945 CET	192.168.2.4	1.1.1.1	0xc26b	Standard query (0)	leadermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.703160048 CET	192.168.2.4	1.1.1.1	0x7646	Standard query (0)	heavenmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.713223934 CET	192.168.2.4	1.1.1.1	0xc2f7	Standard query (0)	leaderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.745656013 CET	192.168.2.4	1.1.1.1	0x6ef0	Standard query (0)	heavenanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:04.019325972 CET	192.168.2.4	1.1.1.1	0xf186	Standard query (0)	hearddivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:06.044882059 CET	192.168.2.4	1.1.1.1	0xbbb1	Standard query (0)	necessarystream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:06.055676937 CET	192.168.2.4	1.1.1.1	0xfa03	Standard query (0)	pleasantnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:06.087933064 CET	192.168.2.4	1.1.1.1	0xbac5	Standard query (0)	necessarynothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:06.099081993 CET	192.168.2.4	1.1.1.1	0x6a42	Standard query (0)	pleasantbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:06.131566048 CET	192.168.2.4	1.1.1.1	0x9302	Standard query (0)	necessarybottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:06.142870903 CET	192.168.2.4	1.1.1.1	0x3944	Standard query (0)	pleasantdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:06.307300091 CET	192.168.2.4	1.1.1.1	0x67b1	Standard query (0)	necessarydivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.557794094 CET	192.168.2.4	1.1.1.1	0x85c2	Standard query (0)	requirestream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.568113089 CET	192.168.2.4	1.1.1.1	0x1203	Standard query (0)	ordernothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.579098940 CET	192.168.2.4	1.1.1.1	0xd17e	Standard query (0)	requirenothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.611258984 CET	192.168.2.4	1.1.1.1	0x71a5	Standard query (0)	orderbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.643291950 CET	192.168.2.4	1.1.1.1	0xe917	Standard query (0)	requirebottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.655251026 CET	192.168.2.4	1.1.1.1	0xbeb2	Standard query (0)	orderdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.667172909 CET	192.168.2.4	1.1.1.1	0xab77	Standard query (0)	requiredivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.676624060 CET	192.168.2.4	1.1.1.1	0x6588	Standard query (0)	leaderstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.873061895 CET	192.168.2.4	1.1.1.1	0xaf0a	Standard query (0)	heavenstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.884162903 CET	192.168.2.4	1.1.1.1	0x2c39	Standard query (0)	leadernothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.894582987 CET	192.168.2.4	1.1.1.1	0xe544	Standard query (0)	heavennothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.904912949 CET	192.168.2.4	1.1.1.1	0x106f	Standard query (0)	leaderbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.936533928 CET	192.168.2.4	1.1.1.1	0x7808	Standard query (0)	heavenbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.947334051 CET	192.168.2.4	1.1.1.1	0xda97	Standard query (0)	leaderdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.980283976 CET	192.168.2.4	1.1.1.1	0x22ce	Standard query (0)	heavendivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.991163015 CET	192.168.2.4	1.1.1.1	0x5919	Standard query (0)	heavystream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:08.001966000 CET	192.168.2.4	1.1.1.1	0xed7b	Standard query (0)	gentlestream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:08.033220053 CET	192.168.2.4	1.1.1.1	0x25d6	Standard query (0)	heavynothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:08.065951109 CET	192.168.2.4	1.1.1.1	0x99a5	Standard query (0)	gentlenothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:08.098577976 CET	192.168.2.4	1.1.1.1	0xb14e	Standard query (0)	heavybottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:08.109740019 CET	192.168.2.4	1.1.1.1	0xdbbb	Standard query (0)	gentlebottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:08.121432066 CET	192.168.2.4	1.1.1.1	0x429b	Standard query (0)	heavydivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:08.132025957 CET	192.168.2.4	1.1.1.1	0x9b5e	Standard query (0)	gentledivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:08.786427021 CET	192.168.2.4	1.1.1.1	0x9266	Standard query (0)	returnstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:08.820141077 CET	192.168.2.4	1.1.1.1	0xe10e	Standard query (0)	variousnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:08.831172943 CET	192.168.2.4	1.1.1.1	0x3af1	Standard query (0)	returnnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:08.842470884 CET	192.168.2.4	1.1.1.1	0x9db2	Standard query (0)	variousbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.793263912 CET	192.168.2.4	1.1.1.1	0xe929	Standard query (0)	variousdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.803155899 CET	192.168.2.4	1.1.1.1	0xa21b	Standard query (0)	returndivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.813411951 CET	192.168.2.4	1.1.1.1	0xbc85	Standard query (0)	degreemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.822767019 CET	192.168.2.4	1.1.1.1	0x8050	Standard query (0)	forwardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.832875967 CET	192.168.2.4	1.1.1.1	0x4e40	Standard query (0)	degreeanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.843633890 CET	192.168.2.4	1.1.1.1	0x37a8	Standard query (0)	forwardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.853877068 CET	192.168.2.4	1.1.1.1	0x162f	Standard query (0)	degreebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.864311934 CET	192.168.2.4	1.1.1.1	0xd604	Standard query (0)	forwardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.874140978 CET	192.168.2.4	1.1.1.1	0x1133	Standard query (0)	degreeappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.884246111 CET	192.168.2.4	1.1.1.1	0x5021	Standard query (0)	forwardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.894129992 CET	192.168.2.4	1.1.1.1	0x844f	Standard query (0)	answermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.905325890 CET	192.168.2.4	1.1.1.1	0xf178	Standard query (0)	glassmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.914755106 CET	192.168.2.4	1.1.1.1	0x81cd	Standard query (0)	answeranother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.080590963 CET	192.168.2.4	1.1.1.1	0x68b3	Standard query (0)	glassanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.091922045 CET	192.168.2.4	1.1.1.1	0x4387	Standard query (0)	answerbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.103408098 CET	192.168.2.4	1.1.1.1	0x6372	Standard query (0)	glassbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.115102053 CET	192.168.2.4	1.1.1.1	0xa657	Standard query (0)	answerappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.146956921 CET	192.168.2.4	1.1.1.1	0x38bb	Standard query (0)	glassappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.180123091 CET	192.168.2.4	1.1.1.1	0xfe0d	Standard query (0)	difficultmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.212944984 CET	192.168.2.4	1.1.1.1	0xd7bd	Standard query (0)	heardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.224031925 CET	192.168.2.4	1.1.1.1	0x4a8	Standard query (0)	difficultanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.234673023 CET	192.168.2.4	1.1.1.1	0x9043	Standard query (0)	heardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.266598940 CET	192.168.2.4	1.1.1.1	0xf097	Standard query (0)	difficultbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.277363062 CET	192.168.2.4	1.1.1.1	0xe500	Standard query (0)	heardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.287987947 CET	192.168.2.4	1.1.1.1	0x497f	Standard query (0)	difficultappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.296611071 CET	192.168.2.4	1.1.1.1	0xcc61	Standard query (0)	heardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.307385921 CET	192.168.2.4	1.1.1.1	0xb0b9	Standard query (0)	pleasantmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.319562912 CET	192.168.2.4	1.1.1.1	0x19f5	Standard query (0)	necessarymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.352116108 CET	192.168.2.4	1.1.1.1	0x9ef5	Standard query (0)	pleasantanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.362776995 CET	192.168.2.4	1.1.1.1	0xc09d	Standard query (0)	necessaryanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.374818087 CET	192.168.2.4	1.1.1.1	0xde9c	Standard query (0)	pleasantbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.406742096 CET	192.168.2.4	1.1.1.1	0x4c9	Standard query (0)	necessarybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.419666052 CET	192.168.2.4	1.1.1.1	0x6a4f	Standard query (0)	pleasantappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.452097893 CET	192.168.2.4	1.1.1.1	0xcc76	Standard query (0)	necessaryappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.462450981 CET	192.168.2.4	1.1.1.1	0x9fc3	Standard query (0)	ordermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.473432064 CET	192.168.2.4	1.1.1.1	0x7a54	Standard query (0)	requiremanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.484916925 CET	192.168.2.4	1.1.1.1	0xc8e2	Standard query (0)	orderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.496082067 CET	192.168.2.4	1.1.1.1	0xf3f8	Standard query (0)	requireanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.507021904 CET	192.168.2.4	1.1.1.1	0xc6ce	Standard query (0)	orderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.540406942 CET	192.168.2.4	1.1.1.1	0xe4be	Standard query (0)	requirebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.550064087 CET	192.168.2.4	1.1.1.1	0x56e3	Standard query (0)	orderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.560645103 CET	192.168.2.4	1.1.1.1	0x5e5c	Standard query (0)	requireappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.571100950 CET	192.168.2.4	1.1.1.1	0xc1fb	Standard query (0)	leadermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.603468895 CET	192.168.2.4	1.1.1.1	0x572	Standard query (0)	heavenmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.614059925 CET	192.168.2.4	1.1.1.1	0x67e6	Standard query (0)	leaderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.624594927 CET	192.168.2.4	1.1.1.1	0x958a	Standard query (0)	heavenanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:24.717654943 CET	192.168.2.4	1.1.1.1	0x6519	Standard query (0)	hearddivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:26.679575920 CET	192.168.2.4	1.1.1.1	0xf9f7	Standard query (0)	necessarystream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:26.707175016 CET	192.168.2.4	1.1.1.1	0xf9f7	Standard query (0)	necessarystream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:26.712177038 CET	192.168.2.4	1.1.1.1	0xea41	Standard query (0)	pleasantnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:26.723110914 CET	192.168.2.4	1.1.1.1	0x936f	Standard query (0)	necessarynothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:26.732709885 CET	192.168.2.4	1.1.1.1	0x9f32	Standard query (0)	pleasantbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:26.747070074 CET	192.168.2.4	1.1.1.1	0xe03	Standard query (0)	necessarybottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:26.757231951 CET	192.168.2.4	1.1.1.1	0x4edf	Standard query (0)	pleasantdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:26.785203934 CET	192.168.2.4	1.1.1.1	0x4edf	Standard query (0)	pleasantdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:26.789187908 CET	192.168.2.4	1.1.1.1	0x78b0	Standard query (0)	necessarydivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:26.819432974 CET	192.168.2.4	1.1.1.1	0x78b0	Standard query (0)	necessarydivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.020426035 CET	192.168.2.4	1.1.1.1	0xb173	Standard query (0)	requirestream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.030819893 CET	192.168.2.4	1.1.1.1	0x61e9	Standard query (0)	ordernothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.050806999 CET	192.168.2.4	1.1.1.1	0x61e9	Standard query (0)	ordernothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.064496040 CET	192.168.2.4	1.1.1.1	0xffc4	Standard query (0)	requirenothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.076530933 CET	192.168.2.4	1.1.1.1	0x8b14	Standard query (0)	orderbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.087256908 CET	192.168.2.4	1.1.1.1	0xa508	Standard query (0)	requirebottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.098345041 CET	192.168.2.4	1.1.1.1	0xe1e6	Standard query (0)	orderdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.109359980 CET	192.168.2.4	1.1.1.1	0x33ca	Standard query (0)	requiredivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.129134893 CET	192.168.2.4	1.1.1.1	0x33ca	Standard query (0)	requiredivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.776098013 CET	192.168.2.4	1.1.1.1	0x4f05	Standard query (0)	leaderstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.800777912 CET	192.168.2.4	1.1.1.1	0x4f05	Standard query (0)	leaderstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.813219070 CET	192.168.2.4	1.1.1.1	0x9888	Standard query (0)	heavenstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.825248003 CET	192.168.2.4	1.1.1.1	0x3f2f	Standard query (0)	leadernothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.838789940 CET	192.168.2.4	1.1.1.1	0xd466	Standard query (0)	heavennothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.863565922 CET	192.168.2.4	1.1.1.1	0xd466	Standard query (0)	heavennothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.871975899 CET	192.168.2.4	1.1.1.1	0xf904	Standard query (0)	leaderbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.882754087 CET	192.168.2.4	1.1.1.1	0xd603	Standard query (0)	heavenbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.893587112 CET	192.168.2.4	1.1.1.1	0x1c67	Standard query (0)	leaderdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.905807018 CET	192.168.2.4	1.1.1.1	0x5705	Standard query (0)	heavendivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.925846100 CET	192.168.2.4	1.1.1.1	0x5705	Standard query (0)	heavendivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.939101934 CET	192.168.2.4	1.1.1.1	0x6e0a	Standard query (0)	heavystream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.949698925 CET	192.168.2.4	1.1.1.1	0x3ba	Standard query (0)	gentlestream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.972691059 CET	192.168.2.4	1.1.1.1	0x3ba	Standard query (0)	gentlestream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.983416080 CET	192.168.2.4	1.1.1.1	0x8218	Standard query (0)	heavynothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.995115042 CET	192.168.2.4	1.1.1.1	0x5156	Standard query (0)	gentlenothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:29.005500078 CET	192.168.2.4	1.1.1.1	0x2927	Standard query (0)	heavybottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:29.016376019 CET	192.168.2.4	1.1.1.1	0x323d	Standard query (0)	gentlebottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:29.026365995 CET	192.168.2.4	1.1.1.1	0xd4fd	Standard query (0)	heavydivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:29.050854921 CET	192.168.2.4	1.1.1.1	0xd4fd	Standard query (0)	heavydivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:29.058717966 CET	192.168.2.4	1.1.1.1	0x54ab	Standard query (0)	gentledivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:29.702872992 CET	192.168.2.4	1.1.1.1	0x3ff8	Standard query (0)	returnstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:29.722657919 CET	192.168.2.4	1.1.1.1	0x3ff8	Standard query (0)	returnstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:29.734256029 CET	192.168.2.4	1.1.1.1	0x8a50	Standard query (0)	variousnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:29.744705915 CET	192.168.2.4	1.1.1.1	0x4176	Standard query (0)	returnnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:29.769624949 CET	192.168.2.4	1.1.1.1	0x4176	Standard query (0)	returnnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:29.776930094 CET	192.168.2.4	1.1.1.1	0x6c4b	Standard query (0)	variousbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:31.860357046 CET	192.168.2.4	1.1.1.1	0x886d	Standard query (0)	variousdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:31.878921032 CET	192.168.2.4	1.1.1.1	0x886d	Standard query (0)	variousdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:31.900351048 CET	192.168.2.4	1.1.1.1	0x22b0	Standard query (0)	returndivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:31.925858974 CET	192.168.2.4	1.1.1.1	0x22b0	Standard query (0)	returndivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:31.933870077 CET	192.168.2.4	1.1.1.1	0xfcbd	Standard query (0)	degreemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:31.946621895 CET	192.168.2.4	1.1.1.1	0x6d83	Standard query (0)	forwardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:31.973463058 CET	192.168.2.4	1.1.1.1	0x6d83	Standard query (0)	forwardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:31.978921890 CET	192.168.2.4	1.1.1.1	0xe8f6	Standard query (0)	degreeanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.003984928 CET	192.168.2.4	1.1.1.1	0xe8f6	Standard query (0)	degreeanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.015687943 CET	192.168.2.4	1.1.1.1	0x9228	Standard query (0)	forwardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.027072906 CET	192.168.2.4	1.1.1.1	0x137f	Standard query (0)	degreebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.037854910 CET	192.168.2.4	1.1.1.1	0xe340	Standard query (0)	forwardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.048031092 CET	192.168.2.4	1.1.1.1	0xbcb1	Standard query (0)	degreeappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.059359074 CET	192.168.2.4	1.1.1.1	0x3c6b	Standard query (0)	forwardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.070877075 CET	192.168.2.4	1.1.1.1	0xb6ab	Standard query (0)	answermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.081861019 CET	192.168.2.4	1.1.1.1	0x5e42	Standard query (0)	glassmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.097651958 CET	192.168.2.4	1.1.1.1	0x5e42	Standard query (0)	glassmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.113173008 CET	192.168.2.4	1.1.1.1	0xdddd	Standard query (0)	answeranother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.123836040 CET	192.168.2.4	1.1.1.1	0x519f	Standard query (0)	glassanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.135735035 CET	192.168.2.4	1.1.1.1	0xfd2c	Standard query (0)	answerbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.160140991 CET	192.168.2.4	1.1.1.1	0xfd2c	Standard query (0)	answerbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.297420979 CET	192.168.2.4	1.1.1.1	0x2b2d	Standard query (0)	glassbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.316457033 CET	192.168.2.4	1.1.1.1	0x2b2d	Standard query (0)	glassbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:33.091068983 CET	192.168.2.4	1.1.1.1	0x3328	Standard query (0)	answerappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:33.113676071 CET	192.168.2.4	1.1.1.1	0x3328	Standard query (0)	answerappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:33.763808012 CET	192.168.2.4	1.1.1.1	0x7676	Standard query (0)	glassappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:33.773950100 CET	192.168.2.4	1.1.1.1	0x9d4e	Standard query (0)	difficultmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:33.781930923 CET	192.168.2.4	1.1.1.1	0xad89	Standard query (0)	heardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:33.792156935 CET	192.168.2.4	1.1.1.1	0x95e7	Standard query (0)	difficultanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:33.802665949 CET	192.168.2.4	1.1.1.1	0xb37a	Standard query (0)	heardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:33.831963062 CET	192.168.2.4	1.1.1.1	0xb37a	Standard query (0)	heardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.047372103 CET	192.168.2.4	1.1.1.1	0xced8	Standard query (0)	difficultbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.066457987 CET	192.168.2.4	1.1.1.1	0xced8	Standard query (0)	difficultbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.079088926 CET	192.168.2.4	1.1.1.1	0xb428	Standard query (0)	heardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.088695049 CET	192.168.2.4	1.1.1.1	0x380d	Standard query (0)	difficultappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.099075079 CET	192.168.2.4	1.1.1.1	0x8c0a	Standard query (0)	heardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.128846884 CET	192.168.2.4	1.1.1.1	0x8c0a	Standard query (0)	heardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.131076097 CET	192.168.2.4	1.1.1.1	0xc815	Standard query (0)	pleasantmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.160082102 CET	192.168.2.4	1.1.1.1	0xc815	Standard query (0)	pleasantmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.162801981 CET	192.168.2.4	1.1.1.1	0x9e06	Standard query (0)	necessarymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.171060085 CET	192.168.2.4	1.1.1.1	0xd864	Standard query (0)	pleasantanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.181406021 CET	192.168.2.4	1.1.1.1	0x70bc	Standard query (0)	necessaryanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.207082987 CET	192.168.2.4	1.1.1.1	0x70bc	Standard query (0)	necessaryanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.214040995 CET	192.168.2.4	1.1.1.1	0x6d8	Standard query (0)	pleasantbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.238310099 CET	192.168.2.4	1.1.1.1	0x6d8	Standard query (0)	pleasantbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.245554924 CET	192.168.2.4	1.1.1.1	0x88bc	Standard query (0)	necessarybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.253638983 CET	192.168.2.4	1.1.1.1	0xb7f	Standard query (0)	pleasantappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.263848066 CET	192.168.2.4	1.1.1.1	0xa41f	Standard query (0)	necessaryappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.274123907 CET	192.168.2.4	1.1.1.1	0xbe97	Standard query (0)	ordermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.300776958 CET	192.168.2.4	1.1.1.1	0xbe97	Standard query (0)	ordermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.309990883 CET	192.168.2.4	1.1.1.1	0x30dd	Standard query (0)	requiremanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.322654009 CET	192.168.2.4	1.1.1.1	0xf436	Standard query (0)	orderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.333539009 CET	192.168.2.4	1.1.1.1	0xe941	Standard query (0)	requireanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.345232010 CET	192.168.2.4	1.1.1.1	0x1f81	Standard query (0)	orderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.355604887 CET	192.168.2.4	1.1.1.1	0xc3ab	Standard query (0)	requirebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.366506100 CET	192.168.2.4	1.1.1.1	0xd228	Standard query (0)	orderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.376995087 CET	192.168.2.4	1.1.1.1	0xd306	Standard query (0)	requireappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.386956930 CET	192.168.2.4	1.1.1.1	0xeb8d	Standard query (0)	leadermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.410146952 CET	192.168.2.4	1.1.1.1	0xeb8d	Standard query (0)	leadermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.418699980 CET	192.168.2.4	1.1.1.1	0x560e	Standard query (0)	heavenmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.431309938 CET	192.168.2.4	1.1.1.1	0xc563	Standard query (0)	leaderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.457036018 CET	192.168.2.4	1.1.1.1	0xc563	Standard query (0)	leaderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.463211060 CET	192.168.2.4	1.1.1.1	0x3f4d	Standard query (0)	heavenanother.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 7, 2024 13:14:44.580485106 CET	1.1.1.1	192.168.2.4	0x5e27	Name error (3)	hearddivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:44.897839069 CET	1.1.1.1	192.168.2.4	0x73ae	No error (0)	pleasantstream.net		18.143.155.63	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:46.843518019 CET	1.1.1.1	192.168.2.4	0x5212	Name error (3)	necessarystream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:46.856466055 CET	1.1.1.1	192.168.2.4	0x67d2	Name error (3)	pleasantnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:46.869244099 CET	1.1.1.1	192.168.2.4	0x5b0f	Name error (3)	necessarynothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:46.902147055 CET	1.1.1.1	192.168.2.4	0xf56a	Name error (3)	pleasantbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:46.913084030 CET	1.1.1.1	192.168.2.4	0x60e	Name error (3)	necessarybottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:46.924639940 CET	1.1.1.1	192.168.2.4	0x1073	Name error (3)	pleasantdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:46.935906887 CET	1.1.1.1	192.168.2.4	0x9aeb	Name error (3)	necessarydivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:46.982193947 CET	1.1.1.1	192.168.2.4	0x7f0a	No error (0)	orderstream.net		37.97.254.27	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.278541088 CET	1.1.1.1	192.168.2.4	0xefbf	Name error (3)	requirestream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.289005995 CET	1.1.1.1	192.168.2.4	0xfcb6	Name error (3)	ordernothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.320489883 CET	1.1.1.1	192.168.2.4	0xdd0	Name error (3)	requirenothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.330811977 CET	1.1.1.1	192.168.2.4	0x7430	Name error (3)	orderbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.340208054 CET	1.1.1.1	192.168.2.4	0x307b	Name error (3)	requirebottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.350876093 CET	1.1.1.1	192.168.2.4	0xbfb8	Name error (3)	orderdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.383431911 CET	1.1.1.1	192.168.2.4	0x8498	Name error (3)	requiredivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.556724072 CET	1.1.1.1	192.168.2.4	0x4c5e	Name error (3)	heavenstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.567387104 CET	1.1.1.1	192.168.2.4	0x2a64	Name error (3)	leadernothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.578418970 CET	1.1.1.1	192.168.2.4	0x3fb9	Name error (3)	heavennothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.589382887 CET	1.1.1.1	192.168.2.4	0xc746	Name error (3)	leaderbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.601746082 CET	1.1.1.1	192.168.2.4	0x8122	Name error (3)	heavenbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.612734079 CET	1.1.1.1	192.168.2.4	0x4cb2	Name error (3)	leaderdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.622982979 CET	1.1.1.1	192.168.2.4	0xc8e1	Name error (3)	heavendivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.633295059 CET	1.1.1.1	192.168.2.4	0x4a0f	Name error (3)	heavystream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.645631075 CET	1.1.1.1	192.168.2.4	0xd607	Name error (3)	gentlestream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.678025961 CET	1.1.1.1	192.168.2.4	0x4232	Name error (3)	heavynothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.689409018 CET	1.1.1.1	192.168.2.4	0xe272	Name error (3)	gentlenothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.721616030 CET	1.1.1.1	192.168.2.4	0xe23	Name error (3)	heavybottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.732454062 CET	1.1.1.1	192.168.2.4	0x9354	Name error (3)	gentlebottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.765409946 CET	1.1.1.1	192.168.2.4	0xebcf	Name error (3)	heavydivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:48.775887966 CET	1.1.1.1	192.168.2.4	0xb1a1	Name error (3)	gentledivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:49.102252007 CET	1.1.1.1	192.168.2.4	0x7875	No error (0)	variousstream.net	7450.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 13:14:49.102252007 CET	1.1.1.1	192.168.2.4	0x7875	No error (0)	7450.bodis.com		199.59.243.227	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:49.780694962 CET	1.1.1.1	192.168.2.4	0x6325	Name error (3)	returnstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:49.791224957 CET	1.1.1.1	192.168.2.4	0xe84e	Name error (3)	variousnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:49.826945066 CET	1.1.1.1	192.168.2.4	0x9532	Name error (3)	returnnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:50.085371971 CET	1.1.1.1	192.168.2.4	0x4f83	Name error (3)	variousbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:50.319963932 CET	1.1.1.1	192.168.2.4	0xbd9b	No error (0)	returnbottle.net		18.143.155.63	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.385917902 CET	1.1.1.1	192.168.2.4	0x6ad9	Name error (3)	variousdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.560450077 CET	1.1.1.1	192.168.2.4	0xf979	Name error (3)	returndivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.571320057 CET	1.1.1.1	192.168.2.4	0x8bea	Name error (3)	degreemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.594955921 CET	1.1.1.1	192.168.2.4	0xcecf	Name error (3)	forwardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.607913017 CET	1.1.1.1	192.168.2.4	0x8e94	Name error (3)	degreeanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.617913961 CET	1.1.1.1	192.168.2.4	0x3f8a	Name error (3)	forwardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.648945093 CET	1.1.1.1	192.168.2.4	0xe799	Name error (3)	degreebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.659423113 CET	1.1.1.1	192.168.2.4	0xd67e	Name error (3)	forwardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.670589924 CET	1.1.1.1	192.168.2.4	0x8624	Name error (3)	degreeappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.681404114 CET	1.1.1.1	192.168.2.4	0x1c9	Name error (3)	forwardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.692038059 CET	1.1.1.1	192.168.2.4	0x6e1c	Name error (3)	answermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.723736048 CET	1.1.1.1	192.168.2.4	0x8881	Name error (3)	glassmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.736015081 CET	1.1.1.1	192.168.2.4	0x76da	Name error (3)	answeranother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.747095108 CET	1.1.1.1	192.168.2.4	0x51fd	Name error (3)	glassanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.921444893 CET	1.1.1.1	192.168.2.4	0x28ce	Name error (3)	answerbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.936252117 CET	1.1.1.1	192.168.2.4	0xa6	Name error (3)	glassbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.947216988 CET	1.1.1.1	192.168.2.4	0xaa65	Name error (3)	answerappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.979396105 CET	1.1.1.1	192.168.2.4	0x9e6	Name error (3)	glassappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:52.990302086 CET	1.1.1.1	192.168.2.4	0xafde	Name error (3)	difficultmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.001091957 CET	1.1.1.1	192.168.2.4	0xe7fe	Name error (3)	heardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.013135910 CET	1.1.1.1	192.168.2.4	0xd9a5	Name error (3)	difficultanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.023627996 CET	1.1.1.1	192.168.2.4	0xcde9	Name error (3)	heardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.034677982 CET	1.1.1.1	192.168.2.4	0x385e	Name error (3)	difficultbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.045337915 CET	1.1.1.1	192.168.2.4	0xd22d	Name error (3)	heardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.056196928 CET	1.1.1.1	192.168.2.4	0x357e	Name error (3)	difficultappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.068620920 CET	1.1.1.1	192.168.2.4	0xde08	Name error (3)	heardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.079057932 CET	1.1.1.1	192.168.2.4	0x99b4	Name error (3)	pleasantmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.088804007 CET	1.1.1.1	192.168.2.4	0x435f	Name error (3)	necessarymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.099632978 CET	1.1.1.1	192.168.2.4	0x2fa3	Name error (3)	pleasantanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.108453035 CET	1.1.1.1	192.168.2.4	0xd494	Name error (3)	necessaryanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.118410110 CET	1.1.1.1	192.168.2.4	0xfed5	Name error (3)	pleasantbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.128694057 CET	1.1.1.1	192.168.2.4	0x9b08	Name error (3)	necessarybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.139612913 CET	1.1.1.1	192.168.2.4	0xf45e	Name error (3)	pleasantappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.171655893 CET	1.1.1.1	192.168.2.4	0x586	Name error (3)	necessaryappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.336307049 CET	1.1.1.1	192.168.2.4	0x8266	Name error (3)	ordermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.596457005 CET	1.1.1.1	192.168.2.4	0x2a6f	Name error (3)	requiremanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.608522892 CET	1.1.1.1	192.168.2.4	0xf7ca	Name error (3)	orderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.622709036 CET	1.1.1.1	192.168.2.4	0xe67c	Name error (3)	requireanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.654251099 CET	1.1.1.1	192.168.2.4	0x70e0	Name error (3)	orderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.667848110 CET	1.1.1.1	192.168.2.4	0xd937	Name error (3)	requirebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.679001093 CET	1.1.1.1	192.168.2.4	0xe22f	Name error (3)	orderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.690409899 CET	1.1.1.1	192.168.2.4	0x7032	Name error (3)	requireappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.702188015 CET	1.1.1.1	192.168.2.4	0xc26b	Name error (3)	leadermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.712399960 CET	1.1.1.1	192.168.2.4	0x7646	Name error (3)	heavenmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.744632959 CET	1.1.1.1	192.168.2.4	0xc2f7	Name error (3)	leaderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:14:53.757088900 CET	1.1.1.1	192.168.2.4	0x6ef0	Name error (3)	heavenanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:04.049114943 CET	1.1.1.1	192.168.2.4	0xf186	Name error (3)	hearddivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:06.054765940 CET	1.1.1.1	192.168.2.4	0xbbb1	Name error (3)	necessarystream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:06.087049007 CET	1.1.1.1	192.168.2.4	0xfa03	Name error (3)	pleasantnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:06.098330021 CET	1.1.1.1	192.168.2.4	0xbac5	Name error (3)	necessarynothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:06.130645037 CET	1.1.1.1	192.168.2.4	0x6a42	Name error (3)	pleasantbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:06.141992092 CET	1.1.1.1	192.168.2.4	0x9302	Name error (3)	necessarybottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:06.305579901 CET	1.1.1.1	192.168.2.4	0x3944	Name error (3)	pleasantdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:06.338807106 CET	1.1.1.1	192.168.2.4	0x67b1	Name error (3)	necessarydivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.567210913 CET	1.1.1.1	192.168.2.4	0x85c2	Name error (3)	requirestream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.578017950 CET	1.1.1.1	192.168.2.4	0x1203	Name error (3)	ordernothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.610232115 CET	1.1.1.1	192.168.2.4	0xd17e	Name error (3)	requirenothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.642211914 CET	1.1.1.1	192.168.2.4	0x71a5	Name error (3)	orderbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.654150963 CET	1.1.1.1	192.168.2.4	0xe917	Name error (3)	requirebottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.666003942 CET	1.1.1.1	192.168.2.4	0xbeb2	Name error (3)	orderdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.675642014 CET	1.1.1.1	192.168.2.4	0xab77	Name error (3)	requiredivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.883078098 CET	1.1.1.1	192.168.2.4	0xaf0a	Name error (3)	heavenstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.893567085 CET	1.1.1.1	192.168.2.4	0x2c39	Name error (3)	leadernothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.904015064 CET	1.1.1.1	192.168.2.4	0xe544	Name error (3)	heavennothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.935367107 CET	1.1.1.1	192.168.2.4	0x106f	Name error (3)	leaderbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.946578026 CET	1.1.1.1	192.168.2.4	0x7808	Name error (3)	heavenbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.979159117 CET	1.1.1.1	192.168.2.4	0xda97	Name error (3)	leaderdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:07.989976883 CET	1.1.1.1	192.168.2.4	0x22ce	Name error (3)	heavendivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:08.000804901 CET	1.1.1.1	192.168.2.4	0x5919	Name error (3)	heavystream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:08.031733036 CET	1.1.1.1	192.168.2.4	0xed7b	Name error (3)	gentlestream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:08.064709902 CET	1.1.1.1	192.168.2.4	0x25d6	Name error (3)	heavynothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:08.097307920 CET	1.1.1.1	192.168.2.4	0x99a5	Name error (3)	gentlenothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:08.108545065 CET	1.1.1.1	192.168.2.4	0xb14e	Name error (3)	heavybottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:08.120085955 CET	1.1.1.1	192.168.2.4	0xdbbb	Name error (3)	gentlebottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:08.131052017 CET	1.1.1.1	192.168.2.4	0x429b	Name error (3)	heavydivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:08.142693043 CET	1.1.1.1	192.168.2.4	0x9b5e	Name error (3)	gentledivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:08.819123030 CET	1.1.1.1	192.168.2.4	0x9266	Name error (3)	returnstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:08.829989910 CET	1.1.1.1	192.168.2.4	0xe10e	Name error (3)	variousnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:08.841386080 CET	1.1.1.1	192.168.2.4	0x3af1	Name error (3)	returnnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:08.873521090 CET	1.1.1.1	192.168.2.4	0x9db2	Name error (3)	variousbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.802494049 CET	1.1.1.1	192.168.2.4	0xe929	Name error (3)	variousdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.812715054 CET	1.1.1.1	192.168.2.4	0xa21b	Name error (3)	returndivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.822104931 CET	1.1.1.1	192.168.2.4	0xbc85	Name error (3)	degreemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.832341909 CET	1.1.1.1	192.168.2.4	0x8050	Name error (3)	forwardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.842964888 CET	1.1.1.1	192.168.2.4	0x4e40	Name error (3)	degreeanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.853383064 CET	1.1.1.1	192.168.2.4	0x37a8	Name error (3)	forwardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.863810062 CET	1.1.1.1	192.168.2.4	0x162f	Name error (3)	degreebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.873348951 CET	1.1.1.1	192.168.2.4	0xd604	Name error (3)	forwardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.883757114 CET	1.1.1.1	192.168.2.4	0x1133	Name error (3)	degreeappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.893676043 CET	1.1.1.1	192.168.2.4	0x5021	Name error (3)	forwardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.904834986 CET	1.1.1.1	192.168.2.4	0x844f	Name error (3)	answermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:10.914297104 CET	1.1.1.1	192.168.2.4	0xf178	Name error (3)	glassmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.079287052 CET	1.1.1.1	192.168.2.4	0x81cd	Name error (3)	answeranother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.091038942 CET	1.1.1.1	192.168.2.4	0x68b3	Name error (3)	glassanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.102605104 CET	1.1.1.1	192.168.2.4	0x4387	Name error (3)	answerbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.114052057 CET	1.1.1.1	192.168.2.4	0x6372	Name error (3)	glassbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.145862103 CET	1.1.1.1	192.168.2.4	0xa657	Name error (3)	answerappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.178925991 CET	1.1.1.1	192.168.2.4	0x38bb	Name error (3)	glassappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.211815119 CET	1.1.1.1	192.168.2.4	0xfe0d	Name error (3)	difficultmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.223144054 CET	1.1.1.1	192.168.2.4	0xd7bd	Name error (3)	heardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.233737946 CET	1.1.1.1	192.168.2.4	0x4a8	Name error (3)	difficultanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.265650988 CET	1.1.1.1	192.168.2.4	0x9043	Name error (3)	heardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.276422977 CET	1.1.1.1	192.168.2.4	0xf097	Name error (3)	difficultbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.287038088 CET	1.1.1.1	192.168.2.4	0xe500	Name error (3)	heardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.295749903 CET	1.1.1.1	192.168.2.4	0x497f	Name error (3)	difficultappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.306387901 CET	1.1.1.1	192.168.2.4	0xcc61	Name error (3)	heardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.318505049 CET	1.1.1.1	192.168.2.4	0xb0b9	Name error (3)	pleasantmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.351075888 CET	1.1.1.1	192.168.2.4	0x19f5	Name error (3)	necessarymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.361871004 CET	1.1.1.1	192.168.2.4	0x9ef5	Name error (3)	pleasantanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.373610973 CET	1.1.1.1	192.168.2.4	0xc09d	Name error (3)	necessaryanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.405632019 CET	1.1.1.1	192.168.2.4	0xde9c	Name error (3)	pleasantbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.418890953 CET	1.1.1.1	192.168.2.4	0x4c9	Name error (3)	necessarybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.451046944 CET	1.1.1.1	192.168.2.4	0x6a4f	Name error (3)	pleasantappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.461672068 CET	1.1.1.1	192.168.2.4	0xcc76	Name error (3)	necessaryappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.472651005 CET	1.1.1.1	192.168.2.4	0x9fc3	Name error (3)	ordermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.484195948 CET	1.1.1.1	192.168.2.4	0x7a54	Name error (3)	requiremanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.495286942 CET	1.1.1.1	192.168.2.4	0xc8e2	Name error (3)	orderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.506120920 CET	1.1.1.1	192.168.2.4	0xf3f8	Name error (3)	requireanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.539525986 CET	1.1.1.1	192.168.2.4	0xc6ce	Name error (3)	orderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.549442053 CET	1.1.1.1	192.168.2.4	0xe4be	Name error (3)	requirebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.559881926 CET	1.1.1.1	192.168.2.4	0x56e3	Name error (3)	orderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.570367098 CET	1.1.1.1	192.168.2.4	0x5e5c	Name error (3)	requireappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.602540970 CET	1.1.1.1	192.168.2.4	0xc1fb	Name error (3)	leadermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.613212109 CET	1.1.1.1	192.168.2.4	0x572	Name error (3)	heavenmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.623855114 CET	1.1.1.1	192.168.2.4	0x67e6	Name error (3)	leaderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:16:11.633557081 CET	1.1.1.1	192.168.2.4	0x958a	Name error (3)	heavenanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:24.749471903 CET	1.1.1.1	192.168.2.4	0x6519	Name error (3)	hearddivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:26.710330009 CET	1.1.1.1	192.168.2.4	0xf9f7	Name error (3)	necessarystream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:26.713872910 CET	1.1.1.1	192.168.2.4	0xf9f7	Name error (3)	necessarystream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:26.721741915 CET	1.1.1.1	192.168.2.4	0xea41	Name error (3)	pleasantnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:26.732090950 CET	1.1.1.1	192.168.2.4	0x936f	Name error (3)	necessarynothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:26.745301962 CET	1.1.1.1	192.168.2.4	0x9f32	Name error (3)	pleasantbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:26.756563902 CET	1.1.1.1	192.168.2.4	0xe03	Name error (3)	necessarybottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:26.788389921 CET	1.1.1.1	192.168.2.4	0x4edf	Name error (3)	pleasantdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:26.792664051 CET	1.1.1.1	192.168.2.4	0x4edf	Name error (3)	pleasantdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:26.820605040 CET	1.1.1.1	192.168.2.4	0x78b0	Name error (3)	necessarydivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:26.826838970 CET	1.1.1.1	192.168.2.4	0x78b0	Name error (3)	necessarydivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.029972076 CET	1.1.1.1	192.168.2.4	0xb173	Name error (3)	requirestream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.062602997 CET	1.1.1.1	192.168.2.4	0x61e9	Name error (3)	ordernothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.062617064 CET	1.1.1.1	192.168.2.4	0x61e9	Name error (3)	ordernothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.075043917 CET	1.1.1.1	192.168.2.4	0xffc4	Name error (3)	requirenothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.085489988 CET	1.1.1.1	192.168.2.4	0x8b14	Name error (3)	orderbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.097349882 CET	1.1.1.1	192.168.2.4	0xa508	Name error (3)	requirebottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.108573914 CET	1.1.1.1	192.168.2.4	0xe1e6	Name error (3)	orderdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.140640020 CET	1.1.1.1	192.168.2.4	0x33ca	Name error (3)	requiredivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.824338913 CET	1.1.1.1	192.168.2.4	0x9888	Name error (3)	heavenstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.835124969 CET	1.1.1.1	192.168.2.4	0x3f2f	Name error (3)	leadernothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.870527029 CET	1.1.1.1	192.168.2.4	0xd466	Name error (3)	heavennothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.870632887 CET	1.1.1.1	192.168.2.4	0xd466	Name error (3)	heavennothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.881184101 CET	1.1.1.1	192.168.2.4	0xf904	Name error (3)	leaderbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.892647028 CET	1.1.1.1	192.168.2.4	0xd603	Name error (3)	heavenbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.904347897 CET	1.1.1.1	192.168.2.4	0x1c67	Name error (3)	leaderdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.938008070 CET	1.1.1.1	192.168.2.4	0x5705	Name error (3)	heavendivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.938102007 CET	1.1.1.1	192.168.2.4	0x5705	Name error (3)	heavendivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.948698997 CET	1.1.1.1	192.168.2.4	0x6e0a	Name error (3)	heavystream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.981077909 CET	1.1.1.1	192.168.2.4	0x3ba	Name error (3)	gentlestream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.981096029 CET	1.1.1.1	192.168.2.4	0x3ba	Name error (3)	gentlestream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:28.993716002 CET	1.1.1.1	192.168.2.4	0x8218	Name error (3)	heavynothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:29.004570007 CET	1.1.1.1	192.168.2.4	0x5156	Name error (3)	gentlenothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:29.015609026 CET	1.1.1.1	192.168.2.4	0x2927	Name error (3)	heavybottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:29.025651932 CET	1.1.1.1	192.168.2.4	0x323d	Name error (3)	gentlebottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:29.057149887 CET	1.1.1.1	192.168.2.4	0xd4fd	Name error (3)	heavydivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:29.057454109 CET	1.1.1.1	192.168.2.4	0xd4fd	Name error (3)	heavydivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:29.067914963 CET	1.1.1.1	192.168.2.4	0x54ab	Name error (3)	gentledivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:29.733273029 CET	1.1.1.1	192.168.2.4	0x3ff8	Name error (3)	returnstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:29.733313084 CET	1.1.1.1	192.168.2.4	0x3ff8	Name error (3)	returnstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:29.743855000 CET	1.1.1.1	192.168.2.4	0x8a50	Name error (3)	variousnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:29.776141882 CET	1.1.1.1	192.168.2.4	0x4176	Name error (3)	returnnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:29.784532070 CET	1.1.1.1	192.168.2.4	0x6c4b	Name error (3)	variousbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:31.892863035 CET	1.1.1.1	192.168.2.4	0x886d	Name error (3)	variousdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:31.893007040 CET	1.1.1.1	192.168.2.4	0x886d	Name error (3)	variousdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:31.932905912 CET	1.1.1.1	192.168.2.4	0x22b0	Name error (3)	returndivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:31.934679031 CET	1.1.1.1	192.168.2.4	0x22b0	Name error (3)	returndivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:31.945700884 CET	1.1.1.1	192.168.2.4	0xfcbd	Name error (3)	degreemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:31.977902889 CET	1.1.1.1	192.168.2.4	0x6d83	Name error (3)	forwardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:31.980056047 CET	1.1.1.1	192.168.2.4	0x6d83	Name error (3)	forwardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.011224985 CET	1.1.1.1	192.168.2.4	0xe8f6	Name error (3)	degreeanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.011245966 CET	1.1.1.1	192.168.2.4	0xe8f6	Name error (3)	degreeanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.026186943 CET	1.1.1.1	192.168.2.4	0x9228	Name error (3)	forwardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.037197113 CET	1.1.1.1	192.168.2.4	0x137f	Name error (3)	degreebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.047259092 CET	1.1.1.1	192.168.2.4	0xe340	Name error (3)	forwardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.058713913 CET	1.1.1.1	192.168.2.4	0xbcb1	Name error (3)	degreeappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.069442987 CET	1.1.1.1	192.168.2.4	0x3c6b	Name error (3)	forwardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.081232071 CET	1.1.1.1	192.168.2.4	0xb6ab	Name error (3)	answermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.111830950 CET	1.1.1.1	192.168.2.4	0x5e42	Name error (3)	glassmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.111846924 CET	1.1.1.1	192.168.2.4	0x5e42	Name error (3)	glassmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.123038054 CET	1.1.1.1	192.168.2.4	0xdddd	Name error (3)	answeranother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.135051966 CET	1.1.1.1	192.168.2.4	0x519f	Name error (3)	glassanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.296255112 CET	1.1.1.1	192.168.2.4	0xfd2c	Name error (3)	answerbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.296277046 CET	1.1.1.1	192.168.2.4	0xfd2c	Name error (3)	answerbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:32.460830927 CET	1.1.1.1	192.168.2.4	0x2b2d	Name error (3)	glassbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:33.122124910 CET	1.1.1.1	192.168.2.4	0x3328	Name error (3)	answerappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:33.773099899 CET	1.1.1.1	192.168.2.4	0x7676	Name error (3)	glassappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:33.781029940 CET	1.1.1.1	192.168.2.4	0x9d4e	Name error (3)	difficultmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:33.791357994 CET	1.1.1.1	192.168.2.4	0xad89	Name error (3)	heardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:33.801986933 CET	1.1.1.1	192.168.2.4	0x95e7	Name error (3)	difficultanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.046339989 CET	1.1.1.1	192.168.2.4	0xb37a	Name error (3)	heardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.046354055 CET	1.1.1.1	192.168.2.4	0xb37a	Name error (3)	heardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.078063011 CET	1.1.1.1	192.168.2.4	0xced8	Name error (3)	difficultbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.078093052 CET	1.1.1.1	192.168.2.4	0xced8	Name error (3)	difficultbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.087960005 CET	1.1.1.1	192.168.2.4	0xb428	Name error (3)	heardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.098431110 CET	1.1.1.1	192.168.2.4	0x380d	Name error (3)	difficultappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.130182028 CET	1.1.1.1	192.168.2.4	0x8c0a	Name error (3)	heardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.135605097 CET	1.1.1.1	192.168.2.4	0x8c0a	Name error (3)	heardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.161947966 CET	1.1.1.1	192.168.2.4	0xc815	Name error (3)	pleasantmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.167165995 CET	1.1.1.1	192.168.2.4	0xc815	Name error (3)	pleasantmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.170342922 CET	1.1.1.1	192.168.2.4	0x9e06	Name error (3)	necessarymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.180648088 CET	1.1.1.1	192.168.2.4	0xd864	Name error (3)	pleasantanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.212835073 CET	1.1.1.1	192.168.2.4	0x70bc	Name error (3)	necessaryanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.214051962 CET	1.1.1.1	192.168.2.4	0x70bc	Name error (3)	necessaryanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.244414091 CET	1.1.1.1	192.168.2.4	0x6d8	Name error (3)	pleasantbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.245182991 CET	1.1.1.1	192.168.2.4	0x6d8	Name error (3)	pleasantbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.252870083 CET	1.1.1.1	192.168.2.4	0x88bc	Name error (3)	necessarybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.262945890 CET	1.1.1.1	192.168.2.4	0xb7f	Name error (3)	pleasantappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.273328066 CET	1.1.1.1	192.168.2.4	0xa41f	Name error (3)	necessaryappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.308965921 CET	1.1.1.1	192.168.2.4	0xbe97	Name error (3)	ordermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.309139967 CET	1.1.1.1	192.168.2.4	0xbe97	Name error (3)	ordermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.320899963 CET	1.1.1.1	192.168.2.4	0x30dd	Name error (3)	requiremanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.332586050 CET	1.1.1.1	192.168.2.4	0xf436	Name error (3)	orderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.342941999 CET	1.1.1.1	192.168.2.4	0xe941	Name error (3)	requireanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.354837894 CET	1.1.1.1	192.168.2.4	0x1f81	Name error (3)	orderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.365829945 CET	1.1.1.1	192.168.2.4	0xc3ab	Name error (3)	requirebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.376176119 CET	1.1.1.1	192.168.2.4	0xd228	Name error (3)	orderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.386176109 CET	1.1.1.1	192.168.2.4	0xd306	Name error (3)	requireappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.417812109 CET	1.1.1.1	192.168.2.4	0xeb8d	Name error (3)	leadermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.417854071 CET	1.1.1.1	192.168.2.4	0xeb8d	Name error (3)	leadermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.427997112 CET	1.1.1.1	192.168.2.4	0x560e	Name error (3)	heavenmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.462299109 CET	1.1.1.1	192.168.2.4	0xc563	Name error (3)	leaderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.463721991 CET	1.1.1.1	192.168.2.4	0xc563	Name error (3)	leaderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 13:17:34.473421097 CET	1.1.1.1	192.168.2.4	0x3f4d	Name error (3)	heavenanother.net	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pleasantstream.net

orderstream.net

variousstream.net

returnbottle.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	18.143.155.63	80	9340	C:\qkcgyxexucxsiyk\bsiphbvc.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 13:14:44.907565117 CET	85	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: pleasantstream.net
Nov 7, 2024 13:14:46.394563913 CET	389	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 12:14:46 GMT Content-Type: text/html Connection: close Set-Cookie: btst=ee7d6952d165c7d6c0914b8b95d79c35\|173.254.250.79\|1730981686\|1730981686\|0\|1\|0; path=/; domain=.pleasantstream.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	37.97.254.27	80	9340	C:\qkcgyxexucxsiyk\bsiphbvc.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 13:14:46.994419098 CET	82	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: orderstream.net
Nov 7, 2024 13:14:47.836894989 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 02 Apr 2024 11:23:50 GMT Server: Apache Last-Modified: Mon, 04 Mar 2024 08:41:05 GMT Vary: Accept-Encoding Content-Type: text/html Cache-Control: max-age=31536000 X-Varnish: 217333428 34925 Age: 18924657 Via: 1.1 varnish (Varnish/6.1) Accept-Ranges: bytes Content-Length: 64674 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 61 73 63 69 69 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 72 61 6e 73 49 50 20 2d 20 52 65 73 65 72 76 65 64 20 64 6f 6d 61 69 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 72 61 6e 73 49 50 20 2d 20 52 65 73 65 72 76 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html> <head lang="en"> <meta charset="ascii"> <title>TransIP - Reserved domain</title> <meta name="description" content="TransIP - Reserved domain"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="robots" content="noindex, nofollow"> <link rel="shortcut icon" href="//reserved.transip.nl/assets/img/favicon.ico" type="image/x-icon" /> <link href='https://fonts.googleapis.com/css?family=Source+Sans+Pro:400,900' rel='stylesheet' type='text/css'> <link rel="stylesheet" href="//reserved.transip.nl/assets/css/combined-min.css"> <title>Bezet!</title> </head> <body> <div class="container"> <div role="navigation" class="reserved-nav-container"> <div class="col-xs
Nov 7, 2024 13:14:47.836926937 CET	1236	IN	Data Raw: 2d 36 20 72 65 73 65 72 76 65 64 2d 6e 61 76 2d 6c 65 66 74 20 72 65 73 65 72 76 65 64 2d 6e 61 76 2d 62 72 61 6e 64 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 72 61 Data Ascii: -6 reserved-nav-left reserved-nav-brand"> <a href="https://transip.nl/" class="reserved-nav-brand-link lang_nl" rel="nofollow"> <svg version="1.1" id="transip-logo" xmlns="http://www.w3.org/2000/svg"
Nov 7, 2024 13:14:47.836941957 CET	424	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 30 2d 30 2e 39 2c 30 2e 33 2d 31 2e 34 2c 33 2e 32 2d 31 2e 34 68 33 2e 33 63 33 2e 35 2c 30 2c 34 2e 38 2c 30 2e 33 2c 34 2e 38 2c 32 2e 33 76 31 2e 38 63 2d 30 2e 38 2d 30 2e 39 Data Ascii: c0-0.9,0.3-1.4,3.2-1.4h3.3c3.5,0,4.8,0.3,4.8,2.3v1.8c-0.8-0.9-2.1-1.1-4.6-1.1h-3.6c-2,0-3.5,0.1-4.6,0.5 c-1.1,0.4-1.7,1.3-1.7,2.8v0.8c0,1.2,0.2,2.102,0.9,2.801c0.7,0.699,1.8,1,3.6,1h5.4c2.9,
Nov 7, 2024 13:14:47.836954117 CET	1236	IN	Data Raw: 34 2c 36 34 2e 36 2c 34 2e 34 48 36 31 2e 32 63 2d 32 2e 35 2c 30 2d 34 2e 33 2c 30 2e 33 2d 35 2e 33 2c 31 2e 38 56 34 2e 36 68 2d 32 2e 35 76 31 32 2e 35 68 32 2e 37 56 31 30 63 30 2d 32 2e 37 2c 31 2d 33 2e 35 2c 36 2e 33 2d 33 2e 35 48 36 33 Data Ascii: 4,64.6,4.4H61.2c-2.5,0-4.3,0.3-5.3,1.8V4.6h-2.5v12.5h2.7V10c0-2.7,1-3.5,6.3-3.5H63 c4.4,0.1,4.7,1,4.7,2.7V17.1h2.7V8.8C70.3,7.6,70,6.5,69.1,5.7z"/> <path class="transip-logo-part" d="
Nov 7, 2024 13:14:47.836976051 CET	1236	IN	Data Raw: 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: </g> <g> <g> <rect class="transip-logo-part" x="96.5" y="4.6" fill="#187DC1" width="2.7" height="12.5"/> </g>
Nov 7, 2024 13:14:47.836988926 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 74 72 61 6e 73 69 70 2d 6c 6f 67 6f 2d 70 61 72 74 22 20 64 3d 22 4d 31 32 2e 37 2c 31 32 2e 34 63 2d 30 2e 31 2c 32 2e 35 2d 30 2e 33 2c 32 2e Data Ascii: <path class="transip-logo-part" d="M12.7,12.4c-0.1,2.5-0.3,2.8-3.2,2.898H8.7c-2.4-0.1-3.1-0.6-3.1-2.699V6.7h9V4.6h-9V1.8H2.9v2.9H0v2.1h2.9V13.4 c0,1,0.3,2.1,1.1,2.8c0.8,0.8,2.2,1.2,4.3,1.2h1
Nov 7, 2024 13:14:47.837002993 CET	1236	IN	Data Raw: 36 2c 34 2e 35 2c 34 33 2e 34 2c 34 2e 35 7a 22 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 74 72 61 6e 73 69 70 2d 6c 6f 67 6f 2d 70 61 72 74 22 20 64 3d 22 Data Ascii: 6,4.5,43.4,4.5z"/> <path class="transip-logo-part" d="M69.1,5.7C68.2,4.9,66.7,4.4,64.6,4.4H61.2c-2.5,0-4.3,0.3-5.3,1.8V4.6h-2.5v12.5h2.7V10c0-2.7,1-3.5,6.3-3.5H63 c4.4,0.1,4.7,1,4.7,2
Nov 7, 2024 13:14:47.837013960 CET	848	IN	Data Raw: 22 20 66 69 6c 6c 3d 22 23 31 38 37 44 43 31 22 20 77 69 64 74 68 3d 22 32 2e 37 22 20 68 65 69 67 68 74 3d 22 32 2e 32 22 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 Data Ascii: " fill="#187DC1" width="2.7" height="2.2"/> </g> </g> <g> <g> <rect class="transip-logo
Nov 7, 2024 13:14:47.837025881 CET	1236	IN	Data Raw: 31 37 2e 34 68 34 2e 33 63 32 2e 33 2c 30 2c 34 2d 30 2e 33 30 31 2c 35 2e 32 2d 31 2e 32 63 31 2e 31 2d 30 2e 39 2c 31 2e 36 2d 32 2e 33 2c 31 2e 36 2d 34 2e 33 56 39 2e 38 43 31 32 30 2c 37 2e 36 2c 31 31 39 2e 32 2c 36 2e 33 2c 31 31 38 2c 35 Data Ascii: 17.4h4.3c2.3,0,4-0.301,5.2-1.2c1.1-0.9,1.6-2.3,1.6-4.3V9.8C120,7.6,119.2,6.3,118,5.5z"/> </g> </g> </svg> </a> </div>
Nov 7, 2024 13:14:47.837038040 CET	1236	IN	Data Raw: 31 70 74 22 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 30 30 36 22 20 64 3d 22 4d 2d 32 35 36 20 30 48 37 36 38 2e 30 32 76 35 31 32 2e 30 31 48 2d 32 35 36 7a 22 2f 3e 3c 70 61 74 68 20 64 3d 22 4d 2d 32 35 36 20 30 76 35 37 2e 32 34 34 6c 39 30 Data Ascii: 1pt"><path fill="#006" d="M-256 0H768.02v512.01H-256z"/><path d="M-256 0v57.244l909.535 454.768H768.02V454.77L-141.515 0H-256zM768.02 0v57.243L-141.515 512.01H-256v-57.243L653.535 0H768.02z" fill="#fff"/><path d="M170.675 0v512.01h170.67V0h-17
Nov 7, 2024 13:14:47.841891050 CET	1236	IN	Data Raw: 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 20 78 3d 22 30 70 78 22 20 Data Ascii: s="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 200 200" style="enable-background:new 0 0 200 200;" xml:space="preserve"> <g>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	199.59.243.227	80	9340	C:\qkcgyxexucxsiyk\bsiphbvc.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 13:14:49.111248016 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: variousstream.net
Nov 7, 2024 13:14:49.767203093 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 12:14:48 GMT content-type: text/html; charset=utf-8 content-length: 1066 x-request-id: 367651fd-0c9c-4be0-94ce-34d7c84fa85d cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ== set-cookie: parking_session=367651fd-0c9c-4be0-94ce-34d7c84fa85d; expires=Thu, 07 Nov 2024 12:29:49 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 53 48 57 78 4b 61 44 77 6f 44 6f 77 66 36 4c 4b 38 37 48 37 43 67 61 6e 64 75 64 43 5a 44 6d 51 47 5a 44 66 75 6c 48 7a 46 33 2b 71 61 37 37 57 52 36 7a 53 41 4f 70 32 47 6e 6f 6d 44 4b 45 7a 61 45 62 64 50 67 46 4f 47 31 48 77 38 41 67 68 7a 4e 4e 74 45 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 13:14:49.767308950 CET	519	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMzY3NjUxZmQtMGM5Yy00YmUwLTk0Y2UtMzRkN2M4NGZhODVkIiwicGFnZV90aW1lIjoxNzMwOTgxNj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	18.143.155.63	80	9340	C:\qkcgyxexucxsiyk\bsiphbvc.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 13:14:50.325788975 CET	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: returnbottle.net
Nov 7, 2024 13:14:51.777851105 CET	387	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 12:14:51 GMT Content-Type: text/html Connection: close Set-Cookie: btst=2fced65f7fa91fbf4c174817a1bd79ca\|173.254.250.79\|1730981691\|1730981691\|0\|1\|0; path=/; domain=.returnbottle.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49761	18.143.155.63	80	9128	C:\qkcgyxexucxsiyk\bsiphbvc.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 13:16:04.156260014 CET	85	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: pleasantstream.net
Nov 7, 2024 13:16:05.611562967 CET	389	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 12:16:05 GMT Content-Type: text/html Connection: close Set-Cookie: btst=6cf6e1a4a02df970830bd3b8cbbfb806\|173.254.250.79\|1730981765\|1730981765\|0\|1\|0; path=/; domain=.pleasantstream.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49762	37.97.254.27	80	9128	C:\qkcgyxexucxsiyk\bsiphbvc.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 13:16:06.345002890 CET	82	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: orderstream.net
Nov 7, 2024 13:16:07.195400953 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 02 Apr 2024 11:23:50 GMT Server: Apache Last-Modified: Mon, 04 Mar 2024 08:41:05 GMT Vary: Accept-Encoding Content-Type: text/html Cache-Control: max-age=31536000 X-Varnish: 217904734 34925 Age: 18924736 Via: 1.1 varnish (Varnish/6.1) Accept-Ranges: bytes Content-Length: 64674 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 61 73 63 69 69 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 72 61 6e 73 49 50 20 2d 20 52 65 73 65 72 76 65 64 20 64 6f 6d 61 69 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 72 61 6e 73 49 50 20 2d 20 52 65 73 65 72 76 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html> <head lang="en"> <meta charset="ascii"> <title>TransIP - Reserved domain</title> <meta name="description" content="TransIP - Reserved domain"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="robots" content="noindex, nofollow"> <link rel="shortcut icon" href="//reserved.transip.nl/assets/img/favicon.ico" type="image/x-icon" /> <link href='https://fonts.googleapis.com/css?family=Source+Sans+Pro:400,900' rel='stylesheet' type='text/css'> <link rel="stylesheet" href="//reserved.transip.nl/assets/css/combined-min.css"> <title>Bezet!</title> </head> <body> <div class="container"> <div role="navigation" class="reserved-nav-container"> <div class="col-xs
Nov 7, 2024 13:16:07.195430994 CET	1236	IN	Data Raw: 2d 36 20 72 65 73 65 72 76 65 64 2d 6e 61 76 2d 6c 65 66 74 20 72 65 73 65 72 76 65 64 2d 6e 61 76 2d 62 72 61 6e 64 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 72 61 Data Ascii: -6 reserved-nav-left reserved-nav-brand"> <a href="https://transip.nl/" class="reserved-nav-brand-link lang_nl" rel="nofollow"> <svg version="1.1" id="transip-logo" xmlns="http://www.w3.org/2000/svg"
Nov 7, 2024 13:16:07.195442915 CET	424	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 30 2d 30 2e 39 2c 30 2e 33 2d 31 2e 34 2c 33 2e 32 2d 31 2e 34 68 33 2e 33 63 33 2e 35 2c 30 2c 34 2e 38 2c 30 2e 33 2c 34 2e 38 2c 32 2e 33 76 31 2e 38 63 2d 30 2e 38 2d 30 2e 39 Data Ascii: c0-0.9,0.3-1.4,3.2-1.4h3.3c3.5,0,4.8,0.3,4.8,2.3v1.8c-0.8-0.9-2.1-1.1-4.6-1.1h-3.6c-2,0-3.5,0.1-4.6,0.5 c-1.1,0.4-1.7,1.3-1.7,2.8v0.8c0,1.2,0.2,2.102,0.9,2.801c0.7,0.699,1.8,1,3.6,1h5.4c2.9,
Nov 7, 2024 13:16:07.195455074 CET	1236	IN	Data Raw: 34 2c 36 34 2e 36 2c 34 2e 34 48 36 31 2e 32 63 2d 32 2e 35 2c 30 2d 34 2e 33 2c 30 2e 33 2d 35 2e 33 2c 31 2e 38 56 34 2e 36 68 2d 32 2e 35 76 31 32 2e 35 68 32 2e 37 56 31 30 63 30 2d 32 2e 37 2c 31 2d 33 2e 35 2c 36 2e 33 2d 33 2e 35 48 36 33 Data Ascii: 4,64.6,4.4H61.2c-2.5,0-4.3,0.3-5.3,1.8V4.6h-2.5v12.5h2.7V10c0-2.7,1-3.5,6.3-3.5H63 c4.4,0.1,4.7,1,4.7,2.7V17.1h2.7V8.8C70.3,7.6,70,6.5,69.1,5.7z"/> <path class="transip-logo-part" d="
Nov 7, 2024 13:16:07.195468903 CET	1236	IN	Data Raw: 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: </g> <g> <g> <rect class="transip-logo-part" x="96.5" y="4.6" fill="#187DC1" width="2.7" height="12.5"/> </g>
Nov 7, 2024 13:16:07.195482969 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 74 72 61 6e 73 69 70 2d 6c 6f 67 6f 2d 70 61 72 74 22 20 64 3d 22 4d 31 32 2e 37 2c 31 32 2e 34 63 2d 30 2e 31 2c 32 2e 35 2d 30 2e 33 2c 32 2e Data Ascii: <path class="transip-logo-part" d="M12.7,12.4c-0.1,2.5-0.3,2.8-3.2,2.898H8.7c-2.4-0.1-3.1-0.6-3.1-2.699V6.7h9V4.6h-9V1.8H2.9v2.9H0v2.1h2.9V13.4 c0,1,0.3,2.1,1.1,2.8c0.8,0.8,2.2,1.2,4.3,1.2h1
Nov 7, 2024 13:16:07.195496082 CET	1236	IN	Data Raw: 36 2c 34 2e 35 2c 34 33 2e 34 2c 34 2e 35 7a 22 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 74 72 61 6e 73 69 70 2d 6c 6f 67 6f 2d 70 61 72 74 22 20 64 3d 22 Data Ascii: 6,4.5,43.4,4.5z"/> <path class="transip-logo-part" d="M69.1,5.7C68.2,4.9,66.7,4.4,64.6,4.4H61.2c-2.5,0-4.3,0.3-5.3,1.8V4.6h-2.5v12.5h2.7V10c0-2.7,1-3.5,6.3-3.5H63 c4.4,0.1,4.7,1,4.7,2
Nov 7, 2024 13:16:07.195508957 CET	848	IN	Data Raw: 22 20 66 69 6c 6c 3d 22 23 31 38 37 44 43 31 22 20 77 69 64 74 68 3d 22 32 2e 37 22 20 68 65 69 67 68 74 3d 22 32 2e 32 22 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 Data Ascii: " fill="#187DC1" width="2.7" height="2.2"/> </g> </g> <g> <g> <rect class="transip-logo
Nov 7, 2024 13:16:07.195521116 CET	1236	IN	Data Raw: 31 37 2e 34 68 34 2e 33 63 32 2e 33 2c 30 2c 34 2d 30 2e 33 30 31 2c 35 2e 32 2d 31 2e 32 63 31 2e 31 2d 30 2e 39 2c 31 2e 36 2d 32 2e 33 2c 31 2e 36 2d 34 2e 33 56 39 2e 38 43 31 32 30 2c 37 2e 36 2c 31 31 39 2e 32 2c 36 2e 33 2c 31 31 38 2c 35 Data Ascii: 17.4h4.3c2.3,0,4-0.301,5.2-1.2c1.1-0.9,1.6-2.3,1.6-4.3V9.8C120,7.6,119.2,6.3,118,5.5z"/> </g> </g> </svg> </a> </div>
Nov 7, 2024 13:16:07.195533991 CET	1236	IN	Data Raw: 31 70 74 22 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 30 30 36 22 20 64 3d 22 4d 2d 32 35 36 20 30 48 37 36 38 2e 30 32 76 35 31 32 2e 30 31 48 2d 32 35 36 7a 22 2f 3e 3c 70 61 74 68 20 64 3d 22 4d 2d 32 35 36 20 30 76 35 37 2e 32 34 34 6c 39 30 Data Ascii: 1pt"><path fill="#006" d="M-256 0H768.02v512.01H-256z"/><path d="M-256 0v57.244l909.535 454.768H768.02V454.77L-141.515 0H-256zM768.02 0v57.243L-141.515 512.01H-256v-57.243L653.535 0H768.02z" fill="#fff"/><path d="M170.675 0v512.01h170.67V0h-17
Nov 7, 2024 13:16:07.200582027 CET	1236	IN	Data Raw: 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 20 78 3d 22 30 70 78 22 20 Data Ascii: s="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 200 200" style="enable-background:new 0 0 200 200;" xml:space="preserve"> <g>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49763	199.59.243.227	80	9128	C:\qkcgyxexucxsiyk\bsiphbvc.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 13:16:08.148966074 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: variousstream.net
Nov 7, 2024 13:16:08.785276890 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 12:16:07 GMT content-type: text/html; charset=utf-8 content-length: 1066 x-request-id: 75694da3-e79a-4e4d-9eb5-bec3037f195d cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ== set-cookie: parking_session=75694da3-e79a-4e4d-9eb5-bec3037f195d; expires=Thu, 07 Nov 2024 12:31:08 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 53 48 57 78 4b 61 44 77 6f 44 6f 77 66 36 4c 4b 38 37 48 37 43 67 61 6e 64 75 64 43 5a 44 6d 51 47 5a 44 66 75 6c 48 7a 46 33 2b 71 61 37 37 57 52 36 7a 53 41 4f 70 32 47 6e 6f 6d 44 4b 45 7a 61 45 62 64 50 67 46 4f 47 31 48 77 38 41 67 68 7a 4e 4e 74 45 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 13:16:08.785300970 CET	519	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNzU2OTRkYTMtZTc5YS00ZTRkLTllYjUtYmVjMzAzN2YxOTVkIiwicGFnZV90aW1lIjoxNzMwOTgxNz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49764	18.143.155.63	80	9128	C:\qkcgyxexucxsiyk\bsiphbvc.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 13:16:08.879744053 CET	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: returnbottle.net
Nov 7, 2024 13:16:10.351630926 CET	387	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 12:16:10 GMT Content-Type: text/html Connection: close Set-Cookie: btst=72705f91c6c11a06e92fc3e0edd476b6\|173.254.250.79\|1730981770\|1730981770\|0\|1\|0; path=/; domain=.returnbottle.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49765	18.143.155.63	80	7332	C:\qkcgyxexucxsiyk\bsiphbvc.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 13:17:24.758436918 CET	85	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: pleasantstream.net
Nov 7, 2024 13:17:26.235486984 CET	389	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 12:17:25 GMT Content-Type: text/html Connection: close Set-Cookie: btst=661cc4d24352069435510bb9d9922af0\|173.254.250.79\|1730981845\|1730981845\|0\|1\|0; path=/; domain=.pleasantstream.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49766	37.97.254.27	80	7332	C:\qkcgyxexucxsiyk\bsiphbvc.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 13:17:26.827042103 CET	82	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: orderstream.net
Nov 7, 2024 13:17:27.662760019 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 02 Apr 2024 11:23:50 GMT Server: Apache Last-Modified: Mon, 04 Mar 2024 08:41:05 GMT Vary: Accept-Encoding Content-Type: text/html Cache-Control: max-age=31536000 X-Varnish: 218231794 34925 Age: 18924817 Via: 1.1 varnish (Varnish/6.1) Accept-Ranges: bytes Content-Length: 64674 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 61 73 63 69 69 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 72 61 6e 73 49 50 20 2d 20 52 65 73 65 72 76 65 64 20 64 6f 6d 61 69 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 72 61 6e 73 49 50 20 2d 20 52 65 73 65 72 76 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html> <head lang="en"> <meta charset="ascii"> <title>TransIP - Reserved domain</title> <meta name="description" content="TransIP - Reserved domain"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="robots" content="noindex, nofollow"> <link rel="shortcut icon" href="//reserved.transip.nl/assets/img/favicon.ico" type="image/x-icon" /> <link href='https://fonts.googleapis.com/css?family=Source+Sans+Pro:400,900' rel='stylesheet' type='text/css'> <link rel="stylesheet" href="//reserved.transip.nl/assets/css/combined-min.css"> <title>Bezet!</title> </head> <body> <div class="container"> <div role="navigation" class="reserved-nav-container"> <div class="col-xs
Nov 7, 2024 13:17:27.662789106 CET	1236	IN	Data Raw: 2d 36 20 72 65 73 65 72 76 65 64 2d 6e 61 76 2d 6c 65 66 74 20 72 65 73 65 72 76 65 64 2d 6e 61 76 2d 62 72 61 6e 64 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 72 61 Data Ascii: -6 reserved-nav-left reserved-nav-brand"> <a href="https://transip.nl/" class="reserved-nav-brand-link lang_nl" rel="nofollow"> <svg version="1.1" id="transip-logo" xmlns="http://www.w3.org/2000/svg"
Nov 7, 2024 13:17:27.662805080 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 30 2d 30 2e 39 2c 30 2e 33 2d 31 2e 34 2c 33 2e 32 2d 31 2e 34 68 33 2e 33 63 33 2e 35 2c 30 2c 34 2e 38 2c 30 2e 33 2c 34 2e 38 2c 32 2e 33 76 31 2e 38 63 2d 30 2e 38 2d 30 2e 39 Data Ascii: c0-0.9,0.3-1.4,3.2-1.4h3.3c3.5,0,4.8,0.3,4.8,2.3v1.8c-0.8-0.9-2.1-1.1-4.6-1.1h-3.6c-2,0-3.5,0.1-4.6,0.5 c-1.1,0.4-1.7,1.3-1.7,2.8v0.8c0,1.2,0.2,2.102,0.9,2.801c0.7,0.699,1.8,1,3.6,1h5.4c2.9,
Nov 7, 2024 13:17:27.662820101 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 68 2d 32 2e 35 76 30 2e 39 63 30 2c 31 2e 39 2c 30 2e 38 2c 32 2e 39 2c 32 2e 31 30 31 2c 33 2e 34 63 31 2e 31 39 39 2c 30 2e 35 2c 32 2e 38 39 39 2c 30 2e 35 2c 34 2e 35 2c 30 2e 35 48 38 33 2e 36 63 32 2e 37 2c Data Ascii: h-2.5v0.9c0,1.9,0.8,2.9,2.101,3.4c1.199,0.5,2.899,0.5,4.5,0.5H83.6c2.7,0,6.4-0.102,6.4-3.7l0,0C90.1,11.9,89.4,10.9,88.4,10.4z" /> <g> <g>
Nov 7, 2024 13:17:27.662832975 CET	848	IN	Data Raw: 2c 36 2e 33 2c 31 31 38 2c 35 2e 35 7a 22 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: ,6.3,118,5.5z"/> </g> </g> </svg> </a> <a href="https://transip.eu/" class="reserved-nav-brand-link lang_en hidden" rel
Nov 7, 2024 13:17:27.662843943 CET	1236	IN	Data Raw: 2e 33 2d 33 2e 39 2c 31 2e 35 56 34 2e 36 68 2d 32 2e 35 76 31 32 2e 35 68 32 2e 37 56 39 2e 33 63 30 2d 31 2e 35 2c 31 2d 32 2e 37 2c 33 2e 33 2d 32 2e 37 48 32 35 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: .3-3.9,1.5V4.6h-2.5v12.5h2.7V9.3c0-1.5,1-2.7,3.3-2.7H25 c4,0.1,4.4,0.3,4.5,3.3v0.7H32V8.9C31.9,7.4,31.5,6.2,30.6,5.5z"/> <path class="transip-logo-part" d="M48,13.7c0,0.7-0.3,1-1.2,1.
Nov 7, 2024 13:17:27.662858009 CET	1236	IN	Data Raw: 2c 30 2e 31 2d 30 2e 39 2c 30 2e 36 2d 31 2e 31 63 30 2e 35 2d 30 2e 32 2c 31 2e 35 2d 30 2e 33 2c 33 2e 31 30 31 2d 30 2e 33 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 48 38 33 2e 33 63 31 Data Ascii: ,0.1-0.9,0.6-1.1c0.5-0.2,1.5-0.3,3.101-0.3 H83.3c1.2,0,2.2,0,2.8,0.2C86.7,7,87,7.3,87,8.2v0.3h2.5V7.7c0-0.9-0.2-1.8-1.1-2.3c-0.9-0.6-2.4-0.9-4.9-0.9H80 c-2.8,0-4.5,0.3-5.6,0.8c-1,
Nov 7, 2024 13:17:27.662869930 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 74 72 61 6e 73 69 70 2d 6c Data Ascii: <g> <path class="transip-logo-part" fill="#187DC1" d="M117.3,12.2c0,2.7-1.3,3.1-4,3.1h-4c-2.399,0-4.1-0.399-4.2-3.2V9.8c0-2,1-3.3,3.9-3.3h4.5 c3.1,
Nov 7, 2024 13:17:27.662883997 CET	1236	IN	Data Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 6a 61 76 61 73 63 72 69 70 74 3a 73 77 69 74 63 68 4c 61 6e 67 75 61 67 65 28 27 65 6e 27 29 22 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 6c 65 66 74 3a Data Ascii: <a href="javascript:switchLanguage('en')" style="margin-left: 8px;" class="reserved-nav-flag"> <svg class="flag-icon" xmlns="http://www.w3.org/2000/svg" height="15" width="20" viewBox="0 0 640 480">
Nov 7, 2024 13:17:27.662899017 CET	848	IN	Data Raw: 73 73 3d 22 76 69 73 69 62 6c 65 2d 6d 64 20 76 69 73 69 62 6c 65 2d 6c 67 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 20 6d 61 78 2d 77 69 64 74 68 3a 20 32 30 30 70 78 3b 20 62 6f 72 64 65 72 3a Data Ascii: ss="visible-md visible-lg" style="display: inline-block; max-width: 200px; border: 1px solid #2ba3f4; text-transform: uppercase; font-weight: bold; color: #2ba3f4; border-radius: 3px; padding: 5px; padding-left: 10px; padding-right: 10px;">
Nov 7, 2024 13:17:27.667915106 CET	1236	IN	Data Raw: 35 37 2c 35 37 73 32 35 2e 35 2c 35 37 2c 35 37 2c 35 37 73 35 37 2d 32 35 2e 35 2c 35 37 2d 35 37 53 31 33 31 2e 34 2c 34 34 2c 39 39 2e 39 2c 34 34 7a 20 4d 31 33 33 2e 34 2c 31 34 31 2e 33 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: 57,57s25.5,57,57,57s57-25.5,57-57S131.4,44,99.9,44z M133.4,141.3 c-3.7-1.8-15.9-4.2-18.8-6.1c-3.4-2.1-2.3-13.7-2.3-13.7l2.3-2c0,0,0.6-5.2,1.6-7.1c2.2-4.3,4.6-11.4,4.6-11.4s2.3-1.7,2.3-4.6

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	54626	199.59.243.227	80	7332	C:\qkcgyxexucxsiyk\bsiphbvc.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 13:17:29.074740887 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: variousstream.net
Nov 7, 2024 13:17:29.701468945 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 12:17:29 GMT content-type: text/html; charset=utf-8 content-length: 1066 x-request-id: b1de47ca-7b84-45e5-b8e3-266f3c96f133 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ== set-cookie: parking_session=b1de47ca-7b84-45e5-b8e3-266f3c96f133; expires=Thu, 07 Nov 2024 12:32:29 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 53 48 57 78 4b 61 44 77 6f 44 6f 77 66 36 4c 4b 38 37 48 37 43 67 61 6e 64 75 64 43 5a 44 6d 51 47 5a 44 66 75 6c 48 7a 46 33 2b 71 61 37 37 57 52 36 7a 53 41 4f 70 32 47 6e 6f 6d 44 4b 45 7a 61 45 62 64 50 67 46 4f 47 31 48 77 38 41 67 68 7a 4e 4e 74 45 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 13:17:29.701493025 CET	519	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYjFkZTQ3Y2EtN2I4NC00NWU1LWI4ZTMtMjY2ZjNjOTZmMTMzIiwicGFnZV90aW1lIjoxNzMwOTgxOD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	54627	18.143.155.63	80	7332	C:\qkcgyxexucxsiyk\bsiphbvc.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 13:17:29.790235043 CET	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: returnbottle.net
Nov 7, 2024 13:17:31.248075008 CET	387	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 12:17:30 GMT Content-Type: text/html Connection: close Set-Cookie: btst=ed7b0960e7e35dd7bd64a0b85785aab1\|173.254.250.79\|1730981850\|1730981850\|0\|1\|0; path=/; domain=.returnbottle.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Target ID:	0
Start time:	07:14:42
Start date:	07/11/2024
Path:	C:\Users\user\Desktop\DBROG0eWH7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DBROG0eWH7.exe"
Imagebase:	0x750000
File size:	357'376 bytes
MD5 hash:	FA91458E80BA750FDA0B41D2B88AE1B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:14:42
Start date:	07/11/2024
Path:	C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe
Wow64 process (32bit):	true
Commandline:	"C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe"
Imagebase:	0xf10000
File size:	357'376 bytes
MD5 hash:	FA91458E80BA750FDA0B41D2B88AE1B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:14:42
Start date:	07/11/2024
Path:	C:\qkcgyxexucxsiyk\bsiphbvc.exe
Wow64 process (32bit):	true
Commandline:	C:\qkcgyxexucxsiyk\bsiphbvc.exe
Imagebase:	0xab0000
File size:	357'376 bytes
MD5 hash:	FA91458E80BA750FDA0B41D2B88AE1B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:14:42
Start date:	07/11/2024
Path:	C:\qkcgyxexucxsiyk\jqvkzish.exe
Wow64 process (32bit):	true
Commandline:	frrqzdvmnkqk "c:\qkcgyxexucxsiyk\bsiphbvc.exe"
Imagebase:	0xb0000
File size:	357'376 bytes
MD5 hash:	FA91458E80BA750FDA0B41D2B88AE1B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:14:43
Start date:	07/11/2024
Path:	C:\qkcgyxexucxsiyk\bsiphbvc.exe
Wow64 process (32bit):	true
Commandline:	"C:\qkcgyxexucxsiyk\bsiphbvc.exe"
Imagebase:	0xab0000
File size:	357'376 bytes
MD5 hash:	FA91458E80BA750FDA0B41D2B88AE1B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:16:01
Start date:	07/11/2024
Path:	C:\qkcgyxexucxsiyk\bsiphbvc.exe
Wow64 process (32bit):	true
Commandline:	"c:\qkcgyxexucxsiyk\bsiphbvc.exe"
Imagebase:	0xab0000
File size:	357'376 bytes
MD5 hash:	FA91458E80BA750FDA0B41D2B88AE1B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:16:02
Start date:	07/11/2024
Path:	C:\qkcgyxexucxsiyk\jqvkzish.exe
Wow64 process (32bit):	true
Commandline:	frrqzdvmnkqk "c:\qkcgyxexucxsiyk\bsiphbvc.exe"
Imagebase:	0x1e0000
File size:	357'376 bytes
MD5 hash:	FA91458E80BA750FDA0B41D2B88AE1B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:17:20
Start date:	07/11/2024
Path:	C:\qkcgyxexucxsiyk\bsiphbvc.exe
Wow64 process (32bit):	true
Commandline:	"c:\qkcgyxexucxsiyk\bsiphbvc.exe"
Imagebase:	0xab0000
File size:	357'376 bytes
MD5 hash:	FA91458E80BA750FDA0B41D2B88AE1B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	07:17:23
Start date:	07/11/2024
Path:	C:\qkcgyxexucxsiyk\jqvkzish.exe
Wow64 process (32bit):	true
Commandline:	frrqzdvmnkqk "c:\qkcgyxexucxsiyk\bsiphbvc.exe"
Imagebase:	0x610000
File size:	357'376 bytes
MD5 hash:	FA91458E80BA750FDA0B41D2B88AE1B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	16.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	46%
Total number of Nodes:	2000
Total number of Limit Nodes:	61

Executed Functions

Function 00761B40 Relevance: 274.7, APIs: 145, Strings: 9, Instructions: 5246COMMON

Download Yara Rule

APIs

Part of subcall function 0075B2A0: WaitForSingleObject.KERNEL32(?,00004E20), ref: 0075B2C5

Part of subcall function 0077FF22: _doexit.LIBCMT ref: 0077FF2C

_malloc.LIBCMT ref: 00762593
_memset.LIBCMT ref: 0076262A

Strings

yG_5, xrefs: 00763049, 007637CA
)bg, xrefs: 007637CD
C:\Users\user, xrefs: 00765897
yG_5, xrefs: 00762106
_Wy, xrefs: 007679F6
E:9, xrefs: 0076204E
->`b, xrefs: 00764AE3
jz8, xrefs: 00765AA2
E:9, xrefs: 00766915, 00762459

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: ObjectSingleWait_doexit_malloc_memset
String ID: ->`b$C:\Users\user$_Wy$yG_5$yG_5$)bg$E:9$E:9$jz8
API String ID: 3291073784-566735055
Opcode ID: 4d462cd33db662bc712c3cf73a974f941ac8aae9390dfba1074353346f970b4a
Instruction ID: 1a54c18a3e73d405f29116244bb3eb32483efca28e5b14533de6bd3a2b89e2f4
Opcode Fuzzy Hash: 4d462cd33db662bc712c3cf73a974f941ac8aae9390dfba1074353346f970b4a
Instruction Fuzzy Hash: 2BB38D31810A48DED716DF79DC416AAB774BF9B780F00C356E90A761A2FB7959C2CB08

Function 007510A0 Relevance: 86.8, APIs: 13, Strings: 34, Instructions: 4533libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(Ker), ref: 00751DBD
GetProcAddress.KERNEL32(00007243), ref: 00752066
GetProcAddress.KERNEL32(Creat), ref: 007521F4
GetProcAddress.KERNEL32(SetEv), ref: 00752306
GetProcAddress.KERNEL32(00006157), ref: 007524D3
GetProcAddress.KERNEL32(CloseHandleSetEv), ref: 007528DD
GetProcAddress.KERNEL32(65656C53), ref: 00752A92
_memset.LIBCMT ref: 00752DC4
CreateThread.KERNELBASE(00000000,00000000,00767490,00000128,00000000,00000000), ref: 007539A6
CloseHandle.KERNELBASE(00000000,?,?,00000000), ref: 00753D76

Strings

eObj, xrefs: 00751ADA
]D87, xrefs: 00751130
vent, xrefs: 00751AA9
eThr, xrefs: 00751B31
ent, xrefs: 00751A9F
p, xrefs: 00751B49
tF, xrefs: 00751B15
ct, xrefs: 00751AE4
e, xrefs: 00751B42
ead, xrefs: 00751A8B
SetEv, xrefs: 007522F9, 007522FF
T+, xrefs: 0075552F
fM, xrefs: 00751339
o, xrefs: 00751B52
nel3, xrefs: 00751A95
CloseHandleSetEv, xrefs: 007528C6, 007528CC
eate, xrefs: 00751B01
Cr, xrefs: 00751B62
Creat, xrefs: 007521C7, 007521E1
Ker, xrefs: 00751DB6, 00751DBC
rSin, xrefs: 00751ABC
A, xrefs: 00751B59
i}kN, xrefs: 007513BF
E, xrefs: 00751B79
Wa, xrefs: 00751A82
Slee, xrefs: 00751B1E
dll, xrefs: 00751AED
2., xrefs: 00751B80
gl, xrefs: 00751B28
_Wy, xrefs: 00752C67, 00753620, 0075456C
i, xrefs: 00751B72
U;8, xrefs: 007547AE
"}N, xrefs: 0075138B
8e#!, xrefs: 007518FA

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: AddressProc$Handle$CloseCreateModuleThread_memset
String ID: U;8$"}N$2.$8e#!$A$CloseHandleSetEv$Cr$Creat$E$Ker$SetEv$Slee$T+$Wa$]D87$_Wy$ct$dll$e$eObj$eThr$ead$eate$ent$fM$gl$i$i}kN$nel3$o$p$rSin$tF$vent
API String ID: 3360259145-3784719250
Opcode ID: 47c441b4c9bf02a4f068912924b58616add6934df87e31c11019010252082af8
Instruction ID: 39cc621e6edc48ff949f7ec37450418ffca7131b8bd65c9df92a0cfe1ccbaa2e
Opcode Fuzzy Hash: 47c441b4c9bf02a4f068912924b58616add6934df87e31c11019010252082af8
Instruction Fuzzy Hash: 06B31C31810B598AC757CF7AD8512A9B374BF9B381F10D346E809B6162FB7959C2DF08

Function 007600B0 Relevance: 39.4, APIs: 19, Strings: 3, Instructions: 900
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(007A44C8,74DEF550,00000000,00000000), ref: 00760305
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00760575

Part of subcall function 0075E550: _memset.LIBCMT ref: 0075E56E
Part of subcall function 0075E550: _free.LIBCMT ref: 0075E596

DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00760698
RemoveDirectoryA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 007606CE
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 007607F4
_strcat.LIBCMT ref: 00760806
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0076089E
__snprintf.LIBCMT ref: 007609E9
CreateDirectoryA.KERNEL32(?,00000000), ref: 00760AE1

Part of subcall function 0075E120: _malloc.LIBCMT ref: 0075E1CF

__snprintf.LIBCMT ref: 00760A8E
_strcat.LIBCMT ref: 00760B68
CreateDirectoryA.KERNEL32(?,00000000), ref: 00760B9D
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00760D22
_strcat.LIBCMT ref: 00760E50
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00760E8C
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00760FB1
_strcat.LIBCMT ref: 00760FD2
SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 007610C4
_memset.LIBCMT ref: 007610D8

Strings

C:\Users\user, xrefs: 007609DD, 00760A7C
\, xrefs: 00760DBC
C:\qkcgyxexucxsiyk\, xrefs: 00760801, 00760B63, 00760E4B, 00760FCD

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: Directory$Create$_strcat$FilePathTemp__snprintf_memset$AttributesDeleteRemoveVersion_free_malloc
String ID: C:\Users\user$C:\qkcgyxexucxsiyk\$\
API String ID: 1290010854-488630046
Opcode ID: a118605864b83a38ae5a90623665521eb8038d285e7e7fe91c4bea25dfb7c001
Instruction ID: 011d11c3113495bd7b231a983fe6a78b826f843242aebb99d092e4376a5f7a24
Opcode Fuzzy Hash: a118605864b83a38ae5a90623665521eb8038d285e7e7fe91c4bea25dfb7c001
Instruction Fuzzy Hash: 62927031C10A4D9ACB02DFBADC4169EB774BF9A341F04C716E806B6162FB7856C6CB48

Function 0075A590 Relevance: 9.2, APIs: 6, Instructions: 219
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007796C0: _strcat.LIBCMT ref: 007796E2

Sleep.KERNELBASE(000003E8,?,00000000,00000000), ref: 0075A653
FindFirstFileA.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0075A816
DeleteFileA.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0075A8C7
FindNextFileA.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0075A8D5
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0075A914
_memset.LIBCMT ref: 0075A95F

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleep_memset_strcat
String ID:
API String ID: 1172265220-0
Opcode ID: 0c8130b3b8e4d34e3d8bcf1144d380cd415a53f55bad0b399dca18e8de9a624d
Instruction ID: 085c840132d5d6aa36dc251096547eccca71f58b5755a7300807d2de440d7070
Opcode Fuzzy Hash: 0c8130b3b8e4d34e3d8bcf1144d380cd415a53f55bad0b399dca18e8de9a624d
Instruction Fuzzy Hash: 7BA16D31C00A0CEECB02DFB9D8555AEB778FF4A341F14C356E906B6161EB385A86CB59

Function 00772230 Relevance: 4.6, APIs: 3, Instructions: 88
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 007722ED
CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 00772311
FreeSid.ADVAPI32(?), ref: 00772380

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: f144a6cc2e47c1325b1b68600eb9e3c9d09243d06c85aab52fe26fa5b95bc0bf
Instruction ID: a5c7bb1932714dbd478a35ed88add13f3a7eab326e2fb7c248d9d5bf49716f3f
Opcode Fuzzy Hash: f144a6cc2e47c1325b1b68600eb9e3c9d09243d06c85aab52fe26fa5b95bc0bf
Instruction Fuzzy Hash: F6411235D10B499AC702CF78D85166EB7B8FF5B381F10C356E805BA152EB795A83DB08

Function 00761B80 Relevance: 221.2, APIs: 115, Strings: 9, Instructions: 4198COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00762593
_memset.LIBCMT ref: 0076262A

Strings

yG_5, xrefs: 00763049, 007637CA
)bg, xrefs: 007637CD
C:\Users\user, xrefs: 00765897
yG_5, xrefs: 00762106
_Wy, xrefs: 007679F6
E:9, xrefs: 0076204E
->`b, xrefs: 00764AE3
jz8, xrefs: 00765AA2
E:9, xrefs: 00766915, 00762459

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: _malloc_memset
String ID: ->`b$C:\Users\user$_Wy$yG_5$yG_5$)bg$E:9$E:9$jz8
API String ID: 4137368368-566735055
Opcode ID: fe1076bfa243db61590c54ddd7baa2b4d973930aa4d4ec1606c66def7ab89692
Instruction ID: 373c339c5de4b91f98937b7cec94600281a982bb52e198afa9b27f40c9f32f7c
Opcode Fuzzy Hash: fe1076bfa243db61590c54ddd7baa2b4d973930aa4d4ec1606c66def7ab89692
Instruction Fuzzy Hash: E7938C31810B48DED716DF79AC516AAB774BF9B780F00C316E9057A1A2FB7959C2CB08

Function 00780A9D Relevance: 19.6, APIs: 13, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___security_init_cookie.LIBCMT ref: 00780A9D
___crtGetShowWindowMode.LIBCMT ref: 00780AB3

Part of subcall function 00781D30: GetStartupInfoW.KERNEL32(?), ref: 00781D3A

_fast_error_exit.LIBCMT ref: 00780B16
_fast_error_exit.LIBCMT ref: 00780B27
__RTC_Initialize.LIBCMT ref: 00780B2D
__ioinit.LIBCMT ref: 00780B36
_fast_error_exit.LIBCMT ref: 00780B41
GetCommandLineA.KERNEL32(0079FDA0,00000014), ref: 00780B47
___crtGetEnvironmentStringsA.LIBCMT ref: 00780B52
__setargv.LIBCMT ref: 00780B5C
__setenvp.LIBCMT ref: 00780B6D
__cinit.LIBCMT ref: 00780B80
__wincmdln.LIBCMT ref: 00780B91

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: _fast_error_exit$___crt$CommandEnvironmentInfoInitializeLineModeShowStartupStringsWindow___security_init_cookie__cinit__ioinit__setargv__setenvp__wincmdln
String ID:
API String ID: 1579532436-0
Opcode ID: ba96151fd0a7be3458ff07b726d2179d2861790b340f3d8706d05d63f10b7110
Instruction ID: 4090bd2aafa4e137f575a099e8424a4ca5ed3e4fc6258dabbf66711806f79cba
Opcode Fuzzy Hash: ba96151fd0a7be3458ff07b726d2179d2861790b340f3d8706d05d63f10b7110
Instruction Fuzzy Hash: 6B21E5A06C0345D9EBD07BB49D4EF6E2654AF00759F908069F90C9A0D2EFFCC94893E6

Function 0075A970 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 109
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0075A9DD
_memset.LIBCMT ref: 0075A9EA
CreateProcessA.KERNELBASE(6F27C689,CE90F1CB,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?), ref: 0075AA67
CloseHandle.KERNEL32(Drv), ref: 0075AA74
CloseHandle.KERNEL32(CE960DD4), ref: 0075AAAB

Strings

Drv, xrefs: 0075AA71
D, xrefs: 0075AA06

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: CloseHandle_memset$CreateProcess
String ID: D$Drv
API String ID: 1151464618-2549996444
Opcode ID: dcdee563a07365fefe5da4ca66b239278d49deded9e1e7170851618f167673ac
Instruction ID: afb7efc7fb71049c77931c24fc5bff17d8f3fce07380eeea87eac13bde651b1a
Opcode Fuzzy Hash: dcdee563a07365fefe5da4ca66b239278d49deded9e1e7170851618f167673ac
Instruction Fuzzy Hash: C0415E3191064CEEC702CFB9D84179DB7B4BF8A340F10C356E905B61A2E7756A96DF48

Function 0075FC60 Relevance: 12.2, APIs: 8, Instructions: 250
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 0075FCF1
ReadFile.KERNELBASE(00000000,00000000,4EEBF2B6,?,00000000), ref: 0075FD40
CloseHandle.KERNELBASE(00000000), ref: 0075FD7D

Part of subcall function 007796C0: _strcat.LIBCMT ref: 007796E2

GetTickCount.KERNEL32 ref: 0075FDBA

Part of subcall function 0075E5D0: __itow.LIBCMT ref: 0075E60F

_sprintf.LIBCMT ref: 0075FEE2
CreateFileA.KERNELBASE(4EADF7CB,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0075FF44
WriteFile.KERNELBASE(00000000,00000000,4EEBF2B6,?,00000000), ref: 0075FFB0
CloseHandle.KERNEL32(00000000), ref: 00760020

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite__itow_sprintf_strcat
String ID:
API String ID: 1645784512-0
Opcode ID: f5919d732e11317b5fb2733ec0b6f84819da5f9eed2b3b4439df98a54e1bf062
Instruction ID: aac5535b54d11e1f98cc6e4b3d767f6c218cf4a6275d795b132943196aacf55d
Opcode Fuzzy Hash: f5919d732e11317b5fb2733ec0b6f84819da5f9eed2b3b4439df98a54e1bf062
Instruction Fuzzy Hash: 23B16B3180060CEAD702DFBAAC416AEB734FF8A740F14C706E905761A2F77925D6DB59

Function 0075AB30 Relevance: 4.7, APIs: 3, Instructions: 211
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0075B2A0: WaitForSingleObject.KERNEL32(?,00004E20), ref: 0075B2C5

CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000000,00000000,4E86B585), ref: 0075ACC1

Part of subcall function 0075B340: ReleaseMutex.KERNEL32(?), ref: 0075B357

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: CreateFileMutexObjectReleaseSingleWait
String ID:
API String ID: 1564016613-0
Opcode ID: de6d5dbef6ee5a85e602b589e70aa308e58809f0aac9e5bf453381207201ec2d
Instruction ID: 73698ee8c8ed71ca3349e785f01595e0ad66af0ab235d7f18bc75dfc1d55563f
Opcode Fuzzy Hash: de6d5dbef6ee5a85e602b589e70aa308e58809f0aac9e5bf453381207201ec2d
Instruction Fuzzy Hash: 0C916C32D10A4CDACB02CFB9DC516AEB774BF8A381F00C356E90576162EB7955D2DB48

Function 0077D002 Relevance: 4.5, APIs: 3, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 0077D01A

Part of subcall function 0077FFBC: __FF_MSGBANNER.LIBCMT ref: 0077FFD3
Part of subcall function 0077FFBC: __NMSG_WRITE.LIBCMT ref: 0077FFDA
Part of subcall function 0077FFBC: RtlAllocateHeap.NTDLL(?,00000000,00000001,00000000,00000000,00000000,?,00781324,00000000,00000000,00000000,00000000,?,00781BFD,00000018,0079FDC0), ref: 0077FFFF

std::exception::exception.LIBCMT ref: 0077D038
__CxxThrowException@8.LIBCMT ref: 0077D04D

Part of subcall function 00780D5A: RaiseException.KERNEL32(?,?,?,0079FBB0,74DEF550,00000000,?,?,?,0077D052,?,0079FBB0,00000008,00000001), ref: 00780DAF

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID:
API String ID: 3074076210-0
Opcode ID: 58589f50beb81d62e1b1e157118fdd84a236815d1b307ec5b70596338095bae4
Instruction ID: b3d4279f38b1a268f6d6b03f3c8aab434273676ca6f37b48753b92e1df38df53
Opcode Fuzzy Hash: 58589f50beb81d62e1b1e157118fdd84a236815d1b307ec5b70596338095bae4
Instruction Fuzzy Hash: 19E0E57054020DF6DF10BEA8DC1A8EE777CAF00340F008465EC08E5192EB799E09D6E1

Function 0075FB80 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0075FC0C

Strings

0Z], xrefs: 0075FBA6

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: _memset
String ID: 0Z]
API String ID: 2102423945-2320452800
Opcode ID: 4129949fb137678a1f8f71b6ce7d03c569f9a526e4413bb67ab9c6d7ce522006
Instruction ID: 9582350f8fa17a83ec03b0054d015edaf597233f6b6997cf4601081b6ecfb3f8
Opcode Fuzzy Hash: 4129949fb137678a1f8f71b6ce7d03c569f9a526e4413bb67ab9c6d7ce522006
Instruction Fuzzy Hash: 5A21933190020CEBCB04DFB8DD81ADDB3B4EF49700F10C266E905A7192E7796A91DB54

Function 0077FC69 Relevance: 3.0, APIs: 2, Instructions: 7
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 0077FC6F

Part of subcall function 0077FC35: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,0077FC74,00000000,?,0077FFE9,000000FF,0000001E,00000000,00000000,00000000,?,00781324), ref: 0077FC44
Part of subcall function 0077FC35: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0077FC56

ExitProcess.KERNEL32 ref: 0077FC78

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: bb4bf9e2828f15223009dcfc83abdc98d15a4f8990b021fb2bcc98855b58a679
Instruction ID: 034d43fb7eb3bee22b44d57184d79419fe4d97e521fd3ea78f597fc53b8b7ff0
Opcode Fuzzy Hash: bb4bf9e2828f15223009dcfc83abdc98d15a4f8990b021fb2bcc98855b58a679
Instruction Fuzzy Hash: 0FB0923000010EBBCF022F11DD0A84C3F69EF002D0B008021F90A08031DB7AAA939A95

Function 0077FF22 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_doexit.LIBCMT ref: 0077FF2C

Part of subcall function 0077FDF3: __lock.LIBCMT ref: 0077FE01
Part of subcall function 0077FDF3: DecodePointer.KERNEL32(0079FCB8,0000001C,0077FD4C,00000000,00000001,00000000,?,0077FC9A,000000FF,?,00781B56,00000011,?,?,007833FF,0000000D), ref: 0077FE40
Part of subcall function 0077FDF3: DecodePointer.KERNEL32(?,0077FC9A,000000FF,?,00781B56,00000011,?,?,007833FF,0000000D), ref: 0077FE51
Part of subcall function 0077FDF3: EncodePointer.KERNEL32(00000000,?,0077FC9A,000000FF,?,00781B56,00000011,?,?,007833FF,0000000D), ref: 0077FE6A
Part of subcall function 0077FDF3: DecodePointer.KERNEL32(-00000004,?,0077FC9A,000000FF,?,00781B56,00000011,?,?,007833FF,0000000D), ref: 0077FE7A
Part of subcall function 0077FDF3: EncodePointer.KERNEL32(00000000,?,0077FC9A,000000FF,?,00781B56,00000011,?,?,007833FF,0000000D), ref: 0077FE80
Part of subcall function 0077FDF3: DecodePointer.KERNEL32(?,0077FC9A,000000FF,?,00781B56,00000011,?,?,007833FF,0000000D), ref: 0077FE96
Part of subcall function 0077FDF3: DecodePointer.KERNEL32(?,0077FC9A,000000FF,?,00781B56,00000011,?,?,007833FF,0000000D), ref: 0077FEA1

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: Pointer$Decode$Encode$__lock_doexit
String ID:
API String ID: 2158581194-0
Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction ID: f7f6a0432f982f61e0f5b7a89d520721d54e395663bdd65d67eea067398039ac
Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction Fuzzy Hash: BEB0127168030C73DE212541EC03F053B4C5740B94F204031FA0C1C2E1A5D3756050C9

Non-executed Functions

Function 0075BBD0 Relevance: 23.7, APIs: 12, Strings: 1, Instructions: 942networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0075E550: _memset.LIBCMT ref: 0075E56E
Part of subcall function 0075E550: _free.LIBCMT ref: 0075E596

Part of subcall function 0075E120: _malloc.LIBCMT ref: 0075E1CF

__snprintf.LIBCMT ref: 0075C327
socket.WS2_32(00000002,00000001,00000006), ref: 0075C4AB
setsockopt.WS2_32(00000000,0000FFFF,00001006,00000000,00000004), ref: 0075C509
gethostbyname.WS2_32(?), ref: 0075C516
inet_ntoa.WS2_32(?), ref: 0075C54E
inet_addr.WS2_32(00000000), ref: 0075C555
htons.WS2_32(00000050), ref: 0075C593
connect.WS2_32(00000000,?,00000010), ref: 0075C5DF
send.WS2_32(00000000,00000000,00000000,00000000), ref: 0075C6C7
recv.WS2_32(00000000,?,00000400,00000000), ref: 0075C72C

Strings

/, xrefs: 0075BE76

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: __snprintf_free_malloc_memsetconnectgethostbynamehtonsinet_addrinet_ntoarecvsendsetsockoptsocket
String ID: /
API String ID: 3604359004-2043925204
Opcode ID: 5bf06f664b509e81346509242a41aed0a00b2c825b226d33dea745950ffb64e4
Instruction ID: a2ac64b687a973e25675ea2029c34f01a90c43d59c802e6ac881799dda69d073
Opcode Fuzzy Hash: 5bf06f664b509e81346509242a41aed0a00b2c825b226d33dea745950ffb64e4
Instruction Fuzzy Hash: 8E92A031D10B489ACB16DFB9DC516ADB374BF9B341F10C316E805B62A2FB785986CB48

Function 0075D460 Relevance: 13.7, APIs: 9, Instructions: 192serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002,00000000), ref: 0075D4AF
CreateServiceA.ADVAPI32(00000000,00D70088,00D70088,000F01FF,00000110,00000002,00000000,4EF0193E,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0075D534
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 0075D57B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0075D598
CloseServiceHandle.ADVAPI32(00000000), ref: 0075D5B7
OpenServiceA.ADVAPI32(00000000,00000010), ref: 0075D5D8
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0075D648
CloseServiceHandle.ADVAPI32(00000000), ref: 0075D65C
CloseServiceHandle.ADVAPI32(00000000), ref: 0075D6A8

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: da2c05abce5d4c2f634cedbc0d82f5810e24e91bf7e58e3dee512b4e8c9c0091
Instruction ID: cca03555cf2b85bdbe98ef028942d13770caa2079ba1be0481ad219cbf2956ff
Opcode Fuzzy Hash: da2c05abce5d4c2f634cedbc0d82f5810e24e91bf7e58e3dee512b4e8c9c0091
Instruction Fuzzy Hash: 11914B31C20E4D9ED703CFBA98116AEF738AF9B781F10C306E815761A1EB7955C68B08

Function 007723B0 Relevance: 12.2, APIs: 8, Instructions: 193serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000,?,00000000), ref: 00772452
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000,?,00000000), ref: 0077247C
GetLastError.KERNEL32(?,00000000), ref: 00772484
_malloc.LIBCMT ref: 007724AB
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000,00000000), ref: 007724D3
__snprintf.LIBCMT ref: 00772549
_free.LIBCMT ref: 00772598
CloseServiceHandle.ADVAPI32(00000000,00000000), ref: 007725A1

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService__snprintf_free_malloc
String ID:
API String ID: 3403677689-0
Opcode ID: ab2558c4c50a03704748dd19f01f4fa674a7e9ccf9e0c4f548a2e07b5e674014
Instruction ID: b6143d459f12d62a317c7763d0a3e9475cda87cede01fbd12a0ab58d955a8509
Opcode Fuzzy Hash: ab2558c4c50a03704748dd19f01f4fa674a7e9ccf9e0c4f548a2e07b5e674014
Instruction Fuzzy Hash: 5F719F31D00209EEDB01DFB6D885AAEB778EF8A340F14C716E90477191E7396A869B94

Function 00772843 Relevance: 9.1, APIs: 6, Instructions: 96processCOMMON

Download Yara Rule

APIs

Part of subcall function 0075E120: _malloc.LIBCMT ref: 0075E1CF

__snprintf.LIBCMT ref: 007728B5

Part of subcall function 0075E550: _memset.LIBCMT ref: 0075E56E
Part of subcall function 0075E550: _free.LIBCMT ref: 0075E596

CreateToolhelp32Snapshot.KERNEL32(00000008,?,?), ref: 00772900
Module32First.KERNEL32(00000000,?), ref: 00772925
CloseHandle.KERNEL32(0000000A,0000000A,?,00000000), ref: 00772A6F
Process32Next.KERNEL32(00000000,00000128), ref: 00772AC0
CloseHandle.KERNEL32(00000000), ref: 00772AD0

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: CloseHandle$CreateFirstModule32NextProcess32SnapshotToolhelp32__snprintf_free_malloc_memset
String ID:
API String ID: 1384585931-0
Opcode ID: 730a0d6a3688d775343d754d87f77bb22a4f98083956d5cd3a2a3d06d36d570f
Instruction ID: b2020b0a8240b346a34373e67317b7681edf401355b5db3927ceac2db4d47cf5
Opcode Fuzzy Hash: 730a0d6a3688d775343d754d87f77bb22a4f98083956d5cd3a2a3d06d36d570f
Instruction Fuzzy Hash: 4841A131D00209EFCB11DF7ADC45A9DB778FF8A345F04C256E808B61A1EB3866969F48

Function 0078207E Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00781A59,?,?,?,00000000), ref: 00782083
UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 0078208C

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: aa4d78868884bb7c0fcc5844eb073c718771d6a5b630761cd1047832576313c8
Instruction ID: d466b835dced2f514e6e901dd466fe72b21b235a619752836e82f8e683f39330
Opcode Fuzzy Hash: aa4d78868884bb7c0fcc5844eb073c718771d6a5b630761cd1047832576313c8
Instruction Fuzzy Hash: 6BB09231084A0CABCB002BE5EC09B597F28FB05756F448012F60E441718B779A128A99

Function 0075D420 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0075D455

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID:
API String ID: 3789849863-0
Opcode ID: bfee5139436c4dbfcec69325c0c523fcdcb10051d2d13c098be276c27f307ed0
Instruction ID: 1baf6db7a4baef8ca1e25397f76d0635372cf0d7d513b57bf4cb4c2d66b71957
Opcode Fuzzy Hash: bfee5139436c4dbfcec69325c0c523fcdcb10051d2d13c098be276c27f307ed0
Instruction Fuzzy Hash: 54E092B480520DDBDB00DFE5E54579EBBB8AB49205F50829AD80567240D7B55A048FA6

Function 0078204D Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,0078839F,00788354,?,00000000,00000000,00000000,00000000), ref: 00782053

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5e3e1d7f6eb7fd70e4b1dc637831d2589465d0988506a2c0350accc9884f0714
Instruction ID: 6a27824784cbb567a2cbf39413ddc22bc6b1cc58cd3441e42b56db2eb395f682
Opcode Fuzzy Hash: 5e3e1d7f6eb7fd70e4b1dc637831d2589465d0988506a2c0350accc9884f0714
Instruction Fuzzy Hash: 14A0123004060CA7CF001B51EC044443F1CF6001517444011F40D00130872359124584

Function 00791A6A Relevance: 1.4, Strings: 1, Instructions: 197COMMONLIBRARYCODE

Download Yara Rule

Strings

Zx, xrefs: 00791A9F, 00791AD3, 00791AEB

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID:
String ID: Zx
API String ID: 0-4213891535
Opcode ID: 13ae554fede668713c8418b731cea2a7546aabb52c717da24dcf4f4522932379
Instruction ID: 8475c641304f318dee8d73c6cebc488df94a53d3160c71a93059053a9d2843cc
Opcode Fuzzy Hash: 13ae554fede668713c8418b731cea2a7546aabb52c717da24dcf4f4522932379
Instruction Fuzzy Hash: 4A615BB1E016268BCF18CF1ED890169FBF6FF94300759C1AAE819DB31AE674D951CB90

Function 00776653 Relevance: .8, Instructions: 820COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c278e7a8631378f6064c13123a1e45e676acd8807fda065355670b2af5a341c
Instruction ID: b9d8569be3254ee41d33a7868d0bb04061a9c0b3d7aa87eadbf0b346ab06d3f5
Opcode Fuzzy Hash: 7c278e7a8631378f6064c13123a1e45e676acd8807fda065355670b2af5a341c
Instruction Fuzzy Hash: 1C826332D10A598EC706CF7ADC81269B7B4BF9E380B14C716E809B7162F73865D6DB48

Function 00776687 Relevance: .8, Instructions: 796COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 851422897eb1941fa2bca8c761e19d1a0cef9f13cb88e2158ff2bd1c688106fd
Instruction ID: e71c3eecf4f8137b7484273ff00d635d8dd3363949dc62540572b80828691026
Opcode Fuzzy Hash: 851422897eb1941fa2bca8c761e19d1a0cef9f13cb88e2158ff2bd1c688106fd
Instruction Fuzzy Hash: FD826432D10A598BC706CF7ADC81269B7B4BF9E380B14C716E809B7562F73865D6CB48

Function 00769EE0 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c338fbfffe29feb0a2224e6c5e5a1f818cdde487fc663d9469213905055deb3f
Instruction ID: 877485b6c25497ad4d56764301f6b8b87f9f5dccf46b9467a572753535e8977f
Opcode Fuzzy Hash: c338fbfffe29feb0a2224e6c5e5a1f818cdde487fc663d9469213905055deb3f
Instruction Fuzzy Hash: 95026231D106489FCB06CF7ED8911ADB7B4FF9A341B15C316E806B7262E7386982CB44

Function 0077DF8E Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 676d1b2786d34e22a393ed589729c9b2cd1d0d3b7c7b5320d8cf418b68dc7d97
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 7BC195722051930ADF2D463AC43503EFAB15E927F131B87ADD8BBCB1D5EE28C964D620

Function 0077E3C3 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 023bf45a86e23fdedf3f12d0dc3d2fd1d8d99c43b44d9cf0952f4cba7d08989d
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 8BC1757220519309DF6D4639C43503EBAB15EA27F131B97ADE8BBCF1D5EE28C924D620

Function 0077DB59 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 52875a43674a54250df18cf2529c6f4892ceec37fe259d9448853d69dd09d249
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: B6C15E723051930ADF3D4639847913EBAB15EA27F131A976DD8BBCB1D4EE28CD24D620

Function 0077D741 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 1fd09d50f203b18165932dbb75149720d46b5984123d37fafbbbe8bc72d50a7a
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: A9C16D7220919309DF3D463A847503EBAB15EA27F131B976DD8BBCB1D4EE28DD24D620

Function 0076A119 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5638b654b7816f63446993560b09691a5755e1121177583b45cffe435687441
Instruction ID: b6e68bff6ff40db1b18fcf84cff79bd367522be8a96637855fa8f24b03be1058
Opcode Fuzzy Hash: e5638b654b7816f63446993560b09691a5755e1121177583b45cffe435687441
Instruction Fuzzy Hash: 6DB14C31D106489FCB06CFBED88116DB7B5FF9A340B15C716E806B7262E7396992CB48

Function 0077D1A0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: e202493b8936cee054238c14e1097348c63b8db4c8ee9c1cce7b34566504fefe
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: C7113B7720108543DE34862DC8B46F6A7B5FFC63A176EC266C1494BA49D12ADD429500

Function 0076FF50 Relevance: 33.6, APIs: 18, Strings: 1, Instructions: 377
pipeprocessfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00770038
CreatePipe.KERNEL32(?,?,0000000C,00000000,?,00000000,00000000), ref: 007700DC
SetHandleInformation.KERNEL32(?,00000001,00000000,?,00000000,00000000), ref: 007700F1
CreatePipe.KERNEL32(?,?,0000000C,00000000,?,00000000,00000000), ref: 0077019B
SetHandleInformation.KERNEL32(?,00000001,00000000,?,00000000,00000000), ref: 00770279
_memset.LIBCMT ref: 00770287
_memset.LIBCMT ref: 007702CE
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 007703F5
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000), ref: 0077043F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000), ref: 00770461
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000), ref: 0077046A
WriteFile.KERNEL32(?,90D98B10,CD9B3DAB,?,00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 007704CF
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000), ref: 007704EA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000), ref: 00770505
WaitForSingleObject.KERNEL32(?,00002710,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0077056E
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00770577
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0077058A
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000), ref: 007705AF

Strings

D, xrefs: 007702E9

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: Handle$Close$Create_memset$InformationPipe$FileObjectProcessSingleWaitWrite
String ID: D
API String ID: 1810108774-2746444292
Opcode ID: 3eabe1eb05c68fc966ef36ccbd8b3f005fcae79ff02b0ea0d7d1d0168035ae6f
Instruction ID: adf19e16e237cd5f2c63ee6b4602adebfa1a941a76e778405a8ff12484f4b9ae
Opcode Fuzzy Hash: 3eabe1eb05c68fc966ef36ccbd8b3f005fcae79ff02b0ea0d7d1d0168035ae6f
Instruction Fuzzy Hash: 23023C31D10B4DDECB02CFB9D85169EB778BF9A381F10D316E906B6162EB385582DB48

Function 0075D090 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 174registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(Function_0000CE40), ref: 0075D1D8
SetServiceStatus.ADVAPI32(007A4780), ref: 0075D214
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0075D27D
SetServiceStatus.ADVAPI32(007A4780), ref: 0075D2A4
WaitForSingleObject.KERNEL32(00001388), ref: 0075D2CD
SetServiceStatus.ADVAPI32(007A4780), ref: 0075D35F
CloseHandle.KERNEL32 ref: 0075D392
SetServiceStatus.ADVAPI32(007A4780), ref: 0075D401

Strings

]/da, xrefs: 0075D224
>&|, xrefs: 0075D311

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID: ]/da$>&|
API String ID: 3399922960-1858257644
Opcode ID: e5b9a0c1a8f7c9597ad2570d83720a6651e37ee926158dd7e511df91198d2be2
Instruction ID: 76d62aa8fbb19e1587e356489b57ab7064ee83c9e3022cdd8ce2ea925d172c49
Opcode Fuzzy Hash: e5b9a0c1a8f7c9597ad2570d83720a6651e37ee926158dd7e511df91198d2be2
Instruction Fuzzy Hash: F9815A31910A48DEC706CFB8EC55269BBB4FB8B341F10C30AE801B6261EBBD55C6CB48

Function 007614E0 Relevance: 13.7, APIs: 9, Instructions: 231processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000000), ref: 00761579
Process32First.KERNEL32(00000000,00000128), ref: 00761665
_strcat.LIBCMT ref: 00761698

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32_strcat
String ID:
API String ID: 4070235666-0
Opcode ID: d51bbb76ee7d5e466c6a0b3057eac25622648e29d574a9917db897e7995310b8
Instruction ID: c030c27e7f23beabc4c51bdf4570e1f0ea7266d733c793d1c4dbbcfac27bb523
Opcode Fuzzy Hash: d51bbb76ee7d5e466c6a0b3057eac25622648e29d574a9917db897e7995310b8
Instruction Fuzzy Hash: F0A1A035C1060CDEC702CFBAD8456AEB378BF9A741B14C756E906B2162FB3859C6CB48

Function 00773140 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 226synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0075B2A0: WaitForSingleObject.KERNEL32(?,00004E20), ref: 0075B2C5

GetModuleFileNameA.KERNEL32(00000000,007A47C8,00000104), ref: 00773296
_strcat.LIBCMT ref: 007732B0
_memset.LIBCMT ref: 00773300
GetTickCount.KERNEL32 ref: 00773388
__vfwprintf_p.LIBCMT ref: 0077349A
ReleaseMutex.KERNEL32 ref: 007734C0

Part of subcall function 0075D7B0: GetModuleFileNameA.KERNEL32(00000000,00777F53,00000104,00000000), ref: 0075D7EF

Strings

oI\:, xrefs: 0077322B

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: FileModuleName$CountMutexObjectReleaseSingleTickWait__vfwprintf_p_memset_strcat
String ID: oI\:
API String ID: 123108371-3980936684
Opcode ID: 92c5e67c6b07a885b44a4fd28b4b927d478a51af28cfb8bf37f86dae9586e520
Instruction ID: f5d57e4ef2b5bf38edd231698cde8a3947fc5fa91ea183c2a980dd0d37cb1cf5
Opcode Fuzzy Hash: 92c5e67c6b07a885b44a4fd28b4b927d478a51af28cfb8bf37f86dae9586e520
Instruction Fuzzy Hash: 11A19D31910B489AC706DFB8AC5166AB778BFDB791B00C316E80676162FB7D45D3CB48

Function 007726A0 Relevance: 12.2, APIs: 8, Instructions: 241processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 0077274C
Process32First.KERNEL32(00000000,00000128), ref: 0077281D
__snprintf.LIBCMT ref: 007728B5
CreateToolhelp32Snapshot.KERNEL32(00000008,?,?), ref: 00772900
Module32First.KERNEL32(00000000,?), ref: 00772925
CloseHandle.KERNEL32(0000000A,0000000A,?,00000000), ref: 00772A6F
Process32Next.KERNEL32(00000000,00000128), ref: 00772AC0

Part of subcall function 0075E120: _malloc.LIBCMT ref: 0075E1CF

Part of subcall function 0075E550: _memset.LIBCMT ref: 0075E56E
Part of subcall function 0075E550: _free.LIBCMT ref: 0075E596

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32$CloseHandleModule32Next__snprintf_free_malloc_memset
String ID:
API String ID: 2771089087-0
Opcode ID: ea74ffe9c23ce7c3539aabc13afad7182b78f32d96cb8246d842198d6841634e
Instruction ID: a166f8021cd9ac6c3fa329ce2d344dbbad61be3dcb89356f2e3ae572f3826e46
Opcode Fuzzy Hash: ea74ffe9c23ce7c3539aabc13afad7182b78f32d96cb8246d842198d6841634e
Instruction Fuzzy Hash: FCB19E31D10A4DDEDB02CFB9DC4559EB778BF9B380F00C356E909BA162EB7855828B48

Function 00777AF0 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 480COMMON

Download Yara Rule

Strings

, xrefs: 00777E66
, xrefs: 00778198

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: _free_memset
String ID: $
API String ID: 287624719-227171996
Opcode ID: cecc99c4206f9ba39102d068e64dff86132e48582b9dbd9dea51276d14ec7a79
Instruction ID: 94d15e79617978c50a6f5a86431d944fac2a12fc9d71786dbdb63b5f54732486
Opcode Fuzzy Hash: cecc99c4206f9ba39102d068e64dff86132e48582b9dbd9dea51276d14ec7a79
Instruction Fuzzy Hash: 2712D231D10A48DACB06DFB9DC515AEB778BF8A380F04C316E905B6162FB785986CB58

Function 0076F3B0 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 376COMMON

Download Yara Rule

Strings

d'n., xrefs: 0076F5D1
%>+2, xrefs: 0076F5B4

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID:
String ID: %>+2$d'n.
API String ID: 0-2693770206
Opcode ID: 4014bf2fd070bb38b80841c10ad25154264c3ef72eeb4800c8580b89b42328dd
Instruction ID: 7ebf1db57f5b0ad5967a3ad4d1d88f52447eaaa3ae9962fc5dd24cdef49e870a
Opcode Fuzzy Hash: 4014bf2fd070bb38b80841c10ad25154264c3ef72eeb4800c8580b89b42328dd
Instruction Fuzzy Hash: B0F1D231C10A4D9ECB12CFB9D8512ADB374BF9B390B14C316EC06B61A2E73969D29B44

Function 0075EC20 Relevance: 10.8, APIs: 7, Instructions: 283sleepfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0075A530: _strcat.LIBCMT ref: 0075A562

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0075EEC0

Part of subcall function 0075E120: _malloc.LIBCMT ref: 0075E1CF

__snprintf.LIBCMT ref: 0075EF09

Part of subcall function 0075E550: _memset.LIBCMT ref: 0075E56E
Part of subcall function 0075E550: _free.LIBCMT ref: 0075E596

_memset.LIBCMT ref: 0075EFD9
_memset.LIBCMT ref: 0075EFEC
Sleep.KERNEL32(00015F90), ref: 0075F0A5
DeleteFileA.KERNEL32(?), ref: 0075F0B2
_memset.LIBCMT ref: 0075F0C6

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: _memset$File$DeleteModuleNameSleep__snprintf_free_malloc_strcat
String ID:
API String ID: 1452756023-0
Opcode ID: 4a473cf9f70f5058abd3c7b7b6aa158567b1c901c41366011d5401997ad25f6b
Instruction ID: 50dc5b9e376029e7847ceca8799c168dacf920e775ed0b8fe6ff411cab6ebaec
Opcode Fuzzy Hash: 4a473cf9f70f5058abd3c7b7b6aa158567b1c901c41366011d5401997ad25f6b
Instruction Fuzzy Hash: E0C1B731910A48DACB02DFB9DC556AEB378BF8A781F00C316E905B6162FB7856C6CB54

Function 00761676 Relevance: 10.6, APIs: 7, Instructions: 143COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 00761698
OpenProcess.KERNEL32(00000001,00000000,?,?,?,?,?,00000000), ref: 00761739
TerminateProcess.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 0076174D
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 007617C4
Process32Next.KERNEL32(00000000,00000128), ref: 007617EE
CloseHandle.KERNEL32(00000000), ref: 0076184F
_memset.LIBCMT ref: 00761888

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: CloseHandleProcess$NextOpenProcess32Terminate_memset_strcat
String ID:
API String ID: 1974761079-0
Opcode ID: 3619d87f3a56021f6526492f15b246b739c0ab4626edb917f1be6832b44a5a4b
Instruction ID: cb0b719f1cedcc375fc5b6e4d4d0081fb0c52e351dd79510cfb8a8f51ea385b6
Opcode Fuzzy Hash: 3619d87f3a56021f6526492f15b246b739c0ab4626edb917f1be6832b44a5a4b
Instruction Fuzzy Hash: A3516E32D10608DECB06DF79D8556AEB374BF5A741B14C356E806B2162FB3859D2CA48

Function 00783469 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00783469

Part of subcall function 0077FD51: EncodePointer.KERNEL32(00000000,?,0078346E,00780B21,0079FDA0,00000014), ref: 0077FD54
Part of subcall function 0077FD51: __initp_misc_winsig.LIBCMT ref: 0077FD6F
Part of subcall function 0077FD51: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00781DC9
Part of subcall function 0077FD51: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00781DDD
Part of subcall function 0077FD51: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00781DF0
Part of subcall function 0077FD51: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00781E03
Part of subcall function 0077FD51: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00781E16
Part of subcall function 0077FD51: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00781E29
Part of subcall function 0077FD51: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00781E3C
Part of subcall function 0077FD51: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00781E4F
Part of subcall function 0077FD51: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00781E62
Part of subcall function 0077FD51: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00781E75
Part of subcall function 0077FD51: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00781E88
Part of subcall function 0077FD51: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00781E9B
Part of subcall function 0077FD51: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00781EAE
Part of subcall function 0077FD51: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00781EC1
Part of subcall function 0077FD51: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00781ED4
Part of subcall function 0077FD51: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00781EE7

__mtinitlocks.LIBCMT ref: 0078346E
__mtterm.LIBCMT ref: 00783477
__calloc_crt.LIBCMT ref: 0078349C
__initptd.LIBCMT ref: 007834BE
GetCurrentThreadId.KERNEL32 ref: 007834C5

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: AddressProc$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm
String ID:
API String ID: 1593083391-0
Opcode ID: 8e2dc7d0f08cfada0a555aa788ac7fa50b0a08c0602d0851ca691f3a2c50877e
Instruction ID: d7fb3a7666430739cf79994188729abe4eb0f4165e61593c6a4d88725ac3f51f
Opcode Fuzzy Hash: 8e2dc7d0f08cfada0a555aa788ac7fa50b0a08c0602d0851ca691f3a2c50877e
Instruction Fuzzy Hash: 83F0F0327C935199E2757B7C7C0F66A2684DB01B31B608629F599C60E3FF1C8A424354

Function 0075D8E0 Relevance: 9.3, APIs: 6, Instructions: 290libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000), ref: 0075DAD2
GetProcAddress.KERNEL32(00000000), ref: 0075DB2C
_rand.LIBCMT ref: 0075DD1E
_rand.LIBCMT ref: 0075DD25
_rand.LIBCMT ref: 0075DD30
_rand.LIBCMT ref: 0075DD37

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: _rand$AddressProc
String ID:
API String ID: 345958962-0
Opcode ID: 96bc4c0095ceb77b1d3b23db48004d4c4a838467c8e567f52ffa2bca2a5a8336
Instruction ID: 7cfa2895dcb02ea876e5ea58f4b20a9ade536c5f73a28ec11c912a5b1de18718
Opcode Fuzzy Hash: 96bc4c0095ceb77b1d3b23db48004d4c4a838467c8e567f52ffa2bca2a5a8336
Instruction Fuzzy Hash: BFD19F31D10A48DECB12CFB9D8515ADB774FF9B391B14C316E801B62A2EB7959C2DB08

Function 0075AEE0 Relevance: 9.2, APIs: 6, Instructions: 223fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0075B2A0: WaitForSingleObject.KERNEL32(?,00004E20), ref: 0075B2C5

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0075AFF0
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 0075B0D3
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0075B1E1
_memset.LIBCMT ref: 0075B220
CloseHandle.KERNEL32(00000000,?), ref: 0075B235
_memset.LIBCMT ref: 0075B282

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: CloseFileHandle_memset$CreateObjectReadSingleWait
String ID:
API String ID: 2757182182-0
Opcode ID: 1b46021587b18696b1124da2bcc5630b25f1291a122632b9fe686eb6a4f375ae
Instruction ID: 76172fff7179b3b891c7d4a4fde6a3b834c375a4f58bdb87404d0abaabb9d945
Opcode Fuzzy Hash: 1b46021587b18696b1124da2bcc5630b25f1291a122632b9fe686eb6a4f375ae
Instruction Fuzzy Hash: FD91B431D10B489ACB02DFB99C516AEB378BF9B381F10C316E90576162FB7959C2CB58

Function 007618E0 Relevance: 9.1, APIs: 6, Instructions: 147processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000000), ref: 00761998
Process32First.KERNEL32(00000000,?), ref: 007619BA
_strcat.LIBCMT ref: 00761A12
Process32Next.KERNEL32(00000000,00000128), ref: 00761AC5
CloseHandle.KERNEL32(00000000), ref: 00761B1A
_memset.LIBCMT ref: 00761B2E

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset_strcat
String ID:
API String ID: 1640862104-0
Opcode ID: 54cf64e7856e2d481492912bb9e82b66c9b7ccd63c6202ed7d5a0e3f9b3cdf41
Instruction ID: e29ad8e899f3a93c4296e8c9ed679b224cb825ffd2ac484fc0b4413e7f431bb6
Opcode Fuzzy Hash: 54cf64e7856e2d481492912bb9e82b66c9b7ccd63c6202ed7d5a0e3f9b3cdf41
Instruction Fuzzy Hash: 19516E719002089BCB15CFB9D9455AEB7B4FF8A340F04C256E905F7261E738AA85CB48

Function 00772C90 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 286COMMON

Download Yara Rule

APIs

Part of subcall function 0075E120: _malloc.LIBCMT ref: 0075E1CF

__snprintf.LIBCMT ref: 00772D37

Part of subcall function 0075E550: _memset.LIBCMT ref: 0075E56E
Part of subcall function 0075E550: _free.LIBCMT ref: 0075E596

_memset.LIBCMT ref: 00772DBC
_memset.LIBCMT ref: 0077310D

Strings

C:\Users\user, xrefs: 00772DE0
Fs>., xrefs: 00772FA2

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: _memset$__snprintf_free_malloc
String ID: C:\Users\user$Fs>.
API String ID: 801102166-1231207852
Opcode ID: 3c7721db69e3cacbc5fe19d59180735320fce6ae55f389aae78e3f1631bc120e
Instruction ID: c0a17bfeec2b295f2a8f41c8ba4b3ae26e2d13f796ee63f67492139c0bd8c68a
Opcode Fuzzy Hash: 3c7721db69e3cacbc5fe19d59180735320fce6ae55f389aae78e3f1631bc120e
Instruction Fuzzy Hash: 6DC19371C10618DACB06DFB4DC46AEDB778BF5A380F00C216E905B6192FB786A96CB54

Function 0076A880 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0076A8F1

Part of subcall function 0077FFBC: __FF_MSGBANNER.LIBCMT ref: 0077FFD3
Part of subcall function 0077FFBC: __NMSG_WRITE.LIBCMT ref: 0077FFDA
Part of subcall function 0077FFBC: RtlAllocateHeap.NTDLL(?,00000000,00000001,00000000,00000000,00000000,?,00781324,00000000,00000000,00000000,00000000,?,00781BFD,00000018,0079FDC0), ref: 0077FFFF

_memset.LIBCMT ref: 0076A914
_memset.LIBCMT ref: 0076A9D1
_free.LIBCMT ref: 0076A9E4

Strings

\L5, xrefs: 0076A965

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: _memset$AllocateHeap_free_malloc
String ID: \L5
API String ID: 585861054-1149637256
Opcode ID: 8ad7cbb029ab487c084b6a52e085f9137eac5aedb7b527677974084b432c68d9
Instruction ID: 4a1639f21c482143f6d249a1dda451ced95d89901870e3aa434737ade28fa974
Opcode Fuzzy Hash: 8ad7cbb029ab487c084b6a52e085f9137eac5aedb7b527677974084b432c68d9
Instruction Fuzzy Hash: C0517371810B19DECB42DF78D85156AF3B8FF9A390B10C71BE816B7212EB759982CB44

Function 00773620 Relevance: 7.6, APIs: 5, Instructions: 69synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,?,00770ECC,007777B0,00000001), ref: 0077366D
CreateThread.KERNEL32(00000000,00000000,00000001,?,00000000,00000000), ref: 00773681
CloseHandle.KERNEL32(00000000,?,00770ECC,007777B0,00000001), ref: 007736D5
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00770ECC,007777B0,00000001), ref: 0077372A
CloseHandle.KERNEL32(00000000,?,00770ECC,007777B0,00000001), ref: 00773733

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: 8150a9b77394763505a043e73383adc42c5b60da35476e53212a0a1a3c280210
Instruction ID: b6a6c8117cef2391577112248c0b8b54de8aab23563ab20858c813f07a2bc5de
Opcode Fuzzy Hash: 8150a9b77394763505a043e73383adc42c5b60da35476e53212a0a1a3c280210
Instruction Fuzzy Hash: 54314831920B08EEC702CFB9DC51B49B778EF9B751F10C30AF906B61A1EB7855828B08

Function 00789BC5 Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00789BD1

Part of subcall function 0077FFBC: __FF_MSGBANNER.LIBCMT ref: 0077FFD3
Part of subcall function 0077FFBC: __NMSG_WRITE.LIBCMT ref: 0077FFDA
Part of subcall function 0077FFBC: RtlAllocateHeap.NTDLL(?,00000000,00000001,00000000,00000000,00000000,?,00781324,00000000,00000000,00000000,00000000,?,00781BFD,00000018,0079FDC0), ref: 0077FFFF

_free.LIBCMT ref: 00789BE4

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 3e732de8445f20b88c5f8d0d270b7736986e2dc540a19846905765c4ac6e49f1
Instruction ID: a305bed882e8220e104088be861cf721ef7cba4b9b69e7acf56af606f87c5a5e
Opcode Fuzzy Hash: 3e732de8445f20b88c5f8d0d270b7736986e2dc540a19846905765c4ac6e49f1
Instruction Fuzzy Hash: D011CA32584219EBCF213F78AC0967A3BD8BF15361F248526FB49D6151DE3D88419764

Function 00767490 Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 480synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 007676AC
WaitForSingleObject.KERNEL32(00002710), ref: 00767924
CloseHandle.KERNEL32 ref: 00767B02

Strings

_Wy, xrefs: 007679F6

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: CloseCreateEventHandleObjectSingleWait
String ID: _Wy
API String ID: 2631291778-1149416084
Opcode ID: 1087ec524c69a8becb8f1acd3967ff4910238634c377886be76481ef2ff503b2
Instruction ID: e7c7bee8b898c5cd90abd85d666f417e6f8b99978cf6d25141321e3b1f5e8316
Opcode Fuzzy Hash: 1087ec524c69a8becb8f1acd3967ff4910238634c377886be76481ef2ff503b2
Instruction Fuzzy Hash: B2322B31C20A599ECB06CFBAD8511ADB7B4BF9B381B14C317E801B6162F73858C2DB18

Function 0075B590 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 209COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0075B614
_strcat.LIBCMT ref: 0075B821

Part of subcall function 0075E120: _malloc.LIBCMT ref: 0075E1CF

Part of subcall function 0075E550: _memset.LIBCMT ref: 0075E56E
Part of subcall function 0075E550: _free.LIBCMT ref: 0075E596

Strings

=, xrefs: 0075B5DB
^^MN, xrefs: 0075B5CB

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: _memset$_free_malloc_strcat
String ID: =$^^MN
API String ID: 3230045079-2753829600
Opcode ID: 41f909baba68ff6201596c6b0666803c581e9107b89783a4d8cda35ea09b5e9a
Instruction ID: 371cc8af5529afdf22a8ef1f0c19663d85a62c14dcb8dd4f2c26904e44c49d7d
Opcode Fuzzy Hash: 41f909baba68ff6201596c6b0666803c581e9107b89783a4d8cda35ea09b5e9a
Instruction Fuzzy Hash: 18A16D32C10A499EC702CFBED8415AEB774BF9B381B14C716E80576162EB3869D6CF58

Function 0075CC40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,00000000,?), ref: 0075CD54
RegSetValueExA.ADVAPI32(?,00000000,00000001,CE921463,00000000), ref: 0075CDBA
RegCloseKey.ADVAPI32(?), ref: 0075CE29

Strings

htrN, xrefs: 0075CC88

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: CloseOpenValue
String ID: htrN
API String ID: 779948276-4437919
Opcode ID: a575f0f8c9afdf27f206bacbc53514d72328a03686e1448c6db613d82bbd723a
Instruction ID: 910db688dcafe17a5635b430f2e9a022f15dd882ef6ba137e01a2c0deaafc12b
Opcode Fuzzy Hash: a575f0f8c9afdf27f206bacbc53514d72328a03686e1448c6db613d82bbd723a
Instruction Fuzzy Hash: B0514B32C1064CEECB02CBBB984159DFB34AF9E345F24D756E800B61A1E7752AD5AF44

Function 00789554 Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 007895E5
_memmove.LIBCMT ref: 00789659
___AdjustPointer.LIBCMT ref: 007896AA
_memmove.LIBCMT ref: 007896B3

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: AdjustPointer_memmove
String ID:
API String ID: 1721217611-0
Opcode ID: 3d4830b795b965abe5505887db72e422eac010ce340502db75e07459e55c0769
Instruction ID: 590001cd22633b73835c20c97ca48f57b9022be60198cc94cf47029f892f5b23
Opcode Fuzzy Hash: 3d4830b795b965abe5505887db72e422eac010ce340502db75e07459e55c0769
Instruction Fuzzy Hash: 324194753843039EEB29BE18D895B7A33A4AF45320F68401DFA45861E1FF79EC81DB10

Function 00767EF0 Relevance: 6.2, APIs: 4, Instructions: 158COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00768000
_malloc.LIBCMT ref: 0076808E

Part of subcall function 0077FFBC: __FF_MSGBANNER.LIBCMT ref: 0077FFD3
Part of subcall function 0077FFBC: __NMSG_WRITE.LIBCMT ref: 0077FFDA
Part of subcall function 0077FFBC: RtlAllocateHeap.NTDLL(?,00000000,00000001,00000000,00000000,00000000,?,00781324,00000000,00000000,00000000,00000000,?,00781BFD,00000018,0079FDC0), ref: 0077FFFF

_memset.LIBCMT ref: 007680A5
_free.LIBCMT ref: 007680AC

Part of subcall function 0077FF84: HeapFree.KERNEL32(00000000,00000000,?,007833A7,00000000,007822E7,00789CF5,00000000,?,007812DA,?,?,00000000), ref: 0077FF98
Part of subcall function 0077FF84: GetLastError.KERNEL32(00000000,?,007833A7,00000000,007822E7,00789CF5,00000000,?,007812DA,?,?,00000000,?,?,?,007834A1), ref: 0077FFAA

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: Heap_malloc$AllocateErrorFreeLast_free_memset
String ID:
API String ID: 1931880523-0
Opcode ID: f79281e26835a743ecfbafeae7d08adece7a4772d9026d929e087d501420be2c
Instruction ID: 16a80c8e2dbbcc7dc01358af18daa9d94035789586e7b6f643a4b30b08aa9f13
Opcode Fuzzy Hash: f79281e26835a743ecfbafeae7d08adece7a4772d9026d929e087d501420be2c
Instruction Fuzzy Hash: 3461AF32C10A489ACB03DFBAD84016AF778FF9B390B14C356EC057A262FB395592CB55

Function 0078C726 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0078C75C
__isleadbyte_l.LIBCMT ref: 0078C78A
MultiByteToWideChar.KERNEL32(560C1730,00000009,?,C06E0F66,00000000,00000000,?,00000000,00000000,?,00760A93,?,00000000), ref: 0078C7B8
MultiByteToWideChar.KERNEL32(560C1730,00000009,?,00000001,00000000,00000000,?,00000000,00000000,?,00760A93,?,00000000), ref: 0078C7EE

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 454a0911b0edd736d51b216c26af9549d7dad2d02cdcd761667f2c30a553da6f
Instruction ID: 255bbbe4bc0d8412efe915898f9edeecaaaa261bd61f4a298c59792d53da5533
Opcode Fuzzy Hash: 454a0911b0edd736d51b216c26af9549d7dad2d02cdcd761667f2c30a553da6f
Instruction Fuzzy Hash: 4F31B431680246EFDB22AF75CC48B6A7BE5FF41320F154169F8648B1A1E738D851DFA0

Function 0078456C Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 007845BB
GetLastError.KERNEL32 ref: 007845C5
__free_osfhnd.LIBCMT ref: 007845D2
__dosmaperr.LIBCMT ref: 007845F4

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr__free_osfhnd
String ID:
API String ID: 1721093958-0
Opcode ID: aee41db926f1613482b8f261f3274419dddc3de99701efb47514dfba3dd6659c
Instruction ID: ced902c3d5194b059d24c1af4f963bd8944ee93e43605f31361066594b18f5b8
Opcode Fuzzy Hash: aee41db926f1613482b8f261f3274419dddc3de99701efb47514dfba3dd6659c
Instruction Fuzzy Hash: 3601263378019167C6217374B90DB7E3B854F82774F19431AEA19975D2DBBEC89183A1

Function 007878B0 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 007878D4

Part of subcall function 00787FBB: __fltout2.LIBCMT ref: 00787FE4

__cftog_l.LIBCMT ref: 007878FA
__cftoe_l.LIBCMT ref: 0078792C

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 97528c95ab462ee88af0cc1992edc7293eed247f6c840a93e3bbb7985f82c46c
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: F0014C3208814EFBCF1A6E84CC45CEE3F62BB19354B688415FA1A59031D23BD9B1EB91

Function 00788E98 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 00788EAF

Part of subcall function 007894C6: ___AdjustPointer.LIBCMT ref: 0078950F

_UnwindNestedFrames.LIBCMT ref: 00788EC6
___FrameUnwindToState.LIBCMT ref: 00788ED8
CallCatchBlock.LIBCMT ref: 00788EFC

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 47ff991701b949d2c6ac9b0ab3a6bae88cad4e47a60bb843eb0d441dcfe1d101
Instruction ID: 7d93137770559c3a81becb9b40ab6163e0169f5c2de57080c120b9f6db3f715a
Opcode Fuzzy Hash: 47ff991701b949d2c6ac9b0ab3a6bae88cad4e47a60bb843eb0d441dcfe1d101
Instruction Fuzzy Hash: 7B012932440149FBCF126F55CC05EEB3BBAFF48754F448014FA5866120D73AE8A1EBA1

Function 00782A9A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0078332F: __getptd_noexit.LIBCMT ref: 00783330

__lock.LIBCMT ref: 00782ADB
_free.LIBCMT ref: 00782B08

Strings

)z, xrefs: 00782AFF

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: __getptd_noexit__lock_free
String ID: )z
API String ID: 1533244847-279417685
Opcode ID: 510230b521a97ccfeb502846ab5e51703d8798a1c17712855d7dc4b54a354b93
Instruction ID: 57cc43f3992375eafb41b06813653cb0909dc71fa9a0e6b0fd74433f5aae7b07
Opcode Fuzzy Hash: 510230b521a97ccfeb502846ab5e51703d8798a1c17712855d7dc4b54a354b93
Instruction Fuzzy Hash: 7011A171D85725DBCB21BF68940561DB7A0FF05B22B15811AE814B3692DB3CAD43CBD1

Function 0078832D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__controlfp_s.LIBCMT ref: 0078833B

Part of subcall function 0078D8AF: __control87.LIBCMT ref: 0078D8D3

__invoke_watson.LIBCMT ref: 0078834E

Strings

csm, xrefs: 0078835C

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: __control87__controlfp_s__invoke_watson
String ID: csm
API String ID: 1371525046-1018135373
Opcode ID: 7c223177855d7b31945f2c238f26521f8c8c61eee384bb82e08a6307672c3e56
Instruction ID: 1d27a323163a8b5f8c897a18813a72237c362f9cad3041fcccbafbb3f3f032f6
Opcode Fuzzy Hash: 7c223177855d7b31945f2c238f26521f8c8c61eee384bb82e08a6307672c3e56
Instruction Fuzzy Hash: EDF030312C1214DA8BA9B9A96849AAE674D5F20B11FD84851F808CA952DF58DE81C397

Function 0078431A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 0078433C
__calloc_crt.LIBCMT ref: 00784355

Strings

Wz, xrefs: 0078436C

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: __calloc_crt
String ID: Wz
API String ID: 3494438863-2702952237
Opcode ID: 0f935fef16fbee1c1fdfbd3eaa587bdbcb07be4b00e252b5463716c9d4676251
Instruction ID: e5f9d58edbe80d525d2fedc044f6ce62623b5aa2200ec0083e6feb5e35841bcf
Opcode Fuzzy Hash: 0f935fef16fbee1c1fdfbd3eaa587bdbcb07be4b00e252b5463716c9d4676251
Instruction Fuzzy Hash: 7FF0C275398723DAF714EF69BC016A63798FB96328F144027E200EA698E3BCC8418348

Function 00781A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,00781AC4,00000000,00000000,00000000,00000000,00000000,00788856,?,0078209B,00000003,0077FFD8,00000000,00000000,00000000), ref: 00781A96
__invoke_watson.LIBCMT ref: 00781AB2

Strings

PNv, xrefs: 00781A96

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: DecodePointer__invoke_watson
String ID: PNv
API String ID: 4034010525-4070351811
Opcode ID: 61db481a8e76707180211c4ee584c3515f216c60e0b5544c2cd732a19eff8ee3
Instruction ID: cbb45864ab0bd78a3912cab060522e52edb183c23060e53fb95843e16913a0fb
Opcode Fuzzy Hash: 61db481a8e76707180211c4ee584c3515f216c60e0b5544c2cd732a19eff8ee3
Instruction Fuzzy Hash: D3E0EC75541109FBDF063F61DC098AA3A6ABF44350B848450FE1480531D63AC971DB95

Function 0077CFE1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 0077CFE6
__set_abort_behavior.LIBCMT ref: 0077CFF6

Strings

PNv, xrefs: 0077CFE6

Memory Dump Source

Source File: 00000000.00000002.1753135906.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true

Associated: 00000000.00000002.1753113863.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753175722.0000000000793000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753199651.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1753243416.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_750000_DBROG0eWH7.jbxd

Similarity

API ID: DecodePointer__set_abort_behavior
String ID: PNv
API String ID: 4109001881-4070351811
Opcode ID: d7de7c3eac9ff4a3a89f4292996206775a57fff64a1c311ae3e773223af66ad3
Instruction ID: 01ec60d4e6e2a61444c09baf34a49f51a9b88e89617fad3c55a77ca8f979e539
Opcode Fuzzy Hash: d7de7c3eac9ff4a3a89f4292996206775a57fff64a1c311ae3e773223af66ad3
Instruction Fuzzy Hash: 8DC09B323E820599F61437F52C0BB65114DEB45B53F61401DF715D40D0ED9DD5815226

Analysis Process: ek5v3xaskkfpqwron.exePID: 8148, Parent PID: 6488COMMON

Execution Graph

Execution Coverage:	19%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	2000
Total number of Limit Nodes:	63

Executed Functions

Function 00F110A0 Relevance: 85.0, APIs: 13, Strings: 33, Instructions: 4533libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(Ker), ref: 00F11DBD
GetProcAddress.KERNEL32(00007243), ref: 00F12066
GetProcAddress.KERNEL32(Creat), ref: 00F121F4
GetProcAddress.KERNEL32(SetEv), ref: 00F12306
GetProcAddress.KERNEL32(00006157), ref: 00F124D3
GetProcAddress.KERNEL32(CloseHandleSetEv), ref: 00F128DD
GetProcAddress.KERNEL32(65656C53), ref: 00F12A92
_memset.LIBCMT ref: 00F12DC4
CreateThread.KERNELBASE(00000000,00000000,00F27490,00000128,00000000,00000000), ref: 00F139A6
CloseHandle.KERNELBASE(00000000,?,?,00000000), ref: 00F13D76

Strings

rSin, xrefs: 00F11ABC
vent, xrefs: 00F11AA9
eThr, xrefs: 00F11B31
gl, xrefs: 00F11B28
Ker, xrefs: 00F11DB6, 00F11DBC
fM, xrefs: 00F11339
ct, xrefs: 00F11AE4
Creat, xrefs: 00F121C7, 00F121E1
T+, xrefs: 00F1552F
]D87, xrefs: 00F11130
8e#!, xrefs: 00F118FA
p, xrefs: 00F11B49
Slee, xrefs: 00F11B1E
i}kN, xrefs: 00F113BF
Wa, xrefs: 00F11A82
U;8, xrefs: 00F147AE
2., xrefs: 00F11B80
o, xrefs: 00F11B52
ead, xrefs: 00F11A8B
E, xrefs: 00F11B79
Cr, xrefs: 00F11B62
ent, xrefs: 00F11A9F
nel3, xrefs: 00F11A95
tF, xrefs: 00F11B15
CloseHandleSetEv, xrefs: 00F128C6, 00F128CC
e, xrefs: 00F11B42
A, xrefs: 00F11B59
dll, xrefs: 00F11AED
eate, xrefs: 00F11B01
i, xrefs: 00F11B72
"}N, xrefs: 00F1138B
SetEv, xrefs: 00F122F9, 00F122FF
eObj, xrefs: 00F11ADA

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: AddressProc$Handle$CloseCreateModuleThread_memset
String ID: U;8$"}N$2.$8e#!$A$CloseHandleSetEv$Cr$Creat$E$Ker$SetEv$Slee$T+$Wa$]D87$ct$dll$e$eObj$eThr$ead$eate$ent$fM$gl$i$i}kN$nel3$o$p$rSin$tF$vent
API String ID: 3360259145-1701805576
Opcode ID: e44d0d57aaf065ba1aa66753b0c1cc9a6b960404f8de905a2289ba7323d75ca0
Instruction ID: 4e0994e6f8c7f2bc1692068f34a4607e3782a7a2a8c92865f3c1057e75622cbb
Opcode Fuzzy Hash: e44d0d57aaf065ba1aa66753b0c1cc9a6b960404f8de905a2289ba7323d75ca0
Instruction Fuzzy Hash: 8FB33A31C24F5D8AC797CF7698512A9B374BF9A381F108386E819B6161FBB559C2EF00

Function 00F38C10 Relevance: 27.6, APIs: 18, Instructions: 619
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strcat.LIBCMT ref: 00F38E56
GetProcessHeap.KERNEL32(?,?,?,?,?,00000000), ref: 00F38E66
LoadLibraryA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00000000), ref: 00F38F1F

Part of subcall function 00F1E120: _malloc.LIBCMT ref: 00F1E1CF

GetProcAddress.KERNEL32(00000000,00000000), ref: 00F38F75

Part of subcall function 00F1E550: _memset.LIBCMT ref: 00F1E56E
Part of subcall function 00F1E550: _free.LIBCMT ref: 00F1E596

FreeLibrary.KERNEL32(00000000,?,?,?,00000000,?,?,?,00000000,?,?,?,?,?,00000000), ref: 00F38F8D
HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,00000000,?,?,?,00000000), ref: 00F39006
FreeLibrary.KERNEL32(00000100,?,?,?,00000000,?,?,?,00000000,?,?,?,?,?,00000000), ref: 00F39015

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: Library$FreeHeap$AddressAllocLoadProcProcess_free_malloc_memset_strcat
String ID:
API String ID: 1947443141-0
Opcode ID: 374a16518fc75bcc63cca1ff7dd53c781d8440de17c0a466dec5eb51e9d1d070
Instruction ID: 188e4774c7f7d2a40e55129b3de4182d11051f8a438f4e253aa1e9c910f963ca
Opcode Fuzzy Hash: 374a16518fc75bcc63cca1ff7dd53c781d8440de17c0a466dec5eb51e9d1d070
Instruction Fuzzy Hash: A7529C32C14F0D9AC742DFB5EC515AAB778BF5A391F008316E916B6262FBB455C2EB00

Function 00F1D460 Relevance: 13.7, APIs: 9, Instructions: 192
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.SECHOST(00000000,00000000,00000002,00000000), ref: 00F1D4AF
CreateServiceA.ADVAPI32(00000000,015E5A10,015E5A10,000F01FF,00000110,00000002,00000000,4EF0193E,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F1D534
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00F1D57B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00F1D598
CloseServiceHandle.ADVAPI32(00000000), ref: 00F1D5B7
OpenServiceA.ADVAPI32(00000000,00000010), ref: 00F1D5D8
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00F1D648
CloseServiceHandle.ADVAPI32(00000000), ref: 00F1D65C
CloseServiceHandle.ADVAPI32(00000000), ref: 00F1D6A8

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: 598824aa0769306ec987f092e94467006e2febe4d26ab14c748ff7e1d6259c37
Instruction ID: 6287dc8c5b74f646bf04ee6f7f798cc14a09d44dff8a9273f6b942f01d5ce85c
Opcode Fuzzy Hash: 598824aa0769306ec987f092e94467006e2febe4d26ab14c748ff7e1d6259c37
Instruction Fuzzy Hash: 00915C31C10F0DAAC703DFB69C116AEF778AF5A782F10D306E916761A0EBB555C2AB04

Function 00F1D8E0 Relevance: 10.8, APIs: 7, Instructions: 290
libraryloaderencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000), ref: 00F1DAD2
GetProcAddress.KERNEL32(00000000), ref: 00F1DB2C
CryptGenRandom.ADVAPI32(00000004,?), ref: 00F1DC5E
_rand.LIBCMT ref: 00F1DD1E
_rand.LIBCMT ref: 00F1DD25
_rand.LIBCMT ref: 00F1DD30
_rand.LIBCMT ref: 00F1DD37

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: _rand$AddressProc$CryptRandom
String ID:
API String ID: 2249235034-0
Opcode ID: 6a26c30c02ed1cace7a1c812e73c949a2b3d3cb6729b5862b59e75b0d2e6faef
Instruction ID: 6c6955205871fcdc7f300929539423848101604612ce43532cb4a5967c89c79e
Opcode Fuzzy Hash: 6a26c30c02ed1cace7a1c812e73c949a2b3d3cb6729b5862b59e75b0d2e6faef
Instruction Fuzzy Hash: 47D1AB31C10B4DDECB02DFB5E8511ADB7B4FF4A391B148316E821B62A1EBB565C2EB40

Function 00F21B40 Relevance: 273.0, APIs: 144, Strings: 9, Instructions: 5246COMMON

Download Yara Rule

APIs

Part of subcall function 00F1B2A0: WaitForSingleObject.KERNEL32(?,00004E20), ref: 00F1B2C5

Part of subcall function 00F3FF22: _doexit.LIBCMT ref: 00F3FF2C

_malloc.LIBCMT ref: 00F22593
_memset.LIBCMT ref: 00F2262A

Strings

yG_5, xrefs: 00F22106
yG_5, xrefs: 00F23049, 00F237CA
jz8, xrefs: 00F25AA2
->`b, xrefs: 00F24AE3
C:\Users\user, xrefs: 00F25897
E:9, xrefs: 00F2204E
E:9, xrefs: 00F26915, 00F22459
)bg, xrefs: 00F237CD
C:\qkcgyxexucxsiyk\jqvkzish.exe, xrefs: 00F26A53, 00F26A63, 00F26EDB, 00F26F03, 00F26F1D, 00F27087

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: ObjectSingleWait_doexit_malloc_memset
String ID: ->`b$C:\Users\user$C:\qkcgyxexucxsiyk\jqvkzish.exe$yG_5$yG_5$)bg$E:9$E:9$jz8
API String ID: 3291073784-2105165761
Opcode ID: c9b5b01b6c896e07c22e3c5016b04bf5c63c8045797950873c74a5aafa27802c
Instruction ID: 3e7d9ac1a75532aa252ad1827c7015a9576edd30202feffb2f24c6f16009cd4c
Opcode Fuzzy Hash: c9b5b01b6c896e07c22e3c5016b04bf5c63c8045797950873c74a5aafa27802c
Instruction Fuzzy Hash: E0B3DD31C00B1C9ED752DF75EC526A9B774BF5A780F008356E919BA2A2FBB459C1EB00

Function 00F21B80 Relevance: 217.7, APIs: 114, Strings: 8, Instructions: 4198COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00F22593
_memset.LIBCMT ref: 00F2262A

Strings

yG_5, xrefs: 00F22106
yG_5, xrefs: 00F23049, 00F237CA
jz8, xrefs: 00F25AA2
->`b, xrefs: 00F24AE3
C:\Users\user, xrefs: 00F25897
E:9, xrefs: 00F2204E
E:9, xrefs: 00F26915, 00F22459
)bg, xrefs: 00F237CD

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: _malloc_memset
String ID: ->`b$C:\Users\user$yG_5$yG_5$)bg$E:9$E:9$jz8
API String ID: 4137368368-806300838
Opcode ID: b6986df18a5dffbec56f1446eaf5f7a51612fc45abb074d7b1a36a9a062d27f5
Instruction ID: cfa47b2bca94ae2293082110f51c8aa4095968fabec515534019cc0c89ad2a7a
Opcode Fuzzy Hash: b6986df18a5dffbec56f1446eaf5f7a51612fc45abb074d7b1a36a9a062d27f5
Instruction Fuzzy Hash: 7893DD31C00B4C9ED752DF75EC526A9B774BF5A780F008316E919BA2A2FBB559C1EB00

Function 00F200B0 Relevance: 39.4, APIs: 19, Strings: 3, Instructions: 900
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(00F644C8,74DEF550,00000000,00000000), ref: 00F20305
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00F20575

Part of subcall function 00F1E550: _memset.LIBCMT ref: 00F1E56E
Part of subcall function 00F1E550: _free.LIBCMT ref: 00F1E596

DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00F20698
RemoveDirectoryA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00F206CE
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00F207F4
_strcat.LIBCMT ref: 00F20806
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F2089E
__snprintf.LIBCMT ref: 00F209E9
CreateDirectoryA.KERNEL32(?,00000000), ref: 00F20AE1

Part of subcall function 00F1E120: _malloc.LIBCMT ref: 00F1E1CF

__snprintf.LIBCMT ref: 00F20A8E
_strcat.LIBCMT ref: 00F20B68
CreateDirectoryA.KERNEL32(?,00000000), ref: 00F20B9D
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00F20D22
_strcat.LIBCMT ref: 00F20E50
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00F20E8C
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00F20FB1
_strcat.LIBCMT ref: 00F20FD2
SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 00F210C4
_memset.LIBCMT ref: 00F210D8

Strings

\, xrefs: 00F20DBC
C:\qkcgyxexucxsiyk\, xrefs: 00F20801, 00F20B63, 00F20E4B, 00F20FCD
C:\Users\user, xrefs: 00F209DD, 00F20A7C

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: Directory$Create$_strcat$FilePathTemp__snprintf_memset$AttributesDeleteRemoveVersion_free_malloc
String ID: C:\Users\user$C:\qkcgyxexucxsiyk\$\
API String ID: 1290010854-488630046
Opcode ID: b3c82afa9970df8952065e8b602dcaf1ee24ce531ead7cb57cf262454384c01e
Instruction ID: 8335cfd11f8e93f39a76d623988a6d35952a8db89e043663f106fa6f6f75276d
Opcode Fuzzy Hash: b3c82afa9970df8952065e8b602dcaf1ee24ce531ead7cb57cf262454384c01e
Instruction Fuzzy Hash: EC92A032C00B4DAACB42DFB6EC5159DB778BF5A381F048712E915B61A2FB7466C5EB00

Function 00F40A9D Relevance: 19.6, APIs: 13, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___security_init_cookie.LIBCMT ref: 00F40A9D
___crtGetShowWindowMode.LIBCMT ref: 00F40AB3

Part of subcall function 00F41D30: GetStartupInfoW.KERNEL32(?), ref: 00F41D3A

_fast_error_exit.LIBCMT ref: 00F40B16
_fast_error_exit.LIBCMT ref: 00F40B27
__RTC_Initialize.LIBCMT ref: 00F40B2D
__ioinit.LIBCMT ref: 00F40B36
_fast_error_exit.LIBCMT ref: 00F40B41
GetCommandLineA.KERNEL32(00F5FDA0,00000014), ref: 00F40B47
___crtGetEnvironmentStringsA.LIBCMT ref: 00F40B52
__setargv.LIBCMT ref: 00F40B5C
__setenvp.LIBCMT ref: 00F40B6D
__cinit.LIBCMT ref: 00F40B80
__wincmdln.LIBCMT ref: 00F40B91

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: _fast_error_exit$___crt$CommandEnvironmentInfoInitializeLineModeShowStartupStringsWindow___security_init_cookie__cinit__ioinit__setargv__setenvp__wincmdln
String ID:
API String ID: 1579532436-0
Opcode ID: 6d38f76c85ded2a337f9323817c6ceaad3eee81272968499aeabfba95fc20067
Instruction ID: 023cb77118b738add717045fc1d518a2d8be40aefa61b26003b240042d9deda1
Opcode Fuzzy Hash: 6d38f76c85ded2a337f9323817c6ceaad3eee81272968499aeabfba95fc20067
Instruction Fuzzy Hash: EF21A621E4030999E610B7B49D46F6D3D54DF407A9F100069FF04DA0D2EFBCCA84B659

Function 00F382D0 Relevance: 16.3, APIs: 8, Strings: 1, Instructions: 550
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameA.KERNEL32(?,00000010), ref: 00F38543
_strcat.LIBCMT ref: 00F38564
_strcat.LIBCMT ref: 00F38673
_strcat.LIBCMT ref: 00F386CC
_memset.LIBCMT ref: 00F386EF
_memset.LIBCMT ref: 00F38BCA
_memset.LIBCMT ref: 00F38BDA
_memset.LIBCMT ref: 00F38BED

Strings

<XM, xrefs: 00F38306

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: _memset$_strcat$ComputerName
String ID: <XM
API String ID: 1094313773-2590437253
Opcode ID: 236792aace7cf31b12331814dffdc16261375ce196b7e2083c02b1b869b47a2e
Instruction ID: 0942208065b8b1dac5224c2700344049c6c439d15f69cb2a8d325c725dd80b1f
Opcode Fuzzy Hash: 236792aace7cf31b12331814dffdc16261375ce196b7e2083c02b1b869b47a2e
Instruction Fuzzy Hash: AD329231D00A0C9ACB45DFB5ED516ADB374AF19780F108316E512B71A2FF7869C6EB50

Function 00F1A970 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00F1A9DD
_memset.LIBCMT ref: 00F1A9EA
CreateProcessA.KERNELBASE(6F27C689,CE90F1CB,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?), ref: 00F1AA67
CloseHandle.KERNEL32(00F27244), ref: 00F1AA74
CloseHandle.KERNEL32(?), ref: 00F1AAAB

Strings

D, xrefs: 00F1AA06

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: CloseHandle_memset$CreateProcess
String ID: D
API String ID: 1151464618-2746444292
Opcode ID: 5b195e94b4eacece539b87f7cf17f5bc7efba4cae2b41f39217d662fb1b886b5
Instruction ID: be7e10f3f1ebd541c6e34294c6f60db60690d773203c4f37232ee0c737382e4c
Opcode Fuzzy Hash: 5b195e94b4eacece539b87f7cf17f5bc7efba4cae2b41f39217d662fb1b886b5
Instruction Fuzzy Hash: E7416C31D10B4CEECB02CFB5E94279DB7B4AF49340F108352E915B61A2E7B16A95EF44

Function 00F1AEE0 Relevance: 9.2, APIs: 6, Instructions: 223
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F1B2A0: WaitForSingleObject.KERNEL32(?,00004E20), ref: 00F1B2C5

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F1AFF0
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00F1B0D3
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00F1B1E1
_memset.LIBCMT ref: 00F1B220
CloseHandle.KERNEL32(00000000,?), ref: 00F1B235
_memset.LIBCMT ref: 00F1B282

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: CloseFileHandle_memset$CreateObjectReadSingleWait
String ID:
API String ID: 2757182182-0
Opcode ID: f600c5282fe7ef075f887aff11bde18d26d47ca7ae9e43a95434a408d8088c44
Instruction ID: 6b66615677306e2f5480c78e5c8c5b2bac31898b7f641c2d99bab3e582ca9738
Opcode Fuzzy Hash: f600c5282fe7ef075f887aff11bde18d26d47ca7ae9e43a95434a408d8088c44
Instruction Fuzzy Hash: ED91A031D10F4CAADB03DFB59C516AEB378AF5A780F108312E911B61A2FB7555C2EB50

Function 00F1AB30 Relevance: 4.7, APIs: 3, Instructions: 211
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F1B2A0: WaitForSingleObject.KERNEL32(?,00004E20), ref: 00F1B2C5

CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000000,00000000,4E86B585), ref: 00F1ACC1

Part of subcall function 00F1B340: ReleaseMutex.KERNEL32(?), ref: 00F1B357

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: CreateFileMutexObjectReleaseSingleWait
String ID:
API String ID: 1564016613-0
Opcode ID: af76f9856d8591316b23a43552bfc44e2362ff9d924a24ffff25659ba250b00a
Instruction ID: ca59b2504b7321aa5a6d126eaeea9ec424e162d5ab60ef362cbdee8f5c979417
Opcode Fuzzy Hash: af76f9856d8591316b23a43552bfc44e2362ff9d924a24ffff25659ba250b00a
Instruction Fuzzy Hash: 40917B32C00E4CDACB02DFB5EC526AEB778AF5A381F008716E915761A1EB7556D2EB40

Function 00F32230 Relevance: 4.6, APIs: 3, Instructions: 88
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F322ED
CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 00F32311
FreeSid.ADVAPI32(?), ref: 00F32380

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b143d2f46b9807e939425764f80a7821d1f1f07a028ef7815e2323349f93f00f
Instruction ID: 87664fe3950303c7c2a73cf2b981b521348e6c2803ea6c747b263ff7a380a03c
Opcode Fuzzy Hash: b143d2f46b9807e939425764f80a7821d1f1f07a028ef7815e2323349f93f00f
Instruction Fuzzy Hash: 7D415D35D00F0DDAD742CFB4D8156AEB7B8FF1A381F108316E911BA251EBB55A82EB00

Function 00F21280 Relevance: 3.1, APIs: 2, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00F21495

Part of subcall function 00F1E120: _malloc.LIBCMT ref: 00F1E1CF

Part of subcall function 00F1E550: _memset.LIBCMT ref: 00F1E56E
Part of subcall function 00F1E550: _free.LIBCMT ref: 00F1E596

Part of subcall function 00F1AEE0: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F1AFF0

_memset.LIBCMT ref: 00F214BC

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: _memset$CreateFile_free_malloc
String ID:
API String ID: 2908176987-0
Opcode ID: 516c6eea85d55a498b20d64b80cd82c5c1300ed3b53fdae07b110201e3553bbf
Instruction ID: f8447803d41aebd1ef0c9b70899775d59cf67a2fc65764689fee1b6e82c6d726
Opcode Fuzzy Hash: 516c6eea85d55a498b20d64b80cd82c5c1300ed3b53fdae07b110201e3553bbf
Instruction Fuzzy Hash: 1551AD71C04F4D9AC702DBB6AC1169AB338AF5A391F008312E905B61A1FBB466C5FF80

Function 00F21110 Relevance: 3.1, APIs: 2, Instructions: 83
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000,?,?,?,?,?,?,00000000), ref: 00F211E3
_memset.LIBCMT ref: 00F21211

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: CreateFile_memset
String ID:
API String ID: 3830271748-0
Opcode ID: fda2a1efd9f056de4eee778ee9a423f2aaa94a2de4f181784b45d2264a3828eb
Instruction ID: 38f2d9f8cffb006eb73e42e39d89f26191aaa706f67c9a6dc6d0d3ec48f63c6f
Opcode Fuzzy Hash: fda2a1efd9f056de4eee778ee9a423f2aaa94a2de4f181784b45d2264a3828eb
Instruction Fuzzy Hash: AF317231C00F1D9ACB12DFB5AC1279EF738BF5A790F108752EA157A191EBB45682EB40

Function 00F3FC69 Relevance: 3.0, APIs: 2, Instructions: 7
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 00F3FC6F

Part of subcall function 00F3FC35: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,00F3FC74,00000000,?,00F3FFE9,000000FF,0000001E,00000000,00000000,00000000,?,00F41324), ref: 00F3FC44
Part of subcall function 00F3FC35: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00F3FC56

ExitProcess.KERNEL32 ref: 00F3FC78

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 065c6ea2850d589d6827528f48e566078e4ed90ed52b10d1828e8bd4cc45666b
Instruction ID: 8a2aa7c2e29d04ef1105330064dabe1b491f4e4dcb6fcebea810088fa2f9e0ff
Opcode Fuzzy Hash: 065c6ea2850d589d6827528f48e566078e4ed90ed52b10d1828e8bd4cc45666b
Instruction Fuzzy Hash: 86B0923040020EBBCF022F25DC0A8483F69EB002E1F004021F90608032DB7AAA92AA80

Function 00F3FF22 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_doexit.LIBCMT ref: 00F3FF2C

Part of subcall function 00F3FDF3: __lock.LIBCMT ref: 00F3FE01
Part of subcall function 00F3FDF3: DecodePointer.KERNEL32(00F5FCB8,0000001C,00F3FD4C,00000000,00000001,00000000,?,00F3FC9A,000000FF,?,00F41B56,00000011,?,?,00F433FF,0000000D), ref: 00F3FE40
Part of subcall function 00F3FDF3: DecodePointer.KERNEL32(?,00F3FC9A,000000FF,?,00F41B56,00000011,?,?,00F433FF,0000000D), ref: 00F3FE51
Part of subcall function 00F3FDF3: EncodePointer.KERNEL32(00000000,?,00F3FC9A,000000FF,?,00F41B56,00000011,?,?,00F433FF,0000000D), ref: 00F3FE6A
Part of subcall function 00F3FDF3: DecodePointer.KERNEL32(-00000004,?,00F3FC9A,000000FF,?,00F41B56,00000011,?,?,00F433FF,0000000D), ref: 00F3FE7A
Part of subcall function 00F3FDF3: EncodePointer.KERNEL32(00000000,?,00F3FC9A,000000FF,?,00F41B56,00000011,?,?,00F433FF,0000000D), ref: 00F3FE80
Part of subcall function 00F3FDF3: DecodePointer.KERNEL32(?,00F3FC9A,000000FF,?,00F41B56,00000011,?,?,00F433FF,0000000D), ref: 00F3FE96
Part of subcall function 00F3FDF3: DecodePointer.KERNEL32(?,00F3FC9A,000000FF,?,00F41B56,00000011,?,?,00F433FF,0000000D), ref: 00F3FEA1

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: Pointer$Decode$Encode$__lock_doexit
String ID:
API String ID: 2158581194-0
Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction ID: 5a41d7ee6c1c6d6883227d8b2ace59b74bfd7af91b9424240f8462ed524fae04
Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction Fuzzy Hash: A1B0127198030C33D9112541EC03F053B0C5740B74F200031FA0C1C6E1E593756450C9

Non-executed Functions

Function 00F323B0 Relevance: 12.2, APIs: 8, Instructions: 193serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000,?,00000000), ref: 00F32452
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000,?,00000000), ref: 00F3247C
GetLastError.KERNEL32(?,00000000), ref: 00F32484
_malloc.LIBCMT ref: 00F324AB
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000,00000000), ref: 00F324D3
__snprintf.LIBCMT ref: 00F32549
_free.LIBCMT ref: 00F32598
CloseServiceHandle.ADVAPI32(00000000,00000000), ref: 00F325A1

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService__snprintf_free_malloc
String ID:
API String ID: 3403677689-0
Opcode ID: d5e9ef102e8f891399a55bbc9ba5c25dd2a37d63e649d3d50e8030ac8592cf9e
Instruction ID: daf08e7abae74a5d5e5996e5fdfa7c80c69ab6e8b5b13bdbe5557ccef6a68fa9
Opcode Fuzzy Hash: d5e9ef102e8f891399a55bbc9ba5c25dd2a37d63e649d3d50e8030ac8592cf9e
Instruction Fuzzy Hash: CB71BF32D0060DABCB01CFB6DC81AAEB778EF49350F148715EA1477291E7756A85EF90

Function 00F1A590 Relevance: 9.2, APIs: 6, Instructions: 219filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F396C0: _strcat.LIBCMT ref: 00F396E2

Sleep.KERNEL32(000003E8,?,00000000,00000000), ref: 00F1A653
FindFirstFileA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00F1A816
DeleteFileA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00F1A8C7
FindNextFileA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00F1A8D5
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00F1A914
_memset.LIBCMT ref: 00F1A95F

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleep_memset_strcat
String ID:
API String ID: 1172265220-0
Opcode ID: ca5feb2e387455d3faba8e62cb66ed2161138981e59a5e9c7696e9dba05ad8fe
Instruction ID: d1331881fe4fd38342b250eb2cb738107200dfc17caa0de73466c3d30739204d
Opcode Fuzzy Hash: ca5feb2e387455d3faba8e62cb66ed2161138981e59a5e9c7696e9dba05ad8fe
Instruction Fuzzy Hash: 07A19B31C00A0CEECB42DFB5D8516AEB778BF0A351F108356E916B7161EB749AC6EB50

Function 00F2FF50 Relevance: 33.6, APIs: 18, Strings: 1, Instructions: 377pipeprocessfileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F30038
CreatePipe.KERNEL32(?,?,0000000C,00000000,?,00000000,00000000), ref: 00F300DC
SetHandleInformation.KERNEL32(?,00000001,00000000,?,00000000,00000000), ref: 00F300F1
CreatePipe.KERNEL32(?,?,0000000C,00000000,?,00000000,00000000), ref: 00F3019B
SetHandleInformation.KERNEL32(?,00000001,00000000,?,00000000,00000000), ref: 00F30279
_memset.LIBCMT ref: 00F30287
_memset.LIBCMT ref: 00F302CE
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 00F303F5
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000), ref: 00F3043F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000), ref: 00F30461
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000), ref: 00F3046A
WriteFile.KERNEL32(?,90D98B10,CD9B3DAB,?,00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 00F304CF
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000), ref: 00F304EA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000), ref: 00F30505
WaitForSingleObject.KERNEL32(?,00002710,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00F3056E
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00F30577
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00F3058A
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000), ref: 00F305AF

Strings

D, xrefs: 00F302E9

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: Handle$Close$Create_memset$InformationPipe$FileObjectProcessSingleWaitWrite
String ID: D
API String ID: 1810108774-2746444292
Opcode ID: 17e024b52886aa68f5447fee9720b344fe49932e15a3fa84326ba5a152f9b73a
Instruction ID: 22268ce7026b37f5b8d885fb76614f0826b04c9c1bfca1275b472e0971817d5b
Opcode Fuzzy Hash: 17e024b52886aa68f5447fee9720b344fe49932e15a3fa84326ba5a152f9b73a
Instruction Fuzzy Hash: E2025B31C10B4DEECB42CFB5DC516AEB778BF5A391F108316E916B6161EBB45582EB00

Function 00F1D090 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 174registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(Function_0000CE40), ref: 00F1D1D8
SetServiceStatus.ADVAPI32(00F64780), ref: 00F1D214
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F1D27D
SetServiceStatus.ADVAPI32(00F64780), ref: 00F1D2A4
WaitForSingleObject.KERNEL32(00001388), ref: 00F1D2CD
SetServiceStatus.ADVAPI32(00F64780), ref: 00F1D35F
CloseHandle.KERNEL32 ref: 00F1D392
SetServiceStatus.ADVAPI32(00F64780), ref: 00F1D401

Strings

]/da, xrefs: 00F1D224
>&|, xrefs: 00F1D311

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID: ]/da$>&|
API String ID: 3399922960-1858257644
Opcode ID: bebc2dbf645cb298ec07cf6e3c1ad90e923c2bbfb2dd179565fd8c4574e9cfbf
Instruction ID: 1d667924430c95f9cc37bb4381cb5c574a51f83c677a40b435733eef5cca21ce
Opcode Fuzzy Hash: bebc2dbf645cb298ec07cf6e3c1ad90e923c2bbfb2dd179565fd8c4574e9cfbf
Instruction Fuzzy Hash: BA815831900B0D9EC746DFB8EC55269BBB4FB1A381F10831AE925B6260EBF565C5FB40

Function 00F214E0 Relevance: 13.7, APIs: 9, Instructions: 231processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000000), ref: 00F21579
Process32First.KERNEL32(00000000,00000128), ref: 00F21665
_strcat.LIBCMT ref: 00F21698

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32_strcat
String ID:
API String ID: 4070235666-0
Opcode ID: fadbca387f051c0ad9fbbcac09bb1a3f0c4c7c7bbcb61993fe5e7f6a9b5dd027
Instruction ID: dde3b00287526c90646b2fa809dcf3d57aebf861cbf39c653af3d7a1a79dffcc
Opcode Fuzzy Hash: fadbca387f051c0ad9fbbcac09bb1a3f0c4c7c7bbcb61993fe5e7f6a9b5dd027
Instruction Fuzzy Hash: CEA1D132C10A0CDAC742CFB6EC811AEB778BF5A781F148316E915B2162FB7469C5EB04

Function 00F33140 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 226synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1B2A0: WaitForSingleObject.KERNEL32(?,00004E20), ref: 00F1B2C5

GetModuleFileNameA.KERNEL32(00000000,00F647C8,00000104), ref: 00F33296
_strcat.LIBCMT ref: 00F332B0
_memset.LIBCMT ref: 00F33300
GetTickCount.KERNEL32 ref: 00F33388
__vfwprintf_p.LIBCMT ref: 00F3349A
ReleaseMutex.KERNEL32 ref: 00F334C0

Part of subcall function 00F1D7B0: GetModuleFileNameA.KERNEL32(00000000,00F37F53,00000104,00000000), ref: 00F1D7EF

Strings

oI\:, xrefs: 00F3322B

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: FileModuleName$CountMutexObjectReleaseSingleTickWait__vfwprintf_p_memset_strcat
String ID: oI\:
API String ID: 123108371-3980936684
Opcode ID: f15dad90294f2254e5be0fdf0ac093283592e6df68e073e98fa6b2e64e7c8a47
Instruction ID: 440fe9f70051be8c654b0e9ee6362341aaa2362d959cc3c6281c43aad252bf67
Opcode Fuzzy Hash: f15dad90294f2254e5be0fdf0ac093283592e6df68e073e98fa6b2e64e7c8a47
Instruction Fuzzy Hash: 13A1DF31810F0C9ED743EFB4EC5256AB778AF5A791B008316E9267A161FBB455C2FB40

Function 00F1FC60 Relevance: 12.2, APIs: 8, Instructions: 250fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00F1FCF1
ReadFile.KERNEL32(00000000,00000000,4EEBF2B6,?,00000000), ref: 00F1FD40
CloseHandle.KERNEL32(00000000), ref: 00F1FD7D

Part of subcall function 00F396C0: _strcat.LIBCMT ref: 00F396E2

GetTickCount.KERNEL32 ref: 00F1FDBA

Part of subcall function 00F1E5D0: __itow.LIBCMT ref: 00F1E60F

_sprintf.LIBCMT ref: 00F1FEE2
CreateFileA.KERNEL32(4EADF7CB,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00F1FF44
WriteFile.KERNEL32(00000000,00000000,4EEBF2B6,?,00000000), ref: 00F1FFB0
CloseHandle.KERNEL32(00000000), ref: 00F20020

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite__itow_sprintf_strcat
String ID:
API String ID: 1645784512-0
Opcode ID: 810ab9f667e787ddbefa738c6bb030b387ba9465caf2b1da88054c1899b432a8
Instruction ID: 0a9b140ef5c357ba2b02c29c96248d61382a725a3802e596049ae36f75e01ed1
Opcode Fuzzy Hash: 810ab9f667e787ddbefa738c6bb030b387ba9465caf2b1da88054c1899b432a8
Instruction Fuzzy Hash: ABB19D31C00B0CAAD742DFB6AC4266EB734AF0A781F148705EA11761A2FBB525D5FF54

Function 00F326A0 Relevance: 12.2, APIs: 8, Instructions: 241processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00F3274C
Process32First.KERNEL32(00000000,00000128), ref: 00F3281D
__snprintf.LIBCMT ref: 00F328B5
CreateToolhelp32Snapshot.KERNEL32(00000008,?,?), ref: 00F32900
Module32First.KERNEL32(00000000,?), ref: 00F32925
CloseHandle.KERNEL32(0000000A,0000000A,?,00000000), ref: 00F32A6F
Process32Next.KERNEL32(00000000,00000128), ref: 00F32AC0

Part of subcall function 00F1E120: _malloc.LIBCMT ref: 00F1E1CF

Part of subcall function 00F1E550: _memset.LIBCMT ref: 00F1E56E
Part of subcall function 00F1E550: _free.LIBCMT ref: 00F1E596

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32$CloseHandleModule32Next__snprintf_free_malloc_memset
String ID:
API String ID: 2771089087-0
Opcode ID: a411224258be4b70ee7c370c58cd28761bac759982ccfff19233222df36636d1
Instruction ID: d44da90f3ff70e84cac54492590a6ebc7433c8c2d54f32005411a45da911c723
Opcode Fuzzy Hash: a411224258be4b70ee7c370c58cd28761bac759982ccfff19233222df36636d1
Instruction Fuzzy Hash: 69B1AE31D10F0DDACB02CFB6DC516AEB778BF5A381F008356E915BA261EBB455C1AB40

Function 00F37AF0 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 480COMMON

Download Yara Rule

Strings

, xrefs: 00F38198
, xrefs: 00F37E66

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: _free_memset
String ID: $
API String ID: 287624719-227171996
Opcode ID: 9d17824f599a6679a03b645dda570f0ee6ae217a01af9ea66b4501738735642f
Instruction ID: f26a7565f902b3d2ec7c249d179d5493412616e3ca4d016772f6e947881cfcde
Opcode Fuzzy Hash: 9d17824f599a6679a03b645dda570f0ee6ae217a01af9ea66b4501738735642f
Instruction Fuzzy Hash: 5A120232D10B4C9AC742DFB5EC525AEB778BF4A390F048316E905B6262FB7459C2EB50

Function 00F2F3B0 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 376COMMON

Download Yara Rule

Strings

%>+2, xrefs: 00F2F5B4
d'n., xrefs: 00F2F5D1

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID:
String ID: %>+2$d'n.
API String ID: 0-2693770206
Opcode ID: 3dd67e6220e75ab77f09d81783e934fb43fae6b502a5257e4e0f5865297cab1b
Instruction ID: 3d9e78a38c9d8db921307fc7be7ef52d2bf384e9638eae7463b2ec242b3e3332
Opcode Fuzzy Hash: 3dd67e6220e75ab77f09d81783e934fb43fae6b502a5257e4e0f5865297cab1b
Instruction Fuzzy Hash: EBF1F132C20B4D9ECB02CFBAEC512ADF374BF5A391F148326E915762A1E77465C5AB40

Function 00F1EC20 Relevance: 10.8, APIs: 7, Instructions: 283sleepfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1A530: _strcat.LIBCMT ref: 00F1A562

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00F1EEC0

Part of subcall function 00F1E120: _malloc.LIBCMT ref: 00F1E1CF

__snprintf.LIBCMT ref: 00F1EF09

Part of subcall function 00F1E550: _memset.LIBCMT ref: 00F1E56E
Part of subcall function 00F1E550: _free.LIBCMT ref: 00F1E596

_memset.LIBCMT ref: 00F1EFD9
_memset.LIBCMT ref: 00F1EFEC
Sleep.KERNEL32(00015F90), ref: 00F1F0A5
DeleteFileA.KERNEL32(?), ref: 00F1F0B2
_memset.LIBCMT ref: 00F1F0C6

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: _memset$File$DeleteModuleNameSleep__snprintf_free_malloc_strcat
String ID:
API String ID: 1452756023-0
Opcode ID: 1f3a2395a9d175ac2b8d49c674f8ab997f40970d31ed943be994021e866e4e3e
Instruction ID: e877fa6951838428c9de1b316e9d8c89cddbbc43ed6bfbc5899a3bb8a4827d8b
Opcode Fuzzy Hash: 1f3a2395a9d175ac2b8d49c674f8ab997f40970d31ed943be994021e866e4e3e
Instruction Fuzzy Hash: 6EC1E672D00B4C9ACB02DFB5DC526AEB778AF4A781F008316E915B7162FB7856C1EB50

Function 00F21676 Relevance: 10.6, APIs: 7, Instructions: 143COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 00F21698
OpenProcess.KERNEL32(00000001,00000000,?,?,?,?,?,00000000), ref: 00F21739
TerminateProcess.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00F2174D
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00F217C4
Process32Next.KERNEL32(00000000,00000128), ref: 00F217EE
CloseHandle.KERNEL32(00000000), ref: 00F2184F
_memset.LIBCMT ref: 00F21888

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: CloseHandleProcess$NextOpenProcess32Terminate_memset_strcat
String ID:
API String ID: 1974761079-0
Opcode ID: b90de8f98aeff98e2ddab0f80e674c0e6e91d9c5524b8f5e9ca382dc260ee697
Instruction ID: 3b4bb6244af0be705d8cf8462a60a3776563200bc323b27e9d1380d3f235de0a
Opcode Fuzzy Hash: b90de8f98aeff98e2ddab0f80e674c0e6e91d9c5524b8f5e9ca382dc260ee697
Instruction Fuzzy Hash: 2751C032C00A1C9AC746DB75DC916BEB3B8BF19741F148356E816B2161FB745AD1EB00

Function 00F43469 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00F43469

Part of subcall function 00F3FD51: EncodePointer.KERNEL32(00000000,?,00F4346E,00F40B21,00F5FDA0,00000014), ref: 00F3FD54
Part of subcall function 00F3FD51: __initp_misc_winsig.LIBCMT ref: 00F3FD6F
Part of subcall function 00F3FD51: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00F41DC9
Part of subcall function 00F3FD51: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00F41DDD
Part of subcall function 00F3FD51: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00F41DF0
Part of subcall function 00F3FD51: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00F41E03
Part of subcall function 00F3FD51: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00F41E16
Part of subcall function 00F3FD51: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00F41E29
Part of subcall function 00F3FD51: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00F41E3C
Part of subcall function 00F3FD51: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00F41E4F
Part of subcall function 00F3FD51: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00F41E62
Part of subcall function 00F3FD51: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00F41E75
Part of subcall function 00F3FD51: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00F41E88
Part of subcall function 00F3FD51: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00F41E9B
Part of subcall function 00F3FD51: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00F41EAE
Part of subcall function 00F3FD51: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00F41EC1
Part of subcall function 00F3FD51: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00F41ED4
Part of subcall function 00F3FD51: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00F41EE7

__mtinitlocks.LIBCMT ref: 00F4346E
__mtterm.LIBCMT ref: 00F43477
__calloc_crt.LIBCMT ref: 00F4349C
__initptd.LIBCMT ref: 00F434BE
GetCurrentThreadId.KERNEL32 ref: 00F434C5

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: AddressProc$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm
String ID:
API String ID: 1593083391-0
Opcode ID: d33a846db6ba70f3be3fc4290020edb480d5f80348db61ae9acf748a54f8ba28
Instruction ID: a441f2f15bb1407473cf307f8fe48d51bfc99d0a8e88b1be494f0d615b44e571
Opcode Fuzzy Hash: d33a846db6ba70f3be3fc4290020edb480d5f80348db61ae9acf748a54f8ba28
Instruction Fuzzy Hash: 8FF09032A5972119E275BB747C076DA3E90AB01771B204629FEA0C51F2FF589A807190

Function 00F218E0 Relevance: 9.1, APIs: 6, Instructions: 147processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000000), ref: 00F21998
Process32First.KERNEL32(00000000,?), ref: 00F219BA
_strcat.LIBCMT ref: 00F21A12
Process32Next.KERNEL32(00000000,00000128), ref: 00F21AC5
CloseHandle.KERNEL32(00000000), ref: 00F21B1A
_memset.LIBCMT ref: 00F21B2E

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset_strcat
String ID:
API String ID: 1640862104-0
Opcode ID: 99a96797257e9e8c04ecf3fdd4b208453594fde956d087b727e1b8b41b421fd9
Instruction ID: 8472470ab160622e526c623039aff82730d06496b140f6139289f34d86b453fc
Opcode Fuzzy Hash: 99a96797257e9e8c04ecf3fdd4b208453594fde956d087b727e1b8b41b421fd9
Instruction Fuzzy Hash: ED51BD31D0060C9BCB45CFBAE9855ADB7B8FF59340F04826AE915F7260E770AA84EF40

Function 00F32843 Relevance: 9.1, APIs: 6, Instructions: 96processCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1E120: _malloc.LIBCMT ref: 00F1E1CF

__snprintf.LIBCMT ref: 00F328B5

Part of subcall function 00F1E550: _memset.LIBCMT ref: 00F1E56E
Part of subcall function 00F1E550: _free.LIBCMT ref: 00F1E596

CreateToolhelp32Snapshot.KERNEL32(00000008,?,?), ref: 00F32900
Module32First.KERNEL32(00000000,?), ref: 00F32925
CloseHandle.KERNEL32(0000000A,0000000A,?,00000000), ref: 00F32A6F
Process32Next.KERNEL32(00000000,00000128), ref: 00F32AC0
CloseHandle.KERNEL32(00000000), ref: 00F32AD0

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: CloseHandle$CreateFirstModule32NextProcess32SnapshotToolhelp32__snprintf_free_malloc_memset
String ID:
API String ID: 1384585931-0
Opcode ID: 62889417a35e1eb71f28855954d31576e1670216feafc487e695cc4ed3b18863
Instruction ID: ee5c7a39a00a6693e13a9f48755028518669c8400d3503ceee9648e32967c2cd
Opcode Fuzzy Hash: 62889417a35e1eb71f28855954d31576e1670216feafc487e695cc4ed3b18863
Instruction Fuzzy Hash: FF419A31D00A0DDBDB51DF76DC85AA9B778FF08345F048295E914B62A0EBB86685BF40

Function 00F32C90 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 286COMMON

Download Yara Rule

APIs

Part of subcall function 00F1E120: _malloc.LIBCMT ref: 00F1E1CF

__snprintf.LIBCMT ref: 00F32D37

Part of subcall function 00F1E550: _memset.LIBCMT ref: 00F1E56E
Part of subcall function 00F1E550: _free.LIBCMT ref: 00F1E596

_memset.LIBCMT ref: 00F32DBC
_memset.LIBCMT ref: 00F3310D

Strings

C:\Users\user, xrefs: 00F32DE0
Fs>., xrefs: 00F32FA2

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: _memset$__snprintf_free_malloc
String ID: C:\Users\user$Fs>.
API String ID: 801102166-1231207852
Opcode ID: 8134be5fca565a33a3ddcfdcba3dfc2e56435a79f62c70c44e8b453b47372aee
Instruction ID: 1f2787e396e6b2bd925a180f0c8caf24f323c96334c79ecebb5c2cee1d420881
Opcode Fuzzy Hash: 8134be5fca565a33a3ddcfdcba3dfc2e56435a79f62c70c44e8b453b47372aee
Instruction Fuzzy Hash: A4C18F71C10A1C9ACB46EFB4DC52AEEB778BF19340F008216E505B6192FF746A86EB50

Function 00F2A880 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00F2A8F1

Part of subcall function 00F3FFBC: __FF_MSGBANNER.LIBCMT ref: 00F3FFD3
Part of subcall function 00F3FFBC: __NMSG_WRITE.LIBCMT ref: 00F3FFDA
Part of subcall function 00F3FFBC: RtlAllocateHeap.NTDLL(015D0000,00000000,00000001,00000000,00000000,00000000,?,00F41324,00000000,00000000,00000000,00000000,?,00F41BFD,00000018,00F5FDC0), ref: 00F3FFFF

_memset.LIBCMT ref: 00F2A914
_memset.LIBCMT ref: 00F2A9D1
_free.LIBCMT ref: 00F2A9E4

Strings

\L5, xrefs: 00F2A965

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: _memset$AllocateHeap_free_malloc
String ID: \L5
API String ID: 585861054-1149637256
Opcode ID: 15537c6efa288ef7ec42bfd2158958716ea5cdc091d3b5892f628ee34af018f7
Instruction ID: 353f0811e48328f91b2629a280f5c831e7f3b50ba9a60bfc0c262ab9e69946d9
Opcode Fuzzy Hash: 15537c6efa288ef7ec42bfd2158958716ea5cdc091d3b5892f628ee34af018f7
Instruction Fuzzy Hash: 3A516E71C10F1DDEC742DF79E85156AB3B8FF5A390B008716E816B7222EB759982EB40

Function 00F33620 Relevance: 7.6, APIs: 5, Instructions: 69synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,?,00F30ECC,00F377B0,00000001), ref: 00F3366D
CreateThread.KERNEL32(00000000,00000000,00000001,?,00000000,00000000), ref: 00F33681
CloseHandle.KERNEL32(00000000,?,00F30ECC,00F377B0,00000001), ref: 00F336D5
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00F30ECC,00F377B0,00000001), ref: 00F3372A
CloseHandle.KERNEL32(00000000,?,00F30ECC,00F377B0,00000001), ref: 00F33733

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: 7c102748ff5c58e7bd228ebbcf7e1a2b3e52be01859963ee7f58af6c38abad31
Instruction ID: d6703a4861122c4af628fc69db5ff3e8dc4a30100db479d4a99dbaafe6de10fd
Opcode Fuzzy Hash: 7c102748ff5c58e7bd228ebbcf7e1a2b3e52be01859963ee7f58af6c38abad31
Instruction Fuzzy Hash: ED314B31914B0CAED742CFB5AC51B49B778BF5A791F10870AFA26B72A0E7B45581AB00

Function 00F49BC5 Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00F49BD1

Part of subcall function 00F3FFBC: __FF_MSGBANNER.LIBCMT ref: 00F3FFD3
Part of subcall function 00F3FFBC: __NMSG_WRITE.LIBCMT ref: 00F3FFDA
Part of subcall function 00F3FFBC: RtlAllocateHeap.NTDLL(015D0000,00000000,00000001,00000000,00000000,00000000,?,00F41324,00000000,00000000,00000000,00000000,?,00F41BFD,00000018,00F5FDC0), ref: 00F3FFFF

_free.LIBCMT ref: 00F49BE4

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: ed9794c58c66e844d16ca81bdd2986d4a0b25101afa5eda60268a0640b0332d6
Instruction ID: 1207c0e4d2553ce524fbacc7dad64dce469c8568a81b1d34922844f12eb1ae75
Opcode Fuzzy Hash: ed9794c58c66e844d16ca81bdd2986d4a0b25101afa5eda60268a0640b0332d6
Instruction Fuzzy Hash: B3110A32A0C31AABDB212F74AC44B5B3FD8AF053B4F204539FE45D6290DEB88A40B654

Function 00F1B590 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 209COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F1B614
_strcat.LIBCMT ref: 00F1B821

Part of subcall function 00F1E120: _malloc.LIBCMT ref: 00F1E1CF

Part of subcall function 00F1E550: _memset.LIBCMT ref: 00F1E56E
Part of subcall function 00F1E550: _free.LIBCMT ref: 00F1E596

Strings

^^MN, xrefs: 00F1B5CB
=, xrefs: 00F1B5DB

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: _memset$_free_malloc_strcat
String ID: =$^^MN
API String ID: 3230045079-2753829600
Opcode ID: 530707ff9bfcae71283c2e317cd20093cb8f036f6b21f0e23ab1c6ba0e969436
Instruction ID: 699350cb39925b6f37db08993387a42f00fcf8b4248d43619cf74d816ee1be93
Opcode Fuzzy Hash: 530707ff9bfcae71283c2e317cd20093cb8f036f6b21f0e23ab1c6ba0e969436
Instruction Fuzzy Hash: 3CA1AB32C10B4D9EC702CFBAA8814AEB774AF9A381B14C712E815B7162EB7065D1EF40

Function 00F1CC40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,00000000,?), ref: 00F1CD54
RegSetValueExA.ADVAPI32(?,00000000,00000001,CE921463,00000000), ref: 00F1CDBA
RegCloseKey.ADVAPI32(?), ref: 00F1CE29

Strings

htrN, xrefs: 00F1CC88

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: CloseOpenValue
String ID: htrN
API String ID: 779948276-4437919
Opcode ID: 12139a8a6ba170b176bf3cfb1295fad6d597dc22e9fd71137275483e2cc1fe04
Instruction ID: 68cccb464d8acf7b376d8743fa15ec95380212c0dc916c3ab4098a46c690eda5
Opcode Fuzzy Hash: 12139a8a6ba170b176bf3cfb1295fad6d597dc22e9fd71137275483e2cc1fe04
Instruction Fuzzy Hash: D8516A32C1064CEACB02CBB7984159DFB30AF5E345F28DB56E910B61A1E7B12AD4EF40

Function 00F49554 Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00F495E5
_memmove.LIBCMT ref: 00F49659
___AdjustPointer.LIBCMT ref: 00F496AA
_memmove.LIBCMT ref: 00F496B3

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: AdjustPointer_memmove
String ID:
API String ID: 1721217611-0
Opcode ID: 53cca839ca13cfda2e47635d2fcfdb2f83c2ed3bebd374a845b1d4c2d586f8de
Instruction ID: 2e401c0387f4bf1a963e189752ab054b1ede3176c479320983590b0f5451fe0b
Opcode Fuzzy Hash: 53cca839ca13cfda2e47635d2fcfdb2f83c2ed3bebd374a845b1d4c2d586f8de
Instruction Fuzzy Hash: 25417076B083079AEB299E18D892B673FE4AF45770F65401DFC418A1E5EFB5D880FA10

Function 00F27EF0 Relevance: 6.2, APIs: 4, Instructions: 158COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00F28000
_malloc.LIBCMT ref: 00F2808E

Part of subcall function 00F3FFBC: __FF_MSGBANNER.LIBCMT ref: 00F3FFD3
Part of subcall function 00F3FFBC: __NMSG_WRITE.LIBCMT ref: 00F3FFDA
Part of subcall function 00F3FFBC: RtlAllocateHeap.NTDLL(015D0000,00000000,00000001,00000000,00000000,00000000,?,00F41324,00000000,00000000,00000000,00000000,?,00F41BFD,00000018,00F5FDC0), ref: 00F3FFFF

_memset.LIBCMT ref: 00F280A5
_free.LIBCMT ref: 00F280AC

Part of subcall function 00F3FF84: HeapFree.KERNEL32(00000000,00000000,?,00F433A7,00000000,00F422E7,00F49CF5,00000000,?,00F412DA,?,?,00000000), ref: 00F3FF98
Part of subcall function 00F3FF84: GetLastError.KERNEL32(00000000,?,00F433A7,00000000,00F422E7,00F49CF5,00000000,?,00F412DA,?,?,00000000,?,?,?,00F434A1), ref: 00F3FFAA

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: Heap_malloc$AllocateErrorFreeLast_free_memset
String ID:
API String ID: 1931880523-0
Opcode ID: aeae82b8a8fbe28b0d5eff3d66608eaaf9f78c34438f7393fb162c3e15426a41
Instruction ID: 0d5cda0880cd6a745d4a5629df5d94c7326198eaf9bf4beb274a525006e7f72c
Opcode Fuzzy Hash: aeae82b8a8fbe28b0d5eff3d66608eaaf9f78c34438f7393fb162c3e15426a41
Instruction Fuzzy Hash: 5B61B932C14F4C9ACB03DFBAE84116AF378BF9A390B108312E8117B261FB745592EB51

Function 00F4C726 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F4C75C
__isleadbyte_l.LIBCMT ref: 00F4C78A
MultiByteToWideChar.KERNEL32(560C1730,00000009,?,C06E0F66,00000000,00000000,?,00000000,00000000,?,00F20A93,?,00000000), ref: 00F4C7B8
MultiByteToWideChar.KERNEL32(560C1730,00000009,?,00000001,00000000,00000000,?,00000000,00000000,?,00F20A93,?,00000000), ref: 00F4C7EE

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 96495ce23ca8344b49122358b40c866b98b1020f95e4c2a9f8666da186f58e21
Instruction ID: 8b317ad63446c64f7730078849e243d5a334f79786142151028ebafe2813507b
Opcode Fuzzy Hash: 96495ce23ca8344b49122358b40c866b98b1020f95e4c2a9f8666da186f58e21
Instruction Fuzzy Hash: 8D31AF31A02246AFDB618F75CC44BAA7FA5FF41360F159129EC64971A0E730E990EBD0

Function 00F4456C Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 00F445BB
GetLastError.KERNEL32 ref: 00F445C5
__free_osfhnd.LIBCMT ref: 00F445D2
__dosmaperr.LIBCMT ref: 00F445F4

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr__free_osfhnd
String ID:
API String ID: 1721093958-0
Opcode ID: 5409e0709fae2c2117a301524cdcfd3f5fd9bc9c87e916a5ae13d020c8f55add
Instruction ID: 91c998b3873d2e35695ea4b30e6df5b20c5fdd2cb7e59dd339f96c0cadbef766
Opcode Fuzzy Hash: 5409e0709fae2c2117a301524cdcfd3f5fd9bc9c87e916a5ae13d020c8f55add
Instruction Fuzzy Hash: AD012633A0125017DA60A274BE09B7E7F844F83774F1D4219FE29B75D2DA65E840B1D0

Function 00F478B0 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00F478D4

Part of subcall function 00F47FBB: __fltout2.LIBCMT ref: 00F47FE4

__cftog_l.LIBCMT ref: 00F478FA
__cftoe_l.LIBCMT ref: 00F4792C

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: d62f27be349045024df31dceb743c259ed333a6356a8aebd566aa3fd770939c5
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 3F01483244828EBBCF226E84CC418EE3F62BB18360B588515FE1858031D337DAB1BB81

Function 00F48E98 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 00F48EAF

Part of subcall function 00F494C6: ___AdjustPointer.LIBCMT ref: 00F4950F

_UnwindNestedFrames.LIBCMT ref: 00F48EC6
___FrameUnwindToState.LIBCMT ref: 00F48ED8
CallCatchBlock.LIBCMT ref: 00F48EFC

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 47ff991701b949d2c6ac9b0ab3a6bae88cad4e47a60bb843eb0d441dcfe1d101
Instruction ID: adea74057d804ae1b3964a5a1bea8faf3715480c1df922523cc2f66dce993921
Opcode Fuzzy Hash: 47ff991701b949d2c6ac9b0ab3a6bae88cad4e47a60bb843eb0d441dcfe1d101
Instruction Fuzzy Hash: 0501C532500149ABCF129F95CC05EAA3FAAAF48764F158015FD5866121D776E8A2ABA0

Function 00F1F356 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 396sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F175B0: GetSystemTimeAsFileTime.KERNEL32(00F1E0E5,00000014,00000014,?,00F1E0E5,00000014), ref: 00F40057
Part of subcall function 00F175B0: __aulldiv.LIBCMT ref: 00F40077

Part of subcall function 00F1E990: Sleep.KERNEL32(000003E8,?,?,?,?,00000000,00000000,?,00000000,0000001F,00000000), ref: 00F1EB4F

_memset.LIBCMT ref: 00F1F8B0
Sleep.KERNEL32(000008AE), ref: 00F1F94A

Strings

C:\qkcgyxexucxsiyk\jqvkzish.exe, xrefs: 00F1F9DC

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: SleepTime$FileSystem__aulldiv_memset
String ID: C:\qkcgyxexucxsiyk\jqvkzish.exe
API String ID: 906812606-61857822
Opcode ID: 40a1faf9efabe1d65634d2258df2fb1e0dc1ec3984637d534ef15bb89ef0d9a9
Instruction ID: 48f553f1cfc3c9ba01f596f016c39f5a16e5ff3528d4c677c49f195f1f2fff95
Opcode Fuzzy Hash: 40a1faf9efabe1d65634d2258df2fb1e0dc1ec3984637d534ef15bb89ef0d9a9
Instruction Fuzzy Hash: 72027C31C10A0C9ECB02DFB6EC819ADB774BF19380F148716E915B6262EB746AC5EF50

Function 00F4832D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__controlfp_s.LIBCMT ref: 00F4833B

Part of subcall function 00F4D8AF: __control87.LIBCMT ref: 00F4D8D3

__invoke_watson.LIBCMT ref: 00F4834E

Strings

csm, xrefs: 00F4835C

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: __control87__controlfp_s__invoke_watson
String ID: csm
API String ID: 1371525046-1018135373
Opcode ID: b5911343ea0ed005a87fa4f7a9f31147fe6699a00fff43af7a5f4000ff7e7e9e
Instruction ID: 576ab69f025fac51d0ba19e419679569f395f3c4d448861266c9be301ff0ab10
Opcode Fuzzy Hash: b5911343ea0ed005a87fa4f7a9f31147fe6699a00fff43af7a5f4000ff7e7e9e
Instruction Fuzzy Hash: 92F0B421A012149E8B29ADA96C45ABE3FCD9F10BB1F584811FC08CB512DF55CEC2F0D6

Function 00F41A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,00F41AC4,00000000,00000000,00000000,00000000,00000000,00F48856,?,00F4209B,00000003,00F3FFD8,00000000,00000000,00000000), ref: 00F41A96
__invoke_watson.LIBCMT ref: 00F41AB2

Strings

PNv, xrefs: 00F41A96

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: DecodePointer__invoke_watson
String ID: PNv
API String ID: 4034010525-4070351811
Opcode ID: 278d88d7a8f2a32defd09cbb67572cbfd57e3f0541a3d01e4d7364504035b79e
Instruction ID: 65c804fc5f96c7b822b35e00d69376a81a67cf8a23313e0d918ecd3cc1b61758
Opcode Fuzzy Hash: 278d88d7a8f2a32defd09cbb67572cbfd57e3f0541a3d01e4d7364504035b79e
Instruction Fuzzy Hash: 87E0E27294120DBBDF022FB1DD068AA3EAABF04390B444460FE2480031E63AC9B0BB91

Function 00F3CFE1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 00F3CFE6
__set_abort_behavior.LIBCMT ref: 00F3CFF6

Strings

PNv, xrefs: 00F3CFE6

Memory Dump Source

Source File: 00000001.00000002.1722132894.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000001.00000002.1722118245.0000000000F10000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722164910.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722183662.0000000000F62000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1722200716.0000000000F67000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f10000_ek5v3xaskkfpqwron.jbxd

Similarity

API ID: DecodePointer__set_abort_behavior
String ID: PNv
API String ID: 4109001881-4070351811
Opcode ID: f11f336ebb751efb4ee0e0eb13e999ae728a3e7421454f54ca9ac12d8c82b17b
Instruction ID: a1741391f5c94b17a3cffc6a6632aecbb55434eea38d1a0bd6cd73ba4f9f25b1
Opcode Fuzzy Hash: f11f336ebb751efb4ee0e0eb13e999ae728a3e7421454f54ca9ac12d8c82b17b
Instruction Fuzzy Hash: 2EC048326A920159F61427BA2C06B692A49AB42B62F200419FA21E80C1ED91E680B162

Analysis Process: bsiphbvc.exePID: 9340, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	17.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	2000
Total number of Limit Nodes:	99

Executed Functions

Function 00AB10A0 Relevance: 86.8, APIs: 13, Strings: 34, Instructions: 4533libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(Ker), ref: 00AB1DBD
GetProcAddress.KERNEL32(00007243), ref: 00AB2066
GetProcAddress.KERNEL32(Creat), ref: 00AB21F4
GetProcAddress.KERNEL32(SetEv), ref: 00AB2306
GetProcAddress.KERNEL32(00006157), ref: 00AB24D3
GetProcAddress.KERNEL32(CloseHandleSetEv), ref: 00AB28DD
GetProcAddress.KERNEL32(65656C53), ref: 00AB2A92
_memset.LIBCMT ref: 00AB2DC4
CreateThread.KERNELBASE(00000000,00000000,00AC7490,00000128,00000000,00000000), ref: 00AB39A6
CloseHandle.KERNELBASE(00000000,?,?,00000000), ref: 00AB3D76

Strings

U;8, xrefs: 00AB47AE
eate, xrefs: 00AB1B01
o, xrefs: 00AB1B52
]D87, xrefs: 00AB1130
Slee, xrefs: 00AB1B1E
gl, xrefs: 00AB1B28
fM, xrefs: 00AB1339
i}kN, xrefs: 00AB13BF
8e#!, xrefs: 00AB18FA
"}N, xrefs: 00AB138B
eThr, xrefs: 00AB1B31
Wa, xrefs: 00AB1A82
nel3, xrefs: 00AB1A95
SetEv, xrefs: 00AB22F9, 00AB22FF
A, xrefs: 00AB1B59
e, xrefs: 00AB1B42
CloseHandleSetEv, xrefs: 00AB28C6, 00AB28CC
rSin, xrefs: 00AB1ABC
j1v{, xrefs: 00AB3CEE, 00AB5166, 00AB5170, 00AB6D0C, 00AB6D1B
ent, xrefs: 00AB1A9F
tF, xrefs: 00AB1B15
eObj, xrefs: 00AB1ADA
ct, xrefs: 00AB1AE4
ead, xrefs: 00AB1A8B
i, xrefs: 00AB1B72
dll, xrefs: 00AB1AED
E, xrefs: 00AB1B79
Creat, xrefs: 00AB21C7, 00AB21E1
vent, xrefs: 00AB1AA9
2., xrefs: 00AB1B80
p, xrefs: 00AB1B49
Ker, xrefs: 00AB1DB6, 00AB1DBC
T+, xrefs: 00AB552F
Cr, xrefs: 00AB1B62

Memory Dump Source

Source File: 00000002.00000002.2479692023.0000000000AB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000002.00000002.2479665087.0000000000AB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479737913.0000000000AF3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479815457.0000000000B02000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479815457.0000000000B06000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479883687.0000000000B07000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab0000_bsiphbvc.jbxd

Similarity

API ID: AddressProc$Handle$CloseCreateModuleThread_memset
String ID: U;8$"}N$2.$8e#!$A$CloseHandleSetEv$Cr$Creat$E$Ker$SetEv$Slee$T+$Wa$]D87$ct$dll$e$eObj$eThr$ead$eate$ent$fM$gl$i$i}kN$j1v{$nel3$o$p$rSin$tF$vent
API String ID: 3360259145-234659658
Opcode ID: b4261c1696cf1cf900a8db77245a18856b1f85a74edb8a219b4a6002e31dd1f9
Instruction ID: 90953955ec9ab66d09905deed0936eb18b747e538717b471f77d57ded80076f5
Opcode Fuzzy Hash: b4261c1696cf1cf900a8db77245a18856b1f85a74edb8a219b4a6002e31dd1f9
Instruction Fuzzy Hash: 5DB31931820B598EC757CFB6D8552A9B378BF6A381F109386E809B7161FB3459CADF04

Function 00ABD8E0 Relevance: 10.8, APIs: 7, Instructions: 290
libraryloaderencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000), ref: 00ABDAD2
GetProcAddress.KERNEL32(00000000), ref: 00ABDB2C
CryptGenRandom.ADVAPI32(00000004,?), ref: 00ABDC5E
_rand.LIBCMT ref: 00ABDD1E
_rand.LIBCMT ref: 00ABDD25
_rand.LIBCMT ref: 00ABDD30
_rand.LIBCMT ref: 00ABDD37

Memory Dump Source

Source File: 00000002.00000002.2479692023.0000000000AB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000002.00000002.2479665087.0000000000AB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479737913.0000000000AF3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479815457.0000000000B02000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479815457.0000000000B06000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479883687.0000000000B07000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab0000_bsiphbvc.jbxd

Similarity

API ID: _rand$AddressProc$CryptRandom
String ID:
API String ID: 2249235034-0
Opcode ID: 53d07ae13fc262c6312d52b68592c194606d000b60ced520f601646ef274e135
Instruction ID: f04cb738898aa86b908eb47d2be3a0f2bf3cf38864a76790cd2d0820fe951a54
Opcode Fuzzy Hash: 53d07ae13fc262c6312d52b68592c194606d000b60ced520f601646ef274e135
Instruction Fuzzy Hash: 64D17C71C10A489ECB02DFF5E8556AEB778FF6A390B148316E901B7262FB3159C6DB40

Function 00AC21AD Relevance: 291.3, APIs: 123, Strings: 41, Instructions: 4260COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00AC2593
_memset.LIBCMT ref: 00AC262A

Strings

`Jp, xrefs: 00AC2850
huE, xrefs: 00AC4F38
hDE, xrefs: 00AC5286
jh/8, xrefs: 00AC3364
hdC, xrefs: 00AC580D
jhN4, xrefs: 00AC3476
h0$, xrefs: 00AC42BB
h!, xrefs: 00AC2C03
yG_5, xrefs: 00AC3049
h$!, xrefs: 00AC4BB8
hd8, xrefs: 00AC52CF
jh14, xrefs: 00AC3670
jjj, xrefs: 00AC58F3
h , xrefs: 00AC489F
huD, xrefs: 00AC2AC9
h4E, xrefs: 00AC2A3C
jhUC, xrefs: 00AC3EFF
h=$, xrefs: 00AC517D
h@4, xrefs: 00AC3B75
h#2, xrefs: 00AC39AE
jh.7, xrefs: 00AC38EA
hoF, xrefs: 00AC48EA
hM$, xrefs: 00AC3FC3
j1v{, xrefs: 00AC2AEA, 00AC3A1D, 00AC3A3E
jz8, xrefs: 00AC5AA2
huA, xrefs: 00AC4193
h4, xrefs: 00AC4594
jjj, xrefs: 00AC58FF
C:\Windows\system32\config\systemprofile, xrefs: 00AC5897
h-3, xrefs: 00AC4099
h|8, xrefs: 00AC5688
)bg, xrefs: 00AC37CD
jh+A, xrefs: 00AC4D29
h@3, xrefs: 00AC44C9
h)#, xrefs: 00AC559F
hL8, xrefs: 00AC278B
->`b, xrefs: 00AC4AE3
j!h1, xrefs: 00AC2881
h{C, xrefs: 00AC47EA
h", xrefs: 00AC30E8
h%1, xrefs: 00AC37F2

Memory Dump Source

Source File: 00000002.00000002.2479692023.0000000000AB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000002.00000002.2479665087.0000000000AB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479737913.0000000000AF3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479815457.0000000000B02000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479815457.0000000000B06000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479883687.0000000000B07000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab0000_bsiphbvc.jbxd

Similarity

API ID: _malloc_memset
String ID: ->`b$C:\Windows\system32\config\systemprofile$`Jp$h#2$h$!$h%1$h)#$h-3$h0$$h4E$h=$$h@3$h@4$hDE$hL8$hM$$hd8$hdC$hoF$huA$huD$huE$h{C$h|8$h $h!$h"$h4$jhN4$jh+A$jh.7$jh/8$jh14$jhUC$j!h1$j1v{$jjj$jjj$yG_5$)bg$jz8
API String ID: 4137368368-4234076158
Opcode ID: 9b1a1201954a392a4cdc4c8c7c430fc7a19203de9976b3e9d99941d7f7562ba3
Instruction ID: 0f04f9506c1be0ac793c94a472e71137bcf7d8fe71524bb93dcafdb5b7316d8e
Opcode Fuzzy Hash: 9b1a1201954a392a4cdc4c8c7c430fc7a19203de9976b3e9d99941d7f7562ba3
Instruction Fuzzy Hash: 4693AE31C10B089ED712DFB5EC55AA9B778AF6A780F008356E906772A2FF7159D6CB00

Function 00AC00B0 Relevance: 41.2, APIs: 19, Strings: 4, Instructions: 900
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(00B044C8), ref: 00AC0305
CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00AC0575

Part of subcall function 00ABE550: _memset.LIBCMT ref: 00ABE56E
Part of subcall function 00ABE550: _free.LIBCMT ref: 00ABE596

DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00AC0698
RemoveDirectoryA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00AC06CE
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00AC07F4
_strcat.LIBCMT ref: 00AC0806
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00AC089E
__snprintf.LIBCMT ref: 00AC09E9
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AC0AE1

Part of subcall function 00ABE120: _malloc.LIBCMT ref: 00ABE1CF

__snprintf.LIBCMT ref: 00AC0A8E
_strcat.LIBCMT ref: 00AC0B68
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AC0B9D
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00AC0D22
_strcat.LIBCMT ref: 00AC0E50
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00AC0E8C
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00AC0FB1
_strcat.LIBCMT ref: 00AC0FD2
SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 00AC10C4
_memset.LIBCMT ref: 00AC10D8

Strings

j1v{, xrefs: 00AC0FC1
\, xrefs: 00AC0DBC
C:\Windows\system32\config\systemprofile, xrefs: 00AC09DD, 00AC0A7C
C:\qkcgyxexucxsiyk\, xrefs: 00AC0801, 00AC0B63, 00AC0E4B, 00AC0FCD

Memory Dump Source

Source File: 00000002.00000002.2479692023.0000000000AB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000002.00000002.2479665087.0000000000AB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479737913.0000000000AF3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479815457.0000000000B02000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479815457.0000000000B06000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479883687.0000000000B07000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab0000_bsiphbvc.jbxd

Similarity

API ID: Directory$Create$_strcat$FilePathTemp__snprintf_memset$AttributesDeleteRemoveVersion_free_malloc
String ID: C:\Windows\system32\config\systemprofile$C:\qkcgyxexucxsiyk\$\$j1v{
API String ID: 1290010854-2673577253
Opcode ID: 24226b6d6c11f64700dafd1b40c8c5e6b74d0ff2cf5d205400633d5ade2682ce
Instruction ID: ba053a9bedb18e5af1d9b25c5aaa2adf41c1e979c8b112e2903c3755ddc56807
Opcode Fuzzy Hash: 24226b6d6c11f64700dafd1b40c8c5e6b74d0ff2cf5d205400633d5ade2682ce
Instruction Fuzzy Hash: 11927E31C10B499ECB02DBB6DD45AADB778AF69380F148756E906B7162FF3066C9CB40

Function 00ABD090 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 174
registrysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(Function_0000CE40), ref: 00ABD1D8
SetServiceStatus.SECHOST(00B04780), ref: 00ABD214
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00ABD27D
SetServiceStatus.ADVAPI32(00B04780), ref: 00ABD2A4
WaitForSingleObject.KERNEL32(00001388), ref: 00ABD2CD
SetServiceStatus.ADVAPI32(00B04780), ref: 00ABD35F
CloseHandle.KERNEL32 ref: 00ABD392
SetServiceStatus.ADVAPI32(00B04780), ref: 00ABD401

Strings

]/da, xrefs: 00ABD224
>&|, xrefs: 00ABD311

Memory Dump Source

Source File: 00000002.00000002.2479692023.0000000000AB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000002.00000002.2479665087.0000000000AB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479737913.0000000000AF3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479815457.0000000000B02000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479815457.0000000000B06000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479883687.0000000000B07000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab0000_bsiphbvc.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID: ]/da$>&|
API String ID: 3399922960-1858257644
Opcode ID: 4a888a53c58310ea8ea1c5297f640ca075073dc6e0898a036e4c712d2b8078ff
Instruction ID: c3412a9ed01d71e0ea7fa77944299ac7632e16ce5e9b8e14130f30de25e679fc
Opcode Fuzzy Hash: 4a888a53c58310ea8ea1c5297f640ca075073dc6e0898a036e4c712d2b8078ff
Instruction Fuzzy Hash: 46818C759006099FC706DFB8EC59269BBB8FF2A380F10831AE501B7260EF7599C9CB44

Function 00ABF0E0 Relevance: 9.3, APIs: 2, Strings: 3, Instructions: 527
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

frrqzdvmnkqk "c:\qkcgyxexucxsiyk\bsiphbvc.exe", xrefs: 00ABF9D7
h:A, xrefs: 00ABF676
C:\qkcgyxexucxsiyk\jqvkzish.exe, xrefs: 00ABF9DC

Memory Dump Source

Source File: 00000002.00000002.2479692023.0000000000AB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000002.00000002.2479665087.0000000000AB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479737913.0000000000AF3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479815457.0000000000B02000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479815457.0000000000B06000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479883687.0000000000B07000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab0000_bsiphbvc.jbxd

Similarity

API ID:
String ID: C:\qkcgyxexucxsiyk\jqvkzish.exe$frrqzdvmnkqk "c:\qkcgyxexucxsiyk\bsiphbvc.exe"$h:A
API String ID: 0-429150623
Opcode ID: 170c53f6d0a0822aea090391043f4629922f5e58d26a859ec19dcf2f86aeb792
Instruction ID: 226e1bf412948d1a146de812643b412901ccd304547f1de507656ea66383f843
Opcode Fuzzy Hash: 170c53f6d0a0822aea090391043f4629922f5e58d26a859ec19dcf2f86aeb792
Instruction Fuzzy Hash: 76328C71C1064C9ECB02DFF6D9859ADB7B8BF69340F148716E805B7262FB306A89CB50

Function 00AC18E0 Relevance: 9.1, APIs: 6, Instructions: 147
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?), ref: 00AC1998
Process32First.KERNEL32(00000000,?), ref: 00AC19BA
_strcat.LIBCMT ref: 00AC1A12
Process32Next.KERNEL32(00000000,00000128), ref: 00AC1AC5
CloseHandle.KERNELBASE(00000000), ref: 00AC1B1A
_memset.LIBCMT ref: 00AC1B2E

Memory Dump Source

Source File: 00000002.00000002.2479692023.0000000000AB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000002.00000002.2479665087.0000000000AB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479737913.0000000000AF3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479815457.0000000000B02000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479815457.0000000000B06000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479883687.0000000000B07000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab0000_bsiphbvc.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset_strcat
String ID:
API String ID: 1640862104-0
Opcode ID: 6b4b6aa5de84efb5ec15a6c7b3360991a9b1c5063b03bc56f9cdb9b9cd0ac01c
Instruction ID: 6114f0c92525b507a4fe90a9a3365ea079d440f93bcdcf6cf3525ede95ceed9f
Opcode Fuzzy Hash: 6b4b6aa5de84efb5ec15a6c7b3360991a9b1c5063b03bc56f9cdb9b9cd0ac01c
Instruction Fuzzy Hash: 0A516F719002089FCB15DFB6D9495ADB7B8FF69344F04825AE905F7261EB30AA84CF50

Function 00ADD002 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00ADD01A

Part of subcall function 00ADFFBC: __FF_MSGBANNER.LIBCMT ref: 00ADFFD3
Part of subcall function 00ADFFBC: __NMSG_WRITE.LIBCMT ref: 00ADFFDA
Part of subcall function 00ADFFBC: RtlAllocateHeap.NTDLL(?,00000000,00000001,00000000,00000000,00000000,?,00AE1324,00000000,00000000,00000000,00000000,?,00AE1BFD,00000018,00AFFDC0), ref: 00ADFFFF

std::exception::exception.LIBCMT ref: 00ADD038
__CxxThrowException@8.LIBCMT ref: 00ADD04D

Part of subcall function 00AE0D5A: RaiseException.KERNEL32(?,?,00ADCF8B,000000FF,00000000,00000000,?,?,?,?,00ADCF8B,000000FF,00AFFC5C,00000000), ref: 00AE0DAF

Memory Dump Source

Source File: 00000002.00000002.2479692023.0000000000AB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000002.00000002.2479665087.0000000000AB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479737913.0000000000AF3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479815457.0000000000B02000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479815457.0000000000B06000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479883687.0000000000B07000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab0000_bsiphbvc.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID:
API String ID: 3074076210-0
Opcode ID: 10c3807f1092c986f817ade0cfec28ff1ba9f0ad13d9baec2ae1fa0411348738
Instruction ID: a9c4c0774723316946fbbd7f329ffb2f13e6d864163cf2a68f079bdfd9aa214e
Opcode Fuzzy Hash: 10c3807f1092c986f817ade0cfec28ff1ba9f0ad13d9baec2ae1fa0411348738
Instruction Fuzzy Hash: A4E0E57140020DAACB10FB94CD158FE7778BF40300F1044A6FA06A6292EBB08A459691

Function 00AD9860 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00ADCF15
__CxxThrowException@8.LIBCMT ref: 00ADCF2A

Part of subcall function 00ADD002: _malloc.LIBCMT ref: 00ADD01A

Memory Dump Source

Source File: 00000002.00000002.2479692023.0000000000AB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000002.00000002.2479665087.0000000000AB0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479737913.0000000000AF3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479815457.0000000000B02000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479815457.0000000000B06000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2479883687.0000000000B07000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ab0000_bsiphbvc.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: 1d695f3ce39ab99acc502f7d2fc049c39ab814396d8fda41d3390361401e15e4
Instruction ID: 61a2e495f67f549d232fb6fbc184bf8744f105131c0064c277a049cdaf5920c8
Opcode Fuzzy Hash: 1d695f3ce39ab99acc502f7d2fc049c39ab814396d8fda41d3390361401e15e4
Instruction Fuzzy Hash: 30F089B050020DAADF08BAE89D16DFF73AC6B40711F500566F516D3382E7B0EA049252

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DBROG0eWH7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\qkcgyxexucxsiyk\emmz4mbuo0g

C:\qkcgyxexucxsiyk\bsiphbvc.exe

C:\qkcgyxexucxsiyk\ek5v3xaskkfpqwron.exe

C:\qkcgyxexucxsiyk\emmz4mbuo0g

C:\qkcgyxexucxsiyk\hjkz5m

C:\qkcgyxexucxsiyk\jqvkzish.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
DBROG0eWH7.exe

Function 007600B0 Relevance: 39.4, APIs: 19, Strings: 3, Instructions: 900
fileCOMMON

Function 0075A590 Relevance: 9.2, APIs: 6, Instructions: 219
filesleepCOMMON

Function 00772230 Relevance: 4.6, APIs: 3, Instructions: 88
memoryCOMMON

Function 00780A9D Relevance: 19.6, APIs: 13, Instructions: 89
COMMON

Function 0075A970 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 109
processCOMMON

Function 0075FC60 Relevance: 12.2, APIs: 8, Instructions: 250
fileCOMMON

Function 0075AB30 Relevance: 4.7, APIs: 3, Instructions: 211
fileCOMMON

Function 0077D002 Relevance: 4.5, APIs: 3, Instructions: 29
COMMON

Function 0075FB80 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
COMMON

Function 0077FC69 Relevance: 3.0, APIs: 2, Instructions: 7
COMMONLIBRARYCODE

Function 0077FF22 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre