Edit tour

Windows Analysis Report
8CO4P3HwDt.exe

Overview

General Information

Sample name:	8CO4P3HwDt.exe renamed because original name is a hash value
Original sample name:	a45535760b1cab75d55825736dcdec6e9cc7d3521247731af0e4010b3c9b005b.exe
Analysis ID:	1551213
MD5:	c3c8df0d6043078abdf157a68d37eb96
SHA1:	4ef0b88e12b3770fbaa6e5683b15b51c130f38ad
SHA256:	a45535760b1cab75d55825736dcdec6e9cc7d3521247731af0e4010b3c9b005b
Tags:	exeuser-adrian__luca
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to resolve many domain names, but no domain seems valid

Connects to many different domains

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Executes massive DNS lookups (> 100)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

8CO4P3HwDt.exe (PID: 6916 cmdline: "C:\Users\user\Desktop\8CO4P3HwDt.exe" MD5: C3C8DF0D6043078ABDF157A68D37EB96)

uzqv383gxrrqx7oiosyki.exe (PID: 6972 cmdline: "C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe" MD5: C3C8DF0D6043078ABDF157A68D37EB96)

usncdvbjyrwr.exe (PID: 7072 cmdline: "C:\oblimpyrbviueg\usncdvbjyrwr.exe" MD5: C3C8DF0D6043078ABDF157A68D37EB96)

usncdvbjyrwr.exe (PID: 6988 cmdline: C:\oblimpyrbviueg\usncdvbjyrwr.exe MD5: C3C8DF0D6043078ABDF157A68D37EB96)

hrzceasx.exe (PID: 7048 cmdline: uwauanknl3ss "c:\oblimpyrbviueg\usncdvbjyrwr.exe" MD5: C3C8DF0D6043078ABDF157A68D37EB96)

usncdvbjyrwr.exe (PID: 4064 cmdline: "c:\oblimpyrbviueg\usncdvbjyrwr.exe" MD5: C3C8DF0D6043078ABDF157A68D37EB96)

hrzceasx.exe (PID: 5040 cmdline: uwauanknl3ss "c:\oblimpyrbviueg\usncdvbjyrwr.exe" MD5: C3C8DF0D6043078ABDF157A68D37EB96)

cleanup

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:50:45.143921+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.12	49717	TCP
2024-11-07T15:51:24.425231+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.12	49726	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:50:38.470948+0100	2018141	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.12	49713	TCP
2024-11-07T15:50:42.469182+0100	2018141	1	A Network Trojan was detected	18.143.155.63	80	192.168.2.12	49715	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:50:38.470948+0100	2037771	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.12	49713	TCP
2024-11-07T15:50:42.469182+0100	2037771	1	A Network Trojan was detected	18.143.155.63	80	192.168.2.12	49715	TCP

ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:50:32.391304+0100	2018316	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.12	61040	UDP

ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:50:43.090729+0100	2811542	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.12	52795	UDP
2024-11-07T15:50:43.761660+0100	2811542	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.12	54810	UDP

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:50:35.597709+0100	2815568	1	A Network Trojan was detected	192.168.2.12	49712	18.143.155.63	80	TCP
2024-11-07T15:52:09.305733+0100	2815568	1	A Network Trojan was detected	192.168.2.12	49728	199.59.243.227	80	TCP

ETPRO MALWARE W32/Bayrob Attempted Checkin 2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:50:35.597709+0100	2820680	1	Malware Command and Control Activity Detected	192.168.2.12	49712	18.143.155.63	80	TCP
2024-11-07T15:52:09.305733+0100	2820680	1	Malware Command and Control Activity Detected	192.168.2.12	49728	199.59.243.227	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 8CO4P3HwDt.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Avira: detection malicious, Label: TR/Nivdort.Gen2
Source: C:\oblimpyrbviueg\hrzceasx.exe	Avira: detection malicious, Label: TR/Nivdort.Gen2
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Avira: detection malicious, Label: TR/Nivdort.Gen2

Multi AV Scanner detection for dropped file

Source: C:\oblimpyrbviueg\hrzceasx.exe	ReversingLabs: Detection: 89%
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	ReversingLabs: Detection: 89%
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	ReversingLabs: Detection: 89%

Multi AV Scanner detection for submitted file

Source: 8CO4P3HwDt.exe

ReversingLabs: Detection: 89%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Joe Sandbox ML: detected
Source: C:\oblimpyrbviueg\hrzceasx.exe	Joe Sandbox ML: detected
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 8CO4P3HwDt.exe

Joe Sandbox ML: detected

Source: 8CO4P3HwDt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8CO4P3HwDt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Code function: 0_2_008BA780 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_008BA780
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Code function: 2_2_0034A780 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_0034A780
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Code function: 3_2_00DAA780 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00DAA780
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 4_2_0039A780 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_0039A780
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 10_2_00B6A780 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	10_2_00B6A780

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2820680 - Severity 1 - ETPRO MALWARE W32/Bayrob Attempted Checkin 2 : 192.168.2.12:49712 -> 18.143.155.63:80
Source: Network traffic	Suricata IDS: 2820680 - Severity 1 - ETPRO MALWARE W32/Bayrob Attempted Checkin 2 : 192.168.2.12:49728 -> 199.59.243.227:80

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: heavydivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreemanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavendivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requirebusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returndivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heaveninside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glasspeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerdaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavybusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarymanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leadermanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarybusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardpeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlestream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavystream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returninstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requirebright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requiremanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreebright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlenothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answeranother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlemanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousnothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlebusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heaveninstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answermanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreebrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlebottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavymanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnnothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavynothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreebusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarybright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ordermanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderdivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerpeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenstream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavybottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leadernothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavybright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousdivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlebright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreepeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returninside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavennothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwarddaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnstream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassdaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentledivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderanother.net replaycode: Name error (3)

Source: unknown

Network traffic detected: DNS query count 170

Source: global traffic

DNS traffic detected: number of DNS queries: 170

Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: gentleanother.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: glassbright.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantinstead.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: degreedaughter.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net

Source: Joe Sandbox View	IP Address: 18.143.155.63 18.143.155.63
Source: Joe Sandbox View	IP Address: 85.214.228.140 85.214.228.140

Source: Network traffic	Suricata IDS: 2018316 - Severity 1 - ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses : 1.1.1.1:53 -> 192.168.2.12:61040
Source: Network traffic	Suricata IDS: 2815568 - Severity 1 - ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort : 192.168.2.12:49712 -> 18.143.155.63:80
Source: Network traffic	Suricata IDS: 2811542 - Severity 1 - ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) : 1.1.1.1:53 -> 192.168.2.12:52795
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.143.155.63:80 -> 192.168.2.12:49715
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.143.155.63:80 -> 192.168.2.12:49715
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.12:49713
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.12:49713
Source: Network traffic	Suricata IDS: 2811542 - Severity 1 - ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) : 1.1.1.1:53 -> 192.168.2.12:54810
Source: Network traffic	Suricata IDS: 2815568 - Severity 1 - ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort : 192.168.2.12:49728 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.12:49726
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.12:49717

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

Code function: 0_2_008EF820 socket,setsockopt,gethostbyname,inet_ntoa,inet_addr,htons,connect,send,recv,recv,closesocket,

0_2_008EF820

Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: gentleanother.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: glassbright.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantinstead.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: degreedaughter.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net

Source: global traffic	DNS traffic detected: DNS query: heavenstream.net
Source: global traffic	DNS traffic detected: DNS query: leadernothing.net
Source: global traffic	DNS traffic detected: DNS query: heavennothing.net
Source: global traffic	DNS traffic detected: DNS query: leaderbottle.net
Source: global traffic	DNS traffic detected: DNS query: heavenbottle.net
Source: global traffic	DNS traffic detected: DNS query: leaderdivide.net
Source: global traffic	DNS traffic detected: DNS query: heavendivide.net
Source: global traffic	DNS traffic detected: DNS query: heavystream.net
Source: global traffic	DNS traffic detected: DNS query: gentlestream.net
Source: global traffic	DNS traffic detected: DNS query: heavynothing.net
Source: global traffic	DNS traffic detected: DNS query: gentlenothing.net
Source: global traffic	DNS traffic detected: DNS query: heavybottle.net
Source: global traffic	DNS traffic detected: DNS query: gentlebottle.net
Source: global traffic	DNS traffic detected: DNS query: heavydivide.net
Source: global traffic	DNS traffic detected: DNS query: gentledivide.net
Source: global traffic	DNS traffic detected: DNS query: variousstream.net
Source: global traffic	DNS traffic detected: DNS query: returnstream.net
Source: global traffic	DNS traffic detected: DNS query: variousnothing.net
Source: global traffic	DNS traffic detected: DNS query: returnnothing.net
Source: global traffic	DNS traffic detected: DNS query: variousbottle.net
Source: global traffic	DNS traffic detected: DNS query: returnbottle.net
Source: global traffic	DNS traffic detected: DNS query: variousdivide.net
Source: global traffic	DNS traffic detected: DNS query: returndivide.net
Source: global traffic	DNS traffic detected: DNS query: degreemanner.net
Source: global traffic	DNS traffic detected: DNS query: forwardmanner.net
Source: global traffic	DNS traffic detected: DNS query: degreeanother.net
Source: global traffic	DNS traffic detected: DNS query: forwardanother.net
Source: global traffic	DNS traffic detected: DNS query: degreebusiness.net
Source: global traffic	DNS traffic detected: DNS query: forwardbusiness.net
Source: global traffic	DNS traffic detected: DNS query: degreeappear.net
Source: global traffic	DNS traffic detected: DNS query: forwardappear.net
Source: global traffic	DNS traffic detected: DNS query: answermanner.net
Source: global traffic	DNS traffic detected: DNS query: glassmanner.net
Source: global traffic	DNS traffic detected: DNS query: answeranother.net
Source: global traffic	DNS traffic detected: DNS query: glassanother.net
Source: global traffic	DNS traffic detected: DNS query: answerbusiness.net
Source: global traffic	DNS traffic detected: DNS query: glassbusiness.net
Source: global traffic	DNS traffic detected: DNS query: answerappear.net
Source: global traffic	DNS traffic detected: DNS query: glassappear.net
Source: global traffic	DNS traffic detected: DNS query: difficultmanner.net
Source: global traffic	DNS traffic detected: DNS query: heardmanner.net
Source: global traffic	DNS traffic detected: DNS query: difficultanother.net
Source: global traffic	DNS traffic detected: DNS query: heardanother.net
Source: global traffic	DNS traffic detected: DNS query: difficultbusiness.net
Source: global traffic	DNS traffic detected: DNS query: heardbusiness.net
Source: global traffic	DNS traffic detected: DNS query: difficultappear.net
Source: global traffic	DNS traffic detected: DNS query: heardappear.net
Source: global traffic	DNS traffic detected: DNS query: pleasantmanner.net
Source: global traffic	DNS traffic detected: DNS query: necessarymanner.net
Source: global traffic	DNS traffic detected: DNS query: pleasantanother.net
Source: global traffic	DNS traffic detected: DNS query: necessaryanother.net
Source: global traffic	DNS traffic detected: DNS query: pleasantbusiness.net
Source: global traffic	DNS traffic detected: DNS query: necessarybusiness.net
Source: global traffic	DNS traffic detected: DNS query: pleasantappear.net
Source: global traffic	DNS traffic detected: DNS query: necessaryappear.net
Source: global traffic	DNS traffic detected: DNS query: ordermanner.net
Source: global traffic	DNS traffic detected: DNS query: requiremanner.net
Source: global traffic	DNS traffic detected: DNS query: orderanother.net
Source: global traffic	DNS traffic detected: DNS query: requireanother.net
Source: global traffic	DNS traffic detected: DNS query: orderbusiness.net
Source: global traffic	DNS traffic detected: DNS query: requirebusiness.net
Source: global traffic	DNS traffic detected: DNS query: orderappear.net
Source: global traffic	DNS traffic detected: DNS query: requireappear.net
Source: global traffic	DNS traffic detected: DNS query: leadermanner.net
Source: global traffic	DNS traffic detected: DNS query: heavenmanner.net
Source: global traffic	DNS traffic detected: DNS query: leaderanother.net
Source: global traffic	DNS traffic detected: DNS query: heavenanother.net
Source: global traffic	DNS traffic detected: DNS query: leaderbusiness.net
Source: global traffic	DNS traffic detected: DNS query: heavenbusiness.net
Source: global traffic	DNS traffic detected: DNS query: leaderappear.net
Source: global traffic	DNS traffic detected: DNS query: heavenappear.net
Source: global traffic	DNS traffic detected: DNS query: heavymanner.net
Source: global traffic	DNS traffic detected: DNS query: gentlemanner.net
Source: global traffic	DNS traffic detected: DNS query: heavyanother.net
Source: global traffic	DNS traffic detected: DNS query: gentleanother.net
Source: global traffic	DNS traffic detected: DNS query: heavybusiness.net
Source: global traffic	DNS traffic detected: DNS query: gentlebusiness.net
Source: global traffic	DNS traffic detected: DNS query: heavyappear.net
Source: global traffic	DNS traffic detected: DNS query: gentleappear.net
Source: global traffic	DNS traffic detected: DNS query: variousmanner.net
Source: global traffic	DNS traffic detected: DNS query: returnmanner.net
Source: global traffic	DNS traffic detected: DNS query: variousanother.net
Source: global traffic	DNS traffic detected: DNS query: returnanother.net
Source: global traffic	DNS traffic detected: DNS query: variousbusiness.net
Source: global traffic	DNS traffic detected: DNS query: returnbusiness.net
Source: global traffic	DNS traffic detected: DNS query: variousappear.net
Source: global traffic	DNS traffic detected: DNS query: returnappear.net
Source: global traffic	DNS traffic detected: DNS query: degreeinstead.net
Source: global traffic	DNS traffic detected: DNS query: forwardinstead.net
Source: global traffic	DNS traffic detected: DNS query: degreeexplain.net
Source: global traffic	DNS traffic detected: DNS query: forwardexplain.net
Source: global traffic	DNS traffic detected: DNS query: degreebright.net
Source: global traffic	DNS traffic detected: DNS query: forwardbright.net
Source: global traffic	DNS traffic detected: DNS query: degreeinside.net
Source: global traffic	DNS traffic detected: DNS query: forwardinside.net
Source: global traffic	DNS traffic detected: DNS query: answerinstead.net
Source: global traffic	DNS traffic detected: DNS query: glassinstead.net
Source: global traffic	DNS traffic detected: DNS query: answerexplain.net
Source: global traffic	DNS traffic detected: DNS query: glassexplain.net
Source: global traffic	DNS traffic detected: DNS query: answerbright.net

Source: usncdvbjyrwr.exe, 00000003.00000002.3139289965.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, usncdvbjyrwr.exe, 00000009.00000002.3575220568.00000000009F7000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: https://www.google.com

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	File created: C:\Windows\oblimpyrbviueg\	Jump to behavior
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	File created: C:\Windows\oblimpyrbviueg\vqipymk4ju	Jump to behavior
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	File created: C:\Windows\oblimpyrbviueg\vqipymk4ju	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	File created: C:\Windows\oblimpyrbviueg\vqipymk4ju	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe	File created: C:\Windows\oblimpyrbviueg\vqipymk4ju	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	File created: C:\Windows\oblimpyrbviueg\vqipymk4ju	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	File created: C:\Windows\oblimpyrbviueg\vqipymk4ju	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe	File created: C:\Windows\oblimpyrbviueg\vqipymk4ju	Jump to behavior

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

File deleted: C:\Windows\oblimpyrbviueg\vqipymk4ju

Jump to behavior

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Code function: 0_2_008CACF0	0_2_008CACF0
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Code function: 2_2_0035ACF0	2_2_0035ACF0
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Code function: 2_2_003610DA	2_2_003610DA
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Code function: 3_2_00DBACF0	3_2_00DBACF0
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 4_2_003AACF0	4_2_003AACF0
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 4_2_003B10CC	4_2_003B10CC
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 10_2_00B7ACF0	10_2_00B7ACF0

Source: 8CO4P3HwDt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal96.troj.evad.winEXE@12/5@213/4

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	0_2_008B2250
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	2_2_00342250
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	3_2_00DA2250
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	4_2_00392250
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	10_2_00B62250

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

Code function: 0_2_008D4C00 CreateToolhelp32Snapshot,Process32First,CreateToolhelp32Snapshot,Module32First,CloseHandle,Process32Next,CloseHandle,

0_2_008D4C00

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

Code function: 0_2_008BAD00 StartServiceCtrlDispatcherA,

0_2_008BAD00

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Code function: 0_2_008BAD00 StartServiceCtrlDispatcherA,	0_2_008BAD00
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Code function: 2_2_0034AD00 StartServiceCtrlDispatcherA,	2_2_0034AD00
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Code function: 3_2_00DAAD00 StartServiceCtrlDispatcherA,	3_2_00DAAD00
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 4_2_0039AD00 StartServiceCtrlDispatcherA,	4_2_0039AD00
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 10_2_00B6AD00 StartServiceCtrlDispatcherA,	10_2_00B6AD00

Source: C:\oblimpyrbviueg\hrzceasx.exe

Mutant created: NULL

Source: 8CO4P3HwDt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 8CO4P3HwDt.exe

ReversingLabs: Detection: 89%

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

File read: C:\Users\user\Desktop\8CO4P3HwDt.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\8CO4P3HwDt.exe "C:\Users\user\Desktop\8CO4P3HwDt.exe"
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Process created: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe "C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe"
Source: unknown	Process created: C:\oblimpyrbviueg\usncdvbjyrwr.exe C:\oblimpyrbviueg\usncdvbjyrwr.exe
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Process created: C:\oblimpyrbviueg\hrzceasx.exe uwauanknl3ss "c:\oblimpyrbviueg\usncdvbjyrwr.exe"
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Process created: C:\oblimpyrbviueg\usncdvbjyrwr.exe "C:\oblimpyrbviueg\usncdvbjyrwr.exe"
Source: C:\oblimpyrbviueg\hrzceasx.exe	Process created: C:\oblimpyrbviueg\usncdvbjyrwr.exe "c:\oblimpyrbviueg\usncdvbjyrwr.exe"
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Process created: C:\oblimpyrbviueg\hrzceasx.exe uwauanknl3ss "c:\oblimpyrbviueg\usncdvbjyrwr.exe"
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Process created: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe "C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe"	Jump to behavior
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Process created: C:\oblimpyrbviueg\usncdvbjyrwr.exe "C:\oblimpyrbviueg\usncdvbjyrwr.exe"	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Process created: C:\oblimpyrbviueg\hrzceasx.exe uwauanknl3ss "c:\oblimpyrbviueg\usncdvbjyrwr.exe"	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe	Process created: C:\oblimpyrbviueg\usncdvbjyrwr.exe "c:\oblimpyrbviueg\usncdvbjyrwr.exe"	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Process created: C:\oblimpyrbviueg\hrzceasx.exe uwauanknl3ss "c:\oblimpyrbviueg\usncdvbjyrwr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: 8CO4P3HwDt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

Code function: 0_2_008DC35F GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetEnvironmentVariableA,CreateMutexA,CreateMutexA,CreateMutexA,GetTickCount,GetCommandLineA,Sleep,

0_2_008DC35F

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Code function: 0_2_008F1C80 push eax; ret	0_2_008F1C94
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Code function: 0_2_008F1C80 push eax; ret	0_2_008F1CBC
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Code function: 0_2_008CD86B push 0B008FD0h; ret	0_2_008CD870
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Code function: 2_2_00381C80 push eax; ret	2_2_00381C94
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Code function: 2_2_00381C80 push eax; ret	2_2_00381CBC
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Code function: 3_2_00DE1C80 push eax; ret	3_2_00DE1C94
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Code function: 3_2_00DE1C80 push eax; ret	3_2_00DE1CBC
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 4_2_003AD86B push 0B003DD0h; ret	4_2_003AD870
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 4_2_003D1C80 push eax; ret	4_2_003D1C94
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 4_2_003D1C80 push eax; ret	4_2_003D1CBC
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 10_2_00BA1C80 push eax; ret	10_2_00BA1C94
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 10_2_00BA1C80 push eax; ret	10_2_00BA1CBC
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 10_2_00B7D86B push 0B00BAD0h; ret	10_2_00B7D870

Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	File created: C:\oblimpyrbviueg\hrzceasx.exe	Jump to dropped file
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	File created: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	File created: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Jump to dropped file

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

Code function: 0_2_008BAD00 StartServiceCtrlDispatcherA,

0_2_008BAD00

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

0_2_008DC35F

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	0_2_008D2500
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	2_2_00362500
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	3_2_00DC2500
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	4_2_003B2500
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	10_2_00B82500

Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Code function: GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary,		2_2_00343770
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Code function: GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,RtlAllocateHeap,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary,		3_2_00DA3770

Source: C:\oblimpyrbviueg\hrzceasx.exe	Window / User API: threadDelayed 656			Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe	Window / User API: threadDelayed 1217			Jump to behavior

Source: C:\oblimpyrbviueg\hrzceasx.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Evasive API call chain: GetSystemTime,DecisionNodes	graph_2-11847
Source: C:\oblimpyrbviueg\hrzceasx.exe	Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Evasive API call chain: GetSystemTime,DecisionNodes	graph_0-9971
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Evasive API call chain: GetSystemTime,DecisionNodes	graph_3-10139

Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe TID: 7056	Thread sleep time: -37774s >= -30000s	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe TID: 7052	Thread sleep count: 656 > 30	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe TID: 7052	Thread sleep time: -656000s >= -30000s	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe TID: 7052	Thread sleep count: 1217 > 30	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe TID: 7052	Thread sleep time: -1217000s >= -30000s	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe TID: 4132	Thread sleep count: 325 > 30	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe TID: 4132	Thread sleep time: -16250000s >= -30000s	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe TID: 4132	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe TID: 5776	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe TID: 5776	Thread sleep time: -40000s >= -30000s	Jump to behavior

Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Last function: Thread delayed
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Last function: Thread delayed
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Last function: Thread delayed
Source: C:\oblimpyrbviueg\hrzceasx.exe	Last function: Thread delayed
Source: C:\oblimpyrbviueg\hrzceasx.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Code function: 0_2_008BA780 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_008BA780
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	Code function: 2_2_0034A780 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_0034A780
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Code function: 3_2_00DAA780 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00DAA780
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 4_2_0039A780 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_0039A780
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 10_2_00B6A780 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	10_2_00B6A780

Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Thread delayed: delay time: 50000			Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Thread delayed: delay time: 50000			Jump to behavior

Source: usncdvbjyrwr.exe, 00000009.00000002.3575220568.00000000009F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
Source: uzqv383gxrrqx7oiosyki.exe, 00000002.00000002.2372023037.000000000150E000.00000004.00000020.00020000.00000000.sdmp, usncdvbjyrwr.exe, 00000003.00000002.3139289965.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	API call chain: ExitProcess graph end node	graph_0-9932
Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	API call chain: ExitProcess graph end node	graph_2-11836
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	API call chain: ExitProcess graph end node	graph_3-10076
Source: C:\oblimpyrbviueg\hrzceasx.exe	API call chain: ExitProcess graph end node
Source: C:\oblimpyrbviueg\hrzceasx.exe	API call chain: ExitProcess graph end node
Source: C:\oblimpyrbviueg\hrzceasx.exe	API call chain: ExitProcess graph end node
Source: C:\oblimpyrbviueg\hrzceasx.exe	API call chain: ExitProcess graph end node

Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

0_2_008DC35F

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

Code function: 0_2_008E5570 GetProcessHeap,RtlAllocateHeap,

0_2_008E5570

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

Code function: 0_2_008E7710 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_008E7710

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

Code function: 0_2_008E68B0 GetSystemTime,GetTickCount,

0_2_008E68B0

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

Code function: 0_2_008C15A0 GetVersionExA,CreateDirectoryA,DeleteFileA,RemoveDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,GetTempPathA,CreateDirectoryA,GetTempPathA,SetFileAttributesA,

0_2_008C15A0

Source: C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 Process Injection	11 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 System Service Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	4 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
8CO4P3HwDt.exe	89%	ReversingLabs	Win32.Adware.Multiverze
8CO4P3HwDt.exe	100%	Avira	TR/Nivdort.Gen2
8CO4P3HwDt.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\oblimpyrbviueg\usncdvbjyrwr.exe	100%	Avira	TR/Nivdort.Gen2
C:\oblimpyrbviueg\hrzceasx.exe	100%	Avira	TR/Nivdort.Gen2
C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	100%	Avira	TR/Nivdort.Gen2
C:\oblimpyrbviueg\usncdvbjyrwr.exe	100%	Joe Sandbox ML
C:\oblimpyrbviueg\hrzceasx.exe	100%	Joe Sandbox ML
C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	100%	Joe Sandbox ML
C:\oblimpyrbviueg\hrzceasx.exe	89%	ReversingLabs	Win32.Adware.Multiverze
C:\oblimpyrbviueg\usncdvbjyrwr.exe	89%	ReversingLabs	Win32.Adware.Multiverze
C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe	89%	ReversingLabs	Win32.Adware.Multiverze

Name	IP	Active	Malicious	Reputation
degreedaughter.net	85.214.228.140	true	false	high
7450.bodis.com	199.59.243.227	true	false	high
gentleanother.net	54.244.188.177	true	false	high
returnbottle.net	18.143.155.63	true	false	high
pleasantinstead.net	18.143.155.63	true	false	high
forwardpeople.net	unknown	unknown	true	unknown
degreeanother.net	unknown	unknown	false	high
degreeexplain.net	unknown	unknown	true	unknown
heaveninside.net	unknown	unknown	true	unknown
answerappear.net	unknown	unknown	false	high
heavybusiness.net	unknown	unknown	true	unknown
pleasantinside.net	unknown	unknown	true	unknown
requirebusiness.net	unknown	unknown	false	high
forwardinside.net	unknown	unknown	true	unknown
glassmanner.net	unknown	unknown	false	high
answerexplain.net	unknown	unknown	true	unknown
orderinside.net	unknown	unknown	true	unknown
variousappear.net	unknown	unknown	true	unknown
returnbright.net	unknown	unknown	true	unknown
difficultanother.net	unknown	unknown	false	high
heavyinside.net	unknown	unknown	true	unknown
forwardready.net	unknown	unknown	true	unknown
glassdaughter.net	unknown	unknown	true	unknown
necessarymanner.net	unknown	unknown	false	high
leadernothing.net	unknown	unknown	false	high
answeranother.net	unknown	unknown	false	high
leadermanner.net	unknown	unknown	false	high
heavybottle.net	unknown	unknown	false	high
heavenbright.net	unknown	unknown	true	unknown
heavydivide.net	unknown	unknown	false	high
degreebrown.net	unknown	unknown	true	unknown
gentleinstead.net	unknown	unknown	true	unknown
glassanother.net	unknown	unknown	false	high
heavenanother.net	unknown	unknown	false	high
difficultmanner.net	unknown	unknown	false	high
glassexplain.net	unknown	unknown	true	unknown
requireinside.net	unknown	unknown	true	unknown
heavenexplain.net	unknown	unknown	true	unknown
forwardbusiness.net	unknown	unknown	false	high
difficultexplain.net	unknown	unknown	true	unknown
gentleappear.net	unknown	unknown	true	unknown
pleasantbright.net	unknown	unknown	true	unknown
returnexplain.net	unknown	unknown	true	unknown
gentlemanner.net	unknown	unknown	true	unknown
answerdaughter.net	unknown	unknown	true	unknown
heardinside.net	unknown	unknown	true	unknown
requiremanner.net	unknown	unknown	false	high
gentleexplain.net	unknown	unknown	true	unknown
glassappear.net	unknown	unknown	false	high
necessaryanother.net	unknown	unknown	false	high
glassinside.net	unknown	unknown	true	unknown
difficultbright.net	unknown	unknown	true	unknown
glasspeople.net	unknown	unknown	true	unknown
requireinstead.net	unknown	unknown	true	unknown
necessaryinside.net	unknown	unknown	true	unknown
returndivide.net	unknown	unknown	false	high
heardinstead.net	unknown	unknown	true	unknown
variousbright.net	unknown	unknown	true	unknown
degreebusiness.net	unknown	unknown	false	high
answerbusiness.net	unknown	unknown	false	high
heavenbusiness.net	unknown	unknown	true	unknown
gentledivide.net	unknown	unknown	false	high
variousinstead.net	unknown	unknown	true	unknown
gentlestream.net	unknown	unknown	false	high
pleasantmanner.net	unknown	unknown	false	high
necessaryappear.net	unknown	unknown	false	high
pleasantbusiness.net	unknown	unknown	false	high
heardbright.net	unknown	unknown	true	unknown
heavenbottle.net	unknown	unknown	false	high
heavynothing.net	unknown	unknown	false	high
gentlebusiness.net	unknown	unknown	true	unknown
ordermanner.net	unknown	unknown	false	high
leaderbottle.net	unknown	unknown	false	high
pleasantanother.net	unknown	unknown	false	high
heavyanother.net	unknown	unknown	true	unknown
degreeinstead.net	unknown	unknown	true	unknown
degreepeople.net	unknown	unknown	true	unknown
answerready.net	unknown	unknown	true	unknown
difficultbrown.net	unknown	unknown	true	unknown
answerbright.net	unknown	unknown	true	unknown
heavennothing.net	unknown	unknown	false	high
returninside.net	unknown	unknown	true	unknown
forwardbright.net	unknown	unknown	true	unknown
difficultinside.net	unknown	unknown	true	unknown
heavybright.net	unknown	unknown	true	unknown
leaderanother.net	unknown	unknown	false	high
returninstead.net	unknown	unknown	true	unknown
difficultinstead.net	unknown	unknown	true	unknown
heavenappear.net	unknown	unknown	true	unknown
answerinside.net	unknown	unknown	true	unknown
degreebright.net	unknown	unknown	true	unknown
forwardbrown.net	unknown	unknown	true	unknown
heavyinstead.net	unknown	unknown	true	unknown
gentleinside.net	unknown	unknown	true	unknown
heardexplain.net	unknown	unknown	true	unknown
heavyappear.net	unknown	unknown	true	unknown
answerpeople.net	unknown	unknown	true	unknown
pleasantexplain.net	unknown	unknown	true	unknown
requireexplain.net	unknown	unknown	true	unknown
orderappear.net	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com	usncdvbjyrwr.exe, 00000003.00000002.3139289965.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, usncdvbjyrwr.exe, 00000009.00000002.3575220568.00000000009F7000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
18.143.155.63	returnbottle.net	United States	16509	AMAZON-02US	false
85.214.228.140	degreedaughter.net	Germany	6724	STRATOSTRATOAGDE	false
199.59.243.227	7450.bodis.com	United States	395082	BODIS-NJUS	false
54.244.188.177	gentleanother.net	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1551213
Start date and time:	2024-11-07 15:49:29 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8CO4P3HwDt.exe renamed because original name is a hash value
Original Sample Name:	a45535760b1cab75d55825736dcdec6e9cc7d3521247731af0e4010b3c9b005b.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@12/5@213/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 81% Number of executed functions: 43 Number of non-executed functions: 32
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: 8CO4P3HwDt.exe

Simulations

Behavior and APIs

Time	Type	Description
09:51:02	API Interceptor	1851x Sleep call for process: hrzceasx.exe modified
09:51:49	API Interceptor	381x Sleep call for process: usncdvbjyrwr.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
18.143.155.63	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
85.214.228.140	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	degreedaughter.net/index.php
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	degreedaughter.net/index.php
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	degreedaughter.net/index.php
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	degreedaughter.net/index.php
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	degreedaughter.net/index.php
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	degreedaughter.net/index.php
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	dlynankz.biz/mfjpaqkdwglsvxqo
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse	dlynankz.biz/rgkgvuyxljjatio
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	dlynankz.biz/pio
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	dlynankz.biz/og

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gentleanother.net	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
returnbottle.net	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
degreedaughter.net	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
7450.bodis.com	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	25XrVZw56S.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	25XrVZw56S.exe	Get hash	malicious	Unknown	Browse	199.59.243.227

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	m8P4HaY7dU.vbs	Get hash	malicious	Unknown	Browse	18.226.186.214
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	ch89yHIa99.exe	Get hash	malicious	Ducktail	Browse	13.35.58.111
	ub7ZX9i3k6.exe	Get hash	malicious	Ducktail	Browse	13.35.58.86
	uupEsxBhAI.exe	Get hash	malicious	Ducktail	Browse	13.35.58.78
STRATOSTRATOAGDE	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	http://googe.de	Get hash	malicious	Unknown	Browse	85.214.62.112
	debug.dbg.elf	Get hash	malicious	Mirai	Browse	85.215.233.6
	DHL_doc.exe	Get hash	malicious	FormBook	Browse	81.169.145.95
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	85.214.228.140
BODIS-NJUS	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	DHL_doc.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Wc7HGBGZfE.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
AMAZON-02US	m8P4HaY7dU.vbs	Get hash	malicious	Unknown	Browse	18.226.186.214
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	ch89yHIa99.exe	Get hash	malicious	Ducktail	Browse	13.35.58.111
	ub7ZX9i3k6.exe	Get hash	malicious	Ducktail	Browse	13.35.58.86
	uupEsxBhAI.exe	Get hash	malicious	Ducktail	Browse	13.35.58.78

Process:	C:\Users\user\Desktop\8CO4P3HwDt.exe
File Type:	data
Category:	dropped
Size (bytes):	9
Entropy (8bit):	2.94770277922009
Encrypted:	false
SSDEEP:	3:EDGCf3:EL3
MD5:	46E5BCD6997E903847E4E88C16E5855E
SHA1:	378A9B0E6F3DA4C35C7711198509623232FF3BBF
SHA-256:	C7BB3FCAEF237E69116176515D297C58563485A620A8D12405ADE6D0B42F2EBB
SHA-512:	B79BA76D152EA659E77249942406F0618904EE10BF3AE3B1321ACE85EA70E45F67C37C22308BFAD3F8E74E197F7E8CD7790C9583204B6EE7998016A2DA38D249
Malicious:	false
Reputation:	low
Preview:	..&c..hh.

C:\oblimpyrbviueg\hrzceasx.exe

Download File

Process:	C:\oblimpyrbviueg\usncdvbjyrwr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	362496
Entropy (8bit):	6.788547539713091
Encrypted:	false
SSDEEP:	6144:UsuM2SxOxXDp5YPIgX5ZzPQ4Hv1/NptKicU77pWmUFnaKaX4xHfG1rnvv28T1dcB:LuMrQ9p5YPXLzVHvxjtKP29cIzifyrnu
MD5:	C3C8DF0D6043078ABDF157A68D37EB96
SHA1:	4EF0B88E12B3770FBAA6E5683B15B51C130F38AD
SHA-256:	A45535760B1CAB75D55825736DCDEC6E9CC7D3521247731AF0E4010B3C9B005B
SHA-512:	A3E80BFC92D0959D5037385967EBCC3DB5022E075B0B86323FC23171B9B5123D49014E24CB6E2F6A7E2DAC145633B794D637BD22AA2F48EF3255A7E662050946
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 89%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q!...O..O..O..4..O..N...O.B...O..@..O.B...O.Rich..O.........................PE..L....!zV............................0........ ....@.......................................@.....................................P.................................................................................... ...............................text............................... ..`.rdata....... ......................@..@.data...\|...........................@....reloc..(...........................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\oblimpyrbviueg\usncdvbjyrwr.exe

Download File

Process:	C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	362496
Entropy (8bit):	6.788547539713091
Encrypted:	false
SSDEEP:	6144:UsuM2SxOxXDp5YPIgX5ZzPQ4Hv1/NptKicU77pWmUFnaKaX4xHfG1rnvv28T1dcB:LuMrQ9p5YPXLzVHvxjtKP29cIzifyrnu
MD5:	C3C8DF0D6043078ABDF157A68D37EB96
SHA1:	4EF0B88E12B3770FBAA6E5683B15B51C130F38AD
SHA-256:	A45535760B1CAB75D55825736DCDEC6E9CC7D3521247731AF0E4010B3C9B005B
SHA-512:	A3E80BFC92D0959D5037385967EBCC3DB5022E075B0B86323FC23171B9B5123D49014E24CB6E2F6A7E2DAC145633B794D637BD22AA2F48EF3255A7E662050946
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 89%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q!...O..O..O..4..O..N...O.B...O..@..O.B...O.Rich..O.........................PE..L....!zV............................0........ ....@.......................................@.....................................P.................................................................................... ...............................text............................... ..`.rdata....... ......................@..@.data...\|...........................@....reloc..(...........................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe

Download File

Process:	C:\Users\user\Desktop\8CO4P3HwDt.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	362496
Entropy (8bit):	6.788547539713091
Encrypted:	false
SSDEEP:	6144:UsuM2SxOxXDp5YPIgX5ZzPQ4Hv1/NptKicU77pWmUFnaKaX4xHfG1rnvv28T1dcB:LuMrQ9p5YPXLzVHvxjtKP29cIzifyrnu
MD5:	C3C8DF0D6043078ABDF157A68D37EB96
SHA1:	4EF0B88E12B3770FBAA6E5683B15B51C130F38AD
SHA-256:	A45535760B1CAB75D55825736DCDEC6E9CC7D3521247731AF0E4010B3C9B005B
SHA-512:	A3E80BFC92D0959D5037385967EBCC3DB5022E075B0B86323FC23171B9B5123D49014E24CB6E2F6A7E2DAC145633B794D637BD22AA2F48EF3255A7E662050946
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 89%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q!...O..O..O..4..O..N...O.B...O..@..O.B...O.Rich..O.........................PE..L....!zV............................0........ ....@.......................................@.....................................P.................................................................................... ...............................text............................... ..`.rdata....... ......................@..@.data...\|...........................@....reloc..(...........................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\oblimpyrbviueg\vqipymk4ju

Download File

Process:	C:\Users\user\Desktop\8CO4P3HwDt.exe
File Type:	data
Category:	dropped
Size (bytes):	9
Entropy (8bit):	2.94770277922009
Encrypted:	false
SSDEEP:	3:EDGCf3:EL3
MD5:	46E5BCD6997E903847E4E88C16E5855E
SHA1:	378A9B0E6F3DA4C35C7711198509623232FF3BBF
SHA-256:	C7BB3FCAEF237E69116176515D297C58563485A620A8D12405ADE6D0B42F2EBB
SHA-512:	B79BA76D152EA659E77249942406F0618904EE10BF3AE3B1321ACE85EA70E45F67C37C22308BFAD3F8E74E197F7E8CD7790C9583204B6EE7998016A2DA38D249
Malicious:	false
Reputation:	low
Preview:	..&c..hh.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.788547539713091
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	8CO4P3HwDt.exe
File size:	362'496 bytes
MD5:	c3c8df0d6043078abdf157a68d37eb96
SHA1:	4ef0b88e12b3770fbaa6e5683b15b51c130f38ad
SHA256:	a45535760b1cab75d55825736dcdec6e9cc7d3521247731af0e4010b3c9b005b
SHA512:	a3e80bfc92d0959d5037385967ebcc3db5022e075b0b86323fc23171b9b5123d49014e24cb6e2f6a7e2dac145633b794d637bd22aa2f48ef3255a7e662050946
SSDEEP:	6144:UsuM2SxOxXDp5YPIgX5ZzPQ4Hv1/NptKicU77pWmUFnaKaX4xHfG1rnvv28T1dcB:LuMrQ9p5YPXLzVHvxjtKP29cIzifyrnu
TLSH:	0D74E5FEDD8281EEDC42A0B8857B2773E3AD205477A861DB6180379464B99F4D93730B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q!...O...O...O...4...O...N...O..B....O...@...O..B....O.Rich..O.........................PE..L....!zV...........................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x439d30
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x567A21DA [Wed Dec 23 04:23:54 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	7a1c04e3869a3f036d363cbe0174fe1a

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
movzx eax, word ptr [0044D468h]
sub esp, 08h
push esi
sub eax, 68644053h
push edi
mov word ptr [0044D468h], ax
call 00007F2945A1EB76h
mov esi, 00000001h
add word ptr [0044D090h], si
mov cx, word ptr [0044D35Ch]
mov dx, word ptr [0044D090h]
add word ptr [0044D35Ch], si
movsx eax, cx
movsx ecx, dx
add eax, BB104443h
cmp eax, ecx
jle 00007F2945A20B74h
fld qword ptr [0044D118h]
fadd qword ptr [0044BC98h]
fstp qword ptr [0044D118h]
call 00007F2945A0ABFFh
fld dword ptr [0044D470h]
fld1
fsub st(1), st(0)
fxch st(0), st(1)
fstp dword ptr [0044D470h]
mov edx, dword ptr [0044D4BCh]
mov dword ptr [ebp-04h], edx
fild dword ptr [ebp-04h]
fld dword ptr [0044D470h]
fadd qword ptr [0044BC90h]
fsubp st(1), st(0)
fcomp qword ptr [0044BC88h]
fstsw
test ah, 00000044h
jp 00007F2945A20BC3h
mov ax, word ptr [0044D0D0h]
movsx ecx, ax
sub ecx, 755D6C2Bh
mov dword ptr [ebp-04h], ecx
fild dword ptr [ebp-04h]
fld dword ptr [0044D4E0h]
fadd qword ptr [0044BC80h]
fucompp
fstsw
fadd dword ptr [0000D4E0h]

Rich Headers

Programming Language:

[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[ASM] VS2003 (.NET) build 3077
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4bca0	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4f000	0xc884	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x42000	0x11c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x40ffa	0x41000	5a9a8d96b5f64734f57e7b2baaa57c62	False	0.5254845252403846	data	6.3165136802931405	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x42000	0xa2a6	0xa400	4d907b36f74b44746b114cc40fdbae71	False	0.7407583841463414	data	6.482155544995024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4d000	0x107c	0x600	73290f6375722a8ce1cd1240da1c5b65	False	0.8548177083333334	data	6.29086260359177	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x4f000	0xc928	0xca00	dbb909cb46c8431f801e8c1f33f54a36	False	0.6598275061881188	data	6.835926954483472	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
GDI32.dll	SetTextJustification, GetMetaRgn, GetPixelFormat, GetFontUnicodeRanges, SetPixel, GetDCPenColor, GetGraphicsMode, SetTextColor, GetMapMode
USER32.dll	wvsprintfA, GetDlgItem, GetMenuCheckMarkDimensions, DrawTextA, GetMenuItemCount, GetWindowLongA, IsWindowUnicode, EnableWindow, SetFocus, GetMenu, SetDlgItemTextA, IsWindowEnabled, LoadIconA, GetScrollPos, PostMessageA, SetWindowTextA, GetMenuContextHelpId, EndDialog, CheckDlgButton, GetInputState, BeginPaint, GetForegroundWindow, MoveWindow, GetCursor, GetKeyboardType, RemovePropA, GetPropA, GetDialogBaseUnits, CharLowerBuffA, CallWindowProcA
KERNEL32.dll	GetModuleHandleA, CloseHandle, CreateFileA, WriteFile, GetFileSize, HeapReAlloc, FlushFileBuffers, LoadResource, GetFileTime, GetCurrentThreadId, GlobalFlags, GetCurrentProcessId, QueryPerformanceCounter, IsProcessorFeaturePresent, SetFilePointer, GlobalHandle, LocalFlags, IsDebuggerPresent, GetProcAddress, GetVersion, GetLastError, GetStdHandle, HeapFree, ExitProcess, GetProcessHeap, HeapAlloc, GetSystemTime, SystemTimeToFileTime, lstrlenA

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-07T15:50:32.391304+0100	2018316	ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses	1	1.1.1.1	53	192.168.2.12	61040	UDP
2024-11-07T15:50:35.597709+0100	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	1	192.168.2.12	49712	18.143.155.63	80	TCP
2024-11-07T15:50:35.597709+0100	2820680	ETPRO MALWARE W32/Bayrob Attempted Checkin 2	1	192.168.2.12	49712	18.143.155.63	80	TCP
2024-11-07T15:50:38.470948+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	54.244.188.177	80	192.168.2.12	49713	TCP
2024-11-07T15:50:38.470948+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	54.244.188.177	80	192.168.2.12	49713	TCP
2024-11-07T15:50:42.469182+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.143.155.63	80	192.168.2.12	49715	TCP
2024-11-07T15:50:42.469182+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	18.143.155.63	80	192.168.2.12	49715	TCP
2024-11-07T15:50:43.090729+0100	2811542	ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)	1	1.1.1.1	53	192.168.2.12	52795	UDP
2024-11-07T15:50:43.761660+0100	2811542	ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)	1	1.1.1.1	53	192.168.2.12	54810	UDP
2024-11-07T15:50:45.143921+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.12	49717	TCP
2024-11-07T15:51:24.425231+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.12	49726	TCP
2024-11-07T15:52:09.305733+0100	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	1	192.168.2.12	49728	199.59.243.227	80	TCP
2024-11-07T15:52:09.305733+0100	2820680	ETPRO MALWARE W32/Bayrob Attempted Checkin 2	1	192.168.2.12	49728	199.59.243.227	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 15:50:33.017055988 CET	49711	80	192.168.2.12	199.59.243.227
Nov 7, 2024 15:50:33.022098064 CET	80	49711	199.59.243.227	192.168.2.12
Nov 7, 2024 15:50:33.022188902 CET	49711	80	192.168.2.12	199.59.243.227
Nov 7, 2024 15:50:33.022269011 CET	49711	80	192.168.2.12	199.59.243.227
Nov 7, 2024 15:50:33.027275085 CET	80	49711	199.59.243.227	192.168.2.12
Nov 7, 2024 15:50:33.846889973 CET	80	49711	199.59.243.227	192.168.2.12
Nov 7, 2024 15:50:33.847028017 CET	80	49711	199.59.243.227	192.168.2.12
Nov 7, 2024 15:50:33.847048998 CET	80	49711	199.59.243.227	192.168.2.12
Nov 7, 2024 15:50:33.847057104 CET	80	49711	199.59.243.227	192.168.2.12
Nov 7, 2024 15:50:33.847124100 CET	49711	80	192.168.2.12	199.59.243.227
Nov 7, 2024 15:50:33.848169088 CET	49711	80	192.168.2.12	199.59.243.227
Nov 7, 2024 15:50:33.853404999 CET	80	49711	199.59.243.227	192.168.2.12
Nov 7, 2024 15:50:34.107758045 CET	49712	80	192.168.2.12	18.143.155.63
Nov 7, 2024 15:50:34.112782001 CET	80	49712	18.143.155.63	192.168.2.12
Nov 7, 2024 15:50:34.112879992 CET	49712	80	192.168.2.12	18.143.155.63
Nov 7, 2024 15:50:34.113013029 CET	49712	80	192.168.2.12	18.143.155.63
Nov 7, 2024 15:50:34.118542910 CET	80	49712	18.143.155.63	192.168.2.12
Nov 7, 2024 15:50:35.553335905 CET	80	49712	18.143.155.63	192.168.2.12
Nov 7, 2024 15:50:35.597708941 CET	49712	80	192.168.2.12	18.143.155.63
Nov 7, 2024 15:50:35.957968950 CET	80	49712	18.143.155.63	192.168.2.12
Nov 7, 2024 15:50:35.958059072 CET	49712	80	192.168.2.12	18.143.155.63
Nov 7, 2024 15:50:35.958121061 CET	49712	80	192.168.2.12	18.143.155.63
Nov 7, 2024 15:50:35.964277983 CET	80	49712	18.143.155.63	192.168.2.12
Nov 7, 2024 15:50:37.458581924 CET	49713	80	192.168.2.12	54.244.188.177
Nov 7, 2024 15:50:37.463578939 CET	80	49713	54.244.188.177	192.168.2.12
Nov 7, 2024 15:50:37.463658094 CET	49713	80	192.168.2.12	54.244.188.177
Nov 7, 2024 15:50:37.470662117 CET	49713	80	192.168.2.12	54.244.188.177
Nov 7, 2024 15:50:37.475969076 CET	80	49713	54.244.188.177	192.168.2.12
Nov 7, 2024 15:50:38.343558073 CET	80	49713	54.244.188.177	192.168.2.12
Nov 7, 2024 15:50:38.394351006 CET	49713	80	192.168.2.12	54.244.188.177
Nov 7, 2024 15:50:38.470947981 CET	80	49713	54.244.188.177	192.168.2.12
Nov 7, 2024 15:50:38.471096039 CET	49713	80	192.168.2.12	54.244.188.177
Nov 7, 2024 15:50:38.471421003 CET	49713	80	192.168.2.12	54.244.188.177
Nov 7, 2024 15:50:38.476959944 CET	80	49713	54.244.188.177	192.168.2.12
Nov 7, 2024 15:50:39.348402977 CET	49714	80	192.168.2.12	199.59.243.227
Nov 7, 2024 15:50:39.353569031 CET	80	49714	199.59.243.227	192.168.2.12
Nov 7, 2024 15:50:39.353688002 CET	49714	80	192.168.2.12	199.59.243.227
Nov 7, 2024 15:50:39.353786945 CET	49714	80	192.168.2.12	199.59.243.227
Nov 7, 2024 15:50:39.358644962 CET	80	49714	199.59.243.227	192.168.2.12
Nov 7, 2024 15:50:40.029390097 CET	80	49714	199.59.243.227	192.168.2.12
Nov 7, 2024 15:50:40.029539108 CET	80	49714	199.59.243.227	192.168.2.12
Nov 7, 2024 15:50:40.029622078 CET	49714	80	192.168.2.12	199.59.243.227
Nov 7, 2024 15:50:40.061903000 CET	80	49714	199.59.243.227	192.168.2.12
Nov 7, 2024 15:50:40.062052965 CET	49714	80	192.168.2.12	199.59.243.227
Nov 7, 2024 15:50:40.063730955 CET	49714	80	192.168.2.12	199.59.243.227
Nov 7, 2024 15:50:40.068866968 CET	80	49714	199.59.243.227	192.168.2.12
Nov 7, 2024 15:50:40.598248005 CET	49715	80	192.168.2.12	18.143.155.63
Nov 7, 2024 15:50:40.603164911 CET	80	49715	18.143.155.63	192.168.2.12
Nov 7, 2024 15:50:40.603296995 CET	49715	80	192.168.2.12	18.143.155.63
Nov 7, 2024 15:50:40.603492022 CET	49715	80	192.168.2.12	18.143.155.63
Nov 7, 2024 15:50:40.608274937 CET	80	49715	18.143.155.63	192.168.2.12
Nov 7, 2024 15:50:42.053514004 CET	80	49715	18.143.155.63	192.168.2.12
Nov 7, 2024 15:50:42.097421885 CET	49715	80	192.168.2.12	18.143.155.63
Nov 7, 2024 15:50:42.469182014 CET	80	49715	18.143.155.63	192.168.2.12
Nov 7, 2024 15:50:42.469261885 CET	49715	80	192.168.2.12	18.143.155.63
Nov 7, 2024 15:50:42.469300032 CET	49715	80	192.168.2.12	18.143.155.63
Nov 7, 2024 15:50:42.474421024 CET	80	49715	18.143.155.63	192.168.2.12
Nov 7, 2024 15:50:44.020972013 CET	49719	80	192.168.2.12	85.214.228.140
Nov 7, 2024 15:50:44.027000904 CET	80	49719	85.214.228.140	192.168.2.12
Nov 7, 2024 15:50:44.027081966 CET	49719	80	192.168.2.12	85.214.228.140
Nov 7, 2024 15:50:44.027134895 CET	49719	80	192.168.2.12	85.214.228.140
Nov 7, 2024 15:50:44.033591032 CET	80	49719	85.214.228.140	192.168.2.12
Nov 7, 2024 15:50:44.905226946 CET	80	49719	85.214.228.140	192.168.2.12
Nov 7, 2024 15:50:44.905646086 CET	49719	80	192.168.2.12	85.214.228.140
Nov 7, 2024 15:50:44.911237001 CET	80	49719	85.214.228.140	192.168.2.12
Nov 7, 2024 15:50:44.911303043 CET	49719	80	192.168.2.12	85.214.228.140
Nov 7, 2024 15:52:08.664349079 CET	49728	80	192.168.2.12	199.59.243.227
Nov 7, 2024 15:52:08.669409990 CET	80	49728	199.59.243.227	192.168.2.12
Nov 7, 2024 15:52:08.669593096 CET	49728	80	192.168.2.12	199.59.243.227
Nov 7, 2024 15:52:08.669750929 CET	49728	80	192.168.2.12	199.59.243.227
Nov 7, 2024 15:52:08.677541971 CET	80	49728	199.59.243.227	192.168.2.12
Nov 7, 2024 15:52:09.305361032 CET	80	49728	199.59.243.227	192.168.2.12
Nov 7, 2024 15:52:09.305672884 CET	80	49728	199.59.243.227	192.168.2.12
Nov 7, 2024 15:52:09.305732965 CET	49728	80	192.168.2.12	199.59.243.227
Nov 7, 2024 15:52:09.306257010 CET	80	49728	199.59.243.227	192.168.2.12
Nov 7, 2024 15:52:09.306303978 CET	49728	80	192.168.2.12	199.59.243.227
Nov 7, 2024 15:52:09.306588888 CET	49728	80	192.168.2.12	199.59.243.227
Nov 7, 2024 15:52:09.311486959 CET	80	49728	199.59.243.227	192.168.2.12
Nov 7, 2024 15:52:14.426393032 CET	49729	80	192.168.2.12	18.143.155.63
Nov 7, 2024 15:52:14.546691895 CET	80	49729	18.143.155.63	192.168.2.12
Nov 7, 2024 15:52:14.546781063 CET	49729	80	192.168.2.12	18.143.155.63
Nov 7, 2024 15:52:14.546895981 CET	49729	80	192.168.2.12	18.143.155.63
Nov 7, 2024 15:52:14.551703930 CET	80	49729	18.143.155.63	192.168.2.12
Nov 7, 2024 15:52:16.004764080 CET	80	49729	18.143.155.63	192.168.2.12
Nov 7, 2024 15:52:16.004925013 CET	49729	80	192.168.2.12	18.143.155.63
Nov 7, 2024 15:52:16.010896921 CET	80	49729	18.143.155.63	192.168.2.12
Nov 7, 2024 15:52:16.010987043 CET	49729	80	192.168.2.12	18.143.155.63

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 15:50:32.061055899 CET	55878	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:32.071244955 CET	53	55878	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:32.111917973 CET	53411	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:32.121053934 CET	53	53411	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:32.193698883 CET	63400	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:32.202768087 CET	53	63400	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:32.210737944 CET	58660	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:32.242705107 CET	53	58660	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:32.243936062 CET	58781	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:32.275132895 CET	53	58781	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:32.276457071 CET	59659	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:32.288017988 CET	53	59659	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:32.289321899 CET	61978	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:32.300187111 CET	53	61978	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:32.303232908 CET	55103	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:32.335155964 CET	53	55103	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:32.336568117 CET	65082	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:32.346949100 CET	53	65082	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:32.348006964 CET	53986	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:32.380029917 CET	53	53986	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:32.381208897 CET	61040	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:32.391304016 CET	53	61040	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:32.401412964 CET	59300	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:32.412921906 CET	53	59300	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:32.414256096 CET	52176	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:32.571103096 CET	53	52176	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:32.572403908 CET	52575	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:32.583162069 CET	53	52575	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:32.584578037 CET	62868	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:32.597249985 CET	53	62868	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:32.599634886 CET	63277	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:33.014821053 CET	53	63277	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:33.849387884 CET	58522	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:33.859556913 CET	53	58522	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:33.860847950 CET	51386	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:33.872083902 CET	53	51386	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:33.873311043 CET	58182	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:33.904542923 CET	53	58182	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:33.906032085 CET	62924	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:33.915256023 CET	53	62924	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:33.916457891 CET	65267	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:34.107028008 CET	53	65267	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:35.959131956 CET	55524	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:35.992850065 CET	53	55524	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:35.994096041 CET	61398	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.004683971 CET	53	61398	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.005716085 CET	60911	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.018410921 CET	53	60911	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.019709110 CET	52556	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.029875040 CET	53	52556	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.030996084 CET	54630	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.042032957 CET	53	54630	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.043268919 CET	54333	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.073939085 CET	53	54333	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.075202942 CET	63881	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.106527090 CET	53	63881	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.107708931 CET	62455	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.118455887 CET	53	62455	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.119703054 CET	59622	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.129980087 CET	53	59622	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.131140947 CET	53254	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.141983032 CET	53	53254	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.143102884 CET	64960	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.152947903 CET	53	64960	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.154073000 CET	62052	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.185976028 CET	53	62052	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.187191963 CET	54006	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.195962906 CET	53	54006	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.196903944 CET	65385	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.207361937 CET	53	65385	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.208410025 CET	63560	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.375502110 CET	53	63560	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.376693964 CET	49474	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.388797045 CET	53	49474	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.390199900 CET	54167	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.398511887 CET	53	54167	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.399653912 CET	52652	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.431021929 CET	53	52652	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.432921886 CET	56999	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.596924067 CET	53	56999	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.598845005 CET	51371	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.609118938 CET	53	51371	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.610866070 CET	49263	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.620577097 CET	53	49263	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.621695042 CET	56129	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.652581930 CET	53	56129	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.653825998 CET	49434	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.663974047 CET	53	49434	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.665091991 CET	52014	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.674887896 CET	53	52014	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.676348925 CET	49903	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.694242954 CET	53	49903	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.699486017 CET	61515	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.707346916 CET	53	61515	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.709897041 CET	49793	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.719021082 CET	53	49793	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.720170975 CET	54123	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.751260996 CET	53	54123	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.753268003 CET	63967	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.763493061 CET	53	63967	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.765487909 CET	49332	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.798727989 CET	53	49332	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.800281048 CET	49900	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.808063030 CET	53	49900	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.809489965 CET	52886	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.816996098 CET	53	52886	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.818222046 CET	64139	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.825573921 CET	53	64139	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.826747894 CET	59683	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.857584953 CET	53	59683	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.858894110 CET	56391	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.872421026 CET	53	56391	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.876452923 CET	56949	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.887038946 CET	53	56949	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.888290882 CET	60037	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.898539066 CET	53	60037	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.900391102 CET	50806	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.909567118 CET	53	50806	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.911684990 CET	62194	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.922736883 CET	53	62194	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.926268101 CET	60799	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.936700106 CET	53	60799	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.937891960 CET	50548	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.950093031 CET	53	50548	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.951394081 CET	53084	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.983128071 CET	53	53084	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.984416008 CET	60950	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:36.994483948 CET	53	60950	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:36.995716095 CET	62464	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:37.006149054 CET	53	62464	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:37.007405043 CET	56681	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:37.018970966 CET	53	56681	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:37.020015001 CET	58417	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:37.030833960 CET	53	58417	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:37.031716108 CET	60429	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:37.064296007 CET	53	60429	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:37.065376997 CET	53324	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:37.075678110 CET	53	53324	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:37.080423117 CET	54910	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:37.091466904 CET	53	54910	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:37.094731092 CET	60740	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:37.104702950 CET	53	60740	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:37.105887890 CET	51969	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:37.117088079 CET	53	51969	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:37.118273973 CET	53501	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:37.128886938 CET	53	53501	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:37.135714054 CET	64198	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:37.147527933 CET	53	64198	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:37.239980936 CET	52980	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:37.438239098 CET	53	52980	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.472532034 CET	55819	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.482202053 CET	53	55819	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.483479023 CET	59309	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.514782906 CET	53	59309	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.516201973 CET	62935	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.527385950 CET	53	62935	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.528678894 CET	61769	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.539263010 CET	53	61769	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.540628910 CET	59765	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.573142052 CET	53	59765	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.574743032 CET	55329	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.585866928 CET	53	55329	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.587299109 CET	55021	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.596869946 CET	53	55021	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.598417997 CET	65030	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.609096050 CET	53	65030	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.610598087 CET	56384	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.623939037 CET	53	56384	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.625407934 CET	49775	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.658279896 CET	53	49775	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.659610987 CET	54442	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.692061901 CET	53	54442	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.693331957 CET	49369	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.725785017 CET	53	49369	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.727310896 CET	54136	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.760349989 CET	53	54136	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.761543989 CET	62645	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.792762995 CET	53	62645	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.793943882 CET	51602	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.804871082 CET	53	51602	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.806032896 CET	56069	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.815332890 CET	53	56069	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.816703081 CET	51711	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.826771021 CET	53	51711	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.828016996 CET	59437	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.858014107 CET	53	59437	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.859339952 CET	55379	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.869194031 CET	53	55379	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.870381117 CET	60758	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.901793003 CET	53	60758	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.911035061 CET	59374	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.920753002 CET	53	59374	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.921946049 CET	50799	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.932405949 CET	53	50799	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.933685064 CET	53607	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.943319082 CET	53	53607	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.944565058 CET	60019	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.976975918 CET	53	60019	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.978297949 CET	60223	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:38.989069939 CET	53	60223	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:38.990175009 CET	61079	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:39.347677946 CET	53	61079	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:40.068571091 CET	57230	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:40.099374056 CET	53	57230	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:40.119277000 CET	55991	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:40.150058031 CET	53	55991	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:40.169529915 CET	59172	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:40.181050062 CET	53	59172	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:40.185806036 CET	63285	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:40.197092056 CET	53	63285	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:40.253731966 CET	55383	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:40.266252041 CET	53	55383	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:40.319753885 CET	50108	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:40.331813097 CET	53	50108	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:40.336393118 CET	63224	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:40.348149061 CET	53	63224	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:40.349582911 CET	51736	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:40.359796047 CET	53	51736	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:40.361592054 CET	62520	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:40.373874903 CET	53	62520	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:40.375204086 CET	49234	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:40.386442900 CET	53	49234	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:40.387890100 CET	50654	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:40.597685099 CET	53	50654	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:42.470266104 CET	58581	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:42.479764938 CET	53	58581	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:42.480931044 CET	52051	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:42.491219044 CET	53	52051	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:42.492441893 CET	59401	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:42.502408981 CET	53	59401	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:42.503568888 CET	55030	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:42.511087894 CET	53	55030	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:42.512459993 CET	59105	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:42.522123098 CET	53	59105	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:42.531462908 CET	50204	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:42.561728001 CET	53	50204	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:42.563071966 CET	54353	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:42.594779968 CET	53	54353	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:42.596116066 CET	51958	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:42.759627104 CET	53	51958	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:42.854782104 CET	52214	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.013878107 CET	53	52214	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.080676079 CET	52795	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.090728998 CET	53	52795	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.091844082 CET	57223	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.122219086 CET	53	57223	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.133059978 CET	49291	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.164113045 CET	53	49291	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.166635036 CET	59043	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.177833080 CET	53	59043	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.179464102 CET	57582	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.189707994 CET	53	57582	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.190999985 CET	52649	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.224935055 CET	53	52649	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.226085901 CET	52629	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.237549067 CET	53	52629	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.239110947 CET	62532	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.249094009 CET	53	62532	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.250960112 CET	49455	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.260262012 CET	53	49455	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.261773109 CET	50094	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.272043943 CET	53	50094	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.273907900 CET	64281	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.284220934 CET	53	64281	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.285676003 CET	65320	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.316426039 CET	53	65320	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.317713976 CET	63384	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.327120066 CET	53	63384	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.328691006 CET	57036	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.337754011 CET	53	57036	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.338885069 CET	57503	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.348467112 CET	53	57503	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.353317022 CET	53278	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.363282919 CET	53	53278	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.380511045 CET	59799	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.389350891 CET	53	59799	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.390388966 CET	60558	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.400141954 CET	53	60558	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.401166916 CET	64665	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.431592941 CET	53	64665	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.432663918 CET	53246	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.464695930 CET	53	53246	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.465941906 CET	63725	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.476999998 CET	53	63725	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.478089094 CET	55563	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.488123894 CET	53	55563	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.489490032 CET	55685	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.498915911 CET	53	55685	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.500036001 CET	61883	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.510081053 CET	53	61883	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.511238098 CET	52284	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.519056082 CET	53	52284	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.520224094 CET	55065	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.530484915 CET	53	55065	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.531517029 CET	50689	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.563083887 CET	53	50689	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.564354897 CET	50684	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.737529039 CET	53	50684	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.738893032 CET	54594	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.749855995 CET	53	54594	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.751023054 CET	54810	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.761660099 CET	53	54810	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.762669086 CET	63247	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.920042038 CET	53	63247	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.921403885 CET	59645	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.953638077 CET	53	59645	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.955495119 CET	50438	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.965208054 CET	53	50438	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.966486931 CET	50106	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.977418900 CET	53	50106	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.978571892 CET	58421	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:43.988555908 CET	53	58421	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:43.989830017 CET	49896	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:44.003756046 CET	53	49896	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:44.004937887 CET	64768	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:44.020085096 CET	53	64768	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:44.906639099 CET	59919	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:44.915266991 CET	53	59919	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:44.916501999 CET	54798	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:44.926552057 CET	53	54798	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:44.927695036 CET	51161	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:44.937752008 CET	53	51161	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:44.939047098 CET	56095	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:44.949186087 CET	53	56095	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:44.950342894 CET	58248	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:44.980081081 CET	53	58248	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:44.981360912 CET	53990	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:45.143635035 CET	53	53990	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:45.154129028 CET	52148	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:45.164115906 CET	53	52148	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:45.165505886 CET	60302	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:45.176037073 CET	53	60302	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:45.177978992 CET	53633	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:45.191411972 CET	53	53633	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:45.193425894 CET	55464	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:45.225363970 CET	53	55464	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:45.227000952 CET	56118	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:45.236249924 CET	53	56118	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:45.238771915 CET	58987	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:45.271048069 CET	53	58987	1.1.1.1	192.168.2.12
Nov 7, 2024 15:50:58.035965919 CET	61358	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:50:58.046475887 CET	53	61358	1.1.1.1	192.168.2.12
Nov 7, 2024 15:51:53.549278021 CET	50315	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:51:53.935127974 CET	53	50315	1.1.1.1	192.168.2.12
Nov 7, 2024 15:51:54.941850901 CET	60212	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:51:54.951539993 CET	53	60212	1.1.1.1	192.168.2.12
Nov 7, 2024 15:51:55.958080053 CET	60585	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:51:55.968050957 CET	53	60585	1.1.1.1	192.168.2.12
Nov 7, 2024 15:51:56.988593102 CET	60823	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:51:56.999291897 CET	53	60823	1.1.1.1	192.168.2.12
Nov 7, 2024 15:51:58.004246950 CET	53881	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:51:58.014391899 CET	53	53881	1.1.1.1	192.168.2.12
Nov 7, 2024 15:51:59.022233963 CET	50299	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:51:59.032080889 CET	53	50299	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:00.036933899 CET	55281	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:00.050940037 CET	53	55281	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:01.122180939 CET	58046	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:01.148332119 CET	58046	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:01.155534983 CET	53	58046	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:01.157527924 CET	53	58046	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:02.162286997 CET	59907	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:02.190639973 CET	59907	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:02.323637009 CET	53	59907	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:02.323879004 CET	53	59907	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:03.333918095 CET	58435	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:03.341836929 CET	53	58435	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:04.349649906 CET	62005	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:04.359714985 CET	53	62005	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:05.363652945 CET	54560	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:05.393719912 CET	54560	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:05.517164946 CET	53	54560	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:05.517184973 CET	53	54560	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:06.519807100 CET	56897	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:06.549989939 CET	56897	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:06.552776098 CET	53	56897	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:06.557041883 CET	53	56897	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:07.589507103 CET	61872	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:07.600938082 CET	53	61872	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:10.321799040 CET	58565	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:10.333369017 CET	53	58565	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:11.349198103 CET	59222	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:11.360363007 CET	53	59222	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:12.363647938 CET	60844	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:12.377095938 CET	53	60844	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:13.382306099 CET	57177	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:13.409570932 CET	57177	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:13.414598942 CET	53	57177	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:13.417268038 CET	53	57177	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:17.019814014 CET	59353	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:17.050282955 CET	59353	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:17.051208019 CET	53	59353	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:17.057410002 CET	53	59353	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:18.097644091 CET	52698	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:18.127909899 CET	52698	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:18.130179882 CET	53	52698	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:18.135242939 CET	53	52698	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:19.144499063 CET	65415	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:19.156049967 CET	53	65415	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:20.161726952 CET	61319	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:20.173338890 CET	53	61319	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:21.175951004 CET	63940	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:21.185372114 CET	53	63940	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:22.192511082 CET	59254	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:22.202563047 CET	53	59254	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:23.207057953 CET	57650	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:23.237200975 CET	57650	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:23.238806963 CET	53	57650	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:23.244930029 CET	53	57650	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:24.254065990 CET	53932	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:24.265342951 CET	53	53932	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:25.269614935 CET	57903	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:25.281001091 CET	53	57903	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:26.285334110 CET	51747	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:26.295265913 CET	53	51747	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:27.300828934 CET	61329	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:27.331180096 CET	61329	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:27.332876921 CET	53	61329	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:27.338790894 CET	53	61329	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:28.347543955 CET	62280	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:28.357753038 CET	53	62280	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:29.336440086 CET	49746	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:29.346055984 CET	53	49746	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:30.285355091 CET	56288	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:30.295526981 CET	53	56288	1.1.1.1	192.168.2.12
Nov 7, 2024 15:52:31.208456993 CET	61050	53	192.168.2.12	1.1.1.1
Nov 7, 2024 15:52:31.218302965 CET	53	61050	1.1.1.1	192.168.2.12

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 7, 2024 15:50:32.061055899 CET	192.168.2.12	1.1.1.1	0x6fb1	Standard query (0)	heavenstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.111917973 CET	192.168.2.12	1.1.1.1	0x9f02	Standard query (0)	leadernothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.193698883 CET	192.168.2.12	1.1.1.1	0x1080	Standard query (0)	heavennothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.210737944 CET	192.168.2.12	1.1.1.1	0xf947	Standard query (0)	leaderbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.243936062 CET	192.168.2.12	1.1.1.1	0x2035	Standard query (0)	heavenbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.276457071 CET	192.168.2.12	1.1.1.1	0x725f	Standard query (0)	leaderdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.289321899 CET	192.168.2.12	1.1.1.1	0x9c63	Standard query (0)	heavendivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.303232908 CET	192.168.2.12	1.1.1.1	0xddbc	Standard query (0)	heavystream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.336568117 CET	192.168.2.12	1.1.1.1	0x2a19	Standard query (0)	gentlestream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.348006964 CET	192.168.2.12	1.1.1.1	0x4b2c	Standard query (0)	heavynothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.381208897 CET	192.168.2.12	1.1.1.1	0xb2a6	Standard query (0)	gentlenothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.401412964 CET	192.168.2.12	1.1.1.1	0x4c67	Standard query (0)	heavybottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.414256096 CET	192.168.2.12	1.1.1.1	0x46b6	Standard query (0)	gentlebottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.572403908 CET	192.168.2.12	1.1.1.1	0xc90e	Standard query (0)	heavydivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.584578037 CET	192.168.2.12	1.1.1.1	0x229b	Standard query (0)	gentledivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.599634886 CET	192.168.2.12	1.1.1.1	0xd7e6	Standard query (0)	variousstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:33.849387884 CET	192.168.2.12	1.1.1.1	0x10d5	Standard query (0)	returnstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:33.860847950 CET	192.168.2.12	1.1.1.1	0x556f	Standard query (0)	variousnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:33.873311043 CET	192.168.2.12	1.1.1.1	0x8172	Standard query (0)	returnnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:33.906032085 CET	192.168.2.12	1.1.1.1	0xc596	Standard query (0)	variousbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:33.916457891 CET	192.168.2.12	1.1.1.1	0x2603	Standard query (0)	returnbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:35.959131956 CET	192.168.2.12	1.1.1.1	0x1983	Standard query (0)	variousdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:35.994096041 CET	192.168.2.12	1.1.1.1	0x3a90	Standard query (0)	returndivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.005716085 CET	192.168.2.12	1.1.1.1	0xf593	Standard query (0)	degreemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.019709110 CET	192.168.2.12	1.1.1.1	0x271	Standard query (0)	forwardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.030996084 CET	192.168.2.12	1.1.1.1	0x9f5e	Standard query (0)	degreeanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.043268919 CET	192.168.2.12	1.1.1.1	0x9f06	Standard query (0)	forwardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.075202942 CET	192.168.2.12	1.1.1.1	0x12d4	Standard query (0)	degreebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.107708931 CET	192.168.2.12	1.1.1.1	0xee5d	Standard query (0)	forwardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.119703054 CET	192.168.2.12	1.1.1.1	0x597f	Standard query (0)	degreeappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.131140947 CET	192.168.2.12	1.1.1.1	0xe1c2	Standard query (0)	forwardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.143102884 CET	192.168.2.12	1.1.1.1	0x2967	Standard query (0)	answermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.154073000 CET	192.168.2.12	1.1.1.1	0xaa70	Standard query (0)	glassmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.187191963 CET	192.168.2.12	1.1.1.1	0xe4ef	Standard query (0)	answeranother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.196903944 CET	192.168.2.12	1.1.1.1	0xe62c	Standard query (0)	glassanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.208410025 CET	192.168.2.12	1.1.1.1	0xc635	Standard query (0)	answerbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.376693964 CET	192.168.2.12	1.1.1.1	0xcd9e	Standard query (0)	glassbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.390199900 CET	192.168.2.12	1.1.1.1	0xc6e5	Standard query (0)	answerappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.399653912 CET	192.168.2.12	1.1.1.1	0x97c3	Standard query (0)	glassappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.432921886 CET	192.168.2.12	1.1.1.1	0x60c3	Standard query (0)	difficultmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.598845005 CET	192.168.2.12	1.1.1.1	0x8bb5	Standard query (0)	heardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.610866070 CET	192.168.2.12	1.1.1.1	0x9494	Standard query (0)	difficultanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.621695042 CET	192.168.2.12	1.1.1.1	0x3c4c	Standard query (0)	heardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.653825998 CET	192.168.2.12	1.1.1.1	0x17c	Standard query (0)	difficultbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.665091991 CET	192.168.2.12	1.1.1.1	0x9d86	Standard query (0)	heardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.676348925 CET	192.168.2.12	1.1.1.1	0x96af	Standard query (0)	difficultappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.699486017 CET	192.168.2.12	1.1.1.1	0xcc10	Standard query (0)	heardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.709897041 CET	192.168.2.12	1.1.1.1	0x8504	Standard query (0)	pleasantmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.720170975 CET	192.168.2.12	1.1.1.1	0x593a	Standard query (0)	necessarymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.753268003 CET	192.168.2.12	1.1.1.1	0x3393	Standard query (0)	pleasantanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.765487909 CET	192.168.2.12	1.1.1.1	0xdf7e	Standard query (0)	necessaryanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.800281048 CET	192.168.2.12	1.1.1.1	0x7c79	Standard query (0)	pleasantbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.809489965 CET	192.168.2.12	1.1.1.1	0xa0e	Standard query (0)	necessarybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.818222046 CET	192.168.2.12	1.1.1.1	0xa22	Standard query (0)	pleasantappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.826747894 CET	192.168.2.12	1.1.1.1	0xb0d5	Standard query (0)	necessaryappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.858894110 CET	192.168.2.12	1.1.1.1	0x3a7d	Standard query (0)	ordermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.876452923 CET	192.168.2.12	1.1.1.1	0xe738	Standard query (0)	requiremanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.888290882 CET	192.168.2.12	1.1.1.1	0xf1c3	Standard query (0)	orderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.900391102 CET	192.168.2.12	1.1.1.1	0xdff1	Standard query (0)	requireanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.911684990 CET	192.168.2.12	1.1.1.1	0x7828	Standard query (0)	orderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.926268101 CET	192.168.2.12	1.1.1.1	0x852	Standard query (0)	requirebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.937891960 CET	192.168.2.12	1.1.1.1	0x9330	Standard query (0)	orderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.951394081 CET	192.168.2.12	1.1.1.1	0xcb8b	Standard query (0)	requireappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.984416008 CET	192.168.2.12	1.1.1.1	0x1a70	Standard query (0)	leadermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.995716095 CET	192.168.2.12	1.1.1.1	0xa641	Standard query (0)	heavenmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.007405043 CET	192.168.2.12	1.1.1.1	0x4f53	Standard query (0)	leaderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.020015001 CET	192.168.2.12	1.1.1.1	0xb4dc	Standard query (0)	heavenanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.031716108 CET	192.168.2.12	1.1.1.1	0xb927	Standard query (0)	leaderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.065376997 CET	192.168.2.12	1.1.1.1	0x6ac3	Standard query (0)	heavenbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.080423117 CET	192.168.2.12	1.1.1.1	0x951c	Standard query (0)	leaderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.094731092 CET	192.168.2.12	1.1.1.1	0x3235	Standard query (0)	heavenappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.105887890 CET	192.168.2.12	1.1.1.1	0xe52d	Standard query (0)	heavymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.118273973 CET	192.168.2.12	1.1.1.1	0xf7e6	Standard query (0)	gentlemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.135714054 CET	192.168.2.12	1.1.1.1	0x324a	Standard query (0)	heavyanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.239980936 CET	192.168.2.12	1.1.1.1	0xbe1e	Standard query (0)	gentleanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.472532034 CET	192.168.2.12	1.1.1.1	0x9db6	Standard query (0)	heavybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.483479023 CET	192.168.2.12	1.1.1.1	0x1bfb	Standard query (0)	gentlebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.516201973 CET	192.168.2.12	1.1.1.1	0x6ea6	Standard query (0)	heavyappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.528678894 CET	192.168.2.12	1.1.1.1	0x4495	Standard query (0)	gentleappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.540628910 CET	192.168.2.12	1.1.1.1	0xa77	Standard query (0)	variousmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.574743032 CET	192.168.2.12	1.1.1.1	0xaed2	Standard query (0)	returnmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.587299109 CET	192.168.2.12	1.1.1.1	0xb8f	Standard query (0)	variousanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.598417997 CET	192.168.2.12	1.1.1.1	0x5eab	Standard query (0)	returnanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.610598087 CET	192.168.2.12	1.1.1.1	0xc77e	Standard query (0)	variousbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.625407934 CET	192.168.2.12	1.1.1.1	0x5d04	Standard query (0)	returnbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.659610987 CET	192.168.2.12	1.1.1.1	0x42c7	Standard query (0)	variousappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.693331957 CET	192.168.2.12	1.1.1.1	0x40c6	Standard query (0)	returnappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.727310896 CET	192.168.2.12	1.1.1.1	0xa219	Standard query (0)	degreeinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.761543989 CET	192.168.2.12	1.1.1.1	0x14ca	Standard query (0)	forwardinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.793943882 CET	192.168.2.12	1.1.1.1	0x5c1e	Standard query (0)	degreeexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.806032896 CET	192.168.2.12	1.1.1.1	0x613e	Standard query (0)	forwardexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.816703081 CET	192.168.2.12	1.1.1.1	0x6012	Standard query (0)	degreebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.828016996 CET	192.168.2.12	1.1.1.1	0x5596	Standard query (0)	forwardbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.859339952 CET	192.168.2.12	1.1.1.1	0x177a	Standard query (0)	degreeinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.870381117 CET	192.168.2.12	1.1.1.1	0x485c	Standard query (0)	forwardinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.911035061 CET	192.168.2.12	1.1.1.1	0x7f28	Standard query (0)	answerinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.921946049 CET	192.168.2.12	1.1.1.1	0x6785	Standard query (0)	glassinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.933685064 CET	192.168.2.12	1.1.1.1	0xde1	Standard query (0)	answerexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.944565058 CET	192.168.2.12	1.1.1.1	0x813e	Standard query (0)	glassexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.978297949 CET	192.168.2.12	1.1.1.1	0x6aaa	Standard query (0)	answerbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.990175009 CET	192.168.2.12	1.1.1.1	0x9b48	Standard query (0)	glassbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:40.068571091 CET	192.168.2.12	1.1.1.1	0x5d9d	Standard query (0)	answerinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:40.119277000 CET	192.168.2.12	1.1.1.1	0x3785	Standard query (0)	glassinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:40.169529915 CET	192.168.2.12	1.1.1.1	0x8cb0	Standard query (0)	difficultinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:40.185806036 CET	192.168.2.12	1.1.1.1	0x1ca2	Standard query (0)	heardinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:40.253731966 CET	192.168.2.12	1.1.1.1	0xf7c1	Standard query (0)	difficultexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:40.319753885 CET	192.168.2.12	1.1.1.1	0x418b	Standard query (0)	heardexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:40.336393118 CET	192.168.2.12	1.1.1.1	0xfd79	Standard query (0)	difficultbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:40.349582911 CET	192.168.2.12	1.1.1.1	0x4959	Standard query (0)	heardbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:40.361592054 CET	192.168.2.12	1.1.1.1	0xe209	Standard query (0)	difficultinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:40.375204086 CET	192.168.2.12	1.1.1.1	0x13ef	Standard query (0)	heardinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:40.387890100 CET	192.168.2.12	1.1.1.1	0xa28f	Standard query (0)	pleasantinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:42.470266104 CET	192.168.2.12	1.1.1.1	0xec6f	Standard query (0)	necessaryinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:42.480931044 CET	192.168.2.12	1.1.1.1	0x3dfc	Standard query (0)	pleasantexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:42.492441893 CET	192.168.2.12	1.1.1.1	0x2328	Standard query (0)	necessaryexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:42.503568888 CET	192.168.2.12	1.1.1.1	0x9b53	Standard query (0)	pleasantbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:42.512459993 CET	192.168.2.12	1.1.1.1	0xa73c	Standard query (0)	necessarybright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:42.531462908 CET	192.168.2.12	1.1.1.1	0xf742	Standard query (0)	pleasantinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:42.563071966 CET	192.168.2.12	1.1.1.1	0x7b3b	Standard query (0)	necessaryinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:42.596116066 CET	192.168.2.12	1.1.1.1	0xc3ba	Standard query (0)	orderinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:42.854782104 CET	192.168.2.12	1.1.1.1	0x436c	Standard query (0)	requireinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.080676079 CET	192.168.2.12	1.1.1.1	0x6482	Standard query (0)	orderexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.091844082 CET	192.168.2.12	1.1.1.1	0x5067	Standard query (0)	requireexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.133059978 CET	192.168.2.12	1.1.1.1	0x8836	Standard query (0)	orderbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.166635036 CET	192.168.2.12	1.1.1.1	0x1a06	Standard query (0)	requirebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.179464102 CET	192.168.2.12	1.1.1.1	0x1080	Standard query (0)	orderinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.190999985 CET	192.168.2.12	1.1.1.1	0x312	Standard query (0)	requireinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.226085901 CET	192.168.2.12	1.1.1.1	0x9f35	Standard query (0)	leaderinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.239110947 CET	192.168.2.12	1.1.1.1	0x6949	Standard query (0)	heaveninstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.250960112 CET	192.168.2.12	1.1.1.1	0x422	Standard query (0)	leaderexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.261773109 CET	192.168.2.12	1.1.1.1	0x2a1f	Standard query (0)	heavenexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.273907900 CET	192.168.2.12	1.1.1.1	0x8d40	Standard query (0)	leaderbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.285676003 CET	192.168.2.12	1.1.1.1	0xab2c	Standard query (0)	heavenbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.317713976 CET	192.168.2.12	1.1.1.1	0x363d	Standard query (0)	leaderinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.328691006 CET	192.168.2.12	1.1.1.1	0x565	Standard query (0)	heaveninside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.338885069 CET	192.168.2.12	1.1.1.1	0xae8b	Standard query (0)	heavyinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.353317022 CET	192.168.2.12	1.1.1.1	0x5f6c	Standard query (0)	gentleinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.380511045 CET	192.168.2.12	1.1.1.1	0x891d	Standard query (0)	heavyexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.390388966 CET	192.168.2.12	1.1.1.1	0x1f10	Standard query (0)	gentleexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.401166916 CET	192.168.2.12	1.1.1.1	0x6d7a	Standard query (0)	heavybright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.432663918 CET	192.168.2.12	1.1.1.1	0xcff5	Standard query (0)	gentlebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.465941906 CET	192.168.2.12	1.1.1.1	0x9b23	Standard query (0)	heavyinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.478089094 CET	192.168.2.12	1.1.1.1	0x66d7	Standard query (0)	gentleinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.489490032 CET	192.168.2.12	1.1.1.1	0xcbb2	Standard query (0)	variousinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.500036001 CET	192.168.2.12	1.1.1.1	0x8aad	Standard query (0)	returninstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.511238098 CET	192.168.2.12	1.1.1.1	0xae72	Standard query (0)	variousexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.520224094 CET	192.168.2.12	1.1.1.1	0xb30	Standard query (0)	returnexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.531517029 CET	192.168.2.12	1.1.1.1	0x8fee	Standard query (0)	variousbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.564354897 CET	192.168.2.12	1.1.1.1	0xbee	Standard query (0)	returnbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.738893032 CET	192.168.2.12	1.1.1.1	0xd646	Standard query (0)	variousinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.751023054 CET	192.168.2.12	1.1.1.1	0x783	Standard query (0)	returninside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.762669086 CET	192.168.2.12	1.1.1.1	0xdbd9	Standard query (0)	degreeready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.921403885 CET	192.168.2.12	1.1.1.1	0x84ec	Standard query (0)	forwardready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.955495119 CET	192.168.2.12	1.1.1.1	0x9229	Standard query (0)	degreebrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.966486931 CET	192.168.2.12	1.1.1.1	0x23f7	Standard query (0)	forwardbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.978571892 CET	192.168.2.12	1.1.1.1	0x216b	Standard query (0)	degreepeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.989830017 CET	192.168.2.12	1.1.1.1	0x642a	Standard query (0)	forwardpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:44.004937887 CET	192.168.2.12	1.1.1.1	0x8aed	Standard query (0)	degreedaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:44.906639099 CET	192.168.2.12	1.1.1.1	0x507e	Standard query (0)	forwarddaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:44.916501999 CET	192.168.2.12	1.1.1.1	0x6ccc	Standard query (0)	answerready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:44.927695036 CET	192.168.2.12	1.1.1.1	0xbfca	Standard query (0)	glassready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:44.939047098 CET	192.168.2.12	1.1.1.1	0xb1cd	Standard query (0)	answerbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:44.950342894 CET	192.168.2.12	1.1.1.1	0x5d0	Standard query (0)	glassbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:44.981360912 CET	192.168.2.12	1.1.1.1	0x97	Standard query (0)	answerpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:45.154129028 CET	192.168.2.12	1.1.1.1	0xacd3	Standard query (0)	glasspeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:45.165505886 CET	192.168.2.12	1.1.1.1	0xd50c	Standard query (0)	answerdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:45.177978992 CET	192.168.2.12	1.1.1.1	0x45b7	Standard query (0)	glassdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:45.193425894 CET	192.168.2.12	1.1.1.1	0x39	Standard query (0)	difficultready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:45.227000952 CET	192.168.2.12	1.1.1.1	0x9568	Standard query (0)	heardready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:45.238771915 CET	192.168.2.12	1.1.1.1	0x3b02	Standard query (0)	difficultbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:58.035965919 CET	192.168.2.12	1.1.1.1	0x839f	Standard query (0)	difficultbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:51:53.549278021 CET	192.168.2.12	1.1.1.1	0xa8c0	Standard query (0)	leadernothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:51:54.941850901 CET	192.168.2.12	1.1.1.1	0xa923	Standard query (0)	heavennothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:51:55.958080053 CET	192.168.2.12	1.1.1.1	0xde81	Standard query (0)	leaderbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:51:56.988593102 CET	192.168.2.12	1.1.1.1	0x8011	Standard query (0)	heavenbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:51:58.004246950 CET	192.168.2.12	1.1.1.1	0x3544	Standard query (0)	leaderdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:51:59.022233963 CET	192.168.2.12	1.1.1.1	0x560c	Standard query (0)	heavendivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:00.036933899 CET	192.168.2.12	1.1.1.1	0x6beb	Standard query (0)	heavystream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:01.122180939 CET	192.168.2.12	1.1.1.1	0xbf22	Standard query (0)	gentlestream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:01.148332119 CET	192.168.2.12	1.1.1.1	0xbf22	Standard query (0)	gentlestream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:02.162286997 CET	192.168.2.12	1.1.1.1	0x3599	Standard query (0)	heavynothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:02.190639973 CET	192.168.2.12	1.1.1.1	0x3599	Standard query (0)	heavynothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:03.333918095 CET	192.168.2.12	1.1.1.1	0x1a3d	Standard query (0)	gentlenothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:04.349649906 CET	192.168.2.12	1.1.1.1	0x6f42	Standard query (0)	heavybottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:05.363652945 CET	192.168.2.12	1.1.1.1	0x3af4	Standard query (0)	gentlebottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:05.393719912 CET	192.168.2.12	1.1.1.1	0x3af4	Standard query (0)	gentlebottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:06.519807100 CET	192.168.2.12	1.1.1.1	0x699b	Standard query (0)	heavydivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:06.549989939 CET	192.168.2.12	1.1.1.1	0x699b	Standard query (0)	heavydivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:07.589507103 CET	192.168.2.12	1.1.1.1	0x84f6	Standard query (0)	gentledivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:10.321799040 CET	192.168.2.12	1.1.1.1	0x12e8	Standard query (0)	returnstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:11.349198103 CET	192.168.2.12	1.1.1.1	0xe12a	Standard query (0)	variousnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:12.363647938 CET	192.168.2.12	1.1.1.1	0x76de	Standard query (0)	returnnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:13.382306099 CET	192.168.2.12	1.1.1.1	0x504e	Standard query (0)	variousbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:13.409570932 CET	192.168.2.12	1.1.1.1	0x504e	Standard query (0)	variousbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:17.019814014 CET	192.168.2.12	1.1.1.1	0x3904	Standard query (0)	variousdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:17.050282955 CET	192.168.2.12	1.1.1.1	0x3904	Standard query (0)	variousdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:18.097644091 CET	192.168.2.12	1.1.1.1	0x9a0e	Standard query (0)	returndivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:18.127909899 CET	192.168.2.12	1.1.1.1	0x9a0e	Standard query (0)	returndivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:19.144499063 CET	192.168.2.12	1.1.1.1	0x89a2	Standard query (0)	degreemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:20.161726952 CET	192.168.2.12	1.1.1.1	0xc02b	Standard query (0)	forwardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:21.175951004 CET	192.168.2.12	1.1.1.1	0x6223	Standard query (0)	degreeanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:22.192511082 CET	192.168.2.12	1.1.1.1	0xf5dc	Standard query (0)	forwardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:23.207057953 CET	192.168.2.12	1.1.1.1	0xc414	Standard query (0)	degreebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:23.237200975 CET	192.168.2.12	1.1.1.1	0xc414	Standard query (0)	degreebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:24.254065990 CET	192.168.2.12	1.1.1.1	0xff2b	Standard query (0)	forwardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:25.269614935 CET	192.168.2.12	1.1.1.1	0x27f6	Standard query (0)	degreeappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:26.285334110 CET	192.168.2.12	1.1.1.1	0x54ee	Standard query (0)	forwardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:27.300828934 CET	192.168.2.12	1.1.1.1	0x5fc8	Standard query (0)	answermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:27.331180096 CET	192.168.2.12	1.1.1.1	0x5fc8	Standard query (0)	answermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:28.347543955 CET	192.168.2.12	1.1.1.1	0xc9e4	Standard query (0)	glassmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:29.336440086 CET	192.168.2.12	1.1.1.1	0xb364	Standard query (0)	answeranother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:30.285355091 CET	192.168.2.12	1.1.1.1	0x65d7	Standard query (0)	glassanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:31.208456993 CET	192.168.2.12	1.1.1.1	0x358d	Standard query (0)	answerbusiness.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 7, 2024 15:50:32.071244955 CET	1.1.1.1	192.168.2.12	0x6fb1	Name error (3)	heavenstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.121053934 CET	1.1.1.1	192.168.2.12	0x9f02	Name error (3)	leadernothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.202768087 CET	1.1.1.1	192.168.2.12	0x1080	Name error (3)	heavennothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.242705107 CET	1.1.1.1	192.168.2.12	0xf947	Name error (3)	leaderbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.275132895 CET	1.1.1.1	192.168.2.12	0x2035	Name error (3)	heavenbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.288017988 CET	1.1.1.1	192.168.2.12	0x725f	Name error (3)	leaderdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.300187111 CET	1.1.1.1	192.168.2.12	0x9c63	Name error (3)	heavendivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.335155964 CET	1.1.1.1	192.168.2.12	0xddbc	Name error (3)	heavystream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.346949100 CET	1.1.1.1	192.168.2.12	0x2a19	Name error (3)	gentlestream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.380029917 CET	1.1.1.1	192.168.2.12	0x4b2c	Name error (3)	heavynothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.391304016 CET	1.1.1.1	192.168.2.12	0xb2a6	Name error (3)	gentlenothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.412921906 CET	1.1.1.1	192.168.2.12	0x4c67	Name error (3)	heavybottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.571103096 CET	1.1.1.1	192.168.2.12	0x46b6	Name error (3)	gentlebottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.583162069 CET	1.1.1.1	192.168.2.12	0xc90e	Name error (3)	heavydivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.597249985 CET	1.1.1.1	192.168.2.12	0x229b	Name error (3)	gentledivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:33.014821053 CET	1.1.1.1	192.168.2.12	0xd7e6	No error (0)	variousstream.net	7450.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 15:50:33.014821053 CET	1.1.1.1	192.168.2.12	0xd7e6	No error (0)	7450.bodis.com		199.59.243.227	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:33.859556913 CET	1.1.1.1	192.168.2.12	0x10d5	Name error (3)	returnstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:33.872083902 CET	1.1.1.1	192.168.2.12	0x556f	Name error (3)	variousnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:33.904542923 CET	1.1.1.1	192.168.2.12	0x8172	Name error (3)	returnnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:33.915256023 CET	1.1.1.1	192.168.2.12	0xc596	Name error (3)	variousbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.107028008 CET	1.1.1.1	192.168.2.12	0x2603	No error (0)	returnbottle.net		18.143.155.63	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:35.992850065 CET	1.1.1.1	192.168.2.12	0x1983	Name error (3)	variousdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.004683971 CET	1.1.1.1	192.168.2.12	0x3a90	Name error (3)	returndivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.018410921 CET	1.1.1.1	192.168.2.12	0xf593	Name error (3)	degreemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.029875040 CET	1.1.1.1	192.168.2.12	0x271	Name error (3)	forwardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.042032957 CET	1.1.1.1	192.168.2.12	0x9f5e	Name error (3)	degreeanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.073939085 CET	1.1.1.1	192.168.2.12	0x9f06	Name error (3)	forwardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.106527090 CET	1.1.1.1	192.168.2.12	0x12d4	Name error (3)	degreebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.118455887 CET	1.1.1.1	192.168.2.12	0xee5d	Name error (3)	forwardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.129980087 CET	1.1.1.1	192.168.2.12	0x597f	Name error (3)	degreeappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.141983032 CET	1.1.1.1	192.168.2.12	0xe1c2	Name error (3)	forwardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.152947903 CET	1.1.1.1	192.168.2.12	0x2967	Name error (3)	answermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.185976028 CET	1.1.1.1	192.168.2.12	0xaa70	Name error (3)	glassmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.195962906 CET	1.1.1.1	192.168.2.12	0xe4ef	Name error (3)	answeranother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.207361937 CET	1.1.1.1	192.168.2.12	0xe62c	Name error (3)	glassanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.375502110 CET	1.1.1.1	192.168.2.12	0xc635	Name error (3)	answerbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.388797045 CET	1.1.1.1	192.168.2.12	0xcd9e	Name error (3)	glassbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.398511887 CET	1.1.1.1	192.168.2.12	0xc6e5	Name error (3)	answerappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.431021929 CET	1.1.1.1	192.168.2.12	0x97c3	Name error (3)	glassappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.596924067 CET	1.1.1.1	192.168.2.12	0x60c3	Name error (3)	difficultmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.609118938 CET	1.1.1.1	192.168.2.12	0x8bb5	Name error (3)	heardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.620577097 CET	1.1.1.1	192.168.2.12	0x9494	Name error (3)	difficultanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.652581930 CET	1.1.1.1	192.168.2.12	0x3c4c	Name error (3)	heardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.663974047 CET	1.1.1.1	192.168.2.12	0x17c	Name error (3)	difficultbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.674887896 CET	1.1.1.1	192.168.2.12	0x9d86	Name error (3)	heardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.694242954 CET	1.1.1.1	192.168.2.12	0x96af	Name error (3)	difficultappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.707346916 CET	1.1.1.1	192.168.2.12	0xcc10	Name error (3)	heardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.719021082 CET	1.1.1.1	192.168.2.12	0x8504	Name error (3)	pleasantmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.751260996 CET	1.1.1.1	192.168.2.12	0x593a	Name error (3)	necessarymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.763493061 CET	1.1.1.1	192.168.2.12	0x3393	Name error (3)	pleasantanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.798727989 CET	1.1.1.1	192.168.2.12	0xdf7e	Name error (3)	necessaryanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.808063030 CET	1.1.1.1	192.168.2.12	0x7c79	Name error (3)	pleasantbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.816996098 CET	1.1.1.1	192.168.2.12	0xa0e	Name error (3)	necessarybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.825573921 CET	1.1.1.1	192.168.2.12	0xa22	Name error (3)	pleasantappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.857584953 CET	1.1.1.1	192.168.2.12	0xb0d5	Name error (3)	necessaryappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.872421026 CET	1.1.1.1	192.168.2.12	0x3a7d	Name error (3)	ordermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.887038946 CET	1.1.1.1	192.168.2.12	0xe738	Name error (3)	requiremanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.898539066 CET	1.1.1.1	192.168.2.12	0xf1c3	Name error (3)	orderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.909567118 CET	1.1.1.1	192.168.2.12	0xdff1	Name error (3)	requireanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.922736883 CET	1.1.1.1	192.168.2.12	0x7828	Name error (3)	orderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.936700106 CET	1.1.1.1	192.168.2.12	0x852	Name error (3)	requirebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.950093031 CET	1.1.1.1	192.168.2.12	0x9330	Name error (3)	orderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.983128071 CET	1.1.1.1	192.168.2.12	0xcb8b	Name error (3)	requireappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:36.994483948 CET	1.1.1.1	192.168.2.12	0x1a70	Name error (3)	leadermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.006149054 CET	1.1.1.1	192.168.2.12	0xa641	Name error (3)	heavenmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.018970966 CET	1.1.1.1	192.168.2.12	0x4f53	Name error (3)	leaderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.030833960 CET	1.1.1.1	192.168.2.12	0xb4dc	Name error (3)	heavenanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.064296007 CET	1.1.1.1	192.168.2.12	0xb927	Name error (3)	leaderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.075678110 CET	1.1.1.1	192.168.2.12	0x6ac3	Name error (3)	heavenbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.091466904 CET	1.1.1.1	192.168.2.12	0x951c	Name error (3)	leaderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.104702950 CET	1.1.1.1	192.168.2.12	0x3235	Name error (3)	heavenappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.117088079 CET	1.1.1.1	192.168.2.12	0xe52d	Name error (3)	heavymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.128886938 CET	1.1.1.1	192.168.2.12	0xf7e6	Name error (3)	gentlemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.147527933 CET	1.1.1.1	192.168.2.12	0x324a	Name error (3)	heavyanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.438239098 CET	1.1.1.1	192.168.2.12	0xbe1e	No error (0)	gentleanother.net		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.482202053 CET	1.1.1.1	192.168.2.12	0x9db6	Name error (3)	heavybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.514782906 CET	1.1.1.1	192.168.2.12	0x1bfb	Name error (3)	gentlebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.527385950 CET	1.1.1.1	192.168.2.12	0x6ea6	Name error (3)	heavyappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.539263010 CET	1.1.1.1	192.168.2.12	0x4495	Name error (3)	gentleappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.573142052 CET	1.1.1.1	192.168.2.12	0xa77	Name error (3)	variousmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.585866928 CET	1.1.1.1	192.168.2.12	0xaed2	Name error (3)	returnmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.596869946 CET	1.1.1.1	192.168.2.12	0xb8f	Name error (3)	variousanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.609096050 CET	1.1.1.1	192.168.2.12	0x5eab	Name error (3)	returnanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.623939037 CET	1.1.1.1	192.168.2.12	0xc77e	Name error (3)	variousbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.658279896 CET	1.1.1.1	192.168.2.12	0x5d04	Name error (3)	returnbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.692061901 CET	1.1.1.1	192.168.2.12	0x42c7	Name error (3)	variousappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.725785017 CET	1.1.1.1	192.168.2.12	0x40c6	Name error (3)	returnappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.760349989 CET	1.1.1.1	192.168.2.12	0xa219	Name error (3)	degreeinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.792762995 CET	1.1.1.1	192.168.2.12	0x14ca	Name error (3)	forwardinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.804871082 CET	1.1.1.1	192.168.2.12	0x5c1e	Name error (3)	degreeexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.815332890 CET	1.1.1.1	192.168.2.12	0x613e	Name error (3)	forwardexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.826771021 CET	1.1.1.1	192.168.2.12	0x6012	Name error (3)	degreebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.858014107 CET	1.1.1.1	192.168.2.12	0x5596	Name error (3)	forwardbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.869194031 CET	1.1.1.1	192.168.2.12	0x177a	Name error (3)	degreeinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.901793003 CET	1.1.1.1	192.168.2.12	0x485c	Name error (3)	forwardinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.920753002 CET	1.1.1.1	192.168.2.12	0x7f28	Name error (3)	answerinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.932405949 CET	1.1.1.1	192.168.2.12	0x6785	Name error (3)	glassinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.943319082 CET	1.1.1.1	192.168.2.12	0xde1	Name error (3)	answerexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.976975918 CET	1.1.1.1	192.168.2.12	0x813e	Name error (3)	glassexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.989069939 CET	1.1.1.1	192.168.2.12	0x6aaa	Name error (3)	answerbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.347677946 CET	1.1.1.1	192.168.2.12	0x9b48	No error (0)	glassbright.net	7450.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 15:50:39.347677946 CET	1.1.1.1	192.168.2.12	0x9b48	No error (0)	7450.bodis.com		199.59.243.227	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:40.099374056 CET	1.1.1.1	192.168.2.12	0x5d9d	Name error (3)	answerinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:40.150058031 CET	1.1.1.1	192.168.2.12	0x3785	Name error (3)	glassinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:40.181050062 CET	1.1.1.1	192.168.2.12	0x8cb0	Name error (3)	difficultinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:40.197092056 CET	1.1.1.1	192.168.2.12	0x1ca2	Name error (3)	heardinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:40.266252041 CET	1.1.1.1	192.168.2.12	0xf7c1	Name error (3)	difficultexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:40.331813097 CET	1.1.1.1	192.168.2.12	0x418b	Name error (3)	heardexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:40.348149061 CET	1.1.1.1	192.168.2.12	0xfd79	Name error (3)	difficultbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:40.359796047 CET	1.1.1.1	192.168.2.12	0x4959	Name error (3)	heardbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:40.373874903 CET	1.1.1.1	192.168.2.12	0xe209	Name error (3)	difficultinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:40.386442900 CET	1.1.1.1	192.168.2.12	0x13ef	Name error (3)	heardinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:40.597685099 CET	1.1.1.1	192.168.2.12	0xa28f	No error (0)	pleasantinstead.net		18.143.155.63	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:42.479764938 CET	1.1.1.1	192.168.2.12	0xec6f	Name error (3)	necessaryinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:42.491219044 CET	1.1.1.1	192.168.2.12	0x3dfc	Name error (3)	pleasantexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:42.502408981 CET	1.1.1.1	192.168.2.12	0x2328	Name error (3)	necessaryexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:42.511087894 CET	1.1.1.1	192.168.2.12	0x9b53	Name error (3)	pleasantbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:42.522123098 CET	1.1.1.1	192.168.2.12	0xa73c	Name error (3)	necessarybright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:42.561728001 CET	1.1.1.1	192.168.2.12	0xf742	Name error (3)	pleasantinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:42.594779968 CET	1.1.1.1	192.168.2.12	0x7b3b	Name error (3)	necessaryinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:42.759627104 CET	1.1.1.1	192.168.2.12	0xc3ba	Name error (3)	orderinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.013878107 CET	1.1.1.1	192.168.2.12	0x436c	Name error (3)	requireinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.090728998 CET	1.1.1.1	192.168.2.12	0x6482	Name error (3)	orderexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.122219086 CET	1.1.1.1	192.168.2.12	0x5067	Name error (3)	requireexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.164113045 CET	1.1.1.1	192.168.2.12	0x8836	Name error (3)	orderbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.177833080 CET	1.1.1.1	192.168.2.12	0x1a06	Name error (3)	requirebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.189707994 CET	1.1.1.1	192.168.2.12	0x1080	Name error (3)	orderinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.224935055 CET	1.1.1.1	192.168.2.12	0x312	Name error (3)	requireinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.237549067 CET	1.1.1.1	192.168.2.12	0x9f35	Name error (3)	leaderinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.249094009 CET	1.1.1.1	192.168.2.12	0x6949	Name error (3)	heaveninstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.260262012 CET	1.1.1.1	192.168.2.12	0x422	Name error (3)	leaderexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.272043943 CET	1.1.1.1	192.168.2.12	0x2a1f	Name error (3)	heavenexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.284220934 CET	1.1.1.1	192.168.2.12	0x8d40	Name error (3)	leaderbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.316426039 CET	1.1.1.1	192.168.2.12	0xab2c	Name error (3)	heavenbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.327120066 CET	1.1.1.1	192.168.2.12	0x363d	Name error (3)	leaderinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.337754011 CET	1.1.1.1	192.168.2.12	0x565	Name error (3)	heaveninside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.348467112 CET	1.1.1.1	192.168.2.12	0xae8b	Name error (3)	heavyinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.363282919 CET	1.1.1.1	192.168.2.12	0x5f6c	Name error (3)	gentleinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.389350891 CET	1.1.1.1	192.168.2.12	0x891d	Name error (3)	heavyexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.400141954 CET	1.1.1.1	192.168.2.12	0x1f10	Name error (3)	gentleexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.431592941 CET	1.1.1.1	192.168.2.12	0x6d7a	Name error (3)	heavybright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.464695930 CET	1.1.1.1	192.168.2.12	0xcff5	Name error (3)	gentlebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.476999998 CET	1.1.1.1	192.168.2.12	0x9b23	Name error (3)	heavyinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.488123894 CET	1.1.1.1	192.168.2.12	0x66d7	Name error (3)	gentleinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.498915911 CET	1.1.1.1	192.168.2.12	0xcbb2	Name error (3)	variousinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.510081053 CET	1.1.1.1	192.168.2.12	0x8aad	Name error (3)	returninstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.519056082 CET	1.1.1.1	192.168.2.12	0xae72	Name error (3)	variousexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.530484915 CET	1.1.1.1	192.168.2.12	0xb30	Name error (3)	returnexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.563083887 CET	1.1.1.1	192.168.2.12	0x8fee	Name error (3)	variousbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.737529039 CET	1.1.1.1	192.168.2.12	0xbee	Name error (3)	returnbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.749855995 CET	1.1.1.1	192.168.2.12	0xd646	Name error (3)	variousinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.761660099 CET	1.1.1.1	192.168.2.12	0x783	Name error (3)	returninside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.920042038 CET	1.1.1.1	192.168.2.12	0xdbd9	Name error (3)	degreeready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.953638077 CET	1.1.1.1	192.168.2.12	0x84ec	Name error (3)	forwardready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.965208054 CET	1.1.1.1	192.168.2.12	0x9229	Name error (3)	degreebrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.977418900 CET	1.1.1.1	192.168.2.12	0x23f7	Name error (3)	forwardbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:43.988555908 CET	1.1.1.1	192.168.2.12	0x216b	Name error (3)	degreepeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:44.003756046 CET	1.1.1.1	192.168.2.12	0x642a	Name error (3)	forwardpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:44.020085096 CET	1.1.1.1	192.168.2.12	0x8aed	No error (0)	degreedaughter.net		85.214.228.140	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:44.915266991 CET	1.1.1.1	192.168.2.12	0x507e	Name error (3)	forwarddaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:44.926552057 CET	1.1.1.1	192.168.2.12	0x6ccc	Name error (3)	answerready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:44.937752008 CET	1.1.1.1	192.168.2.12	0xbfca	Name error (3)	glassready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:44.949186087 CET	1.1.1.1	192.168.2.12	0xb1cd	Name error (3)	answerbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:44.980081081 CET	1.1.1.1	192.168.2.12	0x5d0	Name error (3)	glassbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:45.143635035 CET	1.1.1.1	192.168.2.12	0x97	Name error (3)	answerpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:45.164115906 CET	1.1.1.1	192.168.2.12	0xacd3	Name error (3)	glasspeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:45.176037073 CET	1.1.1.1	192.168.2.12	0xd50c	Name error (3)	answerdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:45.191411972 CET	1.1.1.1	192.168.2.12	0x45b7	Name error (3)	glassdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:45.225363970 CET	1.1.1.1	192.168.2.12	0x39	Name error (3)	difficultready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:45.236249924 CET	1.1.1.1	192.168.2.12	0x9568	Name error (3)	heardready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:45.271048069 CET	1.1.1.1	192.168.2.12	0x3b02	Name error (3)	difficultbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:58.046475887 CET	1.1.1.1	192.168.2.12	0x839f	Name error (3)	difficultbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:51:53.935127974 CET	1.1.1.1	192.168.2.12	0xa8c0	Name error (3)	leadernothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:51:54.951539993 CET	1.1.1.1	192.168.2.12	0xa923	Name error (3)	heavennothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:51:55.968050957 CET	1.1.1.1	192.168.2.12	0xde81	Name error (3)	leaderbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:51:56.999291897 CET	1.1.1.1	192.168.2.12	0x8011	Name error (3)	heavenbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:51:58.014391899 CET	1.1.1.1	192.168.2.12	0x3544	Name error (3)	leaderdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:51:59.032080889 CET	1.1.1.1	192.168.2.12	0x560c	Name error (3)	heavendivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:00.050940037 CET	1.1.1.1	192.168.2.12	0x6beb	Name error (3)	heavystream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:01.155534983 CET	1.1.1.1	192.168.2.12	0xbf22	Name error (3)	gentlestream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:01.157527924 CET	1.1.1.1	192.168.2.12	0xbf22	Name error (3)	gentlestream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:02.323637009 CET	1.1.1.1	192.168.2.12	0x3599	Name error (3)	heavynothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:02.323879004 CET	1.1.1.1	192.168.2.12	0x3599	Name error (3)	heavynothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:03.341836929 CET	1.1.1.1	192.168.2.12	0x1a3d	Name error (3)	gentlenothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:04.359714985 CET	1.1.1.1	192.168.2.12	0x6f42	Name error (3)	heavybottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:05.517164946 CET	1.1.1.1	192.168.2.12	0x3af4	Name error (3)	gentlebottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:05.517184973 CET	1.1.1.1	192.168.2.12	0x3af4	Name error (3)	gentlebottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:06.552776098 CET	1.1.1.1	192.168.2.12	0x699b	Name error (3)	heavydivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:06.557041883 CET	1.1.1.1	192.168.2.12	0x699b	Name error (3)	heavydivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:07.600938082 CET	1.1.1.1	192.168.2.12	0x84f6	Name error (3)	gentledivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:10.333369017 CET	1.1.1.1	192.168.2.12	0x12e8	Name error (3)	returnstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:11.360363007 CET	1.1.1.1	192.168.2.12	0xe12a	Name error (3)	variousnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:12.377095938 CET	1.1.1.1	192.168.2.12	0x76de	Name error (3)	returnnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:13.414598942 CET	1.1.1.1	192.168.2.12	0x504e	Name error (3)	variousbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:13.417268038 CET	1.1.1.1	192.168.2.12	0x504e	Name error (3)	variousbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:17.051208019 CET	1.1.1.1	192.168.2.12	0x3904	Name error (3)	variousdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:17.057410002 CET	1.1.1.1	192.168.2.12	0x3904	Name error (3)	variousdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:18.130179882 CET	1.1.1.1	192.168.2.12	0x9a0e	Name error (3)	returndivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:19.156049967 CET	1.1.1.1	192.168.2.12	0x89a2	Name error (3)	degreemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:20.173338890 CET	1.1.1.1	192.168.2.12	0xc02b	Name error (3)	forwardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:21.185372114 CET	1.1.1.1	192.168.2.12	0x6223	Name error (3)	degreeanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:22.202563047 CET	1.1.1.1	192.168.2.12	0xf5dc	Name error (3)	forwardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:23.238806963 CET	1.1.1.1	192.168.2.12	0xc414	Name error (3)	degreebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:23.244930029 CET	1.1.1.1	192.168.2.12	0xc414	Name error (3)	degreebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:24.265342951 CET	1.1.1.1	192.168.2.12	0xff2b	Name error (3)	forwardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:25.281001091 CET	1.1.1.1	192.168.2.12	0x27f6	Name error (3)	degreeappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:26.295265913 CET	1.1.1.1	192.168.2.12	0x54ee	Name error (3)	forwardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:27.332876921 CET	1.1.1.1	192.168.2.12	0x5fc8	Name error (3)	answermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:27.338790894 CET	1.1.1.1	192.168.2.12	0x5fc8	Name error (3)	answermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:28.357753038 CET	1.1.1.1	192.168.2.12	0xc9e4	Name error (3)	glassmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:29.346055984 CET	1.1.1.1	192.168.2.12	0xb364	Name error (3)	answeranother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:30.295526981 CET	1.1.1.1	192.168.2.12	0x65d7	Name error (3)	glassanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:52:31.218302965 CET	1.1.1.1	192.168.2.12	0x358d	Name error (3)	answerbusiness.net	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

variousstream.net

returnbottle.net

gentleanother.net

glassbright.net

pleasantinstead.net

degreedaughter.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.12	49711	199.59.243.227	80	6988	C:\oblimpyrbviueg\usncdvbjyrwr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:50:33.022269011 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: variousstream.net
Nov 7, 2024 15:50:33.846889973 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 14:50:33 GMT content-type: text/html; charset=utf-8 content-length: 1066 x-request-id: 2382c5f9-8a7e-4c0a-a215-6f464e077715 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ== set-cookie: parking_session=2382c5f9-8a7e-4c0a-a215-6f464e077715; expires=Thu, 07 Nov 2024 15:05:33 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 53 48 57 78 4b 61 44 77 6f 44 6f 77 66 36 4c 4b 38 37 48 37 43 67 61 6e 64 75 64 43 5a 44 6d 51 47 5a 44 66 75 6c 48 7a 46 33 2b 71 61 37 37 57 52 36 7a 53 41 4f 70 32 47 6e 6f 6d 44 4b 45 7a 61 45 62 64 50 67 46 4f 47 31 48 77 38 41 67 68 7a 4e 4e 74 45 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 15:50:33.847028017 CET	519	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMjM4MmM1ZjktOGE3ZS00YzBhLWEyMTUtNmY0NjRlMDc3NzE1IiwicGFnZV90aW1lIjoxNzMwOTkxMD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.12	49712	18.143.155.63	80	6988	C:\oblimpyrbviueg\usncdvbjyrwr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:50:34.113013029 CET	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: returnbottle.net
Nov 7, 2024 15:50:35.553335905 CET	387	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 14:50:35 GMT Content-Type: text/html Connection: close Set-Cookie: btst=4f4a395d43b883d113ce3f1655f99bdd\|173.254.250.79\|1730991035\|1730991035\|0\|1\|0; path=/; domain=.returnbottle.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.12	49713	54.244.188.177	80	6988	C:\oblimpyrbviueg\usncdvbjyrwr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:50:37.470662117 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: gentleanother.net
Nov 7, 2024 15:50:38.343558073 CET	388	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 14:50:38 GMT Content-Type: text/html Connection: close Set-Cookie: btst=84e7993b3c108256a1aa9609985e2eb2\|173.254.250.79\|1730991038\|1730991038\|0\|1\|0; path=/; domain=.gentleanother.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.12	49714	199.59.243.227	80	6988	C:\oblimpyrbviueg\usncdvbjyrwr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:50:39.353786945 CET	82	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: glassbright.net
Nov 7, 2024 15:50:40.029390097 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 14:50:39 GMT content-type: text/html; charset=utf-8 content-length: 1062 x-request-id: 9782c938-0d34-401d-ae41-50a557bacf11 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg== set-cookie: parking_session=9782c938-0d34-401d-ae41-50a557bacf11; expires=Thu, 07 Nov 2024 15:05:39 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 73 31 4f 4c 7a 78 6e 55 4f 6e 45 48 37 31 36 6b 42 70 6b 2f 68 77 6b 51 57 33 67 38 4a 33 70 73 6a 42 43 51 35 37 47 55 41 5a 74 5a 53 32 46 34 65 75 65 4b 6c 34 69 45 6f 71 6d 42 39 71 74 37 68 6b 53 39 39 4e 49 43 2f 79 4b 66 4e 77 69 33 2b 4d 56 50 79 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 15:50:40.029539108 CET	515	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTc4MmM5MzgtMGQzNC00MDFkLWFlNDEtNTBhNTU3YmFjZjExIiwicGFnZV90aW1lIjoxNzMwOTkxMD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.12	49715	18.143.155.63	80	6988	C:\oblimpyrbviueg\usncdvbjyrwr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:50:40.603492022 CET	86	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: pleasantinstead.net
Nov 7, 2024 15:50:42.053514004 CET	390	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 14:50:41 GMT Content-Type: text/html Connection: close Set-Cookie: btst=069b3b0f557afb4262afe464f92083d2\|173.254.250.79\|1730991041\|1730991041\|0\|1\|0; path=/; domain=.pleasantinstead.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.12	49719	85.214.228.140	80	6988	C:\oblimpyrbviueg\usncdvbjyrwr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:50:44.027134895 CET	85	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: degreedaughter.net
Nov 7, 2024 15:50:44.905226946 CET	176	IN	HTTP/1.0 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Thu, 07 Nov 2024 14:50:44 GMT Content-Length: 19 Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.12	49728	199.59.243.227	80	4064	C:\oblimpyrbviueg\usncdvbjyrwr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:52:08.669750929 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: variousstream.net
Nov 7, 2024 15:52:09.305361032 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 14:52:09 GMT content-type: text/html; charset=utf-8 content-length: 1066 x-request-id: a11d97d2-230e-4ccd-8fed-4b26b07567bd cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ== set-cookie: parking_session=a11d97d2-230e-4ccd-8fed-4b26b07567bd; expires=Thu, 07 Nov 2024 15:07:09 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 53 48 57 78 4b 61 44 77 6f 44 6f 77 66 36 4c 4b 38 37 48 37 43 67 61 6e 64 75 64 43 5a 44 6d 51 47 5a 44 66 75 6c 48 7a 46 33 2b 71 61 37 37 57 52 36 7a 53 41 4f 70 32 47 6e 6f 6d 44 4b 45 7a 61 45 62 64 50 67 46 4f 47 31 48 77 38 41 67 68 7a 4e 4e 74 45 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 15:52:09.305672884 CET	519	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYTExZDk3ZDItMjMwZS00Y2NkLThmZWQtNGIyNmIwNzU2N2JkIiwicGFnZV90aW1lIjoxNzMwOTkxMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.12	49729	18.143.155.63	80	4064	C:\oblimpyrbviueg\usncdvbjyrwr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:52:14.546895981 CET	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: returnbottle.net
Nov 7, 2024 15:52:16.004764080 CET	387	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 14:52:15 GMT Content-Type: text/html Connection: close Set-Cookie: btst=fafd3b3524f491e9a5eb21aced272a45\|173.254.250.79\|1730991135\|1730991135\|0\|1\|0; path=/; domain=.returnbottle.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Target ID:	0
Start time:	09:50:26
Start date:	07/11/2024
Path:	C:\Users\user\Desktop\8CO4P3HwDt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8CO4P3HwDt.exe"
Imagebase:	0x8b0000
File size:	362'496 bytes
MD5 hash:	C3C8DF0D6043078ABDF157A68D37EB96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:50:27
Start date:	07/11/2024
Path:	C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe
Wow64 process (32bit):	true
Commandline:	"C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe"
Imagebase:	0x340000
File size:	362'496 bytes
MD5 hash:	C3C8DF0D6043078ABDF157A68D37EB96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 89%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:50:27
Start date:	07/11/2024
Path:	C:\oblimpyrbviueg\usncdvbjyrwr.exe
Wow64 process (32bit):	true
Commandline:	C:\oblimpyrbviueg\usncdvbjyrwr.exe
Imagebase:	0xda0000
File size:	362'496 bytes
MD5 hash:	C3C8DF0D6043078ABDF157A68D37EB96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 89%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:50:29
Start date:	07/11/2024
Path:	C:\oblimpyrbviueg\hrzceasx.exe
Wow64 process (32bit):	true
Commandline:	uwauanknl3ss "c:\oblimpyrbviueg\usncdvbjyrwr.exe"
Imagebase:	0x390000
File size:	362'496 bytes
MD5 hash:	C3C8DF0D6043078ABDF157A68D37EB96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 89%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:50:30
Start date:	07/11/2024
Path:	C:\oblimpyrbviueg\usncdvbjyrwr.exe
Wow64 process (32bit):	true
Commandline:	"C:\oblimpyrbviueg\usncdvbjyrwr.exe"
Imagebase:	0xda0000
File size:	362'496 bytes
MD5 hash:	C3C8DF0D6043078ABDF157A68D37EB96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:51:48
Start date:	07/11/2024
Path:	C:\oblimpyrbviueg\usncdvbjyrwr.exe
Wow64 process (32bit):	true
Commandline:	"c:\oblimpyrbviueg\usncdvbjyrwr.exe"
Imagebase:	0xda0000
File size:	362'496 bytes
MD5 hash:	C3C8DF0D6043078ABDF157A68D37EB96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	09:51:49
Start date:	07/11/2024
Path:	C:\oblimpyrbviueg\hrzceasx.exe
Wow64 process (32bit):	true
Commandline:	uwauanknl3ss "c:\oblimpyrbviueg\usncdvbjyrwr.exe"
Imagebase:	0xb60000
File size:	362'496 bytes
MD5 hash:	C3C8DF0D6043078ABDF157A68D37EB96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	26.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.9%
Total number of Nodes:	905
Total number of Limit Nodes:	16

Executed Functions

Function 008DC35F Relevance: 273.3, APIs: 118, Strings: 35, Instructions: 5532libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 008DC4BB
GetProcAddress.KERNEL32(76E00000,?), ref: 008DC582
GetProcAddress.KERNEL32(76E00000,?), ref: 008DC605
GetProcAddress.KERNEL32(76E00000,?), ref: 008DC676
GetProcAddress.KERNEL32(76E00000,?), ref: 008DC72E
GetProcAddress.KERNEL32(76E00000,?), ref: 008DC81A
GetProcAddress.KERNEL32(76E00000,?), ref: 008DC8B1

Strings

h*, xrefs: 008DDED2
h[*, xrefs: 008E0EA3
h<, xrefs: 008DC47F
C:\Users\user, xrefs: 008E15B6
jhz*, xrefs: 008DFCBA
h:, xrefs: 008DFF33
hq, xrefs: 008DCEB6
h., xrefs: 008DD52D
h6, xrefs: 008E1841
hC", xrefs: 008DF2E2
jhu<, xrefs: 008DDC0D
h, xrefs: 008DFC0B
h0, xrefs: 008E11E9
hk#, xrefs: 008DF7E0
hO+, xrefs: 008DE7D5
,b/, xrefs: 008DC9B6
h), xrefs: 008DE929
j4h!, xrefs: 008DC388
(S, xrefs: 008E1583
h, xrefs: 008DD3E2
h&(, xrefs: 008E06B1
h{), xrefs: 008DF008
h{7, xrefs: 008E1281
h, xrefs: 008E01BA
h-<, xrefs: 008E1A01
h\7, xrefs: 008DFA94
hQ", xrefs: 008E1325
h-), xrefs: 008E147A
hi+, xrefs: 008DE3C0
a!l, xrefs: 008DD991
hP, xrefs: 008E088B
hd", xrefs: 008DE1BF
jhl7, xrefs: 008DD588
hi*, xrefs: 008E0B40
jhb$, xrefs: 008DEA44

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: C:\Users\user$a!l$h$h&($h-)$h-<$h0$h:$hC"$hO+$hP$hQ"$h[*$h\7$hd"$hi*$hi+$hk#$hq$h{)$h{7$h$h$h)$h*$h.$h6$h<$jhz*$jhb$$jhl7$jhu<$j4h!$(S$,b/
API String ID: 667068680-112787745
Opcode ID: 35661dcc04118c918487bd667c4963d2044346dcc658871c218cb94869e838dd
Instruction ID: b1bccdb9cf5e9aeb6db99f110c8470818ba7644088bdcfcd6c0669a7d4df0e03
Opcode Fuzzy Hash: 35661dcc04118c918487bd667c4963d2044346dcc658871c218cb94869e838dd
Instruction Fuzzy Hash: FBB39BB0900709EBD704DF74FD49EB9BBB2FB88310F11815ADB80963A5EB3059A1EB55

Function 008C15A0 Relevance: 33.1, APIs: 12, Strings: 6, Instructions: 1602fileCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(008FDFC0), ref: 008C16A3
CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 008C187D
DeleteFileA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 008C1BED
RemoveDirectoryA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 008C1C40
CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000), ref: 008C1E18
CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 008C1F47
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 008C247A

Strings

\, xrefs: 008C296C
#tG5, xrefs: 008C289D
v-7P, xrefs: 008C2B64
}3, xrefs: 008C1647
C:\Users\user, xrefs: 008C2210, 008C230B
2V, xrefs: 008C1D3E

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: Directory$Create$DeleteFileRemoveVersion
String ID: #tG5$2V$C:\Users\user$\$v-7P$}3
API String ID: 696612475-113834627
Opcode ID: f9fe61712fb2944f3722d99c946ba30467ae309d7534f1f5344c0eb6c066db20
Instruction ID: 2812319be08d8e3154c17a879dff1ad346e0040551618a57e11d7a2c01652f85
Opcode Fuzzy Hash: f9fe61712fb2944f3722d99c946ba30467ae309d7534f1f5344c0eb6c066db20
Instruction Fuzzy Hash: 1CE2E0B1900709DBCB049F74FD88EB97BB3FB99310F218159D781932A4EB3099A5DB45

Function 008BA780 Relevance: 7.8, APIs: 5, Instructions: 294
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000003E8), ref: 008BA899
FindFirstFileA.KERNELBASE(?,?), ref: 008BA9FF
DeleteFileA.KERNELBASE(?), ref: 008BAB11
FindNextFileA.KERNELBASE(00000000,?), ref: 008BAB31
FindClose.KERNEL32(00000000), ref: 008BAB4A

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleep
String ID:
API String ID: 1528862845-0
Opcode ID: 8226ff0dd0ed42107319b09ee926128d9333194acf8f03221ad0c464353eb78e
Instruction ID: 3eedd43f1e20a170a8007197eef9b7edad04c37a6f309d683f83a888c03646d8
Opcode Fuzzy Hash: 8226ff0dd0ed42107319b09ee926128d9333194acf8f03221ad0c464353eb78e
Instruction Fuzzy Hash: 97C1DE31A00B09DBCB049F34FD58EB97BB2FB98310F118195DA85933A4EF315AA5DB45

Function 008E7710 Relevance: 4.7, APIs: 3, Instructions: 152
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,008C16FF), ref: 008E77DE
CheckTokenMembership.KERNELBASE(00000000,?,?,?,?,?,008C16FF), ref: 008E7817
FreeSid.ADVAPI32(?,?,?,?,008C16FF), ref: 008E7918

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 68847c30d1c5fa873a09b9bd66f43bff87eb12a5406f38c1a4439d64df96da3c
Instruction ID: 3a8817ff17833ab4d2b284084573fc35b04a24ece86a58dfdc2a0b6c4789f174
Opcode Fuzzy Hash: 68847c30d1c5fa873a09b9bd66f43bff87eb12a5406f38c1a4439d64df96da3c
Instruction Fuzzy Hash: D961C0B4901709EBCB009F75ED88DB97F7BFB94300B52808AD78063364EB3455A4DBA9

Function 008E5570 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,008EEFAF,008EEFAF,?,?,00000001), ref: 008E55B2
RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 008E55B9

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: b0bcc545d7087fa963d246b185e7b2d704257712c60d748dbbdc5223e5d61523
Instruction ID: b2a006ea0f948eb7bca841e0bb3dc022bca0157ffb8fb3efb32cb6721116e2e3
Opcode Fuzzy Hash: b0bcc545d7087fa963d246b185e7b2d704257712c60d748dbbdc5223e5d61523
Instruction Fuzzy Hash: 5CF01C75905308EBCB00DFB4E949D79BBB9FB48300F204155EA09D7364EA31AA61CB91

Function 008DD366 Relevance: 230.4, APIs: 98, Strings: 31, Instructions: 4600libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(76E00000,?), ref: 008DD3C5
GetProcAddress.KERNEL32(76E00000,?), ref: 008DD44E
GetProcAddress.KERNEL32(76E00000,?), ref: 008DD4F9
GetProcAddress.KERNEL32(76E00000,?), ref: 008DD575
GetProcAddress.KERNEL32(76E00000,?), ref: 008DD60A
GetProcAddress.KERNEL32(76E00000,?), ref: 008DD699
GetProcAddress.KERNEL32(76E00000,?), ref: 008DD70E
GetProcAddress.KERNEL32(76E00000,?), ref: 008DD817
GetProcAddress.KERNEL32(76E00000,?), ref: 008DD89B
GetProcAddress.KERNEL32(76E00000,?), ref: 008DD935
GetProcAddress.KERNEL32(76E00000,?), ref: 008DD9F0
GetProcAddress.KERNEL32(76E00000,?), ref: 008DDB13

Strings

h*, xrefs: 008DDED2
h[*, xrefs: 008E0EA3
C:\Users\user, xrefs: 008E15B6
jhz*, xrefs: 008DFCBA
h:, xrefs: 008DFF33
h., xrefs: 008DD52D
h6, xrefs: 008E1841
hC", xrefs: 008DF2E2
jhu<, xrefs: 008DDC0D
h, xrefs: 008DFC0B
h0, xrefs: 008E11E9
hk#, xrefs: 008DF7E0
hO+, xrefs: 008DE7D5
h), xrefs: 008DE929
(S, xrefs: 008E1583
h, xrefs: 008DD3E2
h&(, xrefs: 008E06B1
h{), xrefs: 008DF008
h{7, xrefs: 008E1281
h, xrefs: 008E01BA
h-<, xrefs: 008E1A01
h\7, xrefs: 008DFA94
hQ", xrefs: 008E1325
h-), xrefs: 008E147A
hi+, xrefs: 008DE3C0
a!l, xrefs: 008DD991
hP, xrefs: 008E088B
hd", xrefs: 008DE1BF
jhl7, xrefs: 008DD588
hi*, xrefs: 008E0B40
jhb$, xrefs: 008DEA44

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: AddressProc
String ID: C:\Users\user$a!l$h$h&($h-)$h-<$h0$h:$hC"$hO+$hP$hQ"$h[*$h\7$hd"$hi*$hi+$hk#$h{)$h{7$h$h$h)$h*$h.$h6$jhz*$jhb$$jhl7$jhu<$(S
API String ID: 190572456-2603301341
Opcode ID: 5d64bae7f4fba8e92d75bcac633e6b991090c23978a09eabaf20365f93a9e66d
Instruction ID: 7ddaeef1aa40dfa85f5a26182f63003edbcab0eb5e0297a7e891586bb995e87a
Opcode Fuzzy Hash: 5d64bae7f4fba8e92d75bcac633e6b991090c23978a09eabaf20365f93a9e66d
Instruction Fuzzy Hash: DCA38AB0900709EBD704DF74FD49EB9BBB6FB88310F11815ADB80923A5EB3059A1EB55

Function 008DE0B9 Relevance: 185.8, APIs: 79, Strings: 25, Instructions: 3825
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76E00000,?), ref: 008DE0ED
GetProcAddress.KERNEL32(76E00000,?), ref: 008DE1A4
GetProcAddress.KERNEL32(76E00000,?), ref: 008DE290
GetProcAddress.KERNEL32(76E00000,?), ref: 008DE32F
GetProcAddress.KERNEL32(76E00000,?), ref: 008DE394
GetProcAddress.KERNEL32(76E00000,?), ref: 008DE43A
GetProcAddress.KERNEL32(76E00000,?), ref: 008DE501
GetProcAddress.KERNEL32(76E00000,?), ref: 008DE5DD

Strings

h[*, xrefs: 008E0EA3
C:\Users\user, xrefs: 008E15B6
jhz*, xrefs: 008DFCBA
h:, xrefs: 008DFF33
h6, xrefs: 008E1841
hC", xrefs: 008DF2E2
h, xrefs: 008DFC0B
h0, xrefs: 008E11E9
hk#, xrefs: 008DF7E0
hO+, xrefs: 008DE7D5
h), xrefs: 008DE929
(S, xrefs: 008E1583
h{), xrefs: 008DF008
h&(, xrefs: 008E06B1
h{7, xrefs: 008E1281
h-<, xrefs: 008E1A01
h, xrefs: 008E01BA
h\7, xrefs: 008DFA94
hQ", xrefs: 008E1325
h-), xrefs: 008E147A
hi+, xrefs: 008DE3C0
hP, xrefs: 008E088B
hd", xrefs: 008DE1BF
hi*, xrefs: 008E0B40
jhb$, xrefs: 008DEA44

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: AddressProc
String ID: C:\Users\user$h$h&($h-)$h-<$h0$h:$hC"$hO+$hP$hQ"$h[*$h\7$hd"$hi*$hi+$hk#$h{)$h{7$h$h)$h6$jhz*$jhb$$(S
API String ID: 190572456-1105801417
Opcode ID: 3b56cacdaef3663dd7cbdfc041798e9a8bbe95c34f573b0a6d90c921085addfe
Instruction ID: 62c182c74160bea4b0cb7e1c2c23ff78d97f0cf82c526069ecd99ad297c7ebb3
Opcode Fuzzy Hash: 3b56cacdaef3663dd7cbdfc041798e9a8bbe95c34f573b0a6d90c921085addfe
Instruction Fuzzy Hash: E7838BB0900709EBD704DF74FD49EB9BBB6FB88310F21815ADB80923A5EB305961EB55

Function 008DE6F6 Relevance: 168.0, APIs: 71, Strings: 23, Instructions: 3471
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76E00000,?), ref: 008DE70E
GetProcAddress.KERNEL32(76E00000,?), ref: 008DE7C2
GetProcAddress.KERNEL32(76E00000,?), ref: 008DE849
GetProcAddress.KERNEL32(76E00000,?), ref: 008DE903
GetProcAddress.KERNEL32(76E00000,?), ref: 008DE9A9
GetProcAddress.KERNEL32(76E00000,?), ref: 008DEA2A
GetProcAddress.KERNEL32(76E00000,?), ref: 008DEABF
GetProcAddress.KERNEL32(76E00000,?), ref: 008DEB23
GetProcAddress.KERNEL32(76E00000,?), ref: 008DEBA9
GetProcAddress.KERNEL32(76E00000,?), ref: 008DEC61
GetProcAddress.KERNEL32(76E00000,?), ref: 008DECEA
GetProcAddress.KERNEL32(76E00000,?), ref: 008DED7B
GetProcAddress.KERNEL32(76E00000,?), ref: 008DEDD9
GetProcAddress.KERNEL32(76E00000,?), ref: 008DEEAD
GetProcAddress.KERNEL32(76E00000,?), ref: 008DEFED
GetProcAddress.KERNEL32(76E00000,?), ref: 008DF05C
GetProcAddress.KERNEL32(76E00000,?), ref: 008DF135
GetProcAddress.KERNEL32(76E00000,?), ref: 008DF19A
GetProcAddress.KERNEL32(76E00000,?), ref: 008DF1F9
LoadLibraryA.KERNELBASE(?), ref: 008DF26D
LoadLibraryA.KERNEL32(?), ref: 008DF349
GetProcAddress.KERNEL32(76FC0000,00000000), ref: 008DF44D
GetProcAddress.KERNEL32(76FC0000,?), ref: 008DF515
GetProcAddress.KERNEL32(76FC0000,?), ref: 008DF5C3
GetProcAddress.KERNEL32(76FC0000,?), ref: 008DF6BD
GetProcAddress.KERNEL32(76FC0000,?), ref: 008DF7CB
GetProcAddress.KERNEL32(76FC0000,?), ref: 008DF8D9

Strings

h{), xrefs: 008DF008
h[*, xrefs: 008E0EA3
h&(, xrefs: 008E06B1
h{7, xrefs: 008E1281
h-<, xrefs: 008E1A01
h, xrefs: 008E01BA
h\7, xrefs: 008DFA94
C:\Users\user, xrefs: 008E15B6
hQ", xrefs: 008E1325
jhz*, xrefs: 008DFCBA
h-), xrefs: 008E147A
h:, xrefs: 008DFF33
hP, xrefs: 008E088B
h6, xrefs: 008E1841
hi*, xrefs: 008E0B40
hC", xrefs: 008DF2E2
h, xrefs: 008DFC0B
h0, xrefs: 008E11E9
hk#, xrefs: 008DF7E0
hO+, xrefs: 008DE7D5
h), xrefs: 008DE929
(S, xrefs: 008E1583
jhb$, xrefs: 008DEA44

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: C:\Users\user$h$h&($h-)$h-<$h0$h:$hC"$hO+$hP$hQ"$h[*$h\7$hi*$hk#$h{)$h{7$h$h)$h6$jhz*$jhb$$(S
API String ID: 2238633743-2215104298
Opcode ID: d07a6fd2e715abae98ee37db5d0b357d685ae2fe5873b71de5735560788115ef
Instruction ID: 3daa440d89ae16de4d718dfc08d06501762a35d3d04298320bf8eb701d7a59dd
Opcode Fuzzy Hash: d07a6fd2e715abae98ee37db5d0b357d685ae2fe5873b71de5735560788115ef
Instruction Fuzzy Hash: 6A739CB0900709EBD704DF74FD49EB9BBB6FB88310F21815ADB84923A4EB305961EB55

Function 008E0F4E Relevance: 41.3, APIs: 15, Strings: 8, Instructions: 1085
libraryloadersynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76F40000,?), ref: 008E0FCA
GetProcAddress.KERNEL32(76F40000,?), ref: 008E10D6
GetProcAddress.KERNEL32(76F40000,?), ref: 008E11B4
GetProcAddress.KERNEL32(76F40000,?), ref: 008E126C
GetProcAddress.KERNEL32(76F40000,?), ref: 008E1308
GetProcAddress.KERNEL32(76F40000,?), ref: 008E1375
GetProcAddress.KERNEL32(76F40000,?), ref: 008E145D
GetProcAddress.KERNEL32(76F40000,?), ref: 008E151F

Part of subcall function 008E68B0: GetSystemTime.KERNEL32(?,?,00000001,?,?,?,008E1588,00000015,?), ref: 008E6967
Part of subcall function 008E68B0: GetTickCount.KERNEL32 ref: 008E6A58

GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 008E15C5
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 008E1609
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 008E1658
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 008E1674
GetTickCount.KERNEL32 ref: 008E17EE
GetCommandLineA.KERNEL32 ref: 008E1997

Strings

h{7, xrefs: 008E1281
h6, xrefs: 008E1841
h-<, xrefs: 008E1A01
C:\Users\user, xrefs: 008E15B6
h0, xrefs: 008E11E9
hQ", xrefs: 008E1325
(S, xrefs: 008E1583
h-), xrefs: 008E147A

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: AddressProc$CreateMutex$CountTick$CommandEnvironmentLineSystemTimeVariable
String ID: C:\Users\user$h-)$h-<$h0$hQ"$h{7$h6$(S
API String ID: 116423738-75577720
Opcode ID: b732722969b6ccfb97f51b6df6b7caa4b143bee6266f53d4594ae82f632f6581
Instruction ID: 5ebd4489b69c4ffd5201ceeb7b07dba8a0cb45fc0202907e54f08262fb82c40e
Opcode Fuzzy Hash: b732722969b6ccfb97f51b6df6b7caa4b143bee6266f53d4594ae82f632f6581
Instruction Fuzzy Hash: 0CA28EB1901709EBDB04DF74FD49EB9BBB2FB98310F218059D784932A4EB3059A1EB45

Function 008C2525 Relevance: 14.6, APIs: 5, Strings: 3, Instructions: 638
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 008C259F
GetTempPathA.KERNEL32(00000104,00000000,?,?,?,?,?,00000000), ref: 008C2891
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 008C2A8F

Strings

\, xrefs: 008C296C
#tG5, xrefs: 008C289D
v-7P, xrefs: 008C2B64

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: CreateDirectory$PathTemp
String ID: #tG5$\$v-7P
API String ID: 4115145201-232245755
Opcode ID: 477378245a39b326cacef034b6d0184a08899aefdf33040257b9dbb44d7f9b88
Instruction ID: 330e6be29f1c1c124c91d3d15001d60af18411aca89d953172a4457c4bbf094c
Opcode Fuzzy Hash: 477378245a39b326cacef034b6d0184a08899aefdf33040257b9dbb44d7f9b88
Instruction Fuzzy Hash: ED4212B1900709DBCB049F74FD48EB87BB3FB98300F218199D781972A4EB3199A5DB95

Function 008C7230 Relevance: 11.0, APIs: 7, Instructions: 456
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,000000FF), ref: 008C736B
ReadFile.KERNELBASE(00000000,000000FF,?,?,00000000,?,?,?,?,000000FF), ref: 008C73D9
CloseHandle.KERNELBASE(00000000,?,?,?,?,000000FF), ref: 008C73F2
GetTickCount.KERNEL32 ref: 008C74B7
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 008C771A
WriteFile.KERNELBASE(00000000,000000FF,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 008C77BA
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 008C7845

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID:
API String ID: 3478262135-0
Opcode ID: 9b42761ad83a25641571f15db3f3a3dddd767254e79dea53853fb41314955c88
Instruction ID: c1c702d573b516e3af0a9c278f1705b5f369d7191a8e9a40ba2fdf9e00ff773a
Opcode Fuzzy Hash: 9b42761ad83a25641571f15db3f3a3dddd767254e79dea53853fb41314955c88
Instruction Fuzzy Hash: 2B12DB71904B04DBD7048F34FC88EB9BBB7FB98721F11815ADB81963A4EB3054A1DB56

Function 008D6700 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 429
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 008D695B
WriteFile.KERNELBASE(?,?,00005000,00005000,00000000), ref: 008D6C2D
CloseHandle.KERNEL32(?), ref: 008D6D57

Strings

[v"=, xrefs: 008D6799

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: [v"=
API String ID: 1065093856-2465089900
Opcode ID: 488ff83fa8be66fe2ce4238cc56f441ad87cc0cd31d9202f212b8abcfc2d2d95
Instruction ID: fdab16e75e883f1270a5bf6666f1013d46176aa5030a3611731f47e02bca548e
Opcode Fuzzy Hash: 488ff83fa8be66fe2ce4238cc56f441ad87cc0cd31d9202f212b8abcfc2d2d95
Instruction Fuzzy Hash: 8E129E70900B09EBD7049F74FD58EB97BB2FB88311F21815ACB85933A4EB3055A5EB85

Function 008C3A80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 149
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?), ref: 008C3BE8
CloseHandle.KERNEL32(00000000), ref: 008C3C04
CloseHandle.KERNEL32(?), ref: 008C3C38

Strings

D, xrefs: 008C3B27

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: 1f0737ee84856e78ad7d4587d83747d9f29ad6550314408d284022931e61896e
Instruction ID: f6c957e10464e61fe61d05740c2aff6ce2bb433b6780d505de04f5d9acabc585
Opcode Fuzzy Hash: 1f0737ee84856e78ad7d4587d83747d9f29ad6550314408d284022931e61896e
Instruction Fuzzy Hash: 94617E70A01B09EBD700DFB0FE48FB87B72FB98310F218195D780662A8DB3155A5DB55

Function 008BAC20 Relevance: 3.1, APIs: 2, Instructions: 53
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?), ref: 008BACA0
CharLowerBuffA.USER32(?,00000000), ref: 008BACA8

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID:
API String ID: 794975171-0
Opcode ID: e75afae33fe126f23e0e3fdde0b428316d28b0a07de3a95aeb568c5f391d5713
Instruction ID: 37af44ba3726ec21938958a4a36cdd9f6896900b2dc53e05538c0e6eedc97c66
Opcode Fuzzy Hash: e75afae33fe126f23e0e3fdde0b428316d28b0a07de3a95aeb568c5f391d5713
Instruction Fuzzy Hash: 17112875A04B05DBC3059F78FC88CB97F76F7987203168146EB8583368EB3059A4DB99

Function 008D4770 Relevance: 3.0, APIs: 2, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,008BFCFC,008BFCFC,?,?,?,?,00000001), ref: 008D47A0
RtlFreeHeap.NTDLL(00000000,?,?,?,00000001), ref: 008D47A7

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: f71d575a1d104528f14efc1d38ddac3f71ab6ff0660c65c3c86654c89e5c66c5
Instruction ID: 8288697860fdd96480acf3d05f62f77bd6aa537f2c9ef26274ccacebee54bafd
Opcode Fuzzy Hash: f71d575a1d104528f14efc1d38ddac3f71ab6ff0660c65c3c86654c89e5c66c5
Instruction Fuzzy Hash: CB011975905B08EBC7009F70FE48DB9BBB6FB98311B124081EF8592264EB3009B4EB55

Function 008E9D80 Relevance: 1.6, APIs: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008D3E30: GetStdHandle.KERNEL32(000000F6,?,00000001,0000D92F,?,008E9D96), ref: 008D3E4E
Part of subcall function 008D3E30: GetStdHandle.KERNEL32(000000F5,00000000,?,00000001,0000D92F,?,008E9D96), ref: 008D3EBA
Part of subcall function 008D3E30: GetStdHandle.KERNEL32(000000F4,00000000,?,00000001,0000D92F,?,008E9D96), ref: 008D3F3A

ExitProcess.KERNEL32 ref: 008E9ED0

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: Handle$ExitProcess
String ID:
API String ID: 256993070-0
Opcode ID: de5710f4f08faf52ff8b66a81c1ce642b9c6ea93dea195fc4a599dd4ef34c6bf
Instruction ID: 4d9677d53f58d640b223f5006e3a1b3162fd8db88d6f6e6b96ac264819b91899
Opcode Fuzzy Hash: de5710f4f08faf52ff8b66a81c1ce642b9c6ea93dea195fc4a599dd4ef34c6bf
Instruction Fuzzy Hash: 5E316970901B09EBC704EF35FE499793B72FB99301B618155C7C1A2374EB3459A1DB4A

Function 008CAA20 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 008CAB0F

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 9f3776b5af868bd703a3d7547341425feb3a1e7b2ba0ea2bea6b73a1d82085c2
Instruction ID: fdc80a6c96188eb483fd1a27d54024f881b7fc7e0c518b4140b6f9355deee6ee
Opcode Fuzzy Hash: 9f3776b5af868bd703a3d7547341425feb3a1e7b2ba0ea2bea6b73a1d82085c2
Instruction Fuzzy Hash: 4721C9B4905709D7CB04AF70FE84EB87BB7FB84311B204459CB4192328E7315991EF85

Non-executed Functions

Function 008EF820 Relevance: 24.2, APIs: 11, Strings: 2, Instructions: 1429networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 008F0491
setsockopt.WS2_32(00000000,0000FFFF,00001006,00000000,00000004), ref: 008F05C5
gethostbyname.WS2_32(?), ref: 008F0669
inet_ntoa.WS2_32(00000002), ref: 008F06D6
inet_addr.WS2_32(00000000), ref: 008F06DD
htons.WS2_32(00000050), ref: 008F071A

Strings

/, xrefs: 008EFA5E
`z{, xrefs: 008F0A91

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: gethostbynamehtonsinet_addrinet_ntoasetsockoptsocket
String ID: /$`z{
API String ID: 2269612703-3201032225
Opcode ID: 46625d97b8b5cb8211d0208cbdf781a00fadd2c1f838c5991f1e8c2a8812a291
Instruction ID: 2b96d2aa8e62b59e9855ba7e6fa3c9ec9ebe65e03eb1beb2e27914bda04f3b51
Opcode Fuzzy Hash: 46625d97b8b5cb8211d0208cbdf781a00fadd2c1f838c5991f1e8c2a8812a291
Instruction Fuzzy Hash: 2CD2BA71900709DBCB04EF74FD88EBC7BB2FB99310B21805ADB85932A5EB3059A5DB45

Function 008B2250 Relevance: 13.7, APIs: 9, Instructions: 246serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 008B2303
CreateServiceA.ADVAPI32(00000000,01450788,01450788,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 008B2375
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 008B23DC
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 008B240D
CloseServiceHandle.ADVAPI32(00000000), ref: 008B2426
OpenServiceA.ADVAPI32(00000000,01450788,00000010), ref: 008B24D5
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 008B24F8
CloseServiceHandle.ADVAPI32(00000000), ref: 008B253C
CloseServiceHandle.ADVAPI32(00000000), ref: 008B25B9

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: 9e2f9a8d5c153adb00e8d811b5e4a34d088d7e6e730b538f76f24a97e67073f8
Instruction ID: 2864f35874f068012593ac82355a1cd021879f17a55df324fcde1f3a736affef
Opcode Fuzzy Hash: 9e2f9a8d5c153adb00e8d811b5e4a34d088d7e6e730b538f76f24a97e67073f8
Instruction Fuzzy Hash: E4B16775A01705EFD7009F74ED88FB8BB72FB88710F11814ADB81A63A8EB7055A1DB49

Function 008D4C00 Relevance: 11.2, APIs: 7, Instructions: 660processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 008D4D14
Process32First.KERNEL32(00000000,?), ref: 008D4E93
CreateToolhelp32Snapshot.KERNEL32(00000008,?,00000000), ref: 008D529B
Module32First.KERNEL32(00000000,?), ref: 008D52FF
CloseHandle.KERNEL32(00000000,0000000A,?,00000000), ref: 008D55C2
Process32Next.KERNEL32(0000000A,00000128), ref: 008D564E
CloseHandle.KERNEL32(00000000,?,00000000), ref: 008D56DF

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
String ID:
API String ID: 930127669-0
Opcode ID: f2e2bae8b20304f4a694ec645c2796ac9dcfd537830d78058c78c51867d03ba1
Instruction ID: ac45e12e6a5b1786b48684fdd00123eac5a32d9dc89a13c06d00b1bf5af997c2
Opcode Fuzzy Hash: f2e2bae8b20304f4a694ec645c2796ac9dcfd537830d78058c78c51867d03ba1
Instruction Fuzzy Hash: 16529C71901715EBC7049F71FE48EB87BB2FB98311B218186C785A23B4EB3159A1DF89

Function 008D2500 Relevance: 11.1, APIs: 5, Strings: 1, Instructions: 575serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000,?,00000000), ref: 008D2702
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000,?,00000000), ref: 008D2791
GetLastError.KERNEL32(?,00000000), ref: 008D281B
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 008D290D

Part of subcall function 008EB3F0: lstrlenA.KERNEL32(00000001,0144B4A9,?,008D94CD,?,00000024,00000000,00000001,?,?,00000000,?,?,?,?,?), ref: 008EB47E

CloseServiceHandle.ADVAPI32(00000000), ref: 008D2D27

Strings

>]>, xrefs: 008D2D33

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenServicelstrlen
String ID: >]>
API String ID: 783426840-737585485
Opcode ID: cbc0fdea0f5308a39025a58082bd4c574dd5a2593755141e07281d9af4a632c9
Instruction ID: 73d0172e29429f488a0c3d98129b3718fa6e793d431a7f752ec0a8b46b86779b
Opcode Fuzzy Hash: cbc0fdea0f5308a39025a58082bd4c574dd5a2593755141e07281d9af4a632c9
Instruction Fuzzy Hash: F342D071901B09DBC7049F74FD48EB87BB2FB98310F21814ACB81A23B4EB3155A5DB99

Function 008E68B0 Relevance: 3.1, APIs: 2, Instructions: 128timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,?,00000001,?,?,?,008E1588,00000015,?), ref: 008E6967
GetTickCount.KERNEL32 ref: 008E6A58

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: CountSystemTickTime
String ID:
API String ID: 2164215191-0
Opcode ID: ea9b81c18ce58a4d468df631d6cea3bed450c34c1fbef854336b7019530feea7
Instruction ID: 4de69f153661cbfaba19b899ad464d77d81099c1177cccbc2f27ced10af6f143
Opcode Fuzzy Hash: ea9b81c18ce58a4d468df631d6cea3bed450c34c1fbef854336b7019530feea7
Instruction Fuzzy Hash: C751A171800719DBC704EF75FE48DB8BB72FB993107218295C781622B8EB315A71EB89

Function 008CACF0 Relevance: 1.8, Strings: 1, Instructions: 541COMMON

Download Yara Rule

Strings

3k:, xrefs: 008CB509

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID:
String ID: 3k:
API String ID: 0-1299657057
Opcode ID: 8eaa352bb94b74deea2354471d517ecf2363b18e62ee8a518b33f963287f1978
Instruction ID: 5a665323cdc74551f59db231594c4cf8abb656b6fa8f37039d0e1fd80f938b9e
Opcode Fuzzy Hash: 8eaa352bb94b74deea2354471d517ecf2363b18e62ee8a518b33f963287f1978
Instruction Fuzzy Hash: 2F32B171900B09DBC704DF75FD88DB87BB3FB98310B228059D685932B4EB3594A5EB85

Function 008BAD00 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 008BAD74

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID:
API String ID: 3789849863-0
Opcode ID: 8c6e5225f403d029699606144faad9d45914589f843191872edce339b8c7bc02
Instruction ID: e92404d9f8848a4a00fedbb1988daec5d757a468622c97e19d21b3a39968184b
Opcode Fuzzy Hash: 8c6e5225f403d029699606144faad9d45914589f843191872edce339b8c7bc02
Instruction Fuzzy Hash: 1511527490570ADBC700DFB5F9489BDBFB6FB9C300B218196CA85A3324D73156A4DB85

Function 008CCCA0 Relevance: 12.5, APIs: 8, Instructions: 454registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(01450788,008E9EE0), ref: 008CCE80
SetServiceStatus.ADVAPI32(00000000,008FD8CC), ref: 008CCF35
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 008CCF66
SetServiceStatus.ADVAPI32(00000000,008FD8CC), ref: 008CD018
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 008CD122
SetServiceStatus.ADVAPI32(00000000,008FD8CC), ref: 008CD1FD
CloseHandle.KERNEL32(00000000), ref: 008CD254
SetServiceStatus.ADVAPI32(00000000,008FD8CC), ref: 008CD30E

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID:
API String ID: 3399922960-0
Opcode ID: 8b1cceb2b02dfc8c7be0f416722dee8be12f058a3aafaf8c556bc4a003e5a440
Instruction ID: 8d15517e87a9d22e466a54b4d55e59abd756e6946b914e3447bbf0bbf0a0ecff
Opcode Fuzzy Hash: 8b1cceb2b02dfc8c7be0f416722dee8be12f058a3aafaf8c556bc4a003e5a440
Instruction Fuzzy Hash: 12225CB4905709EBC704DF70FE48DB8BBB2FB98311B21845ACA4193374EB315AA5EB54

Function 008D2E80 Relevance: 10.9, APIs: 7, Instructions: 391processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000000,00000001), ref: 008D2FE6
Process32First.KERNEL32(00000000,?), ref: 008D3056

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32
String ID:
API String ID: 2353314856-0
Opcode ID: 2404c01d222e8c015109fabce22aa4d6c5c2e7381dbe6245a76cf13d6fdb5cae
Instruction ID: 61a698e70e72f3562d980d528c1ea2149f2b2c963dfa7d3749886f6409478534
Opcode Fuzzy Hash: 2404c01d222e8c015109fabce22aa4d6c5c2e7381dbe6245a76cf13d6fdb5cae
Instruction Fuzzy Hash: 1202C370904709DBCB049F74FE44EB87BB7FBA8314B21819ACA8192374EB355A64EB45

Function 008D7790 Relevance: 9.3, APIs: 6, Instructions: 267filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 008D7872
GetFileTime.KERNEL32(00000000,?,?,?), ref: 008D78DD
CloseHandle.KERNEL32(00000000), ref: 008D796E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008D7A84
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 008D7ADF
CloseHandle.KERNEL32(00000000), ref: 008D7AFD

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3236713533-0
Opcode ID: 41bf9b477c25e9994ddba4910e257bffe1dbddbf6447e7d2532e17fd079513e2
Instruction ID: c66c12aef78563bea2d23d3e3a3b86ece69232ae5fdb8195ff3d7550ceb886e6
Opcode Fuzzy Hash: 41bf9b477c25e9994ddba4910e257bffe1dbddbf6447e7d2532e17fd079513e2
Instruction Fuzzy Hash: F1B1D071900709EBC700AF74FD48EB8BBB2FB98311F21856ADB84A2374EB305965DB54

Function 008C2FF0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 284processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 008C3115
Process32First.KERNEL32(00000000,00000128), ref: 008C3245
Process32Next.KERNEL32(00000000,00000128), ref: 008C338B

Strings

Tr^Z, xrefs: 008C34BD

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32
String ID: Tr^Z
API String ID: 1238713047-2648191975
Opcode ID: 4ba5f9c1c4b87acec8b68545a4f023306b6a0478f324bd7a209fbf5ac176797a
Instruction ID: feb9ecb9fce75ef5bd9f63b796d2d902ebffe60b4db7ca65cd513aaae7f77fe4
Opcode Fuzzy Hash: 4ba5f9c1c4b87acec8b68545a4f023306b6a0478f324bd7a209fbf5ac176797a
Instruction Fuzzy Hash: 80C17070901B09DBDB009F30FD88EB87B72FBD4315B218199D785A2274EB3195B9DB89

Function 008D3078 Relevance: 7.8, APIs: 5, Instructions: 262COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000001,00000000,?), ref: 008D31F8

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: OpenProcess
String ID:
API String ID: 3743895883-0
Opcode ID: 4fd1cfa30004b9e68bbe6cf5daa5979821691ca5b9c3e7e4de85988053be3bf6
Instruction ID: 553b9857cef099aae9cce21c03e042dcd0b97ae00a082650a015424f2b19aa03
Opcode Fuzzy Hash: 4fd1cfa30004b9e68bbe6cf5daa5979821691ca5b9c3e7e4de85988053be3bf6
Instruction Fuzzy Hash: 66B1B270805709DBCB04DF70FE48AB9BBB3FB95314B218196CA80A3374E7314A65EB45

Function 008E7990 Relevance: 7.6, APIs: 5, Instructions: 109synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 008E7A41
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 008E7A6A
CloseHandle.KERNEL32(00000000), ref: 008E7AB5
WaitForSingleObject.KERNEL32(?,000000FF), ref: 008E7B09
CloseHandle.KERNEL32(?,?,000000FF), ref: 008E7B24

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: 8ae17bb8cc00934ea52f6cefedff7d068fdecb79b15ab558442398fc403f0fed
Instruction ID: 45c3035f91011b1d2c056631743f418f15856370dec3fb2e571d52ea5a2df69b
Opcode Fuzzy Hash: 8ae17bb8cc00934ea52f6cefedff7d068fdecb79b15ab558442398fc403f0fed
Instruction Fuzzy Hash: 69415670100B18DBD3049F35FC88E787BB6FB89721F11814AEB81863B4EB34A4A5EB55

Function 008EB680 Relevance: 6.3, APIs: 4, Instructions: 284fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,1212816C), ref: 008EB826
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 008EB8A6
CloseHandle.KERNEL32(00000000,?,00000000), ref: 008EB9EE
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 008EBA79

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: CloseFileHandle$CreateRead
String ID:
API String ID: 2564258376-0
Opcode ID: 6ddb8a10759d3b4e220a530b9eb8a0a2c3d07bb089ff0b343addf0d034b67c5d
Instruction ID: f43beb453b9b4285d6d74ac2d3b6687784ae9e910772d330adad451e17cab216
Opcode Fuzzy Hash: 6ddb8a10759d3b4e220a530b9eb8a0a2c3d07bb089ff0b343addf0d034b67c5d
Instruction Fuzzy Hash: 8CC1BD70900B09EBC7049F75FD48EB97B72F798311F218159DB84932B0EB3059A1EB89

Function 008D3E30 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,?,00000001,0000D92F,?,008E9D96), ref: 008D3E4E
GetStdHandle.KERNEL32(000000F5,00000000,?,00000001,0000D92F,?,008E9D96), ref: 008D3EBA
GetStdHandle.KERNEL32(000000F4,00000000,?,00000001,0000D92F,?,008E9D96), ref: 008D3F3A

Strings

8N6x, xrefs: 008D3F59

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: Handle
String ID: 8N6x
API String ID: 2519475695-3105736675
Opcode ID: e849af784f19e9ecd33f5986e6a854a6968067fda0d20e7e3e99bd66736ed697
Instruction ID: 1734ac0e4d9f53afd1a58800b2acd6351af9d72646b29b4ef65d32cb5c5492c1
Opcode Fuzzy Hash: e849af784f19e9ecd33f5986e6a854a6968067fda0d20e7e3e99bd66736ed697
Instruction Fuzzy Hash: FE3122B2900708DBC3049F79ED84D787BB6F799320B62815AD754832A1EA315960EF9A

Function 008E3BDF Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 246sleepthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_000355D0,00000000,00000000,00000000), ref: 008E3F6E
Sleep.KERNEL32(0000C350), ref: 008E3FF5

Strings

DH|(, xrefs: 008E3E05

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: CreateSleepThread
String ID: DH|(
API String ID: 4202482776-4253307406
Opcode ID: b591f3c85e112118ffcf93494a895ebc4dc8228cd2c58df2327da065271e8c60
Instruction ID: 11030cd12ff2ee9daf811ae1d899aab97ff8590cb4980a4c1ab15200f6d6c204
Opcode Fuzzy Hash: b591f3c85e112118ffcf93494a895ebc4dc8228cd2c58df2327da065271e8c60
Instruction Fuzzy Hash: FFB1EE70900B08EBD7009F74FD49EB97BB6FB98310F218095E785972B0EB305A65EB46

Function 008C3276 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32(00000000,00000128), ref: 008C338B
CloseHandle.KERNEL32(00000000), ref: 008C3421

Strings

Tr^Z, xrefs: 008C34BD

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: CloseHandleNextProcess32
String ID: Tr^Z
API String ID: 4007157957-2648191975
Opcode ID: bc5e569fba2fa8c3297ae7dda7ac14ea663b0e64cff248500c228f615051741a
Instruction ID: dfcfecc8a48f23fdc48febb199307969945acde91f04c5da4efa049f9fd84688
Opcode Fuzzy Hash: bc5e569fba2fa8c3297ae7dda7ac14ea663b0e64cff248500c228f615051741a
Instruction Fuzzy Hash: AF51AC70500B4AC7DB008F30FC88FB57B72FBE4314F218199C68596260EF3296AAC74A

Function 008C32B5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32(00000000,00000128), ref: 008C338B
CloseHandle.KERNEL32(00000000), ref: 008C3421

Strings

Tr^Z, xrefs: 008C34BD

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: CloseHandleNextProcess32
String ID: Tr^Z
API String ID: 4007157957-2648191975
Opcode ID: 25096557318c3c75a02e5c315611f0d84f4cb9b98a2594eede9bb39c89450bfe
Instruction ID: e2a0a765fee471028e0d2d14e9170c696d768dd1221011153eacb5ebb7f3360d
Opcode Fuzzy Hash: 25096557318c3c75a02e5c315611f0d84f4cb9b98a2594eede9bb39c89450bfe
Instruction Fuzzy Hash: 22418F70504B4AC7DB104F30FC89FB47B76FBD5314F258199C68592260EB3696BACB4A

Function 008EB5A0 Relevance: 5.0, APIs: 4, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?), ref: 008EB5FB
HeapReAlloc.KERNEL32(00000000), ref: 008EB602
GetProcessHeap.KERNEL32(00000000,?), ref: 008EB632
HeapAlloc.KERNEL32(00000000), ref: 008EB639

Memory Dump Source

Source File: 00000000.00000002.2384330848.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2384303700.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384363330.00000000008F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384380335.00000000008FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2384396336.00000000008FF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_8CO4P3HwDt.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 9d8110d2193ae45c4c0574f8f5b15a4e1ee2ee24ab13d126364af2206856d0ea
Instruction ID: 9461991dd69fa760fcfd5f519ee7488e6192626d4603e5a3acc93e7ff3fd993d
Opcode Fuzzy Hash: 9d8110d2193ae45c4c0574f8f5b15a4e1ee2ee24ab13d126364af2206856d0ea
Instruction Fuzzy Hash: 27014C75504709EBCB009F75FC49D7ABB7AF799311F108245EE45CA620EB319490C755

Analysis Process: uzqv383gxrrqx7oiosyki.exePID: 6972, Parent PID: 6916COMMON

Execution Graph

Execution Coverage:	29.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	31

Executed Functions

Function 00343770 Relevance: 25.8, APIs: 13, Strings: 1, Instructions: 1321
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00343AD7
LoadLibraryA.KERNELBASE(00000000), ref: 00343BD8
GetProcAddress.KERNEL32(00000000,00000000), ref: 00343DAE
FreeLibrary.KERNEL32(?), ref: 00343DEF
HeapAlloc.KERNEL32(?,00000000,00000288), ref: 00343E51
FreeLibrary.KERNEL32(?), ref: 00343F0D

Strings

m}:m, xrefs: 00344643

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: Library$FreeHeap$AddressAllocLoadProcProcess
String ID: m}:m
API String ID: 1564586625-2727069789
Opcode ID: f15c4de6be5bde3ce42a02259f77fa497b88342a4cf3c1d087dbb181994b46fd
Instruction ID: 78aa532bb68df47b7200f086bb6d37b9cecddaf3e1e4c4cdb711939fb167b92e
Opcode Fuzzy Hash: f15c4de6be5bde3ce42a02259f77fa497b88342a4cf3c1d087dbb181994b46fd
Instruction Fuzzy Hash: 4DC2D0B4900705DBCB07AF61FC886A97FBDFB85321F2285D6C881662F4E73585A5CB81

Function 00342250 Relevance: 13.7, APIs: 9, Instructions: 246
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.SECHOST(00000000,00000000,00000002), ref: 00342303
CreateServiceA.ADVAPI32(00000000,01510D60,01510D60,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00342375
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 003423DC
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0034240D
CloseServiceHandle.ADVAPI32(00000000), ref: 00342426
OpenServiceA.ADVAPI32(00000000,01510D60,00000010), ref: 003424D5
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 003424F8
CloseServiceHandle.ADVAPI32(00000000), ref: 0034253C
CloseServiceHandle.ADVAPI32(00000000), ref: 003425B9

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: 66d5f579a7b9b0586362728543145a5e0ccadaaa9cd8bd213685b389cd595cec
Instruction ID: f1bfa87d656e129c9902d7156b2e50544ddf290e4e5dc232f5be96f313fb3d69
Opcode Fuzzy Hash: 66d5f579a7b9b0586362728543145a5e0ccadaaa9cd8bd213685b389cd595cec
Instruction Fuzzy Hash: AAB18BB4A01304EFD7069F61FC89AA97B7CFB89720F2284C6D881A76F4E77055A1CB45

Function 0036C35F Relevance: 273.3, APIs: 118, Strings: 35, Instructions: 5532libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 0036C4BB
GetProcAddress.KERNEL32(76E00000,?), ref: 0036C582
GetProcAddress.KERNEL32(76E00000,?), ref: 0036C605
GetProcAddress.KERNEL32(76E00000,?), ref: 0036C676
GetProcAddress.KERNEL32(76E00000,?), ref: 0036C72E
GetProcAddress.KERNEL32(76E00000,?), ref: 0036C81A
GetProcAddress.KERNEL32(76E00000,?), ref: 0036C8B1

Strings

a!l, xrefs: 0036D991
h0, xrefs: 003711E9
,b/, xrefs: 0036C9B6
hQ", xrefs: 00371325
h<, xrefs: 0036C47F
h6, xrefs: 00371841
jhz*, xrefs: 0036FCBA
hi*, xrefs: 00370B40
h, xrefs: 003701BA
h\7, xrefs: 0036FA94
j4h!, xrefs: 0036C388
hq, xrefs: 0036CEB6
h, xrefs: 0036D3E2
hC", xrefs: 0036F2E2
hO+, xrefs: 0036E7D5
jhl7, xrefs: 0036D588
h*, xrefs: 0036DED2
h, xrefs: 0036FC0B
h:, xrefs: 0036FF33
h), xrefs: 0036E929
jhb$, xrefs: 0036EA44
(S, xrefs: 00371583
jhu<, xrefs: 0036DC0D
h{), xrefs: 0036F008
h[*, xrefs: 00370EA3
hP, xrefs: 0037088B
h., xrefs: 0036D52D
h-), xrefs: 0037147A
C:\Users\user, xrefs: 003715B6
h-<, xrefs: 00371A01
h&(, xrefs: 003706B1
h{7, xrefs: 00371281
hd", xrefs: 0036E1BF
hk#, xrefs: 0036F7E0
hi+, xrefs: 0036E3C0

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: C:\Users\user$a!l$h$h&($h-)$h-<$h0$h:$hC"$hO+$hP$hQ"$h[*$h\7$hd"$hi*$hi+$hk#$hq$h{)$h{7$h$h$h)$h*$h.$h6$h<$jhz*$jhb$$jhl7$jhu<$j4h!$(S$,b/
API String ID: 667068680-112787745
Opcode ID: 4ff2993beb4441b15b1831ae9513ddc62dfbf43268b0df3dee37d217355238c0
Instruction ID: 0e8241fb3201a234a46e4cfb75d9569a14faf444674c012fdacfa93382783eb5
Opcode Fuzzy Hash: 4ff2993beb4441b15b1831ae9513ddc62dfbf43268b0df3dee37d217355238c0
Instruction Fuzzy Hash: 52B3C0B4900704EBDB06EFA5FD89AA97BBCFB88320F2184CAD580972F5DB345950DB41

Function 0036D366 Relevance: 230.4, APIs: 98, Strings: 31, Instructions: 4600libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(76E00000,?), ref: 0036D3C5
GetProcAddress.KERNEL32(76E00000,?), ref: 0036D44E
GetProcAddress.KERNEL32(76E00000,?), ref: 0036D4F9
GetProcAddress.KERNEL32(76E00000,?), ref: 0036D575
GetProcAddress.KERNEL32(76E00000,?), ref: 0036D60A
GetProcAddress.KERNEL32(76E00000,?), ref: 0036D699
GetProcAddress.KERNEL32(76E00000,?), ref: 0036D70E
GetProcAddress.KERNEL32(76E00000,?), ref: 0036D817
GetProcAddress.KERNEL32(76E00000,?), ref: 0036D89B
GetProcAddress.KERNEL32(76E00000,?), ref: 0036D935
GetProcAddress.KERNEL32(76E00000,?), ref: 0036D9F0
GetProcAddress.KERNEL32(76E00000,?), ref: 0036DB13

Strings

a!l, xrefs: 0036D991
h0, xrefs: 003711E9
hQ", xrefs: 00371325
h6, xrefs: 00371841
jhz*, xrefs: 0036FCBA
hi*, xrefs: 00370B40
h, xrefs: 003701BA
h\7, xrefs: 0036FA94
h, xrefs: 0036D3E2
hC", xrefs: 0036F2E2
hO+, xrefs: 0036E7D5
jhl7, xrefs: 0036D588
h*, xrefs: 0036DED2
h, xrefs: 0036FC0B
h:, xrefs: 0036FF33
h), xrefs: 0036E929
jhb$, xrefs: 0036EA44
(S, xrefs: 00371583
jhu<, xrefs: 0036DC0D
h{), xrefs: 0036F008
h[*, xrefs: 00370EA3
hP, xrefs: 0037088B
h., xrefs: 0036D52D
h-), xrefs: 0037147A
C:\Users\user, xrefs: 003715B6
h-<, xrefs: 00371A01
h&(, xrefs: 003706B1
h{7, xrefs: 00371281
hd", xrefs: 0036E1BF
hk#, xrefs: 0036F7E0
hi+, xrefs: 0036E3C0

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: AddressProc
String ID: C:\Users\user$a!l$h$h&($h-)$h-<$h0$h:$hC"$hO+$hP$hQ"$h[*$h\7$hd"$hi*$hi+$hk#$h{)$h{7$h$h$h)$h*$h.$h6$jhz*$jhb$$jhl7$jhu<$(S
API String ID: 190572456-2603301341
Opcode ID: ba2abc73eb9a874547c9d206236d4eb8d9316fe42bd0bd87b40276e7d1786a90
Instruction ID: 81816ed464f16c834a7f29b98e1a61a546e78118b2b5a3ea91b7589ca1ba2be0
Opcode Fuzzy Hash: ba2abc73eb9a874547c9d206236d4eb8d9316fe42bd0bd87b40276e7d1786a90
Instruction Fuzzy Hash: 16A3B1B4900708EBDB06EFA5FD49AA97BBCFB88320F2184CAD540972F5DB345A50DB45

Function 0036E0B9 Relevance: 185.8, APIs: 79, Strings: 25, Instructions: 3825
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76E00000,?), ref: 0036E0ED
GetProcAddress.KERNEL32(76E00000,?), ref: 0036E1A4
GetProcAddress.KERNEL32(76E00000,?), ref: 0036E290
GetProcAddress.KERNEL32(76E00000,?), ref: 0036E32F
GetProcAddress.KERNEL32(76E00000,?), ref: 0036E394
GetProcAddress.KERNEL32(76E00000,?), ref: 0036E43A
GetProcAddress.KERNEL32(76E00000,?), ref: 0036E501
GetProcAddress.KERNEL32(76E00000,?), ref: 0036E5DD

Strings

h0, xrefs: 003711E9
hQ", xrefs: 00371325
h6, xrefs: 00371841
jhz*, xrefs: 0036FCBA
h, xrefs: 003701BA
hi*, xrefs: 00370B40
h\7, xrefs: 0036FA94
hC", xrefs: 0036F2E2
hO+, xrefs: 0036E7D5
h, xrefs: 0036FC0B
h:, xrefs: 0036FF33
h), xrefs: 0036E929
jhb$, xrefs: 0036EA44
(S, xrefs: 00371583
h{), xrefs: 0036F008
h[*, xrefs: 00370EA3
hP, xrefs: 0037088B
C:\Users\user, xrefs: 003715B6
h-), xrefs: 0037147A
h-<, xrefs: 00371A01
h&(, xrefs: 003706B1
h{7, xrefs: 00371281
hd", xrefs: 0036E1BF
hk#, xrefs: 0036F7E0
hi+, xrefs: 0036E3C0

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: AddressProc
String ID: C:\Users\user$h$h&($h-)$h-<$h0$h:$hC"$hO+$hP$hQ"$h[*$h\7$hd"$hi*$hi+$hk#$h{)$h{7$h$h)$h6$jhz*$jhb$$(S
API String ID: 190572456-1105801417
Opcode ID: 96742d43e4806565672fb71a94c16460748cc9b4d7cfd1867c5b922f51bba934
Instruction ID: 9214ecd394f069b1e6e7d6d0f8f54bda781c0b93344ccaced009d146cfdff17e
Opcode Fuzzy Hash: 96742d43e4806565672fb71a94c16460748cc9b4d7cfd1867c5b922f51bba934
Instruction Fuzzy Hash: B283B1B4900708EBDB06EFA5FD499A97BBCFB88320F2184DAD580972F5DB344A50DB45

Function 0036E6F6 Relevance: 168.0, APIs: 71, Strings: 23, Instructions: 3471
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76E00000,?), ref: 0036E70E
GetProcAddress.KERNEL32(76E00000,?), ref: 0036E7C2
GetProcAddress.KERNEL32(76E00000,?), ref: 0036E849
GetProcAddress.KERNEL32(76E00000,?), ref: 0036E903
GetProcAddress.KERNEL32(76E00000,?), ref: 0036E9A9
GetProcAddress.KERNEL32(76E00000,?), ref: 0036EA2A
GetProcAddress.KERNEL32(76E00000,?), ref: 0036EABF
GetProcAddress.KERNEL32(76E00000,?), ref: 0036EB23
GetProcAddress.KERNEL32(76E00000,?), ref: 0036EBA9
GetProcAddress.KERNEL32(76E00000,?), ref: 0036EC61
GetProcAddress.KERNEL32(76E00000,?), ref: 0036ECEA
GetProcAddress.KERNEL32(76E00000,?), ref: 0036ED7B
GetProcAddress.KERNEL32(76E00000,?), ref: 0036EDD9
GetProcAddress.KERNEL32(76E00000,?), ref: 0036EEAD
GetProcAddress.KERNEL32(76E00000,?), ref: 0036EFED
GetProcAddress.KERNEL32(76E00000,?), ref: 0036F05C
GetProcAddress.KERNEL32(76E00000,?), ref: 0036F135
GetProcAddress.KERNEL32(76E00000,?), ref: 0036F19A
GetProcAddress.KERNEL32(76E00000,?), ref: 0036F1F9
LoadLibraryA.KERNELBASE(?), ref: 0036F26D
LoadLibraryA.KERNEL32(?), ref: 0036F349
GetProcAddress.KERNEL32(76FC0000,00000000), ref: 0036F44D
GetProcAddress.KERNEL32(76FC0000,?), ref: 0036F515
GetProcAddress.KERNEL32(76FC0000,?), ref: 0036F5C3
GetProcAddress.KERNEL32(76FC0000,?), ref: 0036F6BD
GetProcAddress.KERNEL32(76FC0000,?), ref: 0036F7CB
GetProcAddress.KERNEL32(76FC0000,?), ref: 0036F8D9

Strings

(S, xrefs: 00371583
h0, xrefs: 003711E9
hQ", xrefs: 00371325
h{), xrefs: 0036F008
h6, xrefs: 00371841
h[*, xrefs: 00370EA3
hP, xrefs: 0037088B
jhz*, xrefs: 0036FCBA
h, xrefs: 003701BA
C:\Users\user, xrefs: 003715B6
h-), xrefs: 0037147A
hi*, xrefs: 00370B40
h-<, xrefs: 00371A01
h\7, xrefs: 0036FA94
h&(, xrefs: 003706B1
hC", xrefs: 0036F2E2
hO+, xrefs: 0036E7D5
h{7, xrefs: 00371281
h, xrefs: 0036FC0B
h:, xrefs: 0036FF33
hk#, xrefs: 0036F7E0
h), xrefs: 0036E929
jhb$, xrefs: 0036EA44

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: C:\Users\user$h$h&($h-)$h-<$h0$h:$hC"$hO+$hP$hQ"$h[*$h\7$hi*$hk#$h{)$h{7$h$h)$h6$jhz*$jhb$$(S
API String ID: 2238633743-2215104298
Opcode ID: cae113513f4da3297e1edc534aa6990e7305714355c58b676b12f911a032c5c5
Instruction ID: 2df149502c87f1ddc83d318846c4996031a6c0b2c7837985d4cc7a9c263880cc
Opcode Fuzzy Hash: cae113513f4da3297e1edc534aa6990e7305714355c58b676b12f911a032c5c5
Instruction Fuzzy Hash: 0773B0B4901708EBDB06EF65FE499A97BBCFB88320F2184DAD480972F4DB344A50DB45

Function 00370F4E Relevance: 41.3, APIs: 15, Strings: 8, Instructions: 1085
libraryloadersynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76F40000,?), ref: 00370FCA
GetProcAddress.KERNEL32(76F40000,?), ref: 003710D6
GetProcAddress.KERNEL32(76F40000,?), ref: 003711B4
GetProcAddress.KERNEL32(76F40000,?), ref: 0037126C
GetProcAddress.KERNEL32(76F40000,?), ref: 00371308
GetProcAddress.KERNEL32(76F40000,?), ref: 00371375
GetProcAddress.KERNEL32(76F40000,?), ref: 0037145D
GetProcAddress.KERNEL32(76F40000,?), ref: 0037151F

Part of subcall function 003768B0: GetSystemTime.KERNEL32(?,?,00000001,?,?,?,00371588,00000015,?), ref: 00376967
Part of subcall function 003768B0: GetTickCount.KERNEL32 ref: 00376A58

GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 003715C5
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00371609
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00371658
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00371674
GetTickCount.KERNEL32 ref: 003717EE
GetCommandLineA.KERNEL32 ref: 00371997

Strings

C:\Users\user, xrefs: 003715B6
h-), xrefs: 0037147A
(S, xrefs: 00371583
h0, xrefs: 003711E9
h-<, xrefs: 00371A01
hQ", xrefs: 00371325
h6, xrefs: 00371841
h{7, xrefs: 00371281

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: AddressProc$CreateMutex$CountTick$CommandEnvironmentLineSystemTimeVariable
String ID: C:\Users\user$h-)$h-<$h0$hQ"$h{7$h6$(S
API String ID: 116423738-75577720
Opcode ID: 299a73fd80e300e1d2736a7eccdb345bfff8a742f8adabcd11d49983bbf6675c
Instruction ID: 2b337684d58539c4c2bad333b43eeac2c049e6131d0932be5eb03968d37bfc96
Opcode Fuzzy Hash: 299a73fd80e300e1d2736a7eccdb345bfff8a742f8adabcd11d49983bbf6675c
Instruction Fuzzy Hash: 39A2AEB4901709EBDB06EF61FE49AA97BBCFB88320F2184DAD485532F4DB344A51DB41

Function 003515A0 Relevance: 33.1, APIs: 12, Strings: 6, Instructions: 1602fileCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(0038DFC0), ref: 003516A3
CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0035187D
DeleteFileA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00351BED
RemoveDirectoryA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00351C40
CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000), ref: 00351E18
CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00351F47
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0035247A

Strings

C:\Users\user, xrefs: 00352210, 0035230B
}3, xrefs: 00351647
v-7P, xrefs: 00352B64
2V, xrefs: 00351D3E
#tG5, xrefs: 0035289D
\, xrefs: 0035296C

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: Directory$Create$DeleteFileRemoveVersion
String ID: #tG5$2V$C:\Users\user$\$v-7P$}3
API String ID: 696612475-113834627
Opcode ID: 30ac91040d8940a8c3409baf226610a9b3c4f5d04b206f916ddae7a9632d1040
Instruction ID: 75873ce063ce65238cb1ff0740add53d6a168661099b54eda5a524bbf224b000
Opcode Fuzzy Hash: 30ac91040d8940a8c3409baf226610a9b3c4f5d04b206f916ddae7a9632d1040
Instruction Fuzzy Hash: 0FE2E2B4900705DBCB07AF60FD88AA97BBDFB89321F2185D9D981672F4EB304965CB44

Function 00352525 Relevance: 14.6, APIs: 5, Strings: 3, Instructions: 638
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0035259F
GetTempPathA.KERNEL32(00000104,00000000,?,?,?,?,?,00000000), ref: 00352891
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00352A8F

Strings

v-7P, xrefs: 00352B64
#tG5, xrefs: 0035289D
\, xrefs: 0035296C

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: CreateDirectory$PathTemp
String ID: #tG5$\$v-7P
API String ID: 4115145201-232245755
Opcode ID: c688f52da67a3cd3e86e38b44fbfb217c0d804662a2a1140aa9a8320712998d3
Instruction ID: 428412e76ca31809d133b788677b83200739b4b60172e3e1a1abf51cd5f799cc
Opcode Fuzzy Hash: c688f52da67a3cd3e86e38b44fbfb217c0d804662a2a1140aa9a8320712998d3
Instruction Fuzzy Hash: 444228B1900704DBCB07AF60FD48AA97BBCFB89321F6185D5D881572F8EB3159A8CB40

Function 00366700 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 429
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 0036695B
WriteFile.KERNELBASE(?,?,00005000,00005000,00000000), ref: 00366C2D
CloseHandle.KERNELBASE(?), ref: 00366D57

Strings

[v"=, xrefs: 00366799

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: [v"=
API String ID: 1065093856-2465089900
Opcode ID: 4213609a9dd4038e882ed45ba7f0fda5af407a28b4440533dea3333f86dd8f41
Instruction ID: 92e529f0f31be37d3e0750b0997e072f5f3576ceb5c6f7f71b701299b318a247
Opcode Fuzzy Hash: 4213609a9dd4038e882ed45ba7f0fda5af407a28b4440533dea3333f86dd8f41
Instruction Fuzzy Hash: BE12A0B4900709EBC7079F65FD996A97BBDFB85320F2180DAC885A32F8E7305961CB45

Function 00353A80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 149
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?), ref: 00353BE8
CloseHandle.KERNEL32(00000000), ref: 00353C04
CloseHandle.KERNEL32(?), ref: 00353C38

Strings

D, xrefs: 00353B27

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: 65109c47fb56cd6992d9eba669b3c03925520f108664436392c8289f3b61b387
Instruction ID: cf4a330df67e2e56b292751d41bfc23bf7e12bff27c5c38f90465a4aa0c9d02c
Opcode Fuzzy Hash: 65109c47fb56cd6992d9eba669b3c03925520f108664436392c8289f3b61b387
Instruction Fuzzy Hash: E3617AB0905B08EBD706DFA1FE49B987B7CFB88320F2284C5D581662F8DB3056A5DB00

Function 0037B680 Relevance: 6.3, APIs: 4, Instructions: 284
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,1212816C), ref: 0037B826
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 0037B8A6
CloseHandle.KERNEL32(00000000,?,00000000), ref: 0037B9EE
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 0037BA79

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: CloseFileHandle$CreateRead
String ID:
API String ID: 2564258376-0
Opcode ID: 07f4340c9f4c8ef61d382090c92958ebbd216e995102bb1a45b3b9a23543bc2c
Instruction ID: 14c82196ccb23610f8e0752ebde38fbb63e6e8eb908ebf146a62eb423c02f74e
Opcode Fuzzy Hash: 07f4340c9f4c8ef61d382090c92958ebbd216e995102bb1a45b3b9a23543bc2c
Instruction Fuzzy Hash: 81C19B74900708EBC707AF65FD48AA97B7CFB88321F2589CAD885572F0DB345A61DB44

Function 0034AC20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?), ref: 0034ACA0
CharLowerBuffA.USER32(?,00000000), ref: 0034ACA8

Strings

m}:m, xrefs: 0034AC29

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID: m}:m
API String ID: 794975171-2727069789
Opcode ID: 9b26f176a8a7d175a75de5e18794f80cec5c0341e2283acdc0b5cf918c2cc5f1
Instruction ID: d3c86a4487dec5ddcadaa27d69744a45475353204a14c5af6bf196dba3acb033
Opcode Fuzzy Hash: 9b26f176a8a7d175a75de5e18794f80cec5c0341e2283acdc0b5cf918c2cc5f1
Instruction Fuzzy Hash: 5C117379504B09DBC7479F28FC8C8A93B7CFB98B20F1541C5E885832E4EB305960CB85

Function 00377710 Relevance: 4.7, APIs: 3, Instructions: 152
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,003516FF), ref: 003777DE
CheckTokenMembership.KERNELBASE(00000000,?,?,?,?,?,003516FF), ref: 00377817
FreeSid.ADVAPI32(?,?,?,?,003516FF), ref: 00377918

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 617219819ab294e55ecf903dda10672df74fecfa390856b23a6671af3420317e
Instruction ID: 6b7893a5dec8e3a567d1d83b26bea3ac8d9aabd4c3a00c94fa4b9f8265b05580
Opcode Fuzzy Hash: 617219819ab294e55ecf903dda10672df74fecfa390856b23a6671af3420317e
Instruction Fuzzy Hash: 8361CEB4901309EBCB079FA6FD889A97B7DFB85320F5180CAD580632F4DB345964CB95

Function 00347F46 Relevance: 4.4, APIs: 1, Strings: 1, Instructions: 942
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameA.KERNEL32(?,?), ref: 00348183

Strings

j~hF1, xrefs: 0034839B

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: ComputerName
String ID: j~hF1
API String ID: 3545744682-796474751
Opcode ID: 9cb6534c0cf3ff7ce81cd23962d61f26d2341abd32361888a21add684ec8c985
Instruction ID: 1a01a37c99b38af210c2c9eb01b51a3bd59d0552c76ec2e562ad1ce181685d14
Opcode Fuzzy Hash: 9cb6534c0cf3ff7ce81cd23962d61f26d2341abd32361888a21add684ec8c985
Instruction Fuzzy Hash: 8D92B0B4901709EBCB07EF61FD48AA87B7CFB85320F2184CAD481662F4EB355A65DB44

Function 00376C40 Relevance: 3.4, APIs: 2, Instructions: 444
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76F40000,00000000), ref: 00376F67
GetProcAddress.KERNEL32(76F40000,00000000), ref: 00377019

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 6652676377182bf128c1877feec3e95e45e2bce7b634d3e63b40beea462148da
Instruction ID: 286cc0596a7b39c6931e5bf4e159646e16e96fdc21cf9516f54a4d8a6f52cf90
Opcode Fuzzy Hash: 6652676377182bf128c1877feec3e95e45e2bce7b634d3e63b40beea462148da
Instruction Fuzzy Hash: 7112D2B8900704EBC703AF61FD486A87BBCFF89721F2185D6D885622F4EB3545A5CB45

Function 00364770 Relevance: 3.0, APIs: 2, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,0034FCFC,0034FCFC,?,?,?,?,00000001), ref: 003647A0
RtlFreeHeap.NTDLL(00000000,?,?,?,00000001), ref: 003647A7

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 7b683233091823c89fa5278465bb1c9b9f3db1c91655c3ea6f66142deaef01f2
Instruction ID: 245665fee3ddc9ac46347451a4664b483b65da5b9b4c281ea6f1fe69ef41e69e
Opcode Fuzzy Hash: 7b683233091823c89fa5278465bb1c9b9f3db1c91655c3ea6f66142deaef01f2
Instruction Fuzzy Hash: FC011DB4905708EBC7429FA1FD8C5697B7CFF85321F1140C1D985975E4DB3006A4DB51

Function 00375570 Relevance: 3.0, APIs: 2, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0037EFAF,0037EFAF,?,?,00000001), ref: 003755B2
RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 003755B9

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: a4181db3d4fbef9fef44f9326a8dc1c3a45621ca36f97ea240fd6f7982ae0347
Instruction ID: 9fd59ecda8636f9c474b57986ceea649407896cf2a32c9099da56f958b52e639
Opcode Fuzzy Hash: a4181db3d4fbef9fef44f9326a8dc1c3a45621ca36f97ea240fd6f7982ae0347
Instruction Fuzzy Hash: 95F01CB8A05308EBCB01DF90FD49559BB7CEB48310F104495EC49973A4DA31AA50DB91

Function 0035B950 Relevance: 1.7, APIs: 1, Instructions: 214fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 0035BB5D

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 069b363ebcd2b84eabbe377c27cda04da3d726abb46272106e7b6a162977f342
Instruction ID: d83b81ed01201e9c3252f9c5b9d5fd9d1e17c1a469691d1caf1b425d1944f666
Opcode Fuzzy Hash: 069b363ebcd2b84eabbe377c27cda04da3d726abb46272106e7b6a162977f342
Instruction Fuzzy Hash: 7791F470904709DBC7079F61FE89AA97BBDFB84321F2181D6C981576F4EB344964CB40

Function 00379D80 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 00363E30: GetStdHandle.KERNEL32(000000F6,?,00000001,00007AB9,?,00379D96), ref: 00363E4E
Part of subcall function 00363E30: GetStdHandle.KERNEL32(000000F5,00000000,?,00000001,00007AB9,?,00379D96), ref: 00363EBA
Part of subcall function 00363E30: GetStdHandle.KERNEL32(000000F4,00000000,?,00000001,00007AB9,?,00379D96), ref: 00363F3A

ExitProcess.KERNEL32 ref: 00379ED0

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: Handle$ExitProcess
String ID:
API String ID: 256993070-0
Opcode ID: c968bd6b98b1961bbf7c3d2205aca95408bd3617c7f47995e0487a244f94990f
Instruction ID: 6c64bf98adf0eb8c1f827937648830badd586f9e5eda5d94cdf44a68c51ddd67
Opcode Fuzzy Hash: c968bd6b98b1961bbf7c3d2205aca95408bd3617c7f47995e0487a244f94990f
Instruction Fuzzy Hash: E73198B4900709EBCB07EF26FA485697B7DFB89321F6181C6C485936F5DB3409A1CB45

Function 0035AA20 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 0035AB0F

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 6d79b086ff72d97e88e3d4ea3d9015c8c68ace255e72d8f97cd3e8196c51268f
Instruction ID: a8da01de89c548954d520e31fc21c882017a6e0ea50fa171458263186d773d74
Opcode Fuzzy Hash: 6d79b086ff72d97e88e3d4ea3d9015c8c68ace255e72d8f97cd3e8196c51268f
Instruction Fuzzy Hash: 2F2162B8909706D7CB17AF60FA885983BBCFF44721F2189C5C881663A8E7314A55EF85

Non-executed Functions

Function 0034A780 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 294filesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 0034A899
FindFirstFileA.KERNEL32(?,?), ref: 0034A9FF
DeleteFileA.KERNEL32(?), ref: 0034AB11
FindNextFileA.KERNEL32(00000000,?), ref: 0034AB31
FindClose.KERNEL32(00000000), ref: 0034AB4A

Strings

m}:m, xrefs: 0034A9D0

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleep
String ID: m}:m
API String ID: 1528862845-2727069789
Opcode ID: 1ddb0891b031d77d85ce5e533ff9edb60374c4de621aa128fd833ac692da1ae4
Instruction ID: 9cc2271d9704a23e2b1f3f40e6984775a8d25d990853ceb09d06bffc3d81ef88
Opcode Fuzzy Hash: 1ddb0891b031d77d85ce5e533ff9edb60374c4de621aa128fd833ac692da1ae4
Instruction Fuzzy Hash: 4DC1DE74900B09DBCB07AF60FD585A97BBDFB89320F2181C5D885972E4EF315AA5CB41

Function 0035CCA0 Relevance: 12.5, APIs: 8, Instructions: 454registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(01510D60,00379EE0), ref: 0035CE80
SetServiceStatus.ADVAPI32(00000000,0038D8CC), ref: 0035CF35
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0035CF66
SetServiceStatus.ADVAPI32(00000000,0038D8CC), ref: 0035D018
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 0035D122
SetServiceStatus.ADVAPI32(00000000,0038D8CC), ref: 0035D1FD
CloseHandle.KERNEL32(00000000), ref: 0035D254
SetServiceStatus.ADVAPI32(00000000,0038D8CC), ref: 0035D30E

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID:
API String ID: 3399922960-0
Opcode ID: 56a653bb02ef128b01cbe72e06a765d76e79773632390eb6e11b095d3c3178ad
Instruction ID: f8459959e4a9f2a8ef94810d173d098f311215a582e9f58636faf12825915aa7
Opcode Fuzzy Hash: 56a653bb02ef128b01cbe72e06a765d76e79773632390eb6e11b095d3c3178ad
Instruction Fuzzy Hash: 3C226CB4905708EBC746EF61FE885987BBDFB88321F2184DAC881932F4DB314A55EB40

Function 00357230 Relevance: 11.0, APIs: 7, Instructions: 456fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,000000FF), ref: 0035736B
ReadFile.KERNEL32(00000000,000000FF,?,?,00000000,?,?,?,?,000000FF), ref: 003573D9
CloseHandle.KERNEL32(00000000,?,?,?,?,000000FF), ref: 003573F2
GetTickCount.KERNEL32 ref: 003574B7
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0035771A
WriteFile.KERNEL32(00000000,000000FF,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 003577BA
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00357845

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID:
API String ID: 3478262135-0
Opcode ID: 3106b8f7598e0ceb750bc0a61dcf407ee41d5e96f8f987d97fc5f670412b2a14
Instruction ID: 87b3bbe759bd3c2c09e6f16c444bf876b69bc6b7f628c5983d2e46af2e631c9f
Opcode Fuzzy Hash: 3106b8f7598e0ceb750bc0a61dcf407ee41d5e96f8f987d97fc5f670412b2a14
Instruction Fuzzy Hash: 3C1211B4904704DBC7079F65FC89AA97BBDFB89721F2180DAD881932F4EB3484A5CB51

Function 00362E80 Relevance: 10.9, APIs: 7, Instructions: 391processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000000,00000001), ref: 00362FE6
Process32First.KERNEL32(00000000,?), ref: 00363056

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32
String ID:
API String ID: 2353314856-0
Opcode ID: df1590b0d10355c14b6c69e4ca1ce3a018e17d503dd9af06c185668d6c715c15
Instruction ID: d8c929f19df54946491fb0268215c3b0b71e1ed1382fec648e05d8779ebd959e
Opcode Fuzzy Hash: df1590b0d10355c14b6c69e4ca1ce3a018e17d503dd9af06c185668d6c715c15
Instruction Fuzzy Hash: 1202B2B4905705EBCB079F61FE496A97BBDFB95320F2184DAC481A32F4EB354A64CB40

Function 00367790 Relevance: 9.3, APIs: 6, Instructions: 267filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00367872
GetFileTime.KERNEL32(00000000,?,?,?), ref: 003678DD
CloseHandle.KERNEL32(00000000), ref: 0036796E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00367A84
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00367ADF
CloseHandle.KERNEL32(00000000), ref: 00367AFD

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3236713533-0
Opcode ID: d3b7c4c099b3f256f5c9cdfaa746064c334efc7ed8f53d9c212a96fdcebadcde
Instruction ID: f66799ee506cc07b3486aac8dbf4e0cfe915cb9bb3ab8dc66d26b83b3f076432
Opcode Fuzzy Hash: d3b7c4c099b3f256f5c9cdfaa746064c334efc7ed8f53d9c212a96fdcebadcde
Instruction Fuzzy Hash: 6FB1B2B5901709DFCB02AF65FD486A97BBCFB88321F2185DAD485632F4EB304965CB40

Function 00352FF0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 284processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00353115
Process32First.KERNEL32(00000000,00000128), ref: 00353245
Process32Next.KERNEL32(00000000,00000128), ref: 0035338B

Strings

Tr^Z, xrefs: 003534BD

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32
String ID: Tr^Z
API String ID: 1238713047-2648191975
Opcode ID: 544fba8a24ff388486a8e041bfe51b3122e06a9105d05dba28168f0cbc2eaeee
Instruction ID: dc003dd6a09988cdcbb1305bf551e1b67dde719936223eb6c225dca587e4959b
Opcode Fuzzy Hash: 544fba8a24ff388486a8e041bfe51b3122e06a9105d05dba28168f0cbc2eaeee
Instruction Fuzzy Hash: E9C1B1B0905B09DBDB039F21FD89AA47B7CFB84361F2285C5D881562F4EB3146A8DB46

Function 00363078 Relevance: 7.8, APIs: 5, Instructions: 262COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000001,00000000,?), ref: 003631F8

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: OpenProcess
String ID:
API String ID: 3743895883-0
Opcode ID: 1d0ba35bc90ed3f2088f37ade679d4bdd7a692aeaabcec59d0bcabbfa37e4152
Instruction ID: b6de0a5a85e125df7d66737aedb114267089c7b9f35cf681663a9ce844c3edbc
Opcode Fuzzy Hash: 1d0ba35bc90ed3f2088f37ade679d4bdd7a692aeaabcec59d0bcabbfa37e4152
Instruction Fuzzy Hash: 17B1A074805709DBCB07AF51FE496A97BBDFB86314F2184DAC881A32F4EB354A64DB40

Function 00377990 Relevance: 7.6, APIs: 5, Instructions: 109synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 00377A41
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00377A6A
CloseHandle.KERNEL32(00000000), ref: 00377AB5
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00377B09
CloseHandle.KERNEL32(?,?,000000FF), ref: 00377B24

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: fe860f6205934fadd450c7155229a8b3b4d72ce2e9e7b586c512014e19e07239
Instruction ID: c6adcb6f517f55355b21ae970ce0e227e5dc280814d40e068b93d1f2cfba735a
Opcode Fuzzy Hash: fe860f6205934fadd450c7155229a8b3b4d72ce2e9e7b586c512014e19e07239
Instruction Fuzzy Hash: EF417BB4200B18DBD7469F21FC89A647BBCFB88721F11C4C9E895463F4DB7594A4DB01

Function 00373BD9 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 249sleepthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_000355D0,00000000,00000000,00000000), ref: 00373F6E
Sleep.KERNEL32(0000C350), ref: 00373FF5

Strings

C:\oblimpyrbviueg\hrzceasx.exe, xrefs: 00373E69
DH|(, xrefs: 00373E05

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: CreateSleepThread
String ID: C:\oblimpyrbviueg\hrzceasx.exe$DH|(
API String ID: 4202482776-298854076
Opcode ID: 40b95a52c08ac691713ac6d32d696340a763ef7d1b38fb4b789b11691b5c686f
Instruction ID: 7e1b57f572c63554046294bbbdb06e636940c20f61fc02b87c6fcc5c5bacb490
Opcode Fuzzy Hash: 40b95a52c08ac691713ac6d32d696340a763ef7d1b38fb4b789b11691b5c686f
Instruction Fuzzy Hash: 81B1BD74900B08EBDB03AF64FD49AA97BBCFB89320F1184C6E585572F4EB344A55EB41

Function 00363E30 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,?,00000001,00007AB9,?,00379D96), ref: 00363E4E
GetStdHandle.KERNEL32(000000F5,00000000,?,00000001,00007AB9,?,00379D96), ref: 00363EBA
GetStdHandle.KERNEL32(000000F4,00000000,?,00000001,00007AB9,?,00379D96), ref: 00363F3A

Strings

8N6x, xrefs: 00363F59

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: Handle
String ID: 8N6x
API String ID: 2519475695-3105736675
Opcode ID: 6c02f08d05975e20965ca861e968a8eabb491480b285e17b9ae3268c1981a543
Instruction ID: a2c51592e2f4e2bf4eedd6914a9945b735dd6daa435c25c2c1616d9eecbe03e7
Opcode Fuzzy Hash: 6c02f08d05975e20965ca861e968a8eabb491480b285e17b9ae3268c1981a543
Instruction Fuzzy Hash: 873142B9900308DBC707AF26FD849597BADFB88320F6281DAD854972F4DB314920CF96

Function 00353276 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32(00000000,00000128), ref: 0035338B
CloseHandle.KERNEL32(00000000), ref: 00353421

Strings

Tr^Z, xrefs: 003534BD

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: CloseHandleNextProcess32
String ID: Tr^Z
API String ID: 4007157957-2648191975
Opcode ID: 6a80f7e380437e4833a142377fcc0b6bba49c2400fd3b86a59032e296d483ee8
Instruction ID: dd4b460fc13fe31bec71201fab8a0b553d9e6dbd5938a21a7d07d865c6bd65b0
Opcode Fuzzy Hash: 6a80f7e380437e4833a142377fcc0b6bba49c2400fd3b86a59032e296d483ee8
Instruction Fuzzy Hash: 3F51CEB4504B09C7DB139F21FD9AAA53B7CFB85361F2644C5C8815A1F0DB3686A9CB06

Function 003532B5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32(00000000,00000128), ref: 0035338B
CloseHandle.KERNEL32(00000000), ref: 00353421

Strings

Tr^Z, xrefs: 003534BD

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: CloseHandleNextProcess32
String ID: Tr^Z
API String ID: 4007157957-2648191975
Opcode ID: 82b56f48159dec2366dfe6bbd945290123a9f43bc0f8339488ddfaa87850eed7
Instruction ID: 9ff996f84da1dab6f2b4c3a21f5ce69b9dacd4c7167474be4280addc7d5a786e
Opcode Fuzzy Hash: 82b56f48159dec2366dfe6bbd945290123a9f43bc0f8339488ddfaa87850eed7
Instruction Fuzzy Hash: 6541CFB4604709CBDB135F20FD9AAA43B7CFB85361F2644D5C885971F0DB368669CB06

Function 0037B5A0 Relevance: 5.0, APIs: 4, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?), ref: 0037B5FB
HeapReAlloc.KERNEL32(00000000), ref: 0037B602
GetProcessHeap.KERNEL32(00000000,?), ref: 0037B632
HeapAlloc.KERNEL32(00000000), ref: 0037B639

Memory Dump Source

Source File: 00000002.00000002.2371828287.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000002.00000002.2371813480.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371856717.0000000000382000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371873054.000000000038D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.2371886403.000000000038F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_340000_uzqv383gxrrqx7oiosyki.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: e759ee24f321a2c8a6e19da8d56da495ff38b511d03bbc759846ff8d7cc51c9a
Instruction ID: 9f0135b0cc60011ff06b98a9c268af13d336a9ef44e6173ea764905967c48e32
Opcode Fuzzy Hash: e759ee24f321a2c8a6e19da8d56da495ff38b511d03bbc759846ff8d7cc51c9a
Instruction Fuzzy Hash: A0017CB5600709DBDB02AFA5FC4996A7B7CFB99321F0082C5EC49876A4DB319490C761

Analysis Process: usncdvbjyrwr.exePID: 6988, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	33.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1186
Total number of Limit Nodes:	24

Executed Functions

Function 00DCE0B9 Relevance: 187.6, APIs: 79, Strings: 26, Instructions: 3825
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76E00000,?), ref: 00DCE0ED
GetProcAddress.KERNEL32(76E00000,?), ref: 00DCE1A4
GetProcAddress.KERNEL32(76E00000,?), ref: 00DCE290
GetProcAddress.KERNEL32(76E00000,?), ref: 00DCE32F
GetProcAddress.KERNEL32(76E00000,?), ref: 00DCE394
GetProcAddress.KERNEL32(76E00000,?), ref: 00DCE43A
GetProcAddress.KERNEL32(76E00000,?), ref: 00DCE501
GetProcAddress.KERNEL32(76E00000,?), ref: 00DCE5DD

Strings

hQ", xrefs: 00DD1325
h6, xrefs: 00DD1841
hk#, xrefs: 00DCF7E0
C:\Windows\system32\config\systemprofile, xrefs: 00DD15B6
hP, xrefs: 00DD088B
h), xrefs: 00DCE929
h[*, xrefs: 00DD0EA3
(S, xrefs: 00DD1583
hi*, xrefs: 00DD0B40
jhb$, xrefs: 00DCEA44
jhz*, xrefs: 00DCFCBA
h\7, xrefs: 00DCFA94
hO+, xrefs: 00DCE7D5
hC", xrefs: 00DCF2E2
hd", xrefs: 00DCE1BF
PP8], xrefs: 00DCF7F1
h{), xrefs: 00DCF008
h:, xrefs: 00DCFF33
h, xrefs: 00DCFC0B
h-), xrefs: 00DD147A
hi+, xrefs: 00DCE3C0
h0, xrefs: 00DD11E9
h{7, xrefs: 00DD1281
h&(, xrefs: 00DD06B1
h, xrefs: 00DD01BA
h-<, xrefs: 00DD1A01

Memory Dump Source

Source File: 00000003.00000002.3139116083.0000000000DA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.3139097848.0000000000DA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3139153484.0000000000DE2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3139176994.0000000000DED000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3139196539.0000000000DEF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_usncdvbjyrwr.jbxd

Similarity

API ID: AddressProc
String ID: C:\Windows\system32\config\systemprofile$PP8]$h$h&($h-)$h-<$h0$h:$hC"$hO+$hP$hQ"$h[*$h\7$hd"$hi*$hi+$hk#$h{)$h{7$h$h)$h6$jhz*$jhb$$(S
API String ID: 190572456-2869994214
Opcode ID: 67cc2ffb4721c2966b8091dc08df2ec809b1d9406cae9580ad98ddee2f317ce7
Instruction ID: 86bd4c14d990329b83c3983fc469eedb2570bdc14952fd6f79675633f053f832
Opcode Fuzzy Hash: 67cc2ffb4721c2966b8091dc08df2ec809b1d9406cae9580ad98ddee2f317ce7
Instruction Fuzzy Hash: 588366B4900789EBD700BFA4FDC56A97BB2FB88310B218059D980DE3A4DF355A60DB75

Function 00DDF820 Relevance: 25.9, APIs: 11, Strings: 3, Instructions: 1429
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 00DE0491
setsockopt.WS2_32(00000000,0000FFFF,00001006,00000000,00000004), ref: 00DE05C5
gethostbyname.WS2_32(?), ref: 00DE0669
inet_ntoa.WS2_32(00000002), ref: 00DE06D6
inet_addr.WS2_32(00000000), ref: 00DE06DD
htons.WS2_32(00000050), ref: 00DE071A

Strings

`z{, xrefs: 00DE0A91
/, xrefs: 00DDFA5E
PP8], xrefs: 00DDFE5F

Memory Dump Source

Source File: 00000003.00000002.3139116083.0000000000DA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.3139097848.0000000000DA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3139153484.0000000000DE2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3139176994.0000000000DED000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3139196539.0000000000DEF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_usncdvbjyrwr.jbxd

Similarity

API ID: gethostbynamehtonsinet_addrinet_ntoasetsockoptsocket
String ID: /$PP8]$`z{
API String ID: 2269612703-3784485062
Opcode ID: dc7982f31318f73cd40081ac12390366817c7cb34d642c0206044ca57c201efe
Instruction ID: 0b70ef83dbb0162aae6309e9000183c10dcaebd039a50c03408de3b958e30df4
Opcode Fuzzy Hash: dc7982f31318f73cd40081ac12390366817c7cb34d642c0206044ca57c201efe
Instruction Fuzzy Hash: 22D2AA74901789DBC704BF60FDD92A87BB2FB98310B21805AD885EE3A4EF314965CB75

Function 00DBCCA0 Relevance: 12.5, APIs: 8, Instructions: 454
registrysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(0118E648,00DD9EE0), ref: 00DBCE80
SetServiceStatus.SECHOST(0119AFB0,00DED8CC), ref: 00DBCF35
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00DBCF66
SetServiceStatus.ADVAPI32(0119AFB0,00DED8CC), ref: 00DBD018
WaitForSingleObject.KERNEL32(00000230,00001388), ref: 00DBD122
SetServiceStatus.ADVAPI32(0119AFB0,00DED8CC), ref: 00DBD1FD
CloseHandle.KERNEL32(00000230), ref: 00DBD254
SetServiceStatus.ADVAPI32(0119AFB0,00DED8CC), ref: 00DBD30E

Memory Dump Source

Source File: 00000003.00000002.3139116083.0000000000DA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.3139097848.0000000000DA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3139153484.0000000000DE2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3139176994.0000000000DED000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3139196539.0000000000DEF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_usncdvbjyrwr.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID:
API String ID: 3399922960-0
Opcode ID: e804ae401b954bddd356f96cea34238f2e2b928f1b3caa9e9ce2725dcbc3f0b4
Instruction ID: c3e98f9c76440bf5decedc4c5acb5c9e4195bae51c969b19dab5d726b73e58fb
Opcode Fuzzy Hash: e804ae401b954bddd356f96cea34238f2e2b928f1b3caa9e9ce2725dcbc3f0b4
Instruction Fuzzy Hash: CA2204B4905789EFC704FF61EAC45A87BB2FB98310B21805AC881DE3A4EF315A51DB74

Function 00DD6C40 Relevance: 3.4, APIs: 2, Instructions: 444libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(76F40000,00000000), ref: 00DD6F67
GetProcAddress.KERNEL32(76F40000,00000000), ref: 00DD7019

Memory Dump Source

Source File: 00000003.00000002.3139116083.0000000000DA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.3139097848.0000000000DA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3139153484.0000000000DE2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3139176994.0000000000DED000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3139196539.0000000000DEF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_usncdvbjyrwr.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 8a1dfdb005f101a3793ccd46f9183fffb20564bcb4faeb596313bc3e224dfe7c
Instruction ID: 3531ce282568d617e37d13dc4442774f7a2f0215f1b1b4a8191b77168c6a98a7
Opcode Fuzzy Hash: 8a1dfdb005f101a3793ccd46f9183fffb20564bcb4faeb596313bc3e224dfe7c
Instruction Fuzzy Hash: B8126874900B85EBC700BF60FDC82A87B72FB99710B15819AD884DE3A4EF3545A5CB79

Function 00DAAC20 Relevance: 3.1, APIs: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00DB32EC,00000000,00DB32EC,?), ref: 00DAACA0
CharLowerBuffA.USER32(00DB32EC,00000000), ref: 00DAACA8

Memory Dump Source

Source File: 00000003.00000002.3139116083.0000000000DA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000003.00000002.3139097848.0000000000DA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3139153484.0000000000DE2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3139176994.0000000000DED000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3139196539.0000000000DEF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_da0000_usncdvbjyrwr.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID:
API String ID: 794975171-0
Opcode ID: 9e723e59d3e95b9e284758d9e78af4ce3453e1dcaf8a09d3b965a37e5c8992c4
Instruction ID: 5725ad6be0d05bec4b666a0a8050b80d3a05bb7793f8af531daceda58ce261e6
Opcode Fuzzy Hash: 9e723e59d3e95b9e284758d9e78af4ce3453e1dcaf8a09d3b965a37e5c8992c4
Instruction Fuzzy Hash: 2D114979904B85DBC304BF28FDC80A93B76FB887643554249E885CA368EF305960CBB9

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8CO4P3HwDt.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\oblimpyrbviueg\vqipymk4ju

C:\oblimpyrbviueg\hrzceasx.exe

C:\oblimpyrbviueg\usncdvbjyrwr.exe

C:\oblimpyrbviueg\uzqv383gxrrqx7oiosyki.exe

C:\oblimpyrbviueg\vqipymk4ju

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
8CO4P3HwDt.exe

Function 008BA780 Relevance: 7.8, APIs: 5, Instructions: 294
filesleepCOMMON

Function 008E7710 Relevance: 4.7, APIs: 3, Instructions: 152
memoryCOMMON

Function 008E5570 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Function 008DE0B9 Relevance: 185.8, APIs: 79, Strings: 25, Instructions: 3825
libraryloaderCOMMON

Function 008DE6F6 Relevance: 168.0, APIs: 71, Strings: 23, Instructions: 3471
libraryloaderCOMMON

Function 008E0F4E Relevance: 41.3, APIs: 15, Strings: 8, Instructions: 1085
libraryloadersynchronizationCOMMON

Function 008C2525 Relevance: 14.6, APIs: 5, Strings: 3, Instructions: 638
COMMON

Function 008C7230 Relevance: 11.0, APIs: 7, Instructions: 456
fileCOMMON

Function 008D6700 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 429
fileCOMMON

Function 008C3A80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 149
processCOMMON

Function 008BAC20 Relevance: 3.1, APIs: 2, Instructions: 53
stringCOMMON

Function 008D4770 Relevance: 3.0, APIs: 2, Instructions: 35
memoryCOMMON

Function 008E9D80 Relevance: 1.6, APIs: 1, Instructions: 77
COMMON

Function 008CAA20 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre