Edit tour

Windows Analysis Report
8CO4P3HwDt.exe

Overview

General Information

Sample name:	8CO4P3HwDt.exe renamed because original name is a hash value
Original sample name:	a45535760b1cab75d55825736dcdec6e9cc7d3521247731af0e4010b3c9b005b.exe
Analysis ID:	1551213
MD5:	c3c8df0d6043078abdf157a68d37eb96
SHA1:	4ef0b88e12b3770fbaa6e5683b15b51c130f38ad
SHA256:	a45535760b1cab75d55825736dcdec6e9cc7d3521247731af0e4010b3c9b005b
Tags:	exeuser-adrian__luca
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to resolve many domain names, but no domain seems valid

Connects to many different domains

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Executes massive DNS lookups (> 100)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

8CO4P3HwDt.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\8CO4P3HwDt.exe" MD5: C3C8DF0D6043078ABDF157A68D37EB96)

uzqv2crbnrrqx7oiosyki.exe (PID: 7468 cmdline: "C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe" MD5: C3C8DF0D6043078ABDF157A68D37EB96)

usncdvbjyrwr.exe (PID: 7568 cmdline: "C:\oblimpyrbviueg\usncdvbjyrwr.exe" MD5: C3C8DF0D6043078ABDF157A68D37EB96)

usncdvbjyrwr.exe (PID: 7484 cmdline: C:\oblimpyrbviueg\usncdvbjyrwr.exe MD5: C3C8DF0D6043078ABDF157A68D37EB96)

hrzceasx.exe (PID: 7544 cmdline: uwauanknl3ss "c:\oblimpyrbviueg\usncdvbjyrwr.exe" MD5: C3C8DF0D6043078ABDF157A68D37EB96)

usncdvbjyrwr.exe (PID: 8076 cmdline: "c:\oblimpyrbviueg\usncdvbjyrwr.exe" MD5: C3C8DF0D6043078ABDF157A68D37EB96)

hrzceasx.exe (PID: 8096 cmdline: uwauanknl3ss "c:\oblimpyrbviueg\usncdvbjyrwr.exe" MD5: C3C8DF0D6043078ABDF157A68D37EB96)

usncdvbjyrwr.exe (PID: 1864 cmdline: "c:\oblimpyrbviueg\usncdvbjyrwr.exe" MD5: C3C8DF0D6043078ABDF157A68D37EB96)

cleanup

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:57:44.173974+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.9	55230	TCP
2024-11-07T15:58:22.267999+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.9	55406	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:57:34.089037+0100	2018141	1	A Network Trojan was detected	18.143.155.63	80	192.168.2.9	49763	TCP
2024-11-07T15:57:37.035091+0100	2018141	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.9	55203	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:57:34.089037+0100	2037771	1	A Network Trojan was detected	18.143.155.63	80	192.168.2.9	49763	TCP
2024-11-07T15:57:37.035091+0100	2037771	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.9	55203	TCP

ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:57:34.540257+0100	2018316	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.9	50727	UDP

ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:57:34.452629+0100	2811542	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.9	62561	UDP
2024-11-07T15:58:57.037748+0100	2811542	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.9	62249	UDP

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:57:33.711828+0100	2815568	1	A Network Trojan was detected	192.168.2.9	49763	18.143.155.63	80	TCP
2024-11-07T15:58:56.883402+0100	2815568	1	A Network Trojan was detected	192.168.2.9	55409	54.244.188.177	80	TCP

ETPRO MALWARE W32/Bayrob Attempted Checkin 2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:57:33.711828+0100	2820680	1	Malware Command and Control Activity Detected	192.168.2.9	49763	18.143.155.63	80	TCP
2024-11-07T15:58:56.883402+0100	2820680	1	Malware Command and Control Activity Detected	192.168.2.9	55409	54.244.188.177	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 8CO4P3HwDt.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Avira: detection malicious, Label: TR/Nivdort.Gen2
Source: C:\oblimpyrbviueg\hrzceasx.exe	Avira: detection malicious, Label: TR/Nivdort.Gen2
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	Avira: detection malicious, Label: TR/Nivdort.Gen2

Multi AV Scanner detection for dropped file

Source: C:\oblimpyrbviueg\hrzceasx.exe	ReversingLabs: Detection: 89%
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	ReversingLabs: Detection: 89%
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	ReversingLabs: Detection: 89%

Multi AV Scanner detection for submitted file

Source: 8CO4P3HwDt.exe

ReversingLabs: Detection: 89%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Joe Sandbox ML: detected
Source: C:\oblimpyrbviueg\hrzceasx.exe	Joe Sandbox ML: detected
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 8CO4P3HwDt.exe

Joe Sandbox ML: detected

Source: 8CO4P3HwDt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8CO4P3HwDt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Code function: 0_2_00C2A780 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00C2A780
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	Code function: 2_2_00CDA780 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_00CDA780
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Code function: 3_2_004AA780 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_004AA780
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 4_2_00DBA780 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_00DBA780
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 10_2_00D6A780 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	10_2_00D6A780

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2820680 - Severity 1 - ETPRO MALWARE W32/Bayrob Attempted Checkin 2 : 192.168.2.9:49763 -> 18.143.155.63:80
Source: Network traffic	Suricata IDS: 2820680 - Severity 1 - ETPRO MALWARE W32/Bayrob Attempted Checkin 2 : 192.168.2.9:55409 -> 54.244.188.177:80

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: heavydivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreemanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavendivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requirebusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returndivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heaveninside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glasspeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerdaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavybusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarymanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leadermanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarybusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardpeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlestream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavystream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returninstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requirebright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requiremanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreebright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlenothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answeranother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlemanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousnothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlebusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heaveninstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answermanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreebrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlebottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavymanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnnothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavynothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreebusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarybright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ordermanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderdivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerpeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavybottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leadernothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavybright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousdivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlebright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreepeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returninside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavennothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwarddaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnstream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassdaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentledivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderanother.net replaycode: Name error (3)

Source: unknown

Network traffic detected: DNS query count 170

Source: global traffic

DNS traffic detected: number of DNS queries: 170

Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: gentleanother.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: glassbright.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantinstead.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: degreedaughter.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: gentleanother.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: glassbright.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantinstead.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: degreedaughter.net

Source: Joe Sandbox View	IP Address: 18.143.155.63 18.143.155.63
Source: Joe Sandbox View	IP Address: 85.214.228.140 85.214.228.140

Source: Network traffic	Suricata IDS: 2815568 - Severity 1 - ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort : 192.168.2.9:49763 -> 18.143.155.63:80
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.143.155.63:80 -> 192.168.2.9:49763
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.143.155.63:80 -> 192.168.2.9:49763
Source: Network traffic	Suricata IDS: 2811542 - Severity 1 - ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) : 1.1.1.1:53 -> 192.168.2.9:62561
Source: Network traffic	Suricata IDS: 2018316 - Severity 1 - ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses : 1.1.1.1:53 -> 192.168.2.9:50727
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.9:55203
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.9:55203
Source: Network traffic	Suricata IDS: 2811542 - Severity 1 - ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) : 1.1.1.1:53 -> 192.168.2.9:62249
Source: Network traffic	Suricata IDS: 2815568 - Severity 1 - ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort : 192.168.2.9:55409 -> 54.244.188.177:80
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.9:55230
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.9:55406

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

Code function: 0_2_00C5F820 socket,setsockopt,gethostbyname,inet_ntoa,inet_addr,htons,connect,send,recv,recv,closesocket,

0_2_00C5F820

Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: gentleanother.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: glassbright.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantinstead.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: degreedaughter.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: gentleanother.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: glassbright.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantinstead.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: degreedaughter.net

Source: global traffic	DNS traffic detected: DNS query: leadernothing.net
Source: global traffic	DNS traffic detected: DNS query: heavennothing.net
Source: global traffic	DNS traffic detected: DNS query: leaderbottle.net
Source: global traffic	DNS traffic detected: DNS query: heavenbottle.net
Source: global traffic	DNS traffic detected: DNS query: leaderdivide.net
Source: global traffic	DNS traffic detected: DNS query: heavendivide.net
Source: global traffic	DNS traffic detected: DNS query: heavystream.net
Source: global traffic	DNS traffic detected: DNS query: gentlestream.net
Source: global traffic	DNS traffic detected: DNS query: heavynothing.net
Source: global traffic	DNS traffic detected: DNS query: gentlenothing.net
Source: global traffic	DNS traffic detected: DNS query: heavybottle.net
Source: global traffic	DNS traffic detected: DNS query: gentlebottle.net
Source: global traffic	DNS traffic detected: DNS query: heavydivide.net
Source: global traffic	DNS traffic detected: DNS query: gentledivide.net
Source: global traffic	DNS traffic detected: DNS query: variousstream.net
Source: global traffic	DNS traffic detected: DNS query: returnstream.net
Source: global traffic	DNS traffic detected: DNS query: variousnothing.net
Source: global traffic	DNS traffic detected: DNS query: returnnothing.net
Source: global traffic	DNS traffic detected: DNS query: variousbottle.net
Source: global traffic	DNS traffic detected: DNS query: returnbottle.net
Source: global traffic	DNS traffic detected: DNS query: variousdivide.net
Source: global traffic	DNS traffic detected: DNS query: returndivide.net
Source: global traffic	DNS traffic detected: DNS query: degreemanner.net
Source: global traffic	DNS traffic detected: DNS query: forwardmanner.net
Source: global traffic	DNS traffic detected: DNS query: degreeanother.net
Source: global traffic	DNS traffic detected: DNS query: forwardanother.net
Source: global traffic	DNS traffic detected: DNS query: degreebusiness.net
Source: global traffic	DNS traffic detected: DNS query: forwardbusiness.net
Source: global traffic	DNS traffic detected: DNS query: degreeappear.net
Source: global traffic	DNS traffic detected: DNS query: forwardappear.net
Source: global traffic	DNS traffic detected: DNS query: answermanner.net
Source: global traffic	DNS traffic detected: DNS query: glassmanner.net
Source: global traffic	DNS traffic detected: DNS query: answeranother.net
Source: global traffic	DNS traffic detected: DNS query: glassanother.net
Source: global traffic	DNS traffic detected: DNS query: answerbusiness.net
Source: global traffic	DNS traffic detected: DNS query: glassbusiness.net
Source: global traffic	DNS traffic detected: DNS query: answerappear.net
Source: global traffic	DNS traffic detected: DNS query: glassappear.net
Source: global traffic	DNS traffic detected: DNS query: difficultmanner.net
Source: global traffic	DNS traffic detected: DNS query: heardmanner.net
Source: global traffic	DNS traffic detected: DNS query: difficultanother.net
Source: global traffic	DNS traffic detected: DNS query: heardanother.net
Source: global traffic	DNS traffic detected: DNS query: difficultbusiness.net
Source: global traffic	DNS traffic detected: DNS query: heardbusiness.net
Source: global traffic	DNS traffic detected: DNS query: difficultappear.net
Source: global traffic	DNS traffic detected: DNS query: heardappear.net
Source: global traffic	DNS traffic detected: DNS query: pleasantmanner.net
Source: global traffic	DNS traffic detected: DNS query: necessarymanner.net
Source: global traffic	DNS traffic detected: DNS query: pleasantanother.net
Source: global traffic	DNS traffic detected: DNS query: necessaryanother.net
Source: global traffic	DNS traffic detected: DNS query: pleasantbusiness.net
Source: global traffic	DNS traffic detected: DNS query: necessarybusiness.net
Source: global traffic	DNS traffic detected: DNS query: pleasantappear.net
Source: global traffic	DNS traffic detected: DNS query: necessaryappear.net
Source: global traffic	DNS traffic detected: DNS query: ordermanner.net
Source: global traffic	DNS traffic detected: DNS query: requiremanner.net
Source: global traffic	DNS traffic detected: DNS query: orderanother.net
Source: global traffic	DNS traffic detected: DNS query: requireanother.net
Source: global traffic	DNS traffic detected: DNS query: orderbusiness.net
Source: global traffic	DNS traffic detected: DNS query: requirebusiness.net
Source: global traffic	DNS traffic detected: DNS query: orderappear.net
Source: global traffic	DNS traffic detected: DNS query: requireappear.net
Source: global traffic	DNS traffic detected: DNS query: leadermanner.net
Source: global traffic	DNS traffic detected: DNS query: heavenmanner.net
Source: global traffic	DNS traffic detected: DNS query: leaderanother.net
Source: global traffic	DNS traffic detected: DNS query: heavenanother.net
Source: global traffic	DNS traffic detected: DNS query: leaderbusiness.net
Source: global traffic	DNS traffic detected: DNS query: heavenbusiness.net
Source: global traffic	DNS traffic detected: DNS query: leaderappear.net
Source: global traffic	DNS traffic detected: DNS query: heavenappear.net
Source: global traffic	DNS traffic detected: DNS query: heavymanner.net
Source: global traffic	DNS traffic detected: DNS query: gentlemanner.net
Source: global traffic	DNS traffic detected: DNS query: heavyanother.net
Source: global traffic	DNS traffic detected: DNS query: gentleanother.net
Source: global traffic	DNS traffic detected: DNS query: heavybusiness.net
Source: global traffic	DNS traffic detected: DNS query: gentlebusiness.net
Source: global traffic	DNS traffic detected: DNS query: heavyappear.net
Source: global traffic	DNS traffic detected: DNS query: gentleappear.net
Source: global traffic	DNS traffic detected: DNS query: variousmanner.net
Source: global traffic	DNS traffic detected: DNS query: returnmanner.net
Source: global traffic	DNS traffic detected: DNS query: variousanother.net
Source: global traffic	DNS traffic detected: DNS query: returnanother.net
Source: global traffic	DNS traffic detected: DNS query: variousbusiness.net
Source: global traffic	DNS traffic detected: DNS query: returnbusiness.net
Source: global traffic	DNS traffic detected: DNS query: variousappear.net
Source: global traffic	DNS traffic detected: DNS query: returnappear.net
Source: global traffic	DNS traffic detected: DNS query: degreeinstead.net
Source: global traffic	DNS traffic detected: DNS query: forwardinstead.net
Source: global traffic	DNS traffic detected: DNS query: degreeexplain.net
Source: global traffic	DNS traffic detected: DNS query: forwardexplain.net
Source: global traffic	DNS traffic detected: DNS query: degreebright.net
Source: global traffic	DNS traffic detected: DNS query: forwardbright.net
Source: global traffic	DNS traffic detected: DNS query: degreeinside.net
Source: global traffic	DNS traffic detected: DNS query: forwardinside.net
Source: global traffic	DNS traffic detected: DNS query: answerinstead.net
Source: global traffic	DNS traffic detected: DNS query: glassinstead.net
Source: global traffic	DNS traffic detected: DNS query: answerexplain.net
Source: global traffic	DNS traffic detected: DNS query: glassexplain.net
Source: global traffic	DNS traffic detected: DNS query: answerbright.net
Source: global traffic	DNS traffic detected: DNS query: glassbright.net

Source: usncdvbjyrwr.exe, 00000003.00000002.2158288617.0000000000ED2000.00000004.00000020.00020000.00000000.sdmp, usncdvbjyrwr.exe, 00000009.00000002.3192620815.0000000000F67000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: https://www.google.com

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	File created: C:\Windows\oblimpyrbviueg\	Jump to behavior
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	File created: C:\Windows\oblimpyrbviueg\vqipymk4ju	Jump to behavior
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	File created: C:\Windows\oblimpyrbviueg\vqipymk4ju	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	File created: C:\Windows\oblimpyrbviueg\vqipymk4ju	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe	File created: C:\Windows\oblimpyrbviueg\vqipymk4ju	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	File created: C:\Windows\oblimpyrbviueg\vqipymk4ju	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	File created: C:\Windows\oblimpyrbviueg\vqipymk4ju	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe	File created: C:\Windows\oblimpyrbviueg\vqipymk4ju	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	File created: C:\Windows\oblimpyrbviueg\vqipymk4ju	Jump to behavior

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

File deleted: C:\Windows\oblimpyrbviueg\vqipymk4ju

Jump to behavior

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Code function: 0_2_00C3ACF0	0_2_00C3ACF0
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	Code function: 2_2_00CF10DA	2_2_00CF10DA
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	Code function: 2_2_00CEACF0	2_2_00CEACF0
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Code function: 3_2_004BACF0	3_2_004BACF0
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 4_2_00DD10DA	4_2_00DD10DA
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 4_2_00DCACF0	4_2_00DCACF0
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 10_2_00D810DA	10_2_00D810DA
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 10_2_00D7ACF0	10_2_00D7ACF0

Source: 8CO4P3HwDt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal96.troj.winEXE@14/5@334/4

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	0_2_00C22250
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	2_2_00CD2250
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	3_2_004A2250
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	4_2_00DB2250
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	10_2_00D62250

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

Code function: 0_2_00C44C00 CreateToolhelp32Snapshot,Process32First,CreateToolhelp32Snapshot,Module32First,CloseHandle,Process32Next,CloseHandle,

0_2_00C44C00

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

Code function: 0_2_00C2AD00 StartServiceCtrlDispatcherA,

0_2_00C2AD00

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Code function: 0_2_00C2AD00 StartServiceCtrlDispatcherA,	0_2_00C2AD00
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	Code function: 2_2_00CDAD00 StartServiceCtrlDispatcherA,	2_2_00CDAD00
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Code function: 3_2_004AAD00 StartServiceCtrlDispatcherA,	3_2_004AAD00
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 4_2_00DBAD00 StartServiceCtrlDispatcherA,	4_2_00DBAD00
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 10_2_00D6AD00 StartServiceCtrlDispatcherA,	10_2_00D6AD00

Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe

Mutant created: NULL

Source: 8CO4P3HwDt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 8CO4P3HwDt.exe

ReversingLabs: Detection: 89%

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

File read: C:\Users\user\Desktop\8CO4P3HwDt.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\8CO4P3HwDt.exe "C:\Users\user\Desktop\8CO4P3HwDt.exe"
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Process created: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe "C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe"
Source: unknown	Process created: C:\oblimpyrbviueg\usncdvbjyrwr.exe C:\oblimpyrbviueg\usncdvbjyrwr.exe
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Process created: C:\oblimpyrbviueg\hrzceasx.exe uwauanknl3ss "c:\oblimpyrbviueg\usncdvbjyrwr.exe"
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	Process created: C:\oblimpyrbviueg\usncdvbjyrwr.exe "C:\oblimpyrbviueg\usncdvbjyrwr.exe"
Source: C:\oblimpyrbviueg\hrzceasx.exe	Process created: C:\oblimpyrbviueg\usncdvbjyrwr.exe "c:\oblimpyrbviueg\usncdvbjyrwr.exe"
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Process created: C:\oblimpyrbviueg\hrzceasx.exe uwauanknl3ss "c:\oblimpyrbviueg\usncdvbjyrwr.exe"
Source: C:\oblimpyrbviueg\hrzceasx.exe	Process created: C:\oblimpyrbviueg\usncdvbjyrwr.exe "c:\oblimpyrbviueg\usncdvbjyrwr.exe"
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Process created: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe "C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe"	Jump to behavior
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	Process created: C:\oblimpyrbviueg\usncdvbjyrwr.exe "C:\oblimpyrbviueg\usncdvbjyrwr.exe"	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Process created: C:\oblimpyrbviueg\hrzceasx.exe uwauanknl3ss "c:\oblimpyrbviueg\usncdvbjyrwr.exe"	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe	Process created: C:\oblimpyrbviueg\usncdvbjyrwr.exe "c:\oblimpyrbviueg\usncdvbjyrwr.exe"	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Process created: C:\oblimpyrbviueg\hrzceasx.exe uwauanknl3ss "c:\oblimpyrbviueg\usncdvbjyrwr.exe"	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe	Process created: C:\oblimpyrbviueg\usncdvbjyrwr.exe "c:\oblimpyrbviueg\usncdvbjyrwr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: 8CO4P3HwDt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

Code function: 0_2_00C4C35F GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetEnvironmentVariableA,CreateMutexA,CreateMutexA,CreateMutexA,GetTickCount,GetCommandLineA,Sleep,

0_2_00C4C35F

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Code function: 0_2_00C61C80 push eax; ret	0_2_00C61C94
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Code function: 0_2_00C61C80 push eax; ret	0_2_00C61CBC
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Code function: 0_2_00C3D86B push 0B00C6D0h; ret	0_2_00C3D870
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	Code function: 2_2_00D11C80 push eax; ret	2_2_00D11C94
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	Code function: 2_2_00D11C80 push eax; ret	2_2_00D11CBC
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Code function: 3_2_004E1C80 push eax; ret	3_2_004E1C94
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Code function: 3_2_004E1C80 push eax; ret	3_2_004E1CBC
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 4_2_00DF1C80 push eax; ret	4_2_00DF1C94
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 4_2_00DF1C80 push eax; ret	4_2_00DF1CBC
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 4_2_00DCD86B push 0B00DFD0h; ret	4_2_00DCD870
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 10_2_00DA1C80 push eax; ret	10_2_00DA1C94
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 10_2_00DA1C80 push eax; ret	10_2_00DA1CBC
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 10_2_00D7D86B push 0B00DAD0h; ret	10_2_00D7D870

Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	File created: C:\oblimpyrbviueg\hrzceasx.exe	Jump to dropped file
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	File created: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	File created: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	Jump to dropped file

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

Code function: 0_2_00C2AD00 StartServiceCtrlDispatcherA,

0_2_00C2AD00

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

0_2_00C4C35F

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	0_2_00C42500
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	2_2_00CF2500
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	3_2_004C2500
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	4_2_00DD2500
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	10_2_00D82500

Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	Code function: GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary,		2_2_00CD3770
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Code function: GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary,		3_2_004A3770

Source: C:\oblimpyrbviueg\hrzceasx.exe	Window / User API: threadDelayed 683	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe	Window / User API: threadDelayed 1192	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe	Window / User API: threadDelayed 647	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe	Window / User API: threadDelayed 1227	Jump to behavior

Source: C:\oblimpyrbviueg\hrzceasx.exe	Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Evasive API call chain: GetSystemTime,DecisionNodes	graph_0-10005
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Evasive API call chain: GetSystemTime,DecisionNodes	graph_3-10443

Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe TID: 7552	Thread sleep time: -39996s >= -30000s	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe TID: 7548	Thread sleep count: 683 > 30	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe TID: 7548	Thread sleep time: -683000s >= -30000s	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe TID: 7548	Thread sleep count: 1192 > 30	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe TID: 7548	Thread sleep time: -1192000s >= -30000s	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe TID: 8080	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe TID: 8104	Thread sleep time: -35552s >= -30000s	Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe TID: 8080	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe TID: 8100	Thread sleep count: 647 > 30	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe TID: 8100	Thread sleep time: -647000s >= -30000s	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe TID: 8100	Thread sleep count: 1227 > 30	Jump to behavior
Source: C:\oblimpyrbviueg\hrzceasx.exe TID: 8100	Thread sleep time: -1227000s >= -30000s	Jump to behavior

Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Last function: Thread delayed
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	Code function: 0_2_00C2A780 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00C2A780
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	Code function: 2_2_00CDA780 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_00CDA780
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Code function: 3_2_004AA780 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_004AA780
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 4_2_00DBA780 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_00DBA780
Source: C:\oblimpyrbviueg\hrzceasx.exe	Code function: 10_2_00D6A780 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	10_2_00D6A780

Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Thread delayed: delay time: 50000			Jump to behavior
Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe	Thread delayed: delay time: 50000			Jump to behavior

Source: uzqv2crbnrrqx7oiosyki.exe, 00000002.00000002.1392873208.000000000114E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: usncdvbjyrwr.exe, 00000003.00000002.2158288617.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp, usncdvbjyrwr.exe, 00000009.00000002.3192620815.0000000000F67000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe	API call chain: ExitProcess graph end node	graph_0-10199
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	API call chain: ExitProcess graph end node	graph_2-11605
Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	API call chain: ExitProcess graph end node	graph_2-9810
Source: C:\oblimpyrbviueg\hrzceasx.exe	API call chain: ExitProcess graph end node
Source: C:\oblimpyrbviueg\hrzceasx.exe	API call chain: ExitProcess graph end node
Source: C:\oblimpyrbviueg\hrzceasx.exe	API call chain: ExitProcess graph end node
Source: C:\oblimpyrbviueg\hrzceasx.exe	API call chain: ExitProcess graph end node

Source: C:\oblimpyrbviueg\usncdvbjyrwr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

0_2_00C4C35F

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

Code function: 0_2_00C55570 GetProcessHeap,RtlAllocateHeap,

0_2_00C55570

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

Code function: 0_2_00C57710 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00C57710

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

Code function: 0_2_00C568B0 GetSystemTime,GetTickCount,

0_2_00C568B0

Source: C:\Users\user\Desktop\8CO4P3HwDt.exe

Code function: 0_2_00C315A0 GetVersionExA,CreateDirectoryA,DeleteFileA,RemoveDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,GetTempPathA,CreateDirectoryA,GetTempPathA,SetFileAttributesA,

0_2_00C315A0

Source: C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 Process Injection	11 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 System Service Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	4 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
8CO4P3HwDt.exe	89%	ReversingLabs	Win32.Adware.Multiverze
8CO4P3HwDt.exe	100%	Avira	TR/Nivdort.Gen2
8CO4P3HwDt.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\oblimpyrbviueg\usncdvbjyrwr.exe	100%	Avira	TR/Nivdort.Gen2
C:\oblimpyrbviueg\hrzceasx.exe	100%	Avira	TR/Nivdort.Gen2
C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	100%	Avira	TR/Nivdort.Gen2
C:\oblimpyrbviueg\usncdvbjyrwr.exe	100%	Joe Sandbox ML
C:\oblimpyrbviueg\hrzceasx.exe	100%	Joe Sandbox ML
C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	100%	Joe Sandbox ML
C:\oblimpyrbviueg\hrzceasx.exe	89%	ReversingLabs	Win32.Adware.Multiverze
C:\oblimpyrbviueg\usncdvbjyrwr.exe	89%	ReversingLabs	Win32.Adware.Multiverze
C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe	89%	ReversingLabs	Win32.Adware.Multiverze

Name	IP	Active	Malicious	Reputation
degreedaughter.net	85.214.228.140	true	false	high
7450.bodis.com	199.59.243.227	true	false	high
gentleanother.net	54.244.188.177	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
returnbottle.net	18.143.155.63	true	false	high
pleasantinstead.net	18.143.155.63	true	false	high
forwardpeople.net	unknown	unknown	false	high
degreeanother.net	unknown	unknown	false	high
degreeexplain.net	unknown	unknown	false	high
heaveninside.net	unknown	unknown	false	high
answerappear.net	unknown	unknown	false	high
heavybusiness.net	unknown	unknown	false	high
pleasantinside.net	unknown	unknown	false	high
requirebusiness.net	unknown	unknown	false	high
forwardinside.net	unknown	unknown	false	high
glassmanner.net	unknown	unknown	false	high
answerexplain.net	unknown	unknown	false	high
orderinside.net	unknown	unknown	false	high
variousappear.net	unknown	unknown	false	high
returnbright.net	unknown	unknown	false	high
difficultanother.net	unknown	unknown	false	high
heavyinside.net	unknown	unknown	false	high
forwardready.net	unknown	unknown	false	high
glassdaughter.net	unknown	unknown	false	high
necessarymanner.net	unknown	unknown	false	high
leadernothing.net	unknown	unknown	false	high
answeranother.net	unknown	unknown	false	high
leadermanner.net	unknown	unknown	false	high
heavybottle.net	unknown	unknown	false	high
heavenbright.net	unknown	unknown	false	high
heavydivide.net	unknown	unknown	false	high
degreebrown.net	unknown	unknown	false	high
gentleinstead.net	unknown	unknown	false	high
glassanother.net	unknown	unknown	false	high
heavenanother.net	unknown	unknown	false	high
difficultmanner.net	unknown	unknown	false	high
glassexplain.net	unknown	unknown	false	high
requireinside.net	unknown	unknown	false	high
heavenexplain.net	unknown	unknown	false	high
forwardbusiness.net	unknown	unknown	false	high
difficultexplain.net	unknown	unknown	false	high
gentleappear.net	unknown	unknown	false	high
pleasantbright.net	unknown	unknown	false	high
returnexplain.net	unknown	unknown	false	high
gentlemanner.net	unknown	unknown	false	high
answerdaughter.net	unknown	unknown	false	high
heardinside.net	unknown	unknown	false	high
requiremanner.net	unknown	unknown	false	high
gentleexplain.net	unknown	unknown	false	high
glassappear.net	unknown	unknown	false	high
necessaryanother.net	unknown	unknown	false	high
glassinside.net	unknown	unknown	false	high
difficultbright.net	unknown	unknown	false	high
heardbrown.net	unknown	unknown	true	unknown
glasspeople.net	unknown	unknown	false	high
requireinstead.net	unknown	unknown	false	high
necessaryinside.net	unknown	unknown	false	high
returndivide.net	unknown	unknown	false	high
heardinstead.net	unknown	unknown	false	high
variousbright.net	unknown	unknown	false	high
degreebusiness.net	unknown	unknown	false	high
answerbusiness.net	unknown	unknown	false	high
heavenbusiness.net	unknown	unknown	false	high
gentledivide.net	unknown	unknown	false	high
variousinstead.net	unknown	unknown	false	high
gentlestream.net	unknown	unknown	false	high
pleasantmanner.net	unknown	unknown	false	high
necessaryappear.net	unknown	unknown	false	high
pleasantbusiness.net	unknown	unknown	false	high
heardbright.net	unknown	unknown	false	high
heavenbottle.net	unknown	unknown	false	high
heavynothing.net	unknown	unknown	false	high
gentlebusiness.net	unknown	unknown	false	high
ordermanner.net	unknown	unknown	false	high
leaderbottle.net	unknown	unknown	false	high
pleasantanother.net	unknown	unknown	false	high
heavyanother.net	unknown	unknown	false	high
degreeinstead.net	unknown	unknown	false	high
degreepeople.net	unknown	unknown	false	high
answerready.net	unknown	unknown	false	high
difficultbrown.net	unknown	unknown	true	unknown
answerbright.net	unknown	unknown	false	high
heavennothing.net	unknown	unknown	false	high
returninside.net	unknown	unknown	false	high
forwardbright.net	unknown	unknown	false	high
difficultinside.net	unknown	unknown	false	high
heavybright.net	unknown	unknown	false	high
leaderanother.net	unknown	unknown	false	high
returninstead.net	unknown	unknown	false	high
difficultinstead.net	unknown	unknown	false	high
heavenappear.net	unknown	unknown	false	high
answerinside.net	unknown	unknown	false	high
degreebright.net	unknown	unknown	false	high
forwardbrown.net	unknown	unknown	false	high
heavyinstead.net	unknown	unknown	false	high
gentleinside.net	unknown	unknown	false	high
heardexplain.net	unknown	unknown	false	high
heavyappear.net	unknown	unknown	false	high
answerpeople.net	unknown	unknown	false	high
pleasantexplain.net	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com	usncdvbjyrwr.exe, 00000003.00000002.2158288617.0000000000ED2000.00000004.00000020.00020000.00000000.sdmp, usncdvbjyrwr.exe, 00000009.00000002.3192620815.0000000000F67000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
18.143.155.63	returnbottle.net	United States	16509	AMAZON-02US	false
85.214.228.140	degreedaughter.net	Germany	6724	STRATOSTRATOAGDE	false
199.59.243.227	7450.bodis.com	United States	395082	BODIS-NJUS	false
54.244.188.177	gentleanother.net	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1551213
Start date and time:	2024-11-07 15:56:32 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8CO4P3HwDt.exe renamed because original name is a hash value
Original Sample Name:	a45535760b1cab75d55825736dcdec6e9cc7d3521247731af0e4010b3c9b005b.exe
Detection:	MAL
Classification:	mal96.troj.winEXE@14/5@334/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 79% Number of executed functions: 43 Number of non-executed functions: 32
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: 8CO4P3HwDt.exe

Simulations

Behavior and APIs

Time	Type	Description
09:58:00	API Interceptor	3688x Sleep call for process: hrzceasx.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
18.143.155.63	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
85.214.228.140	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	degreedaughter.net/index.php
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	degreedaughter.net/index.php
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	degreedaughter.net/index.php
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	degreedaughter.net/index.php
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	degreedaughter.net/index.php
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	degreedaughter.net/index.php
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	degreedaughter.net/index.php
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	degreedaughter.net/index.php
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	dlynankz.biz/mfjpaqkdwglsvxqo

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gentleanother.net	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
degreedaughter.net	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
s-part-0017.t-0009.t-msedge.net	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://eu.docworkspace.com/d/sIGWvrvOeAYXvpLkG	Get hash	malicious	Unknown	Browse	13.107.246.45
	Q7oJsypKoV.exe	Get hash	malicious	Snake Keylogger	Browse	13.107.246.45
	https://login-zendesk-account.servz.com.pk	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://login-zendesk-account.servz.com.pk	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	xBzBOQwywT.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	aAr67hajkj.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	https://app.smartsheet.com/b/form/d72b00b027df4e38a9b052ac176790d8	Get hash	malicious	Unknown	Browse	13.107.246.45
	4fDCjpuTvi.dll	Get hash	malicious	Unknown	Browse	13.107.246.45
	cONc2eILoR.dll	Get hash	malicious	Unknown	Browse	13.107.246.45
7450.bodis.com	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	199.59.243.227

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	m8P4HaY7dU.vbs	Get hash	malicious	Unknown	Browse	18.226.186.214
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
STRATOSTRATOAGDE	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	http://googe.de	Get hash	malicious	Unknown	Browse	85.214.62.112
BODIS-NJUS	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
AMAZON-02US	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	m8P4HaY7dU.vbs	Get hash	malicious	Unknown	Browse	18.226.186.214
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177

Process:	C:\Users\user\Desktop\8CO4P3HwDt.exe
File Type:	data
Category:	dropped
Size (bytes):	9
Entropy (8bit):	2.94770277922009
Encrypted:	false
SSDEEP:	3:EDGCf3:EL3
MD5:	46E5BCD6997E903847E4E88C16E5855E
SHA1:	378A9B0E6F3DA4C35C7711198509623232FF3BBF
SHA-256:	C7BB3FCAEF237E69116176515D297C58563485A620A8D12405ADE6D0B42F2EBB
SHA-512:	B79BA76D152EA659E77249942406F0618904EE10BF3AE3B1321ACE85EA70E45F67C37C22308BFAD3F8E74E197F7E8CD7790C9583204B6EE7998016A2DA38D249
Malicious:	false
Reputation:	low
Preview:	..&c..hh.

C:\oblimpyrbviueg\hrzceasx.exe

Download File

Process:	C:\oblimpyrbviueg\usncdvbjyrwr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	362496
Entropy (8bit):	6.788547539713091
Encrypted:	false
SSDEEP:	6144:UsuM2SxOxXDp5YPIgX5ZzPQ4Hv1/NptKicU77pWmUFnaKaX4xHfG1rnvv28T1dcB:LuMrQ9p5YPXLzVHvxjtKP29cIzifyrnu
MD5:	C3C8DF0D6043078ABDF157A68D37EB96
SHA1:	4EF0B88E12B3770FBAA6E5683B15B51C130F38AD
SHA-256:	A45535760B1CAB75D55825736DCDEC6E9CC7D3521247731AF0E4010B3C9B005B
SHA-512:	A3E80BFC92D0959D5037385967EBCC3DB5022E075B0B86323FC23171B9B5123D49014E24CB6E2F6A7E2DAC145633B794D637BD22AA2F48EF3255A7E662050946
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 89%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q!...O..O..O..4..O..N...O.B...O..@..O.B...O.Rich..O.........................PE..L....!zV............................0........ ....@.......................................@.....................................P.................................................................................... ...............................text............................... ..`.rdata....... ......................@..@.data...\|...........................@....reloc..(...........................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\oblimpyrbviueg\usncdvbjyrwr.exe

Download File

Process:	C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	362496
Entropy (8bit):	6.788547539713091
Encrypted:	false
SSDEEP:	6144:UsuM2SxOxXDp5YPIgX5ZzPQ4Hv1/NptKicU77pWmUFnaKaX4xHfG1rnvv28T1dcB:LuMrQ9p5YPXLzVHvxjtKP29cIzifyrnu
MD5:	C3C8DF0D6043078ABDF157A68D37EB96
SHA1:	4EF0B88E12B3770FBAA6E5683B15B51C130F38AD
SHA-256:	A45535760B1CAB75D55825736DCDEC6E9CC7D3521247731AF0E4010B3C9B005B
SHA-512:	A3E80BFC92D0959D5037385967EBCC3DB5022E075B0B86323FC23171B9B5123D49014E24CB6E2F6A7E2DAC145633B794D637BD22AA2F48EF3255A7E662050946
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 89%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q!...O..O..O..4..O..N...O.B...O..@..O.B...O.Rich..O.........................PE..L....!zV............................0........ ....@.......................................@.....................................P.................................................................................... ...............................text............................... ..`.rdata....... ......................@..@.data...\|...........................@....reloc..(...........................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe

Download File

Process:	C:\Users\user\Desktop\8CO4P3HwDt.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	362496
Entropy (8bit):	6.788547539713091
Encrypted:	false
SSDEEP:	6144:UsuM2SxOxXDp5YPIgX5ZzPQ4Hv1/NptKicU77pWmUFnaKaX4xHfG1rnvv28T1dcB:LuMrQ9p5YPXLzVHvxjtKP29cIzifyrnu
MD5:	C3C8DF0D6043078ABDF157A68D37EB96
SHA1:	4EF0B88E12B3770FBAA6E5683B15B51C130F38AD
SHA-256:	A45535760B1CAB75D55825736DCDEC6E9CC7D3521247731AF0E4010B3C9B005B
SHA-512:	A3E80BFC92D0959D5037385967EBCC3DB5022E075B0B86323FC23171B9B5123D49014E24CB6E2F6A7E2DAC145633B794D637BD22AA2F48EF3255A7E662050946
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 89%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q!...O..O..O..4..O..N...O.B...O..@..O.B...O.Rich..O.........................PE..L....!zV............................0........ ....@.......................................@.....................................P.................................................................................... ...............................text............................... ..`.rdata....... ......................@..@.data...\|...........................@....reloc..(...........................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\oblimpyrbviueg\vqipymk4ju

Download File

Process:	C:\Users\user\Desktop\8CO4P3HwDt.exe
File Type:	data
Category:	dropped
Size (bytes):	9
Entropy (8bit):	2.94770277922009
Encrypted:	false
SSDEEP:	3:EDGCf3:EL3
MD5:	46E5BCD6997E903847E4E88C16E5855E
SHA1:	378A9B0E6F3DA4C35C7711198509623232FF3BBF
SHA-256:	C7BB3FCAEF237E69116176515D297C58563485A620A8D12405ADE6D0B42F2EBB
SHA-512:	B79BA76D152EA659E77249942406F0618904EE10BF3AE3B1321ACE85EA70E45F67C37C22308BFAD3F8E74E197F7E8CD7790C9583204B6EE7998016A2DA38D249
Malicious:	false
Preview:	..&c..hh.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.788547539713091
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	8CO4P3HwDt.exe
File size:	362'496 bytes
MD5:	c3c8df0d6043078abdf157a68d37eb96
SHA1:	4ef0b88e12b3770fbaa6e5683b15b51c130f38ad
SHA256:	a45535760b1cab75d55825736dcdec6e9cc7d3521247731af0e4010b3c9b005b
SHA512:	a3e80bfc92d0959d5037385967ebcc3db5022e075b0b86323fc23171b9b5123d49014e24cb6e2f6a7e2dac145633b794d637bd22aa2f48ef3255a7e662050946
SSDEEP:	6144:UsuM2SxOxXDp5YPIgX5ZzPQ4Hv1/NptKicU77pWmUFnaKaX4xHfG1rnvv28T1dcB:LuMrQ9p5YPXLzVHvxjtKP29cIzifyrnu
TLSH:	0D74E5FEDD8281EEDC42A0B8857B2773E3AD205477A861DB6180379464B99F4D93730B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q!...O...O...O...4...O...N...O..B....O...@...O..B....O.Rich..O.........................PE..L....!zV...........................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x439d30
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x567A21DA [Wed Dec 23 04:23:54 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	7a1c04e3869a3f036d363cbe0174fe1a

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
movzx eax, word ptr [0044D468h]
sub esp, 08h
push esi
sub eax, 68644053h
push edi
mov word ptr [0044D468h], ax
call 00007F4DF50ABAB6h
mov esi, 00000001h
add word ptr [0044D090h], si
mov cx, word ptr [0044D35Ch]
mov dx, word ptr [0044D090h]
add word ptr [0044D35Ch], si
movsx eax, cx
movsx ecx, dx
add eax, BB104443h
cmp eax, ecx
jle 00007F4DF50ADAB4h
fld qword ptr [0044D118h]
fadd qword ptr [0044BC98h]
fstp qword ptr [0044D118h]
call 00007F4DF5097B3Fh
fld dword ptr [0044D470h]
fld1
fsub st(1), st(0)
fxch st(0), st(1)
fstp dword ptr [0044D470h]
mov edx, dword ptr [0044D4BCh]
mov dword ptr [ebp-04h], edx
fild dword ptr [ebp-04h]
fld dword ptr [0044D470h]
fadd qword ptr [0044BC90h]
fsubp st(1), st(0)
fcomp qword ptr [0044BC88h]
fstsw
test ah, 00000044h
jp 00007F4DF50ADB03h
mov ax, word ptr [0044D0D0h]
movsx ecx, ax
sub ecx, 755D6C2Bh
mov dword ptr [ebp-04h], ecx
fild dword ptr [ebp-04h]
fld dword ptr [0044D4E0h]
fadd qword ptr [0044BC80h]
fucompp
fstsw
fadd dword ptr [0000D4E0h]

Rich Headers

Programming Language:

[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[ASM] VS2003 (.NET) build 3077
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4bca0	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4f000	0xc884	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x42000	0x11c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x40ffa	0x41000	5a9a8d96b5f64734f57e7b2baaa57c62	False	0.5254845252403846	data	6.3165136802931405	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x42000	0xa2a6	0xa400	4d907b36f74b44746b114cc40fdbae71	False	0.7407583841463414	data	6.482155544995024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4d000	0x107c	0x600	73290f6375722a8ce1cd1240da1c5b65	False	0.8548177083333334	data	6.29086260359177	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x4f000	0xc928	0xca00	dbb909cb46c8431f801e8c1f33f54a36	False	0.6598275061881188	data	6.835926954483472	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
GDI32.dll	SetTextJustification, GetMetaRgn, GetPixelFormat, GetFontUnicodeRanges, SetPixel, GetDCPenColor, GetGraphicsMode, SetTextColor, GetMapMode
USER32.dll	wvsprintfA, GetDlgItem, GetMenuCheckMarkDimensions, DrawTextA, GetMenuItemCount, GetWindowLongA, IsWindowUnicode, EnableWindow, SetFocus, GetMenu, SetDlgItemTextA, IsWindowEnabled, LoadIconA, GetScrollPos, PostMessageA, SetWindowTextA, GetMenuContextHelpId, EndDialog, CheckDlgButton, GetInputState, BeginPaint, GetForegroundWindow, MoveWindow, GetCursor, GetKeyboardType, RemovePropA, GetPropA, GetDialogBaseUnits, CharLowerBuffA, CallWindowProcA
KERNEL32.dll	GetModuleHandleA, CloseHandle, CreateFileA, WriteFile, GetFileSize, HeapReAlloc, FlushFileBuffers, LoadResource, GetFileTime, GetCurrentThreadId, GlobalFlags, GetCurrentProcessId, QueryPerformanceCounter, IsProcessorFeaturePresent, SetFilePointer, GlobalHandle, LocalFlags, IsDebuggerPresent, GetProcAddress, GetVersion, GetLastError, GetStdHandle, HeapFree, ExitProcess, GetProcessHeap, HeapAlloc, GetSystemTime, SystemTimeToFileTime, lstrlenA

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-07T15:57:33.711828+0100	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	1	192.168.2.9	49763	18.143.155.63	80	TCP
2024-11-07T15:57:33.711828+0100	2820680	ETPRO MALWARE W32/Bayrob Attempted Checkin 2	1	192.168.2.9	49763	18.143.155.63	80	TCP
2024-11-07T15:57:34.089037+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.143.155.63	80	192.168.2.9	49763	TCP
2024-11-07T15:57:34.089037+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	18.143.155.63	80	192.168.2.9	49763	TCP
2024-11-07T15:57:34.452629+0100	2811542	ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)	1	1.1.1.1	53	192.168.2.9	62561	UDP
2024-11-07T15:57:34.540257+0100	2018316	ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses	1	1.1.1.1	53	192.168.2.9	50727	UDP
2024-11-07T15:57:37.035091+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	54.244.188.177	80	192.168.2.9	55203	TCP
2024-11-07T15:57:37.035091+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	54.244.188.177	80	192.168.2.9	55203	TCP
2024-11-07T15:57:44.173974+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.9	55230	TCP
2024-11-07T15:58:22.267999+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.9	55406	TCP
2024-11-07T15:58:56.883402+0100	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	1	192.168.2.9	55409	54.244.188.177	80	TCP
2024-11-07T15:58:56.883402+0100	2820680	ETPRO MALWARE W32/Bayrob Attempted Checkin 2	1	192.168.2.9	55409	54.244.188.177	80	TCP
2024-11-07T15:58:57.037748+0100	2811542	ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)	1	1.1.1.1	53	192.168.2.9	62249	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 15:57:31.278287888 CET	49758	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:57:31.283154964 CET	80	49758	199.59.243.227	192.168.2.9
Nov 7, 2024 15:57:31.283229113 CET	49758	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:57:31.283286095 CET	49758	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:57:31.288238049 CET	80	49758	199.59.243.227	192.168.2.9
Nov 7, 2024 15:57:31.941962004 CET	80	49758	199.59.243.227	192.168.2.9
Nov 7, 2024 15:57:31.941975117 CET	80	49758	199.59.243.227	192.168.2.9
Nov 7, 2024 15:57:31.942063093 CET	49758	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:57:31.981616020 CET	80	49758	199.59.243.227	192.168.2.9
Nov 7, 2024 15:57:31.981687069 CET	49758	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:57:31.981762886 CET	49758	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:57:31.987126112 CET	80	49758	199.59.243.227	192.168.2.9
Nov 7, 2024 15:57:32.217818022 CET	49763	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:57:32.223392010 CET	80	49763	18.143.155.63	192.168.2.9
Nov 7, 2024 15:57:32.223462105 CET	49763	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:57:32.223515987 CET	49763	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:57:32.228373051 CET	80	49763	18.143.155.63	192.168.2.9
Nov 7, 2024 15:57:33.668142080 CET	80	49763	18.143.155.63	192.168.2.9
Nov 7, 2024 15:57:33.711827993 CET	49763	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:57:34.089036942 CET	80	49763	18.143.155.63	192.168.2.9
Nov 7, 2024 15:57:34.089114904 CET	49763	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:57:34.089163065 CET	49763	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:57:34.094006062 CET	80	49763	18.143.155.63	192.168.2.9
Nov 7, 2024 15:57:36.082096100 CET	55203	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:57:36.090898037 CET	80	55203	54.244.188.177	192.168.2.9
Nov 7, 2024 15:57:36.091027021 CET	55203	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:57:36.091054916 CET	55203	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:57:36.097451925 CET	80	55203	54.244.188.177	192.168.2.9
Nov 7, 2024 15:57:36.919450045 CET	80	55203	54.244.188.177	192.168.2.9
Nov 7, 2024 15:57:36.961822987 CET	55203	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:57:37.035090923 CET	80	55203	54.244.188.177	192.168.2.9
Nov 7, 2024 15:57:37.035161018 CET	55203	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:57:37.035226107 CET	55203	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:57:37.040205002 CET	80	55203	54.244.188.177	192.168.2.9
Nov 7, 2024 15:57:38.500886917 CET	55213	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:57:38.505821943 CET	80	55213	199.59.243.227	192.168.2.9
Nov 7, 2024 15:57:38.505933046 CET	55213	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:57:38.506052017 CET	55213	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:57:38.510981083 CET	80	55213	199.59.243.227	192.168.2.9
Nov 7, 2024 15:57:39.139678001 CET	80	55213	199.59.243.227	192.168.2.9
Nov 7, 2024 15:57:39.139700890 CET	80	55213	199.59.243.227	192.168.2.9
Nov 7, 2024 15:57:39.139739990 CET	55213	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:57:39.139972925 CET	80	55213	199.59.243.227	192.168.2.9
Nov 7, 2024 15:57:39.140008926 CET	55213	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:57:39.140861988 CET	55213	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:57:39.145986080 CET	80	55213	199.59.243.227	192.168.2.9
Nov 7, 2024 15:57:39.724828959 CET	55218	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:57:39.729630947 CET	80	55218	18.143.155.63	192.168.2.9
Nov 7, 2024 15:57:39.729701996 CET	55218	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:57:39.729739904 CET	55218	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:57:39.736140013 CET	80	55218	18.143.155.63	192.168.2.9
Nov 7, 2024 15:57:41.151129007 CET	80	55218	18.143.155.63	192.168.2.9
Nov 7, 2024 15:57:41.196213961 CET	55218	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:57:41.593983889 CET	80	55218	18.143.155.63	192.168.2.9
Nov 7, 2024 15:57:41.594110966 CET	55218	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:57:41.594177961 CET	55218	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:57:41.598993063 CET	80	55218	18.143.155.63	192.168.2.9
Nov 7, 2024 15:57:43.311275005 CET	55231	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:57:43.316248894 CET	80	55231	85.214.228.140	192.168.2.9
Nov 7, 2024 15:57:43.316330910 CET	55231	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:57:43.316375971 CET	55231	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:57:43.321516037 CET	80	55231	85.214.228.140	192.168.2.9
Nov 7, 2024 15:57:44.187567949 CET	80	55231	85.214.228.140	192.168.2.9
Nov 7, 2024 15:57:44.187974930 CET	55231	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:57:44.194381952 CET	80	55231	85.214.228.140	192.168.2.9
Nov 7, 2024 15:57:44.194432974 CET	55231	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:58:51.406758070 CET	55407	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:58:51.411669016 CET	80	55407	199.59.243.227	192.168.2.9
Nov 7, 2024 15:58:51.411797047 CET	55407	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:58:51.411834002 CET	55407	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:58:51.416652918 CET	80	55407	199.59.243.227	192.168.2.9
Nov 7, 2024 15:58:52.100086927 CET	80	55407	199.59.243.227	192.168.2.9
Nov 7, 2024 15:58:52.100183010 CET	80	55407	199.59.243.227	192.168.2.9
Nov 7, 2024 15:58:52.100289106 CET	55407	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:58:52.131764889 CET	80	55407	199.59.243.227	192.168.2.9
Nov 7, 2024 15:58:52.131984949 CET	55407	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:58:52.132080078 CET	55407	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:58:52.136841059 CET	80	55407	199.59.243.227	192.168.2.9
Nov 7, 2024 15:58:52.221452951 CET	55408	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:58:52.226289988 CET	80	55408	18.143.155.63	192.168.2.9
Nov 7, 2024 15:58:52.226442099 CET	55408	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:58:52.226546049 CET	55408	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:58:52.231408119 CET	80	55408	18.143.155.63	192.168.2.9
Nov 7, 2024 15:58:53.663625002 CET	80	55408	18.143.155.63	192.168.2.9
Nov 7, 2024 15:58:53.711539030 CET	55408	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:58:54.079400063 CET	80	55408	18.143.155.63	192.168.2.9
Nov 7, 2024 15:58:54.079523087 CET	55408	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:58:54.079618931 CET	55408	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:58:54.084424019 CET	80	55408	18.143.155.63	192.168.2.9
Nov 7, 2024 15:58:55.976308107 CET	55409	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:58:55.981085062 CET	80	55409	54.244.188.177	192.168.2.9
Nov 7, 2024 15:58:55.981141090 CET	55409	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:58:55.981226921 CET	55409	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:58:55.986052036 CET	80	55409	54.244.188.177	192.168.2.9
Nov 7, 2024 15:58:56.832716942 CET	80	55409	54.244.188.177	192.168.2.9
Nov 7, 2024 15:58:56.883402109 CET	55409	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:58:56.949945927 CET	80	55409	54.244.188.177	192.168.2.9
Nov 7, 2024 15:58:56.950171947 CET	55409	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:58:56.950171947 CET	55409	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:58:56.955017090 CET	80	55409	54.244.188.177	192.168.2.9
Nov 7, 2024 15:58:57.401216030 CET	55410	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:58:57.406147003 CET	80	55410	199.59.243.227	192.168.2.9
Nov 7, 2024 15:58:57.406326056 CET	55410	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:58:57.406421900 CET	55410	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:58:57.411495924 CET	80	55410	199.59.243.227	192.168.2.9
Nov 7, 2024 15:58:58.096913099 CET	80	55410	199.59.243.227	192.168.2.9
Nov 7, 2024 15:58:58.096972942 CET	80	55410	199.59.243.227	192.168.2.9
Nov 7, 2024 15:58:58.097155094 CET	55410	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:58:58.129245043 CET	80	55410	199.59.243.227	192.168.2.9
Nov 7, 2024 15:58:58.129374027 CET	55410	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:58:58.129539967 CET	55410	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:58:58.135325909 CET	80	55410	199.59.243.227	192.168.2.9
Nov 7, 2024 15:58:58.473097086 CET	55411	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:58:58.478068113 CET	80	55411	18.143.155.63	192.168.2.9
Nov 7, 2024 15:58:58.478162050 CET	55411	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:58:58.478224993 CET	55411	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:58:58.483114004 CET	80	55411	18.143.155.63	192.168.2.9
Nov 7, 2024 15:58:59.912801027 CET	80	55411	18.143.155.63	192.168.2.9
Nov 7, 2024 15:58:59.961539984 CET	55411	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:59:00.329682112 CET	80	55411	18.143.155.63	192.168.2.9
Nov 7, 2024 15:59:00.329811096 CET	55411	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:59:00.329902887 CET	55411	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:59:00.334799051 CET	80	55411	18.143.155.63	192.168.2.9
Nov 7, 2024 15:59:01.738610029 CET	55412	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:59:01.743509054 CET	80	55412	85.214.228.140	192.168.2.9
Nov 7, 2024 15:59:01.743592024 CET	55412	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:59:01.743671894 CET	55412	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:59:01.748606920 CET	80	55412	85.214.228.140	192.168.2.9
Nov 7, 2024 15:59:02.612719059 CET	80	55412	85.214.228.140	192.168.2.9
Nov 7, 2024 15:59:02.613959074 CET	55412	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:59:02.619338989 CET	80	55412	85.214.228.140	192.168.2.9
Nov 7, 2024 15:59:02.619400978 CET	55412	80	192.168.2.9	85.214.228.140

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 15:57:30.244040012 CET	49340	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:30.274842024 CET	53	49340	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:30.276674986 CET	54751	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:30.286844015 CET	53	54751	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:30.288250923 CET	50502	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:30.298887968 CET	53	50502	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:30.299901962 CET	54461	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:30.309011936 CET	53	54461	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:30.325233936 CET	62882	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:30.335666895 CET	53	62882	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:30.354170084 CET	64322	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:30.363230944 CET	53	64322	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:30.395076990 CET	64029	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:30.404742002 CET	53	64029	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:30.552098989 CET	64594	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:30.561712027 CET	53	64594	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:30.682738066 CET	63265	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:30.715595007 CET	53	63265	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:30.722882986 CET	64840	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:30.732049942 CET	53	64840	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:30.732944012 CET	50023	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:30.741900921 CET	53	50023	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:30.742794991 CET	49923	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:30.774981976 CET	53	49923	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:30.775918007 CET	50217	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:30.807801962 CET	53	50217	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:30.808661938 CET	57661	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:30.839858055 CET	53	57661	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:30.849939108 CET	61880	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:31.275842905 CET	53	61880	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:31.982861996 CET	59790	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:31.993135929 CET	53	59790	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:31.994452000 CET	62137	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:32.004371881 CET	53	62137	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:32.005543947 CET	50509	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:32.014398098 CET	53	50509	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:32.015604019 CET	57460	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:32.025652885 CET	53	57460	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:32.026681900 CET	63969	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:32.217153072 CET	53	63969	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.090169907 CET	61958	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.099737883 CET	53	61958	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.100845098 CET	52153	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.110753059 CET	53	52153	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.111627102 CET	57297	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.143076897 CET	53	57297	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.144304991 CET	52623	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.153857946 CET	53	52623	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.154869080 CET	50522	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.193336010 CET	53	50522	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.194526911 CET	58375	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.227626085 CET	53	58375	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.228689909 CET	53291	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.387516975 CET	53	53291	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.388556004 CET	50388	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.399007082 CET	53	50388	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.400070906 CET	49974	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.412420988 CET	53	49974	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.413342953 CET	65326	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.420732975 CET	53	65326	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.421587944 CET	62561	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.452629089 CET	53	62561	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.453635931 CET	63364	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.466152906 CET	53	63364	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.467195988 CET	63498	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.497725964 CET	53	63498	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.498783112 CET	58051	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.529272079 CET	53	58051	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.530100107 CET	50727	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.540256977 CET	53	50727	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.541076899 CET	50646	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.572326899 CET	53	50646	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.573242903 CET	51926	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.583617926 CET	53	51926	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.584602118 CET	51790	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.595393896 CET	53	51790	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.596453905 CET	62398	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.607800007 CET	53	62398	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.608810902 CET	51197	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.639818907 CET	53	51197	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.640959978 CET	53705	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.651052952 CET	53	53705	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.651917934 CET	60706	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.662997961 CET	53	60706	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.663865089 CET	57959	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.700715065 CET	53	57959	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.701572895 CET	58388	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.712740898 CET	53	58388	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.713630915 CET	53244	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.724217892 CET	53	53244	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.725060940 CET	51905	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.756397963 CET	53	51905	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.757380962 CET	61801	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.789913893 CET	53	61801	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.790909052 CET	55972	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.821849108 CET	53	55972	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.823138952 CET	55881	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.834417105 CET	53	55881	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.835999012 CET	60692	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.846170902 CET	53	60692	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.847266912 CET	65350	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.857301950 CET	53	65350	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.858392954 CET	63138	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.868060112 CET	53	63138	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.869191885 CET	64125	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.878563881 CET	53	64125	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.879568100 CET	65002	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.889601946 CET	53	65002	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.890428066 CET	62168	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.899683952 CET	53	62168	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.900582075 CET	56551	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.910871029 CET	53	56551	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.911936045 CET	64000	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.943383932 CET	53	64000	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.944397926 CET	49800	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.976104975 CET	53	49800	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:34.977212906 CET	62985	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:34.984219074 CET	53	62985	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:35.604418039 CET	63814	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:35.614058018 CET	53	63814	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:35.615139008 CET	55938	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:35.626192093 CET	53	55938	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:35.627172947 CET	61262	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:35.657121897 CET	53	61262	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:35.661401033 CET	52892	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:35.693082094 CET	53	52892	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:35.694494009 CET	57775	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:35.726061106 CET	53	57775	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:35.727085114 CET	57087	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:35.738173962 CET	53	57087	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:35.739072084 CET	63614	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:35.748729944 CET	53	63614	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:35.749900103 CET	65117	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:35.762414932 CET	53	65117	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:35.769918919 CET	55128	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:35.781415939 CET	53	55128	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:35.785932064 CET	51913	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:35.818171978 CET	53	51913	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:35.819246054 CET	52880	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:35.830157995 CET	53	52880	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:35.831063032 CET	64032	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:35.840167046 CET	53	64032	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:35.841058016 CET	51607	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:35.851336956 CET	53	51607	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:35.852336884 CET	50131	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:35.860013962 CET	53	50131	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:35.861004114 CET	56648	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:36.081504107 CET	53	56648	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.036158085 CET	61807	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:37.045279980 CET	53	61807	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.046335936 CET	54250	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:37.057161093 CET	53	54250	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.058281898 CET	54936	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:37.089063883 CET	53	54936	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.090293884 CET	63548	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:37.100512981 CET	53	63548	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.101511955 CET	53667	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:37.111568928 CET	53	53667	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.112478018 CET	63937	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:37.122391939 CET	53	63937	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.123298883 CET	52365	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:37.132890940 CET	53	52365	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.133793116 CET	58507	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:37.144254923 CET	53	58507	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.145104885 CET	63614	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:37.305255890 CET	53	63614	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.306514978 CET	55254	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:37.313811064 CET	53	55254	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.314883947 CET	55883	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:37.324512005 CET	53	55883	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.325417042 CET	64362	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:37.487334013 CET	53	64362	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.488643885 CET	53408	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:37.519074917 CET	53	53408	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.520211935 CET	63070	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:37.550904989 CET	53	63070	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.552306890 CET	51633	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:37.562989950 CET	53	51633	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.564328909 CET	52584	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:37.595504999 CET	53	52584	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.596803904 CET	61152	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:37.607323885 CET	53	61152	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.608436108 CET	55421	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:37.765839100 CET	53	55421	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.767005920 CET	56063	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:37.776650906 CET	53	56063	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.777790070 CET	57613	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:37.787003994 CET	53	57613	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.788017988 CET	65235	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:37.797983885 CET	53	65235	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.798930883 CET	49710	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:37.957940102 CET	53	49710	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.959028006 CET	62144	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:37.968496084 CET	53	62144	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.969615936 CET	61798	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:37.979485035 CET	53	61798	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:37.980431080 CET	63950	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:38.153373003 CET	53	63950	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:38.154622078 CET	56888	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:38.499964952 CET	53	56888	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:39.141957998 CET	60016	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:39.172971010 CET	53	60016	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:39.174424887 CET	61826	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:39.184485912 CET	53	61826	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:39.185641050 CET	54079	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:39.349301100 CET	53	54079	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:39.350794077 CET	50155	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:39.360306978 CET	53	50155	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:39.361733913 CET	56426	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:39.369348049 CET	53	56426	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:39.370650053 CET	62348	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:39.380655050 CET	53	62348	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:39.382014036 CET	56178	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:39.413423061 CET	53	56178	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:39.414774895 CET	64417	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:39.423671007 CET	53	64417	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:39.424819946 CET	52984	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:39.455449104 CET	53	52984	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:39.458242893 CET	52903	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:39.623550892 CET	53	52903	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:39.625037909 CET	53437	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:39.724294901 CET	53	53437	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:41.595119953 CET	57590	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:41.605458021 CET	53	57590	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:41.606576920 CET	57490	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:41.637693882 CET	53	57490	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:41.638817072 CET	49468	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:41.648016930 CET	53	49468	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:41.649224997 CET	63471	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:41.659225941 CET	53	63471	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:41.660347939 CET	56792	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:41.691720963 CET	53	56792	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:41.692895889 CET	54909	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:41.702866077 CET	53	54909	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:41.703934908 CET	59561	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:41.736646891 CET	53	59561	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:41.737850904 CET	65250	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:41.746756077 CET	53	65250	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:41.747808933 CET	53505	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:41.756866932 CET	53	53505	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:41.757848978 CET	51972	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:41.767224073 CET	53	51972	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:41.769046068 CET	56753	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:41.800055027 CET	53	56753	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:41.801119089 CET	65485	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:41.808590889 CET	53	65485	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:41.809900045 CET	59787	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:41.841523886 CET	53	59787	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:41.842756033 CET	59971	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:41.853142977 CET	53	59971	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:41.929302931 CET	59488	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:41.939660072 CET	53	59488	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:41.940826893 CET	57315	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:41.950911045 CET	53	57315	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:41.957556009 CET	64424	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:41.967677116 CET	53	64424	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:41.988653898 CET	62997	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:41.997844934 CET	53	62997	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:42.007217884 CET	54003	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:42.014760971 CET	53	54003	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:42.032972097 CET	60000	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:42.188643932 CET	53	60000	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:42.218456030 CET	59311	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:42.228275061 CET	53	59311	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:42.234158039 CET	59719	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:42.243623018 CET	53	59719	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:42.258193970 CET	56607	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:42.269179106 CET	53	56607	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:42.273962975 CET	64422	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:42.552428007 CET	53	64422	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:42.553569078 CET	60832	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:42.563190937 CET	53	60832	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:42.565409899 CET	63449	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:42.597146988 CET	53	63449	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:42.598507881 CET	54866	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:42.609587908 CET	53	54866	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:42.610538006 CET	55684	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:42.642644882 CET	53	55684	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:42.643589973 CET	60824	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:42.653278112 CET	53	60824	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:42.656706095 CET	60917	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:42.667222977 CET	53	60917	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:42.668150902 CET	64241	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:42.699275017 CET	53	64241	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:42.700270891 CET	51725	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:42.711359024 CET	53	51725	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:42.712655067 CET	49819	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:42.723136902 CET	53	49819	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:42.724170923 CET	50711	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:42.756084919 CET	53	50711	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:42.759916067 CET	55756	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:42.770556927 CET	53	55756	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:42.771562099 CET	51044	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:42.781584024 CET	53	51044	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:42.782671928 CET	53371	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:42.794008017 CET	53	53371	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:42.794995070 CET	52568	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:42.805392027 CET	53	52568	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:42.806651115 CET	59481	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:42.816488028 CET	53	59481	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:42.817698002 CET	62313	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:42.977508068 CET	53	62313	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:42.978657007 CET	52094	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:42.988464117 CET	53	52094	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:42.989650965 CET	49384	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:42.999633074 CET	53	49384	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:43.000653982 CET	56284	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:43.161282063 CET	53	56284	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:43.162599087 CET	65098	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:43.193373919 CET	53	65098	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:43.194602966 CET	65141	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:43.203908920 CET	53	65141	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:43.205579042 CET	61174	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:43.310653925 CET	53	61174	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:44.188905954 CET	62143	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:44.199214935 CET	53	62143	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:44.200404882 CET	53111	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:44.236922026 CET	53	53111	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:44.238182068 CET	49691	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:44.249571085 CET	53	49691	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:44.250797987 CET	50526	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:44.261601925 CET	53	50526	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:44.272665024 CET	59554	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:44.304224014 CET	53	59554	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:44.305289030 CET	52537	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:44.314651012 CET	53	52537	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:44.316162109 CET	55128	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:44.328010082 CET	53	55128	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:44.329736948 CET	61743	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:44.361130953 CET	53	61743	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:44.362227917 CET	56329	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:44.371664047 CET	53	56329	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:44.372775078 CET	63395	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:44.388118982 CET	53	63395	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:44.389210939 CET	56429	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:44.399698973 CET	53	56429	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:44.400823116 CET	51157	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:44.431230068 CET	53	51157	1.1.1.1	192.168.2.9
Nov 7, 2024 15:57:44.432590008 CET	57398	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:57:44.442755938 CET	53	57398	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:51.156850100 CET	61489	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:51.188512087 CET	53	61489	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:51.190402031 CET	51384	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:51.199938059 CET	53	51384	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:51.201041937 CET	63022	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:51.211266041 CET	53	63022	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:51.212198019 CET	57433	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:51.220845938 CET	53	57433	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:51.222040892 CET	57609	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:51.232501030 CET	53	57609	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:51.233560085 CET	59032	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:51.243516922 CET	53	59032	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:51.247876883 CET	57154	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:51.257915020 CET	53	57154	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:51.259172916 CET	63168	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:51.267436981 CET	53	63168	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:51.268714905 CET	55043	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:51.280561924 CET	53	55043	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:51.281675100 CET	64962	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:51.291503906 CET	53	64962	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:51.292701960 CET	57231	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:51.325076103 CET	53	57231	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:51.326268911 CET	54876	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:51.358262062 CET	53	54876	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:51.359528065 CET	51034	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:51.371278048 CET	53	51034	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:51.372350931 CET	49810	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:51.403655052 CET	53	49810	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:52.133277893 CET	54550	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:52.163552999 CET	53	54550	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:52.165164948 CET	51248	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:52.174766064 CET	53	51248	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:52.177259922 CET	59266	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:52.208677053 CET	53	59266	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:52.210144997 CET	49738	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:52.219898939 CET	53	49738	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.080617905 CET	62565	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.089910030 CET	53	62565	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.091207027 CET	61114	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.100841999 CET	53	61114	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.101847887 CET	51067	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.110850096 CET	53	51067	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.111756086 CET	56687	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.121294975 CET	53	56687	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.122225046 CET	61397	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.155373096 CET	53	61397	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.156630993 CET	62994	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.167617083 CET	53	62994	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.168617010 CET	54405	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.178776979 CET	53	54405	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.179636955 CET	61858	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.189466953 CET	53	61858	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.190414906 CET	63856	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.221281052 CET	53	63856	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.222552061 CET	64092	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.254184961 CET	53	64092	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.255283117 CET	60517	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.286365986 CET	53	60517	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.287621021 CET	54369	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.298362017 CET	53	54369	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.299340963 CET	62210	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.308671951 CET	53	62210	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.309542894 CET	60078	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.319616079 CET	53	60078	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.320501089 CET	58439	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.351408005 CET	53	58439	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.352641106 CET	59791	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.361805916 CET	53	59791	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.362736940 CET	53459	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.534996033 CET	53	53459	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.536259890 CET	54186	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.545069933 CET	53	54186	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.546092033 CET	65394	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.577779055 CET	53	65394	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.578896046 CET	61941	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.589056015 CET	53	61941	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.589945078 CET	63621	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.620527029 CET	53	63621	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.621670961 CET	53708	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.631051064 CET	53	53708	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.632011890 CET	50605	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.641870022 CET	53	50605	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.642693043 CET	60043	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.651527882 CET	53	60043	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.652379990 CET	56478	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.682735920 CET	53	56478	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.683720112 CET	58807	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.693615913 CET	53	58807	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.694444895 CET	54007	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.704818010 CET	53	54007	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.705770969 CET	50036	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.716201067 CET	53	50036	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.717062950 CET	58147	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.747765064 CET	53	58147	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.748706102 CET	51896	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.757320881 CET	53	51896	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.758102894 CET	61028	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.767785072 CET	53	61028	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.768728018 CET	59646	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.799928904 CET	53	59646	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.804270983 CET	52970	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.836016893 CET	53	52970	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.837321043 CET	50615	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:54.992535114 CET	53	50615	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:54.993985891 CET	64894	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:55.153609037 CET	53	64894	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:55.154918909 CET	58968	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:55.319940090 CET	53	58968	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:55.321350098 CET	62458	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:55.332336903 CET	53	62458	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:55.333986998 CET	51528	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:55.344366074 CET	53	51528	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:55.346457958 CET	62623	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:55.355496883 CET	53	62623	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:55.359122992 CET	64238	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:55.371771097 CET	53	64238	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:55.373655081 CET	53446	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:55.384849072 CET	53	53446	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:55.387341022 CET	53192	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:55.418772936 CET	53	53192	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:55.420034885 CET	59134	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:55.431277037 CET	53	59134	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:55.432142973 CET	57134	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:55.442898035 CET	53	57134	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:55.443687916 CET	64524	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:55.475121021 CET	53	64524	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:55.546812057 CET	58337	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:55.557490110 CET	53	58337	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:55.585772038 CET	52634	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:55.747946024 CET	53	52634	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:55.750294924 CET	65358	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:55.760869980 CET	53	65358	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:55.785615921 CET	54835	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:55.817337990 CET	53	54835	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:55.818387032 CET	64666	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:55.849544048 CET	53	64666	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:55.850938082 CET	49774	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:55.883177996 CET	53	49774	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:55.896555901 CET	61187	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:55.906459093 CET	53	61187	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:55.964102030 CET	57620	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:55.974591970 CET	53	57620	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:56.951224089 CET	61873	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:56.962620974 CET	53	61873	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:56.963712931 CET	63994	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:56.973557949 CET	53	63994	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:56.974694967 CET	60391	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:57.005446911 CET	53	60391	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:57.006593943 CET	62249	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:57.037748098 CET	53	62249	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:57.038774967 CET	62085	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:57.046241045 CET	53	62085	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:57.047352076 CET	49383	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:57.056766033 CET	53	49383	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:57.057924032 CET	60164	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:57.070390940 CET	53	60164	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:57.071338892 CET	52123	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:57.081290007 CET	53	52123	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:57.082165003 CET	52928	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:57.112679005 CET	53	52928	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:57.113692999 CET	50868	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:57.124527931 CET	53	50868	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:57.125581980 CET	51689	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:57.135782003 CET	53	51689	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:57.136789083 CET	59483	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:57.146398067 CET	53	59483	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:57.147516012 CET	55282	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:57.156322956 CET	53	55282	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:57.157594919 CET	49153	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:57.188083887 CET	53	49153	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:57.189343929 CET	53749	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:57.200373888 CET	53	53749	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:57.201664925 CET	56651	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:57.234903097 CET	53	56651	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:57.236599922 CET	61501	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:57.246505022 CET	53	61501	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:57.247637033 CET	63338	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:57.278357029 CET	53	63338	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:57.279530048 CET	53040	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:57.289549112 CET	53	53040	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:57.290775061 CET	60208	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:57.300874949 CET	53	60208	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:57.301728010 CET	58263	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:57.313107014 CET	53	58263	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:57.314146042 CET	61192	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:57.345876932 CET	53	61192	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:57.347165108 CET	61812	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:57.378034115 CET	53	61812	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:57.379468918 CET	55083	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:57.389429092 CET	53	55083	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:57.390512943 CET	62153	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:57.400311947 CET	53	62153	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:58.130558014 CET	64867	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:58.141201973 CET	53	64867	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:58.143529892 CET	54569	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:58.153939009 CET	53	54569	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:58.157295942 CET	63888	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:58.167741060 CET	53	63888	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:58.168908119 CET	65071	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:58.200536966 CET	53	65071	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:58.202125072 CET	52655	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:58.234112978 CET	53	52655	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:58.321392059 CET	58271	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:58.353286028 CET	53	58271	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:58.359458923 CET	59172	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:58.370134115 CET	53	59172	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:58.380561113 CET	61988	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:58.389839888 CET	53	61988	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:58.398721933 CET	60946	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:58.408576965 CET	53	60946	1.1.1.1	192.168.2.9
Nov 7, 2024 15:58:58.425286055 CET	63417	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:58:58.434410095 CET	53	63417	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.330938101 CET	59606	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.340523958 CET	53	59606	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.341622114 CET	62957	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.500596046 CET	53	62957	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.502007961 CET	60431	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.511951923 CET	53	60431	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.513030052 CET	63541	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.522382021 CET	53	63541	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.523232937 CET	54466	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.533380032 CET	53	54466	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.534229040 CET	49248	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.543395042 CET	53	49248	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.544306040 CET	53753	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.575280905 CET	53	53753	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.576685905 CET	64585	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.607449055 CET	53	64585	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.608597994 CET	64140	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.619586945 CET	53	64140	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.620630026 CET	64156	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.651591063 CET	53	64156	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.657850981 CET	60014	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.668056965 CET	53	60014	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.669614077 CET	51178	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.700190067 CET	53	51178	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.701705933 CET	52980	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.711734056 CET	53	52980	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.712881088 CET	49512	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.722413063 CET	53	49512	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.723556042 CET	64784	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.754519939 CET	53	64784	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.755711079 CET	60975	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.787585974 CET	53	60975	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.788908958 CET	58109	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.821237087 CET	53	58109	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.824220896 CET	58508	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.835069895 CET	53	58508	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.836287022 CET	54931	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.846223116 CET	53	54931	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.847395897 CET	64534	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.877871990 CET	53	64534	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.879223108 CET	58216	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.888524055 CET	53	58216	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.889401913 CET	64704	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.920627117 CET	53	64704	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.921751976 CET	51148	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.929564953 CET	53	51148	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.930828094 CET	50099	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.945509911 CET	53	50099	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.947680950 CET	61557	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.979068041 CET	53	61557	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.980218887 CET	64802	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:00.989732981 CET	53	64802	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:00.990885019 CET	55137	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:01.001533031 CET	53	55137	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:01.003741980 CET	62599	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:01.014039040 CET	53	62599	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:01.090996027 CET	56945	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:01.124279976 CET	53	56945	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:01.130130053 CET	54530	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:01.140851974 CET	53	54530	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:01.160547972 CET	61645	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:01.169717073 CET	53	61645	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:01.224613905 CET	49281	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:01.234029055 CET	53	49281	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:01.274504900 CET	59163	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:01.305982113 CET	53	59163	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:01.362900019 CET	56805	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:01.370528936 CET	53	56805	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:01.412703991 CET	62137	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:01.444545031 CET	53	62137	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:01.458306074 CET	54068	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:01.468563080 CET	53	54068	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:01.475013971 CET	52995	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:01.485245943 CET	53	52995	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:01.489016056 CET	50025	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:01.498467922 CET	53	50025	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:01.507599115 CET	63621	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:01.518321037 CET	53	63621	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:01.519290924 CET	57565	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:01.530169964 CET	53	57565	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:01.531088114 CET	57954	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:01.690749884 CET	53	57954	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:01.691832066 CET	53454	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:01.702954054 CET	53	53454	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:01.705471992 CET	55333	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:01.715750933 CET	53	55333	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:01.716876030 CET	54141	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:01.726914883 CET	53	54141	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:01.727873087 CET	52700	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:01.737627029 CET	53	52700	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:02.616715908 CET	52451	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:02.647207022 CET	53	52451	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:02.649768114 CET	50443	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:02.680866003 CET	53	50443	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:02.683779955 CET	64395	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:02.693676949 CET	53	64395	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:02.696361065 CET	61940	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:02.869539022 CET	53	61940	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:02.870845079 CET	61477	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:02.881278992 CET	53	61477	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:02.882611990 CET	60225	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:02.913286924 CET	53	60225	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:02.914560080 CET	54539	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:02.924952030 CET	53	54539	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:02.926073074 CET	63034	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:02.958614111 CET	53	63034	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:02.959867954 CET	60361	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:02.970290899 CET	53	60361	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:02.971235037 CET	61485	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:03.001101017 CET	53	61485	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:03.002213955 CET	63609	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:03.033148050 CET	53	63609	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:03.034393072 CET	63341	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:03.044066906 CET	53	63341	1.1.1.1	192.168.2.9
Nov 7, 2024 15:59:03.045125008 CET	56921	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:59:03.056164980 CET	53	56921	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 7, 2024 15:57:30.244040012 CET	192.168.2.9	1.1.1.1	0x9565	Standard query (0)	leadernothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.276674986 CET	192.168.2.9	1.1.1.1	0x9c1e	Standard query (0)	heavennothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.288250923 CET	192.168.2.9	1.1.1.1	0x8e28	Standard query (0)	leaderbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.299901962 CET	192.168.2.9	1.1.1.1	0x4db1	Standard query (0)	heavenbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.325233936 CET	192.168.2.9	1.1.1.1	0x78fd	Standard query (0)	leaderdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.354170084 CET	192.168.2.9	1.1.1.1	0xf095	Standard query (0)	heavendivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.395076990 CET	192.168.2.9	1.1.1.1	0xed7	Standard query (0)	heavystream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.552098989 CET	192.168.2.9	1.1.1.1	0xc871	Standard query (0)	gentlestream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.682738066 CET	192.168.2.9	1.1.1.1	0x50a5	Standard query (0)	heavynothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.722882986 CET	192.168.2.9	1.1.1.1	0x12bf	Standard query (0)	gentlenothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.732944012 CET	192.168.2.9	1.1.1.1	0xdcaf	Standard query (0)	heavybottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.742794991 CET	192.168.2.9	1.1.1.1	0x990a	Standard query (0)	gentlebottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.775918007 CET	192.168.2.9	1.1.1.1	0x4ce5	Standard query (0)	heavydivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.808661938 CET	192.168.2.9	1.1.1.1	0xd39	Standard query (0)	gentledivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.849939108 CET	192.168.2.9	1.1.1.1	0xd7d7	Standard query (0)	variousstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:31.982861996 CET	192.168.2.9	1.1.1.1	0x3269	Standard query (0)	returnstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:31.994452000 CET	192.168.2.9	1.1.1.1	0xaabf	Standard query (0)	variousnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:32.005543947 CET	192.168.2.9	1.1.1.1	0x1a7f	Standard query (0)	returnnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:32.015604019 CET	192.168.2.9	1.1.1.1	0xc492	Standard query (0)	variousbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:32.026681900 CET	192.168.2.9	1.1.1.1	0x846b	Standard query (0)	returnbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.090169907 CET	192.168.2.9	1.1.1.1	0x4ea6	Standard query (0)	variousdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.100845098 CET	192.168.2.9	1.1.1.1	0xeeaa	Standard query (0)	returndivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.111627102 CET	192.168.2.9	1.1.1.1	0x937e	Standard query (0)	degreemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.144304991 CET	192.168.2.9	1.1.1.1	0x9b74	Standard query (0)	forwardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.154869080 CET	192.168.2.9	1.1.1.1	0xe6e4	Standard query (0)	degreeanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.194526911 CET	192.168.2.9	1.1.1.1	0x2238	Standard query (0)	forwardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.228689909 CET	192.168.2.9	1.1.1.1	0x3222	Standard query (0)	degreebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.388556004 CET	192.168.2.9	1.1.1.1	0x678b	Standard query (0)	forwardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.400070906 CET	192.168.2.9	1.1.1.1	0x9333	Standard query (0)	degreeappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.413342953 CET	192.168.2.9	1.1.1.1	0x9276	Standard query (0)	forwardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.421587944 CET	192.168.2.9	1.1.1.1	0x1ab1	Standard query (0)	answermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.453635931 CET	192.168.2.9	1.1.1.1	0x5bca	Standard query (0)	glassmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.467195988 CET	192.168.2.9	1.1.1.1	0x80fb	Standard query (0)	answeranother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.498783112 CET	192.168.2.9	1.1.1.1	0x2c2d	Standard query (0)	glassanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.530100107 CET	192.168.2.9	1.1.1.1	0x265	Standard query (0)	answerbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.541076899 CET	192.168.2.9	1.1.1.1	0x2b7d	Standard query (0)	glassbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.573242903 CET	192.168.2.9	1.1.1.1	0x2fc4	Standard query (0)	answerappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.584602118 CET	192.168.2.9	1.1.1.1	0xa24a	Standard query (0)	glassappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.596453905 CET	192.168.2.9	1.1.1.1	0xab57	Standard query (0)	difficultmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.608810902 CET	192.168.2.9	1.1.1.1	0x1d99	Standard query (0)	heardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.640959978 CET	192.168.2.9	1.1.1.1	0x807a	Standard query (0)	difficultanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.651917934 CET	192.168.2.9	1.1.1.1	0x4325	Standard query (0)	heardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.663865089 CET	192.168.2.9	1.1.1.1	0xea4	Standard query (0)	difficultbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.701572895 CET	192.168.2.9	1.1.1.1	0x963	Standard query (0)	heardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.713630915 CET	192.168.2.9	1.1.1.1	0xae45	Standard query (0)	difficultappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.725060940 CET	192.168.2.9	1.1.1.1	0xfd01	Standard query (0)	heardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.757380962 CET	192.168.2.9	1.1.1.1	0xd3f3	Standard query (0)	pleasantmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.790909052 CET	192.168.2.9	1.1.1.1	0xaafa	Standard query (0)	necessarymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.823138952 CET	192.168.2.9	1.1.1.1	0x76e3	Standard query (0)	pleasantanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.835999012 CET	192.168.2.9	1.1.1.1	0x65d2	Standard query (0)	necessaryanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.847266912 CET	192.168.2.9	1.1.1.1	0x63ec	Standard query (0)	pleasantbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.858392954 CET	192.168.2.9	1.1.1.1	0x2896	Standard query (0)	necessarybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.869191885 CET	192.168.2.9	1.1.1.1	0xb64b	Standard query (0)	pleasantappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.879568100 CET	192.168.2.9	1.1.1.1	0xac9b	Standard query (0)	necessaryappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.890428066 CET	192.168.2.9	1.1.1.1	0xb950	Standard query (0)	ordermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.900582075 CET	192.168.2.9	1.1.1.1	0xd832	Standard query (0)	requiremanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.911936045 CET	192.168.2.9	1.1.1.1	0x3857	Standard query (0)	orderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.944397926 CET	192.168.2.9	1.1.1.1	0x7d29	Standard query (0)	requireanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.977212906 CET	192.168.2.9	1.1.1.1	0x35ff	Standard query (0)	orderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.604418039 CET	192.168.2.9	1.1.1.1	0xf9ca	Standard query (0)	requirebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.615139008 CET	192.168.2.9	1.1.1.1	0x1cb2	Standard query (0)	orderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.627172947 CET	192.168.2.9	1.1.1.1	0x2257	Standard query (0)	requireappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.661401033 CET	192.168.2.9	1.1.1.1	0x4436	Standard query (0)	leadermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.694494009 CET	192.168.2.9	1.1.1.1	0xfd3d	Standard query (0)	heavenmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.727085114 CET	192.168.2.9	1.1.1.1	0x57aa	Standard query (0)	leaderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.739072084 CET	192.168.2.9	1.1.1.1	0xdaff	Standard query (0)	heavenanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.749900103 CET	192.168.2.9	1.1.1.1	0x2e68	Standard query (0)	leaderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.769918919 CET	192.168.2.9	1.1.1.1	0x434b	Standard query (0)	heavenbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.785932064 CET	192.168.2.9	1.1.1.1	0x3e87	Standard query (0)	leaderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.819246054 CET	192.168.2.9	1.1.1.1	0x7450	Standard query (0)	heavenappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.831063032 CET	192.168.2.9	1.1.1.1	0x8e4b	Standard query (0)	heavymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.841058016 CET	192.168.2.9	1.1.1.1	0xd213	Standard query (0)	gentlemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.852336884 CET	192.168.2.9	1.1.1.1	0xc259	Standard query (0)	heavyanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.861004114 CET	192.168.2.9	1.1.1.1	0xdf0f	Standard query (0)	gentleanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.036158085 CET	192.168.2.9	1.1.1.1	0x57d6	Standard query (0)	heavybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.046335936 CET	192.168.2.9	1.1.1.1	0x6a47	Standard query (0)	gentlebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.058281898 CET	192.168.2.9	1.1.1.1	0x1b67	Standard query (0)	heavyappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.090293884 CET	192.168.2.9	1.1.1.1	0xd681	Standard query (0)	gentleappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.101511955 CET	192.168.2.9	1.1.1.1	0x14bd	Standard query (0)	variousmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.112478018 CET	192.168.2.9	1.1.1.1	0x7011	Standard query (0)	returnmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.123298883 CET	192.168.2.9	1.1.1.1	0xa169	Standard query (0)	variousanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.133793116 CET	192.168.2.9	1.1.1.1	0x9782	Standard query (0)	returnanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.145104885 CET	192.168.2.9	1.1.1.1	0xebf3	Standard query (0)	variousbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.306514978 CET	192.168.2.9	1.1.1.1	0x3a1e	Standard query (0)	returnbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.314883947 CET	192.168.2.9	1.1.1.1	0x267c	Standard query (0)	variousappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.325417042 CET	192.168.2.9	1.1.1.1	0x3aea	Standard query (0)	returnappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.488643885 CET	192.168.2.9	1.1.1.1	0xc68b	Standard query (0)	degreeinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.520211935 CET	192.168.2.9	1.1.1.1	0x1200	Standard query (0)	forwardinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.552306890 CET	192.168.2.9	1.1.1.1	0x21d3	Standard query (0)	degreeexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.564328909 CET	192.168.2.9	1.1.1.1	0x52c0	Standard query (0)	forwardexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.596803904 CET	192.168.2.9	1.1.1.1	0x5525	Standard query (0)	degreebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.608436108 CET	192.168.2.9	1.1.1.1	0xd299	Standard query (0)	forwardbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.767005920 CET	192.168.2.9	1.1.1.1	0xd3d3	Standard query (0)	degreeinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.777790070 CET	192.168.2.9	1.1.1.1	0x6939	Standard query (0)	forwardinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.788017988 CET	192.168.2.9	1.1.1.1	0xdcf9	Standard query (0)	answerinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.798930883 CET	192.168.2.9	1.1.1.1	0xd9e6	Standard query (0)	glassinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.959028006 CET	192.168.2.9	1.1.1.1	0x85df	Standard query (0)	answerexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.969615936 CET	192.168.2.9	1.1.1.1	0x719a	Standard query (0)	glassexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.980431080 CET	192.168.2.9	1.1.1.1	0x7854	Standard query (0)	answerbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:38.154622078 CET	192.168.2.9	1.1.1.1	0x43b0	Standard query (0)	glassbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:39.141957998 CET	192.168.2.9	1.1.1.1	0x3400	Standard query (0)	answerinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:39.174424887 CET	192.168.2.9	1.1.1.1	0x7afd	Standard query (0)	glassinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:39.185641050 CET	192.168.2.9	1.1.1.1	0x25ca	Standard query (0)	difficultinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:39.350794077 CET	192.168.2.9	1.1.1.1	0xfd2a	Standard query (0)	heardinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:39.361733913 CET	192.168.2.9	1.1.1.1	0xb24e	Standard query (0)	difficultexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:39.370650053 CET	192.168.2.9	1.1.1.1	0xa065	Standard query (0)	heardexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:39.382014036 CET	192.168.2.9	1.1.1.1	0x59f3	Standard query (0)	difficultbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:39.414774895 CET	192.168.2.9	1.1.1.1	0xb63	Standard query (0)	heardbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:39.424819946 CET	192.168.2.9	1.1.1.1	0x3098	Standard query (0)	difficultinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:39.458242893 CET	192.168.2.9	1.1.1.1	0x1db1	Standard query (0)	heardinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:39.625037909 CET	192.168.2.9	1.1.1.1	0xe618	Standard query (0)	pleasantinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.595119953 CET	192.168.2.9	1.1.1.1	0x6ee4	Standard query (0)	necessaryinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.606576920 CET	192.168.2.9	1.1.1.1	0x6c47	Standard query (0)	pleasantexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.638817072 CET	192.168.2.9	1.1.1.1	0xaca6	Standard query (0)	necessaryexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.649224997 CET	192.168.2.9	1.1.1.1	0x1590	Standard query (0)	pleasantbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.660347939 CET	192.168.2.9	1.1.1.1	0xc01f	Standard query (0)	necessarybright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.692895889 CET	192.168.2.9	1.1.1.1	0x4d4d	Standard query (0)	pleasantinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.703934908 CET	192.168.2.9	1.1.1.1	0x643c	Standard query (0)	necessaryinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.737850904 CET	192.168.2.9	1.1.1.1	0xe231	Standard query (0)	orderinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.747808933 CET	192.168.2.9	1.1.1.1	0x4424	Standard query (0)	requireinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.757848978 CET	192.168.2.9	1.1.1.1	0xad4c	Standard query (0)	orderexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.769046068 CET	192.168.2.9	1.1.1.1	0x6799	Standard query (0)	requireexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.801119089 CET	192.168.2.9	1.1.1.1	0xee1c	Standard query (0)	orderbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.809900045 CET	192.168.2.9	1.1.1.1	0x1cd	Standard query (0)	requirebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.842756033 CET	192.168.2.9	1.1.1.1	0x978c	Standard query (0)	orderinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.929302931 CET	192.168.2.9	1.1.1.1	0x154b	Standard query (0)	requireinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.940826893 CET	192.168.2.9	1.1.1.1	0x469e	Standard query (0)	leaderinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.957556009 CET	192.168.2.9	1.1.1.1	0xedc5	Standard query (0)	heaveninstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.988653898 CET	192.168.2.9	1.1.1.1	0x873e	Standard query (0)	leaderexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.007217884 CET	192.168.2.9	1.1.1.1	0x8b63	Standard query (0)	heavenexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.032972097 CET	192.168.2.9	1.1.1.1	0xa550	Standard query (0)	leaderbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.218456030 CET	192.168.2.9	1.1.1.1	0xd43	Standard query (0)	heavenbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.234158039 CET	192.168.2.9	1.1.1.1	0x8836	Standard query (0)	leaderinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.258193970 CET	192.168.2.9	1.1.1.1	0x2c	Standard query (0)	heaveninside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.273962975 CET	192.168.2.9	1.1.1.1	0x5c80	Standard query (0)	heavyinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.553569078 CET	192.168.2.9	1.1.1.1	0x415f	Standard query (0)	gentleinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.565409899 CET	192.168.2.9	1.1.1.1	0xb495	Standard query (0)	heavyexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.598507881 CET	192.168.2.9	1.1.1.1	0x5728	Standard query (0)	gentleexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.610538006 CET	192.168.2.9	1.1.1.1	0xa1f7	Standard query (0)	heavybright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.643589973 CET	192.168.2.9	1.1.1.1	0x6f83	Standard query (0)	gentlebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.656706095 CET	192.168.2.9	1.1.1.1	0xad79	Standard query (0)	heavyinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.668150902 CET	192.168.2.9	1.1.1.1	0x217d	Standard query (0)	gentleinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.700270891 CET	192.168.2.9	1.1.1.1	0xc59a	Standard query (0)	variousinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.712655067 CET	192.168.2.9	1.1.1.1	0x67f7	Standard query (0)	returninstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.724170923 CET	192.168.2.9	1.1.1.1	0xbd04	Standard query (0)	variousexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.759916067 CET	192.168.2.9	1.1.1.1	0x4eef	Standard query (0)	returnexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.771562099 CET	192.168.2.9	1.1.1.1	0xb2f5	Standard query (0)	variousbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.782671928 CET	192.168.2.9	1.1.1.1	0xba1b	Standard query (0)	returnbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.794995070 CET	192.168.2.9	1.1.1.1	0x5974	Standard query (0)	variousinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.806651115 CET	192.168.2.9	1.1.1.1	0xa6b9	Standard query (0)	returninside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.817698002 CET	192.168.2.9	1.1.1.1	0xb2a	Standard query (0)	degreeready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.978657007 CET	192.168.2.9	1.1.1.1	0x73cf	Standard query (0)	forwardready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.989650965 CET	192.168.2.9	1.1.1.1	0x812e	Standard query (0)	degreebrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:43.000653982 CET	192.168.2.9	1.1.1.1	0xf6b5	Standard query (0)	forwardbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:43.162599087 CET	192.168.2.9	1.1.1.1	0x8f12	Standard query (0)	degreepeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:43.194602966 CET	192.168.2.9	1.1.1.1	0xc2ce	Standard query (0)	forwardpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:43.205579042 CET	192.168.2.9	1.1.1.1	0x65db	Standard query (0)	degreedaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.188905954 CET	192.168.2.9	1.1.1.1	0x9d73	Standard query (0)	forwarddaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.200404882 CET	192.168.2.9	1.1.1.1	0x3c36	Standard query (0)	answerready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.238182068 CET	192.168.2.9	1.1.1.1	0xe522	Standard query (0)	glassready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.250797987 CET	192.168.2.9	1.1.1.1	0xb1fb	Standard query (0)	answerbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.272665024 CET	192.168.2.9	1.1.1.1	0xab27	Standard query (0)	glassbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.305289030 CET	192.168.2.9	1.1.1.1	0xde0b	Standard query (0)	answerpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.316162109 CET	192.168.2.9	1.1.1.1	0x1025	Standard query (0)	glasspeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.329736948 CET	192.168.2.9	1.1.1.1	0xe4bf	Standard query (0)	answerdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.362227917 CET	192.168.2.9	1.1.1.1	0x8adf	Standard query (0)	glassdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.372775078 CET	192.168.2.9	1.1.1.1	0xa161	Standard query (0)	difficultready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.389210939 CET	192.168.2.9	1.1.1.1	0x5030	Standard query (0)	heardready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.400823116 CET	192.168.2.9	1.1.1.1	0x7b17	Standard query (0)	difficultbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.432590008 CET	192.168.2.9	1.1.1.1	0x1cc6	Standard query (0)	heardbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.156850100 CET	192.168.2.9	1.1.1.1	0xb736	Standard query (0)	leadernothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.190402031 CET	192.168.2.9	1.1.1.1	0x5a9f	Standard query (0)	heavennothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.201041937 CET	192.168.2.9	1.1.1.1	0x3d83	Standard query (0)	leaderbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.212198019 CET	192.168.2.9	1.1.1.1	0xfab9	Standard query (0)	heavenbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.222040892 CET	192.168.2.9	1.1.1.1	0x7e64	Standard query (0)	leaderdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.233560085 CET	192.168.2.9	1.1.1.1	0x6c7c	Standard query (0)	heavendivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.247876883 CET	192.168.2.9	1.1.1.1	0x3d2c	Standard query (0)	heavystream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.259172916 CET	192.168.2.9	1.1.1.1	0x793e	Standard query (0)	gentlestream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.268714905 CET	192.168.2.9	1.1.1.1	0x244	Standard query (0)	heavynothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.281675100 CET	192.168.2.9	1.1.1.1	0xd62	Standard query (0)	gentlenothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.292701960 CET	192.168.2.9	1.1.1.1	0x42df	Standard query (0)	heavybottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.326268911 CET	192.168.2.9	1.1.1.1	0x3eff	Standard query (0)	gentlebottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.359528065 CET	192.168.2.9	1.1.1.1	0x75ec	Standard query (0)	heavydivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.372350931 CET	192.168.2.9	1.1.1.1	0x314e	Standard query (0)	gentledivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:52.133277893 CET	192.168.2.9	1.1.1.1	0xb968	Standard query (0)	returnstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:52.165164948 CET	192.168.2.9	1.1.1.1	0x3025	Standard query (0)	variousnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:52.177259922 CET	192.168.2.9	1.1.1.1	0xc13c	Standard query (0)	returnnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:52.210144997 CET	192.168.2.9	1.1.1.1	0x3fff	Standard query (0)	variousbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.080617905 CET	192.168.2.9	1.1.1.1	0x5d22	Standard query (0)	variousdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.091207027 CET	192.168.2.9	1.1.1.1	0x4e13	Standard query (0)	returndivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.101847887 CET	192.168.2.9	1.1.1.1	0xcc1d	Standard query (0)	degreemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.111756086 CET	192.168.2.9	1.1.1.1	0x5c7f	Standard query (0)	forwardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.122225046 CET	192.168.2.9	1.1.1.1	0x3f2c	Standard query (0)	degreeanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.156630993 CET	192.168.2.9	1.1.1.1	0xff91	Standard query (0)	forwardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.168617010 CET	192.168.2.9	1.1.1.1	0x6c5	Standard query (0)	degreebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.179636955 CET	192.168.2.9	1.1.1.1	0x561f	Standard query (0)	forwardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.190414906 CET	192.168.2.9	1.1.1.1	0xd1c1	Standard query (0)	degreeappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.222552061 CET	192.168.2.9	1.1.1.1	0x3cff	Standard query (0)	forwardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.255283117 CET	192.168.2.9	1.1.1.1	0x7c83	Standard query (0)	answermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.287621021 CET	192.168.2.9	1.1.1.1	0x5d8d	Standard query (0)	glassmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.299340963 CET	192.168.2.9	1.1.1.1	0x77c7	Standard query (0)	answeranother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.309542894 CET	192.168.2.9	1.1.1.1	0xbc4a	Standard query (0)	glassanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.320501089 CET	192.168.2.9	1.1.1.1	0x69ab	Standard query (0)	answerbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.352641106 CET	192.168.2.9	1.1.1.1	0x879b	Standard query (0)	glassbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.362736940 CET	192.168.2.9	1.1.1.1	0x67f1	Standard query (0)	answerappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.536259890 CET	192.168.2.9	1.1.1.1	0x7edf	Standard query (0)	glassappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.546092033 CET	192.168.2.9	1.1.1.1	0x1deb	Standard query (0)	difficultmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.578896046 CET	192.168.2.9	1.1.1.1	0xf9ba	Standard query (0)	heardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.589945078 CET	192.168.2.9	1.1.1.1	0xe358	Standard query (0)	difficultanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.621670961 CET	192.168.2.9	1.1.1.1	0x3f04	Standard query (0)	heardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.632011890 CET	192.168.2.9	1.1.1.1	0xa42a	Standard query (0)	difficultbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.642693043 CET	192.168.2.9	1.1.1.1	0x138c	Standard query (0)	heardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.652379990 CET	192.168.2.9	1.1.1.1	0xdb26	Standard query (0)	difficultappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.683720112 CET	192.168.2.9	1.1.1.1	0x1055	Standard query (0)	heardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.694444895 CET	192.168.2.9	1.1.1.1	0x43ae	Standard query (0)	pleasantmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.705770969 CET	192.168.2.9	1.1.1.1	0xee03	Standard query (0)	necessarymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.717062950 CET	192.168.2.9	1.1.1.1	0xdd72	Standard query (0)	pleasantanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.748706102 CET	192.168.2.9	1.1.1.1	0x525e	Standard query (0)	necessaryanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.758102894 CET	192.168.2.9	1.1.1.1	0xcb	Standard query (0)	pleasantbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.768728018 CET	192.168.2.9	1.1.1.1	0x90a9	Standard query (0)	necessarybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.804270983 CET	192.168.2.9	1.1.1.1	0x2fe0	Standard query (0)	pleasantappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.837321043 CET	192.168.2.9	1.1.1.1	0x46ad	Standard query (0)	necessaryappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.993985891 CET	192.168.2.9	1.1.1.1	0x8a36	Standard query (0)	ordermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.154918909 CET	192.168.2.9	1.1.1.1	0xfba1	Standard query (0)	requiremanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.321350098 CET	192.168.2.9	1.1.1.1	0xe4c7	Standard query (0)	orderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.333986998 CET	192.168.2.9	1.1.1.1	0x8d51	Standard query (0)	requireanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.346457958 CET	192.168.2.9	1.1.1.1	0xa229	Standard query (0)	orderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.359122992 CET	192.168.2.9	1.1.1.1	0x98ef	Standard query (0)	requirebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.373655081 CET	192.168.2.9	1.1.1.1	0x4148	Standard query (0)	orderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.387341022 CET	192.168.2.9	1.1.1.1	0x6987	Standard query (0)	requireappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.420034885 CET	192.168.2.9	1.1.1.1	0x7948	Standard query (0)	leadermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.432142973 CET	192.168.2.9	1.1.1.1	0x2ac3	Standard query (0)	heavenmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.443687916 CET	192.168.2.9	1.1.1.1	0xa54e	Standard query (0)	leaderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.546812057 CET	192.168.2.9	1.1.1.1	0x3052	Standard query (0)	heavenanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.585772038 CET	192.168.2.9	1.1.1.1	0xbb50	Standard query (0)	leaderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.750294924 CET	192.168.2.9	1.1.1.1	0xd6d7	Standard query (0)	heavenbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.785615921 CET	192.168.2.9	1.1.1.1	0x9e63	Standard query (0)	leaderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.818387032 CET	192.168.2.9	1.1.1.1	0x1000	Standard query (0)	heavenappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.850938082 CET	192.168.2.9	1.1.1.1	0xc9d5	Standard query (0)	heavymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.896555901 CET	192.168.2.9	1.1.1.1	0xbfde	Standard query (0)	gentlemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.964102030 CET	192.168.2.9	1.1.1.1	0xffed	Standard query (0)	heavyanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:56.951224089 CET	192.168.2.9	1.1.1.1	0x880a	Standard query (0)	heavybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:56.963712931 CET	192.168.2.9	1.1.1.1	0xbd78	Standard query (0)	gentlebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:56.974694967 CET	192.168.2.9	1.1.1.1	0x9e49	Standard query (0)	heavyappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.006593943 CET	192.168.2.9	1.1.1.1	0xa468	Standard query (0)	gentleappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.038774967 CET	192.168.2.9	1.1.1.1	0xa40b	Standard query (0)	variousmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.047352076 CET	192.168.2.9	1.1.1.1	0xa4b6	Standard query (0)	returnmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.057924032 CET	192.168.2.9	1.1.1.1	0x3480	Standard query (0)	variousanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.071338892 CET	192.168.2.9	1.1.1.1	0x3062	Standard query (0)	returnanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.082165003 CET	192.168.2.9	1.1.1.1	0xb88a	Standard query (0)	variousbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.113692999 CET	192.168.2.9	1.1.1.1	0x11cf	Standard query (0)	returnbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.125581980 CET	192.168.2.9	1.1.1.1	0x56b9	Standard query (0)	variousappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.136789083 CET	192.168.2.9	1.1.1.1	0x5202	Standard query (0)	returnappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.147516012 CET	192.168.2.9	1.1.1.1	0xdce8	Standard query (0)	degreeinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.157594919 CET	192.168.2.9	1.1.1.1	0x539a	Standard query (0)	forwardinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.189343929 CET	192.168.2.9	1.1.1.1	0x6527	Standard query (0)	degreeexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.201664925 CET	192.168.2.9	1.1.1.1	0xa437	Standard query (0)	forwardexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.236599922 CET	192.168.2.9	1.1.1.1	0xd7bc	Standard query (0)	degreebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.247637033 CET	192.168.2.9	1.1.1.1	0xf664	Standard query (0)	forwardbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.279530048 CET	192.168.2.9	1.1.1.1	0xaa3	Standard query (0)	degreeinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.290775061 CET	192.168.2.9	1.1.1.1	0x767c	Standard query (0)	forwardinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.301728010 CET	192.168.2.9	1.1.1.1	0x5181	Standard query (0)	answerinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.314146042 CET	192.168.2.9	1.1.1.1	0xec02	Standard query (0)	glassinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.347165108 CET	192.168.2.9	1.1.1.1	0x49b6	Standard query (0)	answerexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.379468918 CET	192.168.2.9	1.1.1.1	0xaf6c	Standard query (0)	glassexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.390512943 CET	192.168.2.9	1.1.1.1	0x7886	Standard query (0)	answerbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:58.130558014 CET	192.168.2.9	1.1.1.1	0x6bf2	Standard query (0)	answerinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:58.143529892 CET	192.168.2.9	1.1.1.1	0xf4bc	Standard query (0)	glassinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:58.157295942 CET	192.168.2.9	1.1.1.1	0x1fee	Standard query (0)	difficultinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:58.168908119 CET	192.168.2.9	1.1.1.1	0xc15d	Standard query (0)	heardinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:58.202125072 CET	192.168.2.9	1.1.1.1	0x2a45	Standard query (0)	difficultexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:58.321392059 CET	192.168.2.9	1.1.1.1	0xcffc	Standard query (0)	heardexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:58.359458923 CET	192.168.2.9	1.1.1.1	0xc6ef	Standard query (0)	difficultbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:58.380561113 CET	192.168.2.9	1.1.1.1	0xf930	Standard query (0)	heardbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:58.398721933 CET	192.168.2.9	1.1.1.1	0x701f	Standard query (0)	difficultinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:58.425286055 CET	192.168.2.9	1.1.1.1	0xe08c	Standard query (0)	heardinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.330938101 CET	192.168.2.9	1.1.1.1	0x120a	Standard query (0)	necessaryinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.341622114 CET	192.168.2.9	1.1.1.1	0x7406	Standard query (0)	pleasantexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.502007961 CET	192.168.2.9	1.1.1.1	0x6732	Standard query (0)	necessaryexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.513030052 CET	192.168.2.9	1.1.1.1	0xa441	Standard query (0)	pleasantbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.523232937 CET	192.168.2.9	1.1.1.1	0x74a8	Standard query (0)	necessarybright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.534229040 CET	192.168.2.9	1.1.1.1	0xc549	Standard query (0)	pleasantinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.544306040 CET	192.168.2.9	1.1.1.1	0xe777	Standard query (0)	necessaryinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.576685905 CET	192.168.2.9	1.1.1.1	0x4020	Standard query (0)	orderinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.608597994 CET	192.168.2.9	1.1.1.1	0xf345	Standard query (0)	requireinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.620630026 CET	192.168.2.9	1.1.1.1	0x5e73	Standard query (0)	orderexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.657850981 CET	192.168.2.9	1.1.1.1	0xea43	Standard query (0)	requireexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.669614077 CET	192.168.2.9	1.1.1.1	0xb260	Standard query (0)	orderbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.701705933 CET	192.168.2.9	1.1.1.1	0x18f2	Standard query (0)	requirebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.712881088 CET	192.168.2.9	1.1.1.1	0x7253	Standard query (0)	orderinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.723556042 CET	192.168.2.9	1.1.1.1	0x332e	Standard query (0)	requireinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.755711079 CET	192.168.2.9	1.1.1.1	0x3429	Standard query (0)	leaderinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.788908958 CET	192.168.2.9	1.1.1.1	0xd0b7	Standard query (0)	heaveninstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.824220896 CET	192.168.2.9	1.1.1.1	0xc206	Standard query (0)	leaderexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.836287022 CET	192.168.2.9	1.1.1.1	0x43ed	Standard query (0)	heavenexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.847395897 CET	192.168.2.9	1.1.1.1	0xd2d2	Standard query (0)	leaderbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.879223108 CET	192.168.2.9	1.1.1.1	0x8672	Standard query (0)	heavenbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.889401913 CET	192.168.2.9	1.1.1.1	0x637b	Standard query (0)	leaderinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.921751976 CET	192.168.2.9	1.1.1.1	0xbd4a	Standard query (0)	heaveninside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.930828094 CET	192.168.2.9	1.1.1.1	0xafc3	Standard query (0)	heavyinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.947680950 CET	192.168.2.9	1.1.1.1	0x456a	Standard query (0)	gentleinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.980218887 CET	192.168.2.9	1.1.1.1	0x7d8	Standard query (0)	heavyexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.990885019 CET	192.168.2.9	1.1.1.1	0x9c29	Standard query (0)	gentleexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.003741980 CET	192.168.2.9	1.1.1.1	0x6414	Standard query (0)	heavybright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.090996027 CET	192.168.2.9	1.1.1.1	0x3fe3	Standard query (0)	gentlebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.130130053 CET	192.168.2.9	1.1.1.1	0xfa8b	Standard query (0)	heavyinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.160547972 CET	192.168.2.9	1.1.1.1	0xae54	Standard query (0)	gentleinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.224613905 CET	192.168.2.9	1.1.1.1	0x9f48	Standard query (0)	variousinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.274504900 CET	192.168.2.9	1.1.1.1	0x47	Standard query (0)	returninstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.362900019 CET	192.168.2.9	1.1.1.1	0x2794	Standard query (0)	variousexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.412703991 CET	192.168.2.9	1.1.1.1	0xa24	Standard query (0)	returnexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.458306074 CET	192.168.2.9	1.1.1.1	0xf15a	Standard query (0)	variousbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.475013971 CET	192.168.2.9	1.1.1.1	0xd947	Standard query (0)	returnbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.489016056 CET	192.168.2.9	1.1.1.1	0x9b11	Standard query (0)	variousinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.507599115 CET	192.168.2.9	1.1.1.1	0x69ed	Standard query (0)	returninside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.519290924 CET	192.168.2.9	1.1.1.1	0x23ae	Standard query (0)	degreeready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.531088114 CET	192.168.2.9	1.1.1.1	0x8425	Standard query (0)	forwardready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.691832066 CET	192.168.2.9	1.1.1.1	0x4012	Standard query (0)	degreebrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.705471992 CET	192.168.2.9	1.1.1.1	0x8303	Standard query (0)	forwardbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.716876030 CET	192.168.2.9	1.1.1.1	0x7fc5	Standard query (0)	degreepeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.727873087 CET	192.168.2.9	1.1.1.1	0xd485	Standard query (0)	forwardpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:02.616715908 CET	192.168.2.9	1.1.1.1	0x46bd	Standard query (0)	forwarddaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:02.649768114 CET	192.168.2.9	1.1.1.1	0x6525	Standard query (0)	answerready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:02.683779955 CET	192.168.2.9	1.1.1.1	0xe9ab	Standard query (0)	glassready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:02.696361065 CET	192.168.2.9	1.1.1.1	0xfdc7	Standard query (0)	answerbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:02.870845079 CET	192.168.2.9	1.1.1.1	0x9ca2	Standard query (0)	glassbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:02.882611990 CET	192.168.2.9	1.1.1.1	0xf1ff	Standard query (0)	answerpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:02.914560080 CET	192.168.2.9	1.1.1.1	0xe167	Standard query (0)	glasspeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:02.926073074 CET	192.168.2.9	1.1.1.1	0x16cd	Standard query (0)	answerdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:02.959867954 CET	192.168.2.9	1.1.1.1	0xb742	Standard query (0)	glassdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:02.971235037 CET	192.168.2.9	1.1.1.1	0x76ee	Standard query (0)	difficultready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:03.002213955 CET	192.168.2.9	1.1.1.1	0xfab8	Standard query (0)	heardready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:03.034393072 CET	192.168.2.9	1.1.1.1	0x1784	Standard query (0)	difficultbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:03.045125008 CET	192.168.2.9	1.1.1.1	0x8db0	Standard query (0)	heardbrown.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 7, 2024 15:57:20.027928114 CET	1.1.1.1	192.168.2.9	0xdabd	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 15:57:20.027928114 CET	1.1.1.1	192.168.2.9	0xdabd	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.274842024 CET	1.1.1.1	192.168.2.9	0x9565	Name error (3)	leadernothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.286844015 CET	1.1.1.1	192.168.2.9	0x9c1e	Name error (3)	heavennothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.298887968 CET	1.1.1.1	192.168.2.9	0x8e28	Name error (3)	leaderbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.309011936 CET	1.1.1.1	192.168.2.9	0x4db1	Name error (3)	heavenbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.335666895 CET	1.1.1.1	192.168.2.9	0x78fd	Name error (3)	leaderdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.363230944 CET	1.1.1.1	192.168.2.9	0xf095	Name error (3)	heavendivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.404742002 CET	1.1.1.1	192.168.2.9	0xed7	Name error (3)	heavystream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.561712027 CET	1.1.1.1	192.168.2.9	0xc871	Name error (3)	gentlestream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.715595007 CET	1.1.1.1	192.168.2.9	0x50a5	Name error (3)	heavynothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.732049942 CET	1.1.1.1	192.168.2.9	0x12bf	Name error (3)	gentlenothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.741900921 CET	1.1.1.1	192.168.2.9	0xdcaf	Name error (3)	heavybottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.774981976 CET	1.1.1.1	192.168.2.9	0x990a	Name error (3)	gentlebottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.807801962 CET	1.1.1.1	192.168.2.9	0x4ce5	Name error (3)	heavydivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:30.839858055 CET	1.1.1.1	192.168.2.9	0xd39	Name error (3)	gentledivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:31.275842905 CET	1.1.1.1	192.168.2.9	0xd7d7	No error (0)	variousstream.net	7450.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 15:57:31.275842905 CET	1.1.1.1	192.168.2.9	0xd7d7	No error (0)	7450.bodis.com		199.59.243.227	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:31.993135929 CET	1.1.1.1	192.168.2.9	0x3269	Name error (3)	returnstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:32.004371881 CET	1.1.1.1	192.168.2.9	0xaabf	Name error (3)	variousnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:32.014398098 CET	1.1.1.1	192.168.2.9	0x1a7f	Name error (3)	returnnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:32.025652885 CET	1.1.1.1	192.168.2.9	0xc492	Name error (3)	variousbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:32.217153072 CET	1.1.1.1	192.168.2.9	0x846b	No error (0)	returnbottle.net		18.143.155.63	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.099737883 CET	1.1.1.1	192.168.2.9	0x4ea6	Name error (3)	variousdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.110753059 CET	1.1.1.1	192.168.2.9	0xeeaa	Name error (3)	returndivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.143076897 CET	1.1.1.1	192.168.2.9	0x937e	Name error (3)	degreemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.153857946 CET	1.1.1.1	192.168.2.9	0x9b74	Name error (3)	forwardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.193336010 CET	1.1.1.1	192.168.2.9	0xe6e4	Name error (3)	degreeanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.227626085 CET	1.1.1.1	192.168.2.9	0x2238	Name error (3)	forwardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.387516975 CET	1.1.1.1	192.168.2.9	0x3222	Name error (3)	degreebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.399007082 CET	1.1.1.1	192.168.2.9	0x678b	Name error (3)	forwardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.412420988 CET	1.1.1.1	192.168.2.9	0x9333	Name error (3)	degreeappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.420732975 CET	1.1.1.1	192.168.2.9	0x9276	Name error (3)	forwardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.452629089 CET	1.1.1.1	192.168.2.9	0x1ab1	Name error (3)	answermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.466152906 CET	1.1.1.1	192.168.2.9	0x5bca	Name error (3)	glassmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.497725964 CET	1.1.1.1	192.168.2.9	0x80fb	Name error (3)	answeranother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.529272079 CET	1.1.1.1	192.168.2.9	0x2c2d	Name error (3)	glassanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.540256977 CET	1.1.1.1	192.168.2.9	0x265	Name error (3)	answerbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.572326899 CET	1.1.1.1	192.168.2.9	0x2b7d	Name error (3)	glassbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.583617926 CET	1.1.1.1	192.168.2.9	0x2fc4	Name error (3)	answerappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.595393896 CET	1.1.1.1	192.168.2.9	0xa24a	Name error (3)	glassappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.607800007 CET	1.1.1.1	192.168.2.9	0xab57	Name error (3)	difficultmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.639818907 CET	1.1.1.1	192.168.2.9	0x1d99	Name error (3)	heardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.651052952 CET	1.1.1.1	192.168.2.9	0x807a	Name error (3)	difficultanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.662997961 CET	1.1.1.1	192.168.2.9	0x4325	Name error (3)	heardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.700715065 CET	1.1.1.1	192.168.2.9	0xea4	Name error (3)	difficultbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.712740898 CET	1.1.1.1	192.168.2.9	0x963	Name error (3)	heardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.724217892 CET	1.1.1.1	192.168.2.9	0xae45	Name error (3)	difficultappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.756397963 CET	1.1.1.1	192.168.2.9	0xfd01	Name error (3)	heardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.789913893 CET	1.1.1.1	192.168.2.9	0xd3f3	Name error (3)	pleasantmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.821849108 CET	1.1.1.1	192.168.2.9	0xaafa	Name error (3)	necessarymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.834417105 CET	1.1.1.1	192.168.2.9	0x76e3	Name error (3)	pleasantanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.846170902 CET	1.1.1.1	192.168.2.9	0x65d2	Name error (3)	necessaryanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.857301950 CET	1.1.1.1	192.168.2.9	0x63ec	Name error (3)	pleasantbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.868060112 CET	1.1.1.1	192.168.2.9	0x2896	Name error (3)	necessarybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.878563881 CET	1.1.1.1	192.168.2.9	0xb64b	Name error (3)	pleasantappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.889601946 CET	1.1.1.1	192.168.2.9	0xac9b	Name error (3)	necessaryappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.899683952 CET	1.1.1.1	192.168.2.9	0xb950	Name error (3)	ordermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.910871029 CET	1.1.1.1	192.168.2.9	0xd832	Name error (3)	requiremanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.943383932 CET	1.1.1.1	192.168.2.9	0x3857	Name error (3)	orderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:34.976104975 CET	1.1.1.1	192.168.2.9	0x7d29	Name error (3)	requireanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.614058018 CET	1.1.1.1	192.168.2.9	0xf9ca	Name error (3)	requirebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.626192093 CET	1.1.1.1	192.168.2.9	0x1cb2	Name error (3)	orderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.657121897 CET	1.1.1.1	192.168.2.9	0x2257	Name error (3)	requireappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.693082094 CET	1.1.1.1	192.168.2.9	0x4436	Name error (3)	leadermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.726061106 CET	1.1.1.1	192.168.2.9	0xfd3d	Name error (3)	heavenmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.738173962 CET	1.1.1.1	192.168.2.9	0x57aa	Name error (3)	leaderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.748729944 CET	1.1.1.1	192.168.2.9	0xdaff	Name error (3)	heavenanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.762414932 CET	1.1.1.1	192.168.2.9	0x2e68	Name error (3)	leaderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.781415939 CET	1.1.1.1	192.168.2.9	0x434b	Name error (3)	heavenbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.818171978 CET	1.1.1.1	192.168.2.9	0x3e87	Name error (3)	leaderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.830157995 CET	1.1.1.1	192.168.2.9	0x7450	Name error (3)	heavenappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.840167046 CET	1.1.1.1	192.168.2.9	0x8e4b	Name error (3)	heavymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.851336956 CET	1.1.1.1	192.168.2.9	0xd213	Name error (3)	gentlemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:35.860013962 CET	1.1.1.1	192.168.2.9	0xc259	Name error (3)	heavyanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:36.081504107 CET	1.1.1.1	192.168.2.9	0xdf0f	No error (0)	gentleanother.net		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.045279980 CET	1.1.1.1	192.168.2.9	0x57d6	Name error (3)	heavybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.057161093 CET	1.1.1.1	192.168.2.9	0x6a47	Name error (3)	gentlebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.089063883 CET	1.1.1.1	192.168.2.9	0x1b67	Name error (3)	heavyappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.100512981 CET	1.1.1.1	192.168.2.9	0xd681	Name error (3)	gentleappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.111568928 CET	1.1.1.1	192.168.2.9	0x14bd	Name error (3)	variousmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.122391939 CET	1.1.1.1	192.168.2.9	0x7011	Name error (3)	returnmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.132890940 CET	1.1.1.1	192.168.2.9	0xa169	Name error (3)	variousanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.144254923 CET	1.1.1.1	192.168.2.9	0x9782	Name error (3)	returnanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.305255890 CET	1.1.1.1	192.168.2.9	0xebf3	Name error (3)	variousbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.313811064 CET	1.1.1.1	192.168.2.9	0x3a1e	Name error (3)	returnbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.324512005 CET	1.1.1.1	192.168.2.9	0x267c	Name error (3)	variousappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.487334013 CET	1.1.1.1	192.168.2.9	0x3aea	Name error (3)	returnappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.519074917 CET	1.1.1.1	192.168.2.9	0xc68b	Name error (3)	degreeinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.550904989 CET	1.1.1.1	192.168.2.9	0x1200	Name error (3)	forwardinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.562989950 CET	1.1.1.1	192.168.2.9	0x21d3	Name error (3)	degreeexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.595504999 CET	1.1.1.1	192.168.2.9	0x52c0	Name error (3)	forwardexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.607323885 CET	1.1.1.1	192.168.2.9	0x5525	Name error (3)	degreebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.765839100 CET	1.1.1.1	192.168.2.9	0xd299	Name error (3)	forwardbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.776650906 CET	1.1.1.1	192.168.2.9	0xd3d3	Name error (3)	degreeinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.787003994 CET	1.1.1.1	192.168.2.9	0x6939	Name error (3)	forwardinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.797983885 CET	1.1.1.1	192.168.2.9	0xdcf9	Name error (3)	answerinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.957940102 CET	1.1.1.1	192.168.2.9	0xd9e6	Name error (3)	glassinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.968496084 CET	1.1.1.1	192.168.2.9	0x85df	Name error (3)	answerexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:37.979485035 CET	1.1.1.1	192.168.2.9	0x719a	Name error (3)	glassexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:38.153373003 CET	1.1.1.1	192.168.2.9	0x7854	Name error (3)	answerbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:38.499964952 CET	1.1.1.1	192.168.2.9	0x43b0	No error (0)	glassbright.net	7450.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 15:57:38.499964952 CET	1.1.1.1	192.168.2.9	0x43b0	No error (0)	7450.bodis.com		199.59.243.227	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:39.172971010 CET	1.1.1.1	192.168.2.9	0x3400	Name error (3)	answerinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:39.184485912 CET	1.1.1.1	192.168.2.9	0x7afd	Name error (3)	glassinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:39.349301100 CET	1.1.1.1	192.168.2.9	0x25ca	Name error (3)	difficultinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:39.360306978 CET	1.1.1.1	192.168.2.9	0xfd2a	Name error (3)	heardinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:39.369348049 CET	1.1.1.1	192.168.2.9	0xb24e	Name error (3)	difficultexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:39.380655050 CET	1.1.1.1	192.168.2.9	0xa065	Name error (3)	heardexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:39.413423061 CET	1.1.1.1	192.168.2.9	0x59f3	Name error (3)	difficultbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:39.423671007 CET	1.1.1.1	192.168.2.9	0xb63	Name error (3)	heardbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:39.455449104 CET	1.1.1.1	192.168.2.9	0x3098	Name error (3)	difficultinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:39.623550892 CET	1.1.1.1	192.168.2.9	0x1db1	Name error (3)	heardinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:39.724294901 CET	1.1.1.1	192.168.2.9	0xe618	No error (0)	pleasantinstead.net		18.143.155.63	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.605458021 CET	1.1.1.1	192.168.2.9	0x6ee4	Name error (3)	necessaryinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.637693882 CET	1.1.1.1	192.168.2.9	0x6c47	Name error (3)	pleasantexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.648016930 CET	1.1.1.1	192.168.2.9	0xaca6	Name error (3)	necessaryexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.659225941 CET	1.1.1.1	192.168.2.9	0x1590	Name error (3)	pleasantbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.691720963 CET	1.1.1.1	192.168.2.9	0xc01f	Name error (3)	necessarybright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.702866077 CET	1.1.1.1	192.168.2.9	0x4d4d	Name error (3)	pleasantinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.736646891 CET	1.1.1.1	192.168.2.9	0x643c	Name error (3)	necessaryinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.746756077 CET	1.1.1.1	192.168.2.9	0xe231	Name error (3)	orderinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.756866932 CET	1.1.1.1	192.168.2.9	0x4424	Name error (3)	requireinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.767224073 CET	1.1.1.1	192.168.2.9	0xad4c	Name error (3)	orderexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.800055027 CET	1.1.1.1	192.168.2.9	0x6799	Name error (3)	requireexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.808590889 CET	1.1.1.1	192.168.2.9	0xee1c	Name error (3)	orderbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.841523886 CET	1.1.1.1	192.168.2.9	0x1cd	Name error (3)	requirebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.853142977 CET	1.1.1.1	192.168.2.9	0x978c	Name error (3)	orderinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.939660072 CET	1.1.1.1	192.168.2.9	0x154b	Name error (3)	requireinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.950911045 CET	1.1.1.1	192.168.2.9	0x469e	Name error (3)	leaderinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.967677116 CET	1.1.1.1	192.168.2.9	0xedc5	Name error (3)	heaveninstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:41.997844934 CET	1.1.1.1	192.168.2.9	0x873e	Name error (3)	leaderexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.014760971 CET	1.1.1.1	192.168.2.9	0x8b63	Name error (3)	heavenexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.188643932 CET	1.1.1.1	192.168.2.9	0xa550	Name error (3)	leaderbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.228275061 CET	1.1.1.1	192.168.2.9	0xd43	Name error (3)	heavenbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.243623018 CET	1.1.1.1	192.168.2.9	0x8836	Name error (3)	leaderinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.269179106 CET	1.1.1.1	192.168.2.9	0x2c	Name error (3)	heaveninside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.552428007 CET	1.1.1.1	192.168.2.9	0x5c80	Name error (3)	heavyinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.563190937 CET	1.1.1.1	192.168.2.9	0x415f	Name error (3)	gentleinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.597146988 CET	1.1.1.1	192.168.2.9	0xb495	Name error (3)	heavyexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.609587908 CET	1.1.1.1	192.168.2.9	0x5728	Name error (3)	gentleexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.642644882 CET	1.1.1.1	192.168.2.9	0xa1f7	Name error (3)	heavybright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.653278112 CET	1.1.1.1	192.168.2.9	0x6f83	Name error (3)	gentlebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.667222977 CET	1.1.1.1	192.168.2.9	0xad79	Name error (3)	heavyinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.699275017 CET	1.1.1.1	192.168.2.9	0x217d	Name error (3)	gentleinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.711359024 CET	1.1.1.1	192.168.2.9	0xc59a	Name error (3)	variousinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.723136902 CET	1.1.1.1	192.168.2.9	0x67f7	Name error (3)	returninstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.756084919 CET	1.1.1.1	192.168.2.9	0xbd04	Name error (3)	variousexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.770556927 CET	1.1.1.1	192.168.2.9	0x4eef	Name error (3)	returnexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.781584024 CET	1.1.1.1	192.168.2.9	0xb2f5	Name error (3)	variousbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.794008017 CET	1.1.1.1	192.168.2.9	0xba1b	Name error (3)	returnbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.805392027 CET	1.1.1.1	192.168.2.9	0x5974	Name error (3)	variousinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.816488028 CET	1.1.1.1	192.168.2.9	0xa6b9	Name error (3)	returninside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.977508068 CET	1.1.1.1	192.168.2.9	0xb2a	Name error (3)	degreeready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.988464117 CET	1.1.1.1	192.168.2.9	0x73cf	Name error (3)	forwardready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:42.999633074 CET	1.1.1.1	192.168.2.9	0x812e	Name error (3)	degreebrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:43.161282063 CET	1.1.1.1	192.168.2.9	0xf6b5	Name error (3)	forwardbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:43.193373919 CET	1.1.1.1	192.168.2.9	0x8f12	Name error (3)	degreepeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:43.203908920 CET	1.1.1.1	192.168.2.9	0xc2ce	Name error (3)	forwardpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:43.310653925 CET	1.1.1.1	192.168.2.9	0x65db	No error (0)	degreedaughter.net		85.214.228.140	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.199214935 CET	1.1.1.1	192.168.2.9	0x9d73	Name error (3)	forwarddaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.236922026 CET	1.1.1.1	192.168.2.9	0x3c36	Name error (3)	answerready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.249571085 CET	1.1.1.1	192.168.2.9	0xe522	Name error (3)	glassready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.261601925 CET	1.1.1.1	192.168.2.9	0xb1fb	Name error (3)	answerbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.304224014 CET	1.1.1.1	192.168.2.9	0xab27	Name error (3)	glassbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.314651012 CET	1.1.1.1	192.168.2.9	0xde0b	Name error (3)	answerpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.328010082 CET	1.1.1.1	192.168.2.9	0x1025	Name error (3)	glasspeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.361130953 CET	1.1.1.1	192.168.2.9	0xe4bf	Name error (3)	answerdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.371664047 CET	1.1.1.1	192.168.2.9	0x8adf	Name error (3)	glassdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.388118982 CET	1.1.1.1	192.168.2.9	0xa161	Name error (3)	difficultready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.399698973 CET	1.1.1.1	192.168.2.9	0x5030	Name error (3)	heardready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.431230068 CET	1.1.1.1	192.168.2.9	0x7b17	Name error (3)	difficultbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:57:44.442755938 CET	1.1.1.1	192.168.2.9	0x1cc6	Name error (3)	heardbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.188512087 CET	1.1.1.1	192.168.2.9	0xb736	Name error (3)	leadernothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.199938059 CET	1.1.1.1	192.168.2.9	0x5a9f	Name error (3)	heavennothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.211266041 CET	1.1.1.1	192.168.2.9	0x3d83	Name error (3)	leaderbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.220845938 CET	1.1.1.1	192.168.2.9	0xfab9	Name error (3)	heavenbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.232501030 CET	1.1.1.1	192.168.2.9	0x7e64	Name error (3)	leaderdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.243516922 CET	1.1.1.1	192.168.2.9	0x6c7c	Name error (3)	heavendivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.257915020 CET	1.1.1.1	192.168.2.9	0x3d2c	Name error (3)	heavystream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.267436981 CET	1.1.1.1	192.168.2.9	0x793e	Name error (3)	gentlestream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.280561924 CET	1.1.1.1	192.168.2.9	0x244	Name error (3)	heavynothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.291503906 CET	1.1.1.1	192.168.2.9	0xd62	Name error (3)	gentlenothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.325076103 CET	1.1.1.1	192.168.2.9	0x42df	Name error (3)	heavybottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.358262062 CET	1.1.1.1	192.168.2.9	0x3eff	Name error (3)	gentlebottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.371278048 CET	1.1.1.1	192.168.2.9	0x75ec	Name error (3)	heavydivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:51.403655052 CET	1.1.1.1	192.168.2.9	0x314e	Name error (3)	gentledivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:52.163552999 CET	1.1.1.1	192.168.2.9	0xb968	Name error (3)	returnstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:52.174766064 CET	1.1.1.1	192.168.2.9	0x3025	Name error (3)	variousnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:52.208677053 CET	1.1.1.1	192.168.2.9	0xc13c	Name error (3)	returnnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:52.219898939 CET	1.1.1.1	192.168.2.9	0x3fff	Name error (3)	variousbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.089910030 CET	1.1.1.1	192.168.2.9	0x5d22	Name error (3)	variousdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.100841999 CET	1.1.1.1	192.168.2.9	0x4e13	Name error (3)	returndivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.110850096 CET	1.1.1.1	192.168.2.9	0xcc1d	Name error (3)	degreemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.121294975 CET	1.1.1.1	192.168.2.9	0x5c7f	Name error (3)	forwardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.155373096 CET	1.1.1.1	192.168.2.9	0x3f2c	Name error (3)	degreeanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.167617083 CET	1.1.1.1	192.168.2.9	0xff91	Name error (3)	forwardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.178776979 CET	1.1.1.1	192.168.2.9	0x6c5	Name error (3)	degreebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.189466953 CET	1.1.1.1	192.168.2.9	0x561f	Name error (3)	forwardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.221281052 CET	1.1.1.1	192.168.2.9	0xd1c1	Name error (3)	degreeappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.254184961 CET	1.1.1.1	192.168.2.9	0x3cff	Name error (3)	forwardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.286365986 CET	1.1.1.1	192.168.2.9	0x7c83	Name error (3)	answermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.298362017 CET	1.1.1.1	192.168.2.9	0x5d8d	Name error (3)	glassmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.308671951 CET	1.1.1.1	192.168.2.9	0x77c7	Name error (3)	answeranother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.319616079 CET	1.1.1.1	192.168.2.9	0xbc4a	Name error (3)	glassanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.351408005 CET	1.1.1.1	192.168.2.9	0x69ab	Name error (3)	answerbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.361805916 CET	1.1.1.1	192.168.2.9	0x879b	Name error (3)	glassbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.534996033 CET	1.1.1.1	192.168.2.9	0x67f1	Name error (3)	answerappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.545069933 CET	1.1.1.1	192.168.2.9	0x7edf	Name error (3)	glassappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.577779055 CET	1.1.1.1	192.168.2.9	0x1deb	Name error (3)	difficultmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.589056015 CET	1.1.1.1	192.168.2.9	0xf9ba	Name error (3)	heardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.620527029 CET	1.1.1.1	192.168.2.9	0xe358	Name error (3)	difficultanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.631051064 CET	1.1.1.1	192.168.2.9	0x3f04	Name error (3)	heardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.641870022 CET	1.1.1.1	192.168.2.9	0xa42a	Name error (3)	difficultbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.651527882 CET	1.1.1.1	192.168.2.9	0x138c	Name error (3)	heardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.682735920 CET	1.1.1.1	192.168.2.9	0xdb26	Name error (3)	difficultappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.693615913 CET	1.1.1.1	192.168.2.9	0x1055	Name error (3)	heardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.704818010 CET	1.1.1.1	192.168.2.9	0x43ae	Name error (3)	pleasantmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.716201067 CET	1.1.1.1	192.168.2.9	0xee03	Name error (3)	necessarymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.747765064 CET	1.1.1.1	192.168.2.9	0xdd72	Name error (3)	pleasantanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.757320881 CET	1.1.1.1	192.168.2.9	0x525e	Name error (3)	necessaryanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.767785072 CET	1.1.1.1	192.168.2.9	0xcb	Name error (3)	pleasantbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.799928904 CET	1.1.1.1	192.168.2.9	0x90a9	Name error (3)	necessarybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.836016893 CET	1.1.1.1	192.168.2.9	0x2fe0	Name error (3)	pleasantappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:54.992535114 CET	1.1.1.1	192.168.2.9	0x46ad	Name error (3)	necessaryappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.153609037 CET	1.1.1.1	192.168.2.9	0x8a36	Name error (3)	ordermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.319940090 CET	1.1.1.1	192.168.2.9	0xfba1	Name error (3)	requiremanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.332336903 CET	1.1.1.1	192.168.2.9	0xe4c7	Name error (3)	orderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.344366074 CET	1.1.1.1	192.168.2.9	0x8d51	Name error (3)	requireanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.355496883 CET	1.1.1.1	192.168.2.9	0xa229	Name error (3)	orderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.371771097 CET	1.1.1.1	192.168.2.9	0x98ef	Name error (3)	requirebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.384849072 CET	1.1.1.1	192.168.2.9	0x4148	Name error (3)	orderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.418772936 CET	1.1.1.1	192.168.2.9	0x6987	Name error (3)	requireappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.431277037 CET	1.1.1.1	192.168.2.9	0x7948	Name error (3)	leadermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.442898035 CET	1.1.1.1	192.168.2.9	0x2ac3	Name error (3)	heavenmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.475121021 CET	1.1.1.1	192.168.2.9	0xa54e	Name error (3)	leaderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.557490110 CET	1.1.1.1	192.168.2.9	0x3052	Name error (3)	heavenanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.747946024 CET	1.1.1.1	192.168.2.9	0xbb50	Name error (3)	leaderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.760869980 CET	1.1.1.1	192.168.2.9	0xd6d7	Name error (3)	heavenbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.817337990 CET	1.1.1.1	192.168.2.9	0x9e63	Name error (3)	leaderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.849544048 CET	1.1.1.1	192.168.2.9	0x1000	Name error (3)	heavenappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.883177996 CET	1.1.1.1	192.168.2.9	0xc9d5	Name error (3)	heavymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.906459093 CET	1.1.1.1	192.168.2.9	0xbfde	Name error (3)	gentlemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:55.974591970 CET	1.1.1.1	192.168.2.9	0xffed	Name error (3)	heavyanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:56.962620974 CET	1.1.1.1	192.168.2.9	0x880a	Name error (3)	heavybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:56.973557949 CET	1.1.1.1	192.168.2.9	0xbd78	Name error (3)	gentlebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.005446911 CET	1.1.1.1	192.168.2.9	0x9e49	Name error (3)	heavyappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.037748098 CET	1.1.1.1	192.168.2.9	0xa468	Name error (3)	gentleappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.046241045 CET	1.1.1.1	192.168.2.9	0xa40b	Name error (3)	variousmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.056766033 CET	1.1.1.1	192.168.2.9	0xa4b6	Name error (3)	returnmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.070390940 CET	1.1.1.1	192.168.2.9	0x3480	Name error (3)	variousanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.081290007 CET	1.1.1.1	192.168.2.9	0x3062	Name error (3)	returnanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.112679005 CET	1.1.1.1	192.168.2.9	0xb88a	Name error (3)	variousbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.124527931 CET	1.1.1.1	192.168.2.9	0x11cf	Name error (3)	returnbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.135782003 CET	1.1.1.1	192.168.2.9	0x56b9	Name error (3)	variousappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.146398067 CET	1.1.1.1	192.168.2.9	0x5202	Name error (3)	returnappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.156322956 CET	1.1.1.1	192.168.2.9	0xdce8	Name error (3)	degreeinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.188083887 CET	1.1.1.1	192.168.2.9	0x539a	Name error (3)	forwardinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.200373888 CET	1.1.1.1	192.168.2.9	0x6527	Name error (3)	degreeexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.234903097 CET	1.1.1.1	192.168.2.9	0xa437	Name error (3)	forwardexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.246505022 CET	1.1.1.1	192.168.2.9	0xd7bc	Name error (3)	degreebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.278357029 CET	1.1.1.1	192.168.2.9	0xf664	Name error (3)	forwardbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.289549112 CET	1.1.1.1	192.168.2.9	0xaa3	Name error (3)	degreeinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.300874949 CET	1.1.1.1	192.168.2.9	0x767c	Name error (3)	forwardinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.313107014 CET	1.1.1.1	192.168.2.9	0x5181	Name error (3)	answerinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.345876932 CET	1.1.1.1	192.168.2.9	0xec02	Name error (3)	glassinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.378034115 CET	1.1.1.1	192.168.2.9	0x49b6	Name error (3)	answerexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.389429092 CET	1.1.1.1	192.168.2.9	0xaf6c	Name error (3)	glassexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:57.400311947 CET	1.1.1.1	192.168.2.9	0x7886	Name error (3)	answerbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:58.141201973 CET	1.1.1.1	192.168.2.9	0x6bf2	Name error (3)	answerinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:58.153939009 CET	1.1.1.1	192.168.2.9	0xf4bc	Name error (3)	glassinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:58.167741060 CET	1.1.1.1	192.168.2.9	0x1fee	Name error (3)	difficultinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:58.200536966 CET	1.1.1.1	192.168.2.9	0xc15d	Name error (3)	heardinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:58.234112978 CET	1.1.1.1	192.168.2.9	0x2a45	Name error (3)	difficultexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:58.353286028 CET	1.1.1.1	192.168.2.9	0xcffc	Name error (3)	heardexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:58.370134115 CET	1.1.1.1	192.168.2.9	0xc6ef	Name error (3)	difficultbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:58.389839888 CET	1.1.1.1	192.168.2.9	0xf930	Name error (3)	heardbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:58.408576965 CET	1.1.1.1	192.168.2.9	0x701f	Name error (3)	difficultinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:58:58.434410095 CET	1.1.1.1	192.168.2.9	0xe08c	Name error (3)	heardinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.340523958 CET	1.1.1.1	192.168.2.9	0x120a	Name error (3)	necessaryinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.500596046 CET	1.1.1.1	192.168.2.9	0x7406	Name error (3)	pleasantexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.511951923 CET	1.1.1.1	192.168.2.9	0x6732	Name error (3)	necessaryexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.522382021 CET	1.1.1.1	192.168.2.9	0xa441	Name error (3)	pleasantbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.533380032 CET	1.1.1.1	192.168.2.9	0x74a8	Name error (3)	necessarybright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.543395042 CET	1.1.1.1	192.168.2.9	0xc549	Name error (3)	pleasantinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.575280905 CET	1.1.1.1	192.168.2.9	0xe777	Name error (3)	necessaryinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.607449055 CET	1.1.1.1	192.168.2.9	0x4020	Name error (3)	orderinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.619586945 CET	1.1.1.1	192.168.2.9	0xf345	Name error (3)	requireinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.651591063 CET	1.1.1.1	192.168.2.9	0x5e73	Name error (3)	orderexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.668056965 CET	1.1.1.1	192.168.2.9	0xea43	Name error (3)	requireexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.700190067 CET	1.1.1.1	192.168.2.9	0xb260	Name error (3)	orderbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.711734056 CET	1.1.1.1	192.168.2.9	0x18f2	Name error (3)	requirebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.722413063 CET	1.1.1.1	192.168.2.9	0x7253	Name error (3)	orderinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.754519939 CET	1.1.1.1	192.168.2.9	0x332e	Name error (3)	requireinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.787585974 CET	1.1.1.1	192.168.2.9	0x3429	Name error (3)	leaderinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.821237087 CET	1.1.1.1	192.168.2.9	0xd0b7	Name error (3)	heaveninstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.835069895 CET	1.1.1.1	192.168.2.9	0xc206	Name error (3)	leaderexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.846223116 CET	1.1.1.1	192.168.2.9	0x43ed	Name error (3)	heavenexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.877871990 CET	1.1.1.1	192.168.2.9	0xd2d2	Name error (3)	leaderbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.888524055 CET	1.1.1.1	192.168.2.9	0x8672	Name error (3)	heavenbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.920627117 CET	1.1.1.1	192.168.2.9	0x637b	Name error (3)	leaderinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.929564953 CET	1.1.1.1	192.168.2.9	0xbd4a	Name error (3)	heaveninside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.945509911 CET	1.1.1.1	192.168.2.9	0xafc3	Name error (3)	heavyinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.979068041 CET	1.1.1.1	192.168.2.9	0x456a	Name error (3)	gentleinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:00.989732981 CET	1.1.1.1	192.168.2.9	0x7d8	Name error (3)	heavyexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.001533031 CET	1.1.1.1	192.168.2.9	0x9c29	Name error (3)	gentleexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.014039040 CET	1.1.1.1	192.168.2.9	0x6414	Name error (3)	heavybright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.124279976 CET	1.1.1.1	192.168.2.9	0x3fe3	Name error (3)	gentlebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.140851974 CET	1.1.1.1	192.168.2.9	0xfa8b	Name error (3)	heavyinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.169717073 CET	1.1.1.1	192.168.2.9	0xae54	Name error (3)	gentleinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.234029055 CET	1.1.1.1	192.168.2.9	0x9f48	Name error (3)	variousinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.305982113 CET	1.1.1.1	192.168.2.9	0x47	Name error (3)	returninstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.370528936 CET	1.1.1.1	192.168.2.9	0x2794	Name error (3)	variousexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.444545031 CET	1.1.1.1	192.168.2.9	0xa24	Name error (3)	returnexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.468563080 CET	1.1.1.1	192.168.2.9	0xf15a	Name error (3)	variousbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.485245943 CET	1.1.1.1	192.168.2.9	0xd947	Name error (3)	returnbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.498467922 CET	1.1.1.1	192.168.2.9	0x9b11	Name error (3)	variousinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.518321037 CET	1.1.1.1	192.168.2.9	0x69ed	Name error (3)	returninside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.530169964 CET	1.1.1.1	192.168.2.9	0x23ae	Name error (3)	degreeready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.690749884 CET	1.1.1.1	192.168.2.9	0x8425	Name error (3)	forwardready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.702954054 CET	1.1.1.1	192.168.2.9	0x4012	Name error (3)	degreebrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.715750933 CET	1.1.1.1	192.168.2.9	0x8303	Name error (3)	forwardbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.726914883 CET	1.1.1.1	192.168.2.9	0x7fc5	Name error (3)	degreepeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:01.737627029 CET	1.1.1.1	192.168.2.9	0xd485	Name error (3)	forwardpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:02.647207022 CET	1.1.1.1	192.168.2.9	0x46bd	Name error (3)	forwarddaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:02.680866003 CET	1.1.1.1	192.168.2.9	0x6525	Name error (3)	answerready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:02.693676949 CET	1.1.1.1	192.168.2.9	0xe9ab	Name error (3)	glassready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:02.869539022 CET	1.1.1.1	192.168.2.9	0xfdc7	Name error (3)	answerbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:02.881278992 CET	1.1.1.1	192.168.2.9	0x9ca2	Name error (3)	glassbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:02.913286924 CET	1.1.1.1	192.168.2.9	0xf1ff	Name error (3)	answerpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:02.924952030 CET	1.1.1.1	192.168.2.9	0xe167	Name error (3)	glasspeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:02.958614111 CET	1.1.1.1	192.168.2.9	0x16cd	Name error (3)	answerdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:02.970290899 CET	1.1.1.1	192.168.2.9	0xb742	Name error (3)	glassdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:03.001101017 CET	1.1.1.1	192.168.2.9	0x76ee	Name error (3)	difficultready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:03.033148050 CET	1.1.1.1	192.168.2.9	0xfab8	Name error (3)	heardready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:03.044066906 CET	1.1.1.1	192.168.2.9	0x1784	Name error (3)	difficultbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:59:03.056164980 CET	1.1.1.1	192.168.2.9	0x8db0	Name error (3)	heardbrown.net	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

variousstream.net

returnbottle.net

gentleanother.net

glassbright.net

pleasantinstead.net

degreedaughter.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49758	199.59.243.227	80	7484	C:\oblimpyrbviueg\usncdvbjyrwr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:57:31.283286095 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: variousstream.net
Nov 7, 2024 15:57:31.941962004 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 14:57:31 GMT content-type: text/html; charset=utf-8 content-length: 1066 x-request-id: 6c485f05-6c2b-4aa3-a99f-16c6791b36f5 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ== set-cookie: parking_session=6c485f05-6c2b-4aa3-a99f-16c6791b36f5; expires=Thu, 07 Nov 2024 15:12:31 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 53 48 57 78 4b 61 44 77 6f 44 6f 77 66 36 4c 4b 38 37 48 37 43 67 61 6e 64 75 64 43 5a 44 6d 51 47 5a 44 66 75 6c 48 7a 46 33 2b 71 61 37 37 57 52 36 7a 53 41 4f 70 32 47 6e 6f 6d 44 4b 45 7a 61 45 62 64 50 67 46 4f 47 31 48 77 38 41 67 68 7a 4e 4e 74 45 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 15:57:31.941975117 CET	519	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNmM0ODVmMDUtNmMyYi00YWEzLWE5OWYtMTZjNjc5MWIzNmY1IiwicGFnZV90aW1lIjoxNzMwOTkxND

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49763	18.143.155.63	80	7484	C:\oblimpyrbviueg\usncdvbjyrwr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:57:32.223515987 CET	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: returnbottle.net
Nov 7, 2024 15:57:33.668142080 CET	387	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 14:57:33 GMT Content-Type: text/html Connection: close Set-Cookie: btst=d3a56fe7a69984ae78ecd3fb2f2c2114\|173.254.250.79\|1730991453\|1730991453\|0\|1\|0; path=/; domain=.returnbottle.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	55203	54.244.188.177	80	7484	C:\oblimpyrbviueg\usncdvbjyrwr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:57:36.091054916 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: gentleanother.net
Nov 7, 2024 15:57:36.919450045 CET	388	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 14:57:36 GMT Content-Type: text/html Connection: close Set-Cookie: btst=c93e8fd9223e223a9b7ae734029e0cb8\|173.254.250.79\|1730991456\|1730991456\|0\|1\|0; path=/; domain=.gentleanother.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	55213	199.59.243.227	80	7484	C:\oblimpyrbviueg\usncdvbjyrwr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:57:38.506052017 CET	82	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: glassbright.net
Nov 7, 2024 15:57:39.139678001 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 14:57:39 GMT content-type: text/html; charset=utf-8 content-length: 1062 x-request-id: 486fb622-8628-483e-bffb-8b57c7c2a5e2 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg== set-cookie: parking_session=486fb622-8628-483e-bffb-8b57c7c2a5e2; expires=Thu, 07 Nov 2024 15:12:39 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 73 31 4f 4c 7a 78 6e 55 4f 6e 45 48 37 31 36 6b 42 70 6b 2f 68 77 6b 51 57 33 67 38 4a 33 70 73 6a 42 43 51 35 37 47 55 41 5a 74 5a 53 32 46 34 65 75 65 4b 6c 34 69 45 6f 71 6d 42 39 71 74 37 68 6b 53 39 39 4e 49 43 2f 79 4b 66 4e 77 69 33 2b 4d 56 50 79 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 15:57:39.139700890 CET	515	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNDg2ZmI2MjItODYyOC00ODNlLWJmZmItOGI1N2M3YzJhNWUyIiwicGFnZV90aW1lIjoxNzMwOTkxND

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	55218	18.143.155.63	80	7484	C:\oblimpyrbviueg\usncdvbjyrwr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:57:39.729739904 CET	86	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: pleasantinstead.net
Nov 7, 2024 15:57:41.151129007 CET	390	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 14:57:40 GMT Content-Type: text/html Connection: close Set-Cookie: btst=3a18043ef44c15097c386a4da60b8269\|173.254.250.79\|1730991460\|1730991460\|0\|1\|0; path=/; domain=.pleasantinstead.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	55231	85.214.228.140	80	7484	C:\oblimpyrbviueg\usncdvbjyrwr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:57:43.316375971 CET	85	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: degreedaughter.net
Nov 7, 2024 15:57:44.187567949 CET	176	IN	HTTP/1.0 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Thu, 07 Nov 2024 14:57:44 GMT Content-Length: 19 Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	55407	199.59.243.227	80	8076	C:\oblimpyrbviueg\usncdvbjyrwr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:58:51.411834002 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: variousstream.net
Nov 7, 2024 15:58:52.100086927 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 14:58:51 GMT content-type: text/html; charset=utf-8 content-length: 1066 x-request-id: 7042fef2-215c-4f57-9156-e1b5d66dbff6 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ== set-cookie: parking_session=7042fef2-215c-4f57-9156-e1b5d66dbff6; expires=Thu, 07 Nov 2024 15:13:52 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 53 48 57 78 4b 61 44 77 6f 44 6f 77 66 36 4c 4b 38 37 48 37 43 67 61 6e 64 75 64 43 5a 44 6d 51 47 5a 44 66 75 6c 48 7a 46 33 2b 71 61 37 37 57 52 36 7a 53 41 4f 70 32 47 6e 6f 6d 44 4b 45 7a 61 45 62 64 50 67 46 4f 47 31 48 77 38 41 67 68 7a 4e 4e 74 45 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 15:58:52.100183010 CET	519	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNzA0MmZlZjItMjE1Yy00ZjU3LTkxNTYtZTFiNWQ2NmRiZmY2IiwicGFnZV90aW1lIjoxNzMwOTkxNT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	55408	18.143.155.63	80	8076	C:\oblimpyrbviueg\usncdvbjyrwr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:58:52.226546049 CET	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: returnbottle.net
Nov 7, 2024 15:58:53.663625002 CET	387	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 14:58:53 GMT Content-Type: text/html Connection: close Set-Cookie: btst=6d0fac06736e20acb0c2a06fd03649bf\|173.254.250.79\|1730991533\|1730991533\|0\|1\|0; path=/; domain=.returnbottle.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	55409	54.244.188.177	80	8076	C:\oblimpyrbviueg\usncdvbjyrwr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:58:55.981226921 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: gentleanother.net
Nov 7, 2024 15:58:56.832716942 CET	388	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 14:58:56 GMT Content-Type: text/html Connection: close Set-Cookie: btst=6b192b3af321f9de65ef977b01cad39e\|173.254.250.79\|1730991536\|1730991536\|0\|1\|0; path=/; domain=.gentleanother.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	55410	199.59.243.227	80	8076	C:\oblimpyrbviueg\usncdvbjyrwr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:58:57.406421900 CET	82	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: glassbright.net
Nov 7, 2024 15:58:58.096913099 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 14:58:57 GMT content-type: text/html; charset=utf-8 content-length: 1062 x-request-id: b4ac1ea0-3d8f-4880-9256-e09eea62c86c cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg== set-cookie: parking_session=b4ac1ea0-3d8f-4880-9256-e09eea62c86c; expires=Thu, 07 Nov 2024 15:13:58 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 73 31 4f 4c 7a 78 6e 55 4f 6e 45 48 37 31 36 6b 42 70 6b 2f 68 77 6b 51 57 33 67 38 4a 33 70 73 6a 42 43 51 35 37 47 55 41 5a 74 5a 53 32 46 34 65 75 65 4b 6c 34 69 45 6f 71 6d 42 39 71 74 37 68 6b 53 39 39 4e 49 43 2f 79 4b 66 4e 77 69 33 2b 4d 56 50 79 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 15:58:58.096972942 CET	515	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYjRhYzFlYTAtM2Q4Zi00ODgwLTkyNTYtZTA5ZWVhNjJjODZjIiwicGFnZV90aW1lIjoxNzMwOTkxNT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.9	55411	18.143.155.63	80	8076	C:\oblimpyrbviueg\usncdvbjyrwr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:58:58.478224993 CET	86	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: pleasantinstead.net
Nov 7, 2024 15:58:59.912801027 CET	390	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 14:58:59 GMT Content-Type: text/html Connection: close Set-Cookie: btst=44fe13292ac826e7951f770d6513cbc4\|173.254.250.79\|1730991539\|1730991539\|0\|1\|0; path=/; domain=.pleasantinstead.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.9	55412	85.214.228.140	80	8076	C:\oblimpyrbviueg\usncdvbjyrwr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:59:01.743671894 CET	85	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: degreedaughter.net
Nov 7, 2024 15:59:02.612719059 CET	176	IN	HTTP/1.0 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Thu, 07 Nov 2024 14:59:02 GMT Content-Length: 19 Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found

Target ID:	0
Start time:	09:57:25
Start date:	07/11/2024
Path:	C:\Users\user\Desktop\8CO4P3HwDt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8CO4P3HwDt.exe"
Imagebase:	0xc20000
File size:	362'496 bytes
MD5 hash:	C3C8DF0D6043078ABDF157A68D37EB96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:57:25
Start date:	07/11/2024
Path:	C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe
Wow64 process (32bit):	true
Commandline:	"C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe"
Imagebase:	0xcd0000
File size:	362'496 bytes
MD5 hash:	C3C8DF0D6043078ABDF157A68D37EB96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 89%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:57:25
Start date:	07/11/2024
Path:	C:\oblimpyrbviueg\usncdvbjyrwr.exe
Wow64 process (32bit):	true
Commandline:	C:\oblimpyrbviueg\usncdvbjyrwr.exe
Imagebase:	0x4a0000
File size:	362'496 bytes
MD5 hash:	C3C8DF0D6043078ABDF157A68D37EB96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 89%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:57:27
Start date:	07/11/2024
Path:	C:\oblimpyrbviueg\hrzceasx.exe
Wow64 process (32bit):	true
Commandline:	uwauanknl3ss "c:\oblimpyrbviueg\usncdvbjyrwr.exe"
Imagebase:	0xdb0000
File size:	362'496 bytes
MD5 hash:	C3C8DF0D6043078ABDF157A68D37EB96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 89%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:57:28
Start date:	07/11/2024
Path:	C:\oblimpyrbviueg\usncdvbjyrwr.exe
Wow64 process (32bit):	true
Commandline:	"C:\oblimpyrbviueg\usncdvbjyrwr.exe"
Imagebase:	0x4a0000
File size:	362'496 bytes
MD5 hash:	C3C8DF0D6043078ABDF157A68D37EB96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:58:46
Start date:	07/11/2024
Path:	C:\oblimpyrbviueg\usncdvbjyrwr.exe
Wow64 process (32bit):	true
Commandline:	"c:\oblimpyrbviueg\usncdvbjyrwr.exe"
Imagebase:	0x4a0000
File size:	362'496 bytes
MD5 hash:	C3C8DF0D6043078ABDF157A68D37EB96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:58:48
Start date:	07/11/2024
Path:	C:\oblimpyrbviueg\hrzceasx.exe
Wow64 process (32bit):	true
Commandline:	uwauanknl3ss "c:\oblimpyrbviueg\usncdvbjyrwr.exe"
Imagebase:	0xd60000
File size:	362'496 bytes
MD5 hash:	C3C8DF0D6043078ABDF157A68D37EB96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:00:23
Start date:	07/11/2024
Path:	C:\oblimpyrbviueg\usncdvbjyrwr.exe
Wow64 process (32bit):	true
Commandline:	"c:\oblimpyrbviueg\usncdvbjyrwr.exe"
Imagebase:	0x4a0000
File size:	362'496 bytes
MD5 hash:	C3C8DF0D6043078ABDF157A68D37EB96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	26.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.8%
Total number of Nodes:	923
Total number of Limit Nodes:	18

Executed Functions

Function 00C4C35F Relevance: 273.3, APIs: 118, Strings: 35, Instructions: 5532libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00C4C4BB
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4C582
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4C605
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4C676
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4C72E
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4C81A
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4C8B1

Strings

h{), xrefs: 00C4F008
jhz*, xrefs: 00C4FCBA
h0, xrefs: 00C511E9
h[*, xrefs: 00C50EA3
h, xrefs: 00C501BA
h-), xrefs: 00C5147A
(S, xrefs: 00C51583
hd", xrefs: 00C4E1BF
h), xrefs: 00C4E929
hQ", xrefs: 00C51325
h:, xrefs: 00C4FF33
jhu<, xrefs: 00C4DC0D
h6, xrefs: 00C51841
jhl7, xrefs: 00C4D588
h\7, xrefs: 00C4FA94
hC", xrefs: 00C4F2E2
h., xrefs: 00C4D52D
h-<, xrefs: 00C51A01
,b/, xrefs: 00C4C9B6
hk#, xrefs: 00C4F7E0
hi*, xrefs: 00C50B40
hi+, xrefs: 00C4E3C0
j4h!, xrefs: 00C4C388
hq, xrefs: 00C4CEB6
h, xrefs: 00C4FC0B
h&(, xrefs: 00C506B1
a!l, xrefs: 00C4D991
jhb$, xrefs: 00C4EA44
h*, xrefs: 00C4DED2
h<, xrefs: 00C4C47F
C:\Users\user, xrefs: 00C515B6
hP, xrefs: 00C5088B
h, xrefs: 00C4D3E2
hO+, xrefs: 00C4E7D5
h{7, xrefs: 00C51281

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: C:\Users\user$a!l$h$h&($h-)$h-<$h0$h:$hC"$hO+$hP$hQ"$h[*$h\7$hd"$hi*$hi+$hk#$hq$h{)$h{7$h$h$h)$h*$h.$h6$h<$jhz*$jhb$$jhl7$jhu<$j4h!$(S$,b/
API String ID: 667068680-2633433573
Opcode ID: 16ff41248366702c13c96242926463cfa897f1262abc9bd2678d20a7b388da3c
Instruction ID: 585c38120f4dd7b2b6e7d0df6cc0a7f1119643127e19f7ad41d5b7d4a2ecee8b
Opcode Fuzzy Hash: 16ff41248366702c13c96242926463cfa897f1262abc9bd2678d20a7b388da3c
Instruction Fuzzy Hash: DAB368B0F00605EBD720DFA7FD957AD7BB0FB88310B11805AE982A22B5DBF14961DB45

Function 00C315A0 Relevance: 33.1, APIs: 12, Strings: 6, Instructions: 1602fileCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(00C6DFC0), ref: 00C316A3
CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00C3187D
DeleteFileA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00C31BED
RemoveDirectoryA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00C31C40
CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000), ref: 00C31E18
CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00C31F47
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C3247A

Strings

v-7P, xrefs: 00C32B64
#tG5, xrefs: 00C3289D
C:\Users\user, xrefs: 00C32210, 00C3230B
\, xrefs: 00C3296C
}3, xrefs: 00C31647
2V, xrefs: 00C31D3E

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: Directory$Create$DeleteFileRemoveVersion
String ID: #tG5$2V$C:\Users\user$\$v-7P$}3
API String ID: 696612475-1592576725
Opcode ID: c949bb10c55ed816d408b81a607b237a4c434e5d77a95177e39476e63ee5ef62
Instruction ID: a10d653002775433a9162545653eb86a05d39806cb16170e3d00fd6c03e69a07
Opcode Fuzzy Hash: c949bb10c55ed816d408b81a607b237a4c434e5d77a95177e39476e63ee5ef62
Instruction Fuzzy Hash: 5FE279B0E04605DBCB249F63FD983AD7BB0FB89310F118169D983522B4EBF14AA5DB45

Function 00C2A780 Relevance: 7.8, APIs: 5, Instructions: 294
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000003E8), ref: 00C2A899
FindFirstFileA.KERNELBASE(?,?), ref: 00C2A9FF
DeleteFileA.KERNELBASE(?), ref: 00C2AB11
FindNextFileA.KERNELBASE(00000000,?), ref: 00C2AB31
FindClose.KERNEL32(00000000), ref: 00C2AB4A

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleep
String ID:
API String ID: 1528862845-0
Opcode ID: dd8a22260952ebbba134daaeb653149ee6e4b20c0484bde30f26029fabd34d7f
Instruction ID: fff960f04cf32d40bb45e4a0af6b3fd1d9e85775ed1e68f934c47629903731a3
Opcode Fuzzy Hash: dd8a22260952ebbba134daaeb653149ee6e4b20c0484bde30f26029fabd34d7f
Instruction Fuzzy Hash: FEC1AB70F04A19DBCB249F63FD683AD7BB1FB89310B118195E88793274DBB14AA5CB41

Function 00C57710 Relevance: 4.7, APIs: 3, Instructions: 152
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00C316FF), ref: 00C577DE
CheckTokenMembership.KERNELBASE(00000000,?,?,?,?,?,00C316FF), ref: 00C57817
FreeSid.ADVAPI32(?,?,?,?,00C316FF), ref: 00C57918

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 4bb5a3932ca676b58e3fd07e8c3bec99ee7ad59438021a40c8422908463839c8
Instruction ID: 49061c8bf4da97812ce37d6e19bb3cd4bbcefe3275ba301e56290d710a372ae6
Opcode Fuzzy Hash: 4bb5a3932ca676b58e3fd07e8c3bec99ee7ad59438021a40c8422908463839c8
Instruction Fuzzy Hash: FD61B0B4F05206EBC7208FA3ED887BD7B74FB88301B52815AD58252274DBF059A5CF56

Function 00C55570 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00C5EFAF,00C5EFAF,?,?,00000001), ref: 00C555B2
RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 00C555B9

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: a3b98f24c1ceb4d6822b755c3d438d211fa278b080d651e3e35255622590150a
Instruction ID: 18570f285560eabee08c7a9636a8b5aaa197b9c7a48ccb6a155000cfc7173df9
Opcode Fuzzy Hash: a3b98f24c1ceb4d6822b755c3d438d211fa278b080d651e3e35255622590150a
Instruction Fuzzy Hash: 9AF03074E45708EBCB20DF92FD5976DBF78FB48700F104065E80A97364DAB1AA50CB91

Function 00C4D366 Relevance: 230.4, APIs: 98, Strings: 31, Instructions: 4600libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(76F70000,?), ref: 00C4D3C5
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4D44E
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4D4F9
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4D575
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4D60A
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4D699
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4D70E
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4D817
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4D89B
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4D935
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4D9F0
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4DB13

Strings

h{), xrefs: 00C4F008
jhz*, xrefs: 00C4FCBA
h0, xrefs: 00C511E9
h[*, xrefs: 00C50EA3
h, xrefs: 00C501BA
h-), xrefs: 00C5147A
(S, xrefs: 00C51583
hd", xrefs: 00C4E1BF
h), xrefs: 00C4E929
hQ", xrefs: 00C51325
h:, xrefs: 00C4FF33
jhu<, xrefs: 00C4DC0D
h6, xrefs: 00C51841
jhl7, xrefs: 00C4D588
h\7, xrefs: 00C4FA94
hC", xrefs: 00C4F2E2
h., xrefs: 00C4D52D
h-<, xrefs: 00C51A01
hk#, xrefs: 00C4F7E0
hi*, xrefs: 00C50B40
hi+, xrefs: 00C4E3C0
h, xrefs: 00C4FC0B
h&(, xrefs: 00C506B1
a!l, xrefs: 00C4D991
jhb$, xrefs: 00C4EA44
h*, xrefs: 00C4DED2
C:\Users\user, xrefs: 00C515B6
hP, xrefs: 00C5088B
h, xrefs: 00C4D3E2
hO+, xrefs: 00C4E7D5
h{7, xrefs: 00C51281

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: AddressProc
String ID: C:\Users\user$a!l$h$h&($h-)$h-<$h0$h:$hC"$hO+$hP$hQ"$h[*$h\7$hd"$hi*$hi+$hk#$h{)$h{7$h$h$h)$h*$h.$h6$jhz*$jhb$$jhl7$jhu<$(S
API String ID: 190572456-2958529493
Opcode ID: 146e62bbf795d118ef1db9f21e16fe69315770af81f95fcb346cd92a6b414dcd
Instruction ID: 60d44f9f94a17e8cf2b784acd7d12bdb3cc68eb771bb191561296dd0ae3517e4
Opcode Fuzzy Hash: 146e62bbf795d118ef1db9f21e16fe69315770af81f95fcb346cd92a6b414dcd
Instruction Fuzzy Hash: 41A367B0F00605EBD720DFA7FD557AD7BB0FB88310F11805AE982A22A5DBF14A61DB45

Function 00C4E0B9 Relevance: 185.8, APIs: 79, Strings: 25, Instructions: 3825
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76F70000,?), ref: 00C4E0ED
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4E1A4
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4E290
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4E32F
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4E394
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4E43A
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4E501
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4E5DD

Strings

h{), xrefs: 00C4F008
jhz*, xrefs: 00C4FCBA
h0, xrefs: 00C511E9
h[*, xrefs: 00C50EA3
h, xrefs: 00C501BA
h-), xrefs: 00C5147A
(S, xrefs: 00C51583
hd", xrefs: 00C4E1BF
h), xrefs: 00C4E929
hQ", xrefs: 00C51325
h:, xrefs: 00C4FF33
h6, xrefs: 00C51841
h\7, xrefs: 00C4FA94
hC", xrefs: 00C4F2E2
h-<, xrefs: 00C51A01
hk#, xrefs: 00C4F7E0
hi*, xrefs: 00C50B40
hi+, xrefs: 00C4E3C0
h, xrefs: 00C4FC0B
h&(, xrefs: 00C506B1
jhb$, xrefs: 00C4EA44
C:\Users\user, xrefs: 00C515B6
hP, xrefs: 00C5088B
hO+, xrefs: 00C4E7D5
h{7, xrefs: 00C51281

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: AddressProc
String ID: C:\Users\user$h$h&($h-)$h-<$h0$h:$hC"$hO+$hP$hQ"$h[*$h\7$hd"$hi*$hi+$hk#$h{)$h{7$h$h)$h6$jhz*$jhb$$(S
API String ID: 190572456-2648681185
Opcode ID: b5ca5f41caedc2cddfeee35fafc7e255257b4b0bedb342a906dedf32bed9c709
Instruction ID: 938b15293bc7455485e9d2e11ea335e10c770c8231650b3d285cdf30bf601bc5
Opcode Fuzzy Hash: b5ca5f41caedc2cddfeee35fafc7e255257b4b0bedb342a906dedf32bed9c709
Instruction Fuzzy Hash: 708368B4F01605EBD720DFA3FE557AD7BB0FB88310F218059E982A22A4DBF14961DB45

Function 00C4E6F6 Relevance: 168.0, APIs: 71, Strings: 23, Instructions: 3471
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76F70000,?), ref: 00C4E70E
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4E7C2
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4E849
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4E903
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4E9A9
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4EA2A
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4EABF
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4EB23
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4EBA9
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4EC61
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4ECEA
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4ED7B
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4EDD9
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4EEAD
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4EFED
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4F05C
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4F135
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4F19A
GetProcAddress.KERNEL32(76F70000,?), ref: 00C4F1F9
LoadLibraryA.KERNELBASE(?), ref: 00C4F26D
LoadLibraryA.KERNEL32(?), ref: 00C4F349
GetProcAddress.KERNEL32(761D0000,00000000), ref: 00C4F44D
GetProcAddress.KERNEL32(761D0000,?), ref: 00C4F515
GetProcAddress.KERNEL32(761D0000,?), ref: 00C4F5C3
GetProcAddress.KERNEL32(761D0000,?), ref: 00C4F6BD
GetProcAddress.KERNEL32(761D0000,?), ref: 00C4F7CB
GetProcAddress.KERNEL32(761D0000,?), ref: 00C4F8D9

Strings

h{), xrefs: 00C4F008
h-<, xrefs: 00C51A01
jhz*, xrefs: 00C4FCBA
hk#, xrefs: 00C4F7E0
hi*, xrefs: 00C50B40
h0, xrefs: 00C511E9
h[*, xrefs: 00C50EA3
h, xrefs: 00C501BA
h, xrefs: 00C4FC0B
h-), xrefs: 00C5147A
h&(, xrefs: 00C506B1
jhb$, xrefs: 00C4EA44
(S, xrefs: 00C51583
C:\Users\user, xrefs: 00C515B6
hP, xrefs: 00C5088B
h), xrefs: 00C4E929
hQ", xrefs: 00C51325
h:, xrefs: 00C4FF33
hO+, xrefs: 00C4E7D5
h{7, xrefs: 00C51281
h6, xrefs: 00C51841
h\7, xrefs: 00C4FA94
hC", xrefs: 00C4F2E2

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: C:\Users\user$h$h&($h-)$h-<$h0$h:$hC"$hO+$hP$hQ"$h[*$h\7$hi*$hk#$h{)$h{7$h$h)$h6$jhz*$jhb$$(S
API String ID: 2238633743-3911754425
Opcode ID: 2be5f6db64d6b7339ff912ef72d5b9b46f1b5e41c391b6e1b2c65bc8eb7adf94
Instruction ID: bd29ab39d977b2d80c9b3baad3a4e3ce34b4655f32af0cdf6a3c304c921c6571
Opcode Fuzzy Hash: 2be5f6db64d6b7339ff912ef72d5b9b46f1b5e41c391b6e1b2c65bc8eb7adf94
Instruction Fuzzy Hash: 587367B4F01605EBD720DFA3FE557AD7BB0FB88310F218059D982A22A4DBF14A61DB45

Function 00C50F4E Relevance: 41.3, APIs: 15, Strings: 8, Instructions: 1085
libraryloadersynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76DA0000,?), ref: 00C50FCA
GetProcAddress.KERNEL32(76DA0000,?), ref: 00C510D6
GetProcAddress.KERNEL32(76DA0000,?), ref: 00C511B4
GetProcAddress.KERNEL32(76DA0000,?), ref: 00C5126C
GetProcAddress.KERNEL32(76DA0000,?), ref: 00C51308
GetProcAddress.KERNEL32(76DA0000,?), ref: 00C51375
GetProcAddress.KERNEL32(76DA0000,?), ref: 00C5145D
GetProcAddress.KERNEL32(76DA0000,?), ref: 00C5151F

Part of subcall function 00C568B0: GetSystemTime.KERNEL32(?,?,00000001,?,?,?,00C51588,00000015,?), ref: 00C56967
Part of subcall function 00C568B0: GetTickCount.KERNEL32 ref: 00C56A58

GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 00C515C5
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00C51609
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00C51658
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00C51674
GetTickCount.KERNEL32 ref: 00C517EE
GetCommandLineA.KERNEL32 ref: 00C51997

Strings

h-), xrefs: 00C5147A
h-<, xrefs: 00C51A01
(S, xrefs: 00C51583
C:\Users\user, xrefs: 00C515B6
hQ", xrefs: 00C51325
h0, xrefs: 00C511E9
h{7, xrefs: 00C51281
h6, xrefs: 00C51841

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: AddressProc$CreateMutex$CountTick$CommandEnvironmentLineSystemTimeVariable
String ID: C:\Users\user$h-)$h-<$h0$hQ"$h{7$h6$(S
API String ID: 116423738-1576329368
Opcode ID: beb75f2442768da1aeb657eb5d0a4aca6b1cf0b27859d4f0423d8ad9cd17ec58
Instruction ID: 74076a017e62b618e1f95ada33a14a6ba57c19fa2fe1ca96e5cd2ea5758f265f
Opcode Fuzzy Hash: beb75f2442768da1aeb657eb5d0a4aca6b1cf0b27859d4f0423d8ad9cd17ec58
Instruction Fuzzy Hash: 1CA269B4F01605EBC7249F63FE593AD7BB0FB88311F218059D983622A4DBF04AA5DB45

Function 00C32525 Relevance: 14.6, APIs: 5, Strings: 3, Instructions: 638
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C3259F
GetTempPathA.KERNEL32(00000104,00000000,?,?,?,?,?,00000000), ref: 00C32891
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00C32A8F

Strings

v-7P, xrefs: 00C32B64
#tG5, xrefs: 00C3289D
\, xrefs: 00C3296C

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: CreateDirectory$PathTemp
String ID: #tG5$\$v-7P
API String ID: 4115145201-232245755
Opcode ID: 2a8b72ea5fbbf967f149c6560fce9ba87ff7234ab7a6f61e2cb3169aa30f4395
Instruction ID: 51ee276e10d9c4f01c0179fb60b0d155005bba628a709719c7b17c028a761bf7
Opcode Fuzzy Hash: 2a8b72ea5fbbf967f149c6560fce9ba87ff7234ab7a6f61e2cb3169aa30f4395
Instruction Fuzzy Hash: 2042BAB1F04605DBCB249F63FE583AD7BB0FB89310F218195D583522A8EBF14AA5DB41

Function 00C37230 Relevance: 11.0, APIs: 7, Instructions: 456
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,000000FF), ref: 00C3736B
ReadFile.KERNELBASE(00000000,000000FF,?,?,00000000,?,?,?,?,000000FF), ref: 00C373D9
CloseHandle.KERNELBASE(00000000,?,?,?,?,000000FF), ref: 00C373F2
GetTickCount.KERNEL32 ref: 00C374B7
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00C3771A
WriteFile.KERNELBASE(00000000,000000FF,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00C377BA
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00C37845

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID:
API String ID: 3478262135-0
Opcode ID: 64d50360ce05a29eee9241b7a9a8375c36507c48c3e15fefd24b62e83fc32c4d
Instruction ID: 5396eb3c9bf5c530f222841fd6534d397a81d15dcc776d038e7c668c0769e5c8
Opcode Fuzzy Hash: 64d50360ce05a29eee9241b7a9a8375c36507c48c3e15fefd24b62e83fc32c4d
Instruction Fuzzy Hash: 611289B1E04605DBC7248F67FD587AD7BB4FB89721F11825AD883922B4EBF048A1CB51

Function 00C46700 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 429
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 00C4695B
WriteFile.KERNELBASE(?,?,00005000,00005000,00000000), ref: 00C46C2D
CloseHandle.KERNEL32(?), ref: 00C46D57

Strings

[v"=, xrefs: 00C46799

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: [v"=
API String ID: 1065093856-2465089900
Opcode ID: dc368454a9b68d08fd52083dde9f1974a02a822f1b1d48381d82a31e040f30fc
Instruction ID: 5f8ad1c4bfe2ee6fd60a33358bde7f9c11a49dcc6ed28bc027cc938f68ae4114
Opcode Fuzzy Hash: dc368454a9b68d08fd52083dde9f1974a02a822f1b1d48381d82a31e040f30fc
Instruction Fuzzy Hash: 5A127AB0F04605DBC7249F57FD983AD7BB0FB89315F21809AD887922A4EBB049A1DB45

Function 00C33A80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 149
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?), ref: 00C33BE8
CloseHandle.KERNEL32(00000000), ref: 00C33C04
CloseHandle.KERNEL32(?), ref: 00C33C38

Strings

D, xrefs: 00C33B27

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: 0ffd4523150abda379f597969aff8e4a5312ef6a0adc80c32fb4fc0a7fbcea85
Instruction ID: f81570065a47d3f95643067320fc0821b8f90159d72679e255d96c43a775220a
Opcode Fuzzy Hash: 0ffd4523150abda379f597969aff8e4a5312ef6a0adc80c32fb4fc0a7fbcea85
Instruction Fuzzy Hash: 38618870F05A09EBD7209F93FE587AC7B30FB88310F218085D583662A8DBF05AA5CB45

Function 00C2AC20 Relevance: 3.1, APIs: 2, Instructions: 53
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?), ref: 00C2ACA0
CharLowerBuffA.USER32(?,00000000), ref: 00C2ACA8

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID:
API String ID: 794975171-0
Opcode ID: becd751a3ce68f1296eda365e02562be8bf3ac208b1fb5de4601027f8f6e03d3
Instruction ID: c1b8fa8f3194521eaea30c58870b4134b7ea4d117a21c20ae5218b777ff9387f
Opcode Fuzzy Hash: becd751a3ce68f1296eda365e02562be8bf3ac208b1fb5de4601027f8f6e03d3
Instruction Fuzzy Hash: 6B114675F04A16DB83249F6BFC883AD3B74F7997207114155E88782264EBF05AA1CB8A

Function 00C44770 Relevance: 3.0, APIs: 2, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00C2FCFC,00C2FCFC,?,?,?,?,00000001), ref: 00C447A0
RtlFreeHeap.NTDLL(00000000,?,?,?,00000001), ref: 00C447A7

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: aebf82d369a25cfebd1fe24ecec57dc150df38ea8ae4b28271a543657beaf45e
Instruction ID: bf975c847f5b0a3791f79bde217afb4db29c283576a1bb77b203d8c1d79c2cc0
Opcode Fuzzy Hash: aebf82d369a25cfebd1fe24ecec57dc150df38ea8ae4b28271a543657beaf45e
Instruction Fuzzy Hash: AA011274F05608EBCB209F93FD4836D7BB4FB89322F124082D98792164DBF00964DB51

Function 00C59D80 Relevance: 1.6, APIs: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C43E30: GetStdHandle.KERNEL32(000000F6,?,00000001,0000D92F,?,00C59D96), ref: 00C43E4E
Part of subcall function 00C43E30: GetStdHandle.KERNEL32(000000F5,00000000,?,00000001,0000D92F,?,00C59D96), ref: 00C43EBA
Part of subcall function 00C43E30: GetStdHandle.KERNEL32(000000F4,00000000,?,00000001,0000D92F,?,00C59D96), ref: 00C43F3A

ExitProcess.KERNEL32 ref: 00C59ED0

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: Handle$ExitProcess
String ID:
API String ID: 256993070-0
Opcode ID: dea3226bc7c037fbde5756486ca11d9d7c1db816ca5f6fb22b8f1e348719f89e
Instruction ID: c5c6e54739c53ed13f2bccc975fffd662b16a806ddc2a2a5862ad8c52f7edef2
Opcode Fuzzy Hash: dea3226bc7c037fbde5756486ca11d9d7c1db816ca5f6fb22b8f1e348719f89e
Instruction Fuzzy Hash: B43169B4E05605EBC724EF27FA4536C3B71FB89311B6180A5C88392274DFB11EA2DB49

Function 00C3AA20 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00C3AB0F

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 1b212a9f2fd3407558f6fe6efb04ab4c55bd1c8b7241772fdf3f4d93f62fc195
Instruction ID: cd45533e69955d9b43ee7715914028fade56e789f6c0e0b4de4a06e6d8ac34e0
Opcode Fuzzy Hash: 1b212a9f2fd3407558f6fe6efb04ab4c55bd1c8b7241772fdf3f4d93f62fc195
Instruction Fuzzy Hash: C52171B4E05205E7CB24AF63FB5439C3BB4FB49725B204455C88352364D7B14A51EF85

Non-executed Functions

Function 00C5F820 Relevance: 24.2, APIs: 11, Strings: 2, Instructions: 1429networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 00C60491
setsockopt.WS2_32(00000000,0000FFFF,00001006,00000000,00000004), ref: 00C605C5
gethostbyname.WS2_32(?), ref: 00C60669
inet_ntoa.WS2_32(00000002), ref: 00C606D6
inet_addr.WS2_32(00000000), ref: 00C606DD
htons.WS2_32(00000050), ref: 00C6071A

Strings

/, xrefs: 00C5FA5E
`z{, xrefs: 00C60A91

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: gethostbynamehtonsinet_addrinet_ntoasetsockoptsocket
String ID: /$`z{
API String ID: 2269612703-3201032225
Opcode ID: 7fe58ef48a51469a22a703c7bdc11af31ff0bb888274c601cacf58ad62f0e82c
Instruction ID: 1f4383e967519073546cfcb687f1ff1981c8f242a2acf597f6b66ff043cf4a3a
Opcode Fuzzy Hash: 7fe58ef48a51469a22a703c7bdc11af31ff0bb888274c601cacf58ad62f0e82c
Instruction Fuzzy Hash: 02D28A70F00609DBC7249F63FD983AD7BB4FB89311B11806AD887622B4EBF149A5DB45

Function 00C22250 Relevance: 13.7, APIs: 9, Instructions: 246serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00C22303
CreateServiceA.ADVAPI32(00000000,01370748,01370748,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00C22375
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00C223DC
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00C2240D
CloseServiceHandle.ADVAPI32(00000000), ref: 00C22426
OpenServiceA.ADVAPI32(00000000,01370748,00000010), ref: 00C224D5
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00C224F8
CloseServiceHandle.ADVAPI32(00000000), ref: 00C2253C
CloseServiceHandle.ADVAPI32(00000000), ref: 00C225B9

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: 03717149e91a56aa7bc89985d047f48c88f97587f24f07d2777fa82be4a25adf
Instruction ID: b67fe0664a960fe84a4ec0dd0a435f8331ee3ee427605fc7b7e0158804cd5d6d
Opcode Fuzzy Hash: 03717149e91a56aa7bc89985d047f48c88f97587f24f07d2777fa82be4a25adf
Instruction Fuzzy Hash: 60B134B4F05615EBC7249F63FD987AC7B70FB89710F118056E883A26A4E7F049A1CB45

Function 00C44C00 Relevance: 11.2, APIs: 7, Instructions: 660processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00C44D14
Process32First.KERNEL32(00000000,?), ref: 00C44E93
CreateToolhelp32Snapshot.KERNEL32(00000008,?,00000000), ref: 00C4529B
Module32First.KERNEL32(00000000,?), ref: 00C452FF
CloseHandle.KERNEL32(00000000,0000000A,?,00000000), ref: 00C455C2
Process32Next.KERNEL32(0000000A,00000128), ref: 00C4564E
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00C456DF

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
String ID:
API String ID: 930127669-0
Opcode ID: 5c838b54d965ebb41ddcbf9ed3c9fab3de8af7924757940ebcc619920d7461cb
Instruction ID: d075d1e3f6bcf7ae5b75b766034ccd0addc3cad1731458875d25891ba75a51d4
Opcode Fuzzy Hash: 5c838b54d965ebb41ddcbf9ed3c9fab3de8af7924757940ebcc619920d7461cb
Instruction Fuzzy Hash: 6B528AB4F01605EBC7249F63FE583AC7BB4FB89311B228095D483622B4EBF149A5DB45

Function 00C42500 Relevance: 11.1, APIs: 5, Strings: 1, Instructions: 575serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000,?,00000000), ref: 00C42702
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000,?,00000000), ref: 00C42791
GetLastError.KERNEL32(?,00000000), ref: 00C4281B
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 00C4290D

Part of subcall function 00C5B3F0: lstrlenA.KERNEL32(00000001,0136B419,?,00C494CD,?,00000024,00000000,00000001,?,?,00000000,?,?,?,?,?), ref: 00C5B47E

CloseServiceHandle.ADVAPI32(00000000), ref: 00C42D27

Strings

>]>, xrefs: 00C42D33

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenServicelstrlen
String ID: >]>
API String ID: 783426840-737585485
Opcode ID: ea240eb561b2a53b0e93aeaa450639e60a25db37fe5f47ca9128e271bf8a1fa9
Instruction ID: 0ef40cbb7074b26d0186e039d3f8b27486e6dba25c15d7f17d9f0882acef4968
Opcode Fuzzy Hash: ea240eb561b2a53b0e93aeaa450639e60a25db37fe5f47ca9128e271bf8a1fa9
Instruction Fuzzy Hash: 6542AFB4F05609DBC7249F63FE583AC7BB4FB88310B21815AD483A22B4EBF14965CB45

Function 00C568B0 Relevance: 3.1, APIs: 2, Instructions: 128timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,?,00000001,?,?,?,00C51588,00000015,?), ref: 00C56967
GetTickCount.KERNEL32 ref: 00C56A58

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: CountSystemTickTime
String ID:
API String ID: 2164215191-0
Opcode ID: 7abb3d185508063e4adbaab8c1d26c0aea07ce943692c2d24baa50845db96102
Instruction ID: 1a2ee99809df2954d53c79e01fdc6276966e6c6ca1d2d506fe73e3cfa32f2509
Opcode Fuzzy Hash: 7abb3d185508063e4adbaab8c1d26c0aea07ce943692c2d24baa50845db96102
Instruction Fuzzy Hash: 89518FB1F04609EBC724EF93FE543AC7B70FB893107628195D483622B8EBB05A65DB45

Function 00C3ACF0 Relevance: 1.8, Strings: 1, Instructions: 541COMMON

Download Yara Rule

Strings

3k:, xrefs: 00C3B509

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID:
String ID: 3k:
API String ID: 0-1299657057
Opcode ID: 31dd7a6c55a7df468c2ec2d43ee82df00c830edc15f2afb63cb3884ed17a85af
Instruction ID: 56f66f0ce5976321aa1dabf6251c99edb4fce12d127e97fa489a02081f4a2ba1
Opcode Fuzzy Hash: 31dd7a6c55a7df468c2ec2d43ee82df00c830edc15f2afb63cb3884ed17a85af
Instruction Fuzzy Hash: B232E1B0F00605DBC724DF67FD983AC7BB0FB89310B22815AD487922B4EBB548A5CB45

Function 00C2AD00 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 00C2AD74

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID:
API String ID: 3789849863-0
Opcode ID: 6d750798f997dfb100a51f8709f57520b42bc128da4d1d19c39af0e8225abac9
Instruction ID: 18bdc0e8dcd25e15e356e2fdaf7d2159a25becb9901f626ceedec664b6c4e218
Opcode Fuzzy Hash: 6d750798f997dfb100a51f8709f57520b42bc128da4d1d19c39af0e8225abac9
Instruction Fuzzy Hash: 2E1133B4E04609DBC720DFA7F95839DBBB4FB88301F218196C887A3624D7B05A95DB85

Function 00C3CCA0 Relevance: 12.5, APIs: 8, Instructions: 454registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(01370748,00C59EE0), ref: 00C3CE80
SetServiceStatus.ADVAPI32(00000000,00C6D8CC), ref: 00C3CF35
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C3CF66
SetServiceStatus.ADVAPI32(00000000,00C6D8CC), ref: 00C3D018
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00C3D122
SetServiceStatus.ADVAPI32(00000000,00C6D8CC), ref: 00C3D1FD
CloseHandle.KERNEL32(00000000), ref: 00C3D254
SetServiceStatus.ADVAPI32(00000000,00C6D8CC), ref: 00C3D30E

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID:
API String ID: 3399922960-0
Opcode ID: 69786710ad93e0fd959e56426b1a43f180952736656a6f857355787e2d16af06
Instruction ID: b3fd693867372687c45845d5e539b78d8e9692c45675876f2bafd0862ecc4d44
Opcode Fuzzy Hash: 69786710ad93e0fd959e56426b1a43f180952736656a6f857355787e2d16af06
Instruction Fuzzy Hash: 6F2227B4E05605EBC724DF63FA583AC7BB0FB89324B21859AD483932B4DBF15A51DB40

Function 00C42E80 Relevance: 10.9, APIs: 7, Instructions: 391processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000000,00000001), ref: 00C42FE6
Process32First.KERNEL32(00000000,?), ref: 00C43056

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32
String ID:
API String ID: 2353314856-0
Opcode ID: a413e9446776ca4ba8b348ad515176ff8e4ff4cbf50337f77d5c483e85de8d19
Instruction ID: 8b7375b524e1d8bc4fa6d9f3873a0ef3b490a5e75d094511d960d105c04451b2
Opcode Fuzzy Hash: a413e9446776ca4ba8b348ad515176ff8e4ff4cbf50337f77d5c483e85de8d19
Instruction Fuzzy Hash: EB0291B0E05605EBCB24DF63FE583AC7BB4FB99310B21819AD48392274DBF54A65DB40

Function 00C47790 Relevance: 9.3, APIs: 6, Instructions: 267filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00C47872
GetFileTime.KERNEL32(00000000,?,?,?), ref: 00C478DD
CloseHandle.KERNEL32(00000000), ref: 00C4796E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C47A84
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00C47ADF
CloseHandle.KERNEL32(00000000), ref: 00C47AFD

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3236713533-0
Opcode ID: 4209d835f259b4fd1f1f0f2cb2a8d31b0d5cb1deb861b75b6451646b492237f5
Instruction ID: 4d25ec45f530ed9937833137a9c880968178a972a4191b6cdb304feb9485b360
Opcode Fuzzy Hash: 4209d835f259b4fd1f1f0f2cb2a8d31b0d5cb1deb861b75b6451646b492237f5
Instruction Fuzzy Hash: 3FB190B1F05605EBC7209F67FE483AC7BB0FB88311B21455AD883622B4EBB05965DB85

Function 00C32FF0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 284processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C33115
Process32First.KERNEL32(00000000,00000128), ref: 00C33245
Process32Next.KERNEL32(00000000,00000128), ref: 00C3338B

Strings

Tr^Z, xrefs: 00C334BD

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32
String ID: Tr^Z
API String ID: 1238713047-2648191975
Opcode ID: 9084f3b5107fb3a891ef06c58a0cb6e3a904df79d78d4447d0bf1962f537cd8f
Instruction ID: 13eb235cb9556ae2fe83b90123eba66be07a189fca0d82dde4137b9dde65e307
Opcode Fuzzy Hash: 9084f3b5107fb3a891ef06c58a0cb6e3a904df79d78d4447d0bf1962f537cd8f
Instruction Fuzzy Hash: DAC18EB0F15645DBD7209F23FD983AC7B70FB84310F228195D483522B4DBB24AA9CB46

Function 00C43078 Relevance: 7.8, APIs: 5, Instructions: 262COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C431F8

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: OpenProcess
String ID:
API String ID: 3743895883-0
Opcode ID: e82f0711f42d66b6b566ff9ca7423e967c694a8e2742bd81df3f1fa387c5c98c
Instruction ID: 41922323ff0e2531d558178dc8059f2773bdacffcb18e61cf295baab06f2fd66
Opcode Fuzzy Hash: e82f0711f42d66b6b566ff9ca7423e967c694a8e2742bd81df3f1fa387c5c98c
Instruction Fuzzy Hash: 8AB1C0B0E05645DBCB24DF53FE583AD7BB0FB99311B218095D88362274EBF14A61DB40

Function 00C57990 Relevance: 7.6, APIs: 5, Instructions: 109synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 00C57A41
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00C57A6A
CloseHandle.KERNEL32(00000000), ref: 00C57AB5
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C57B09
CloseHandle.KERNEL32(?,?,000000FF), ref: 00C57B24

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: e8e7759b9723683bd713162d58a28411b5f196649d430edee3299405365c4641
Instruction ID: 60ef936bc0a7667a1666d20406af472cdcfc3bd58c6857be50bb479cb6e9e2d4
Opcode Fuzzy Hash: e8e7759b9723683bd713162d58a28411b5f196649d430edee3299405365c4641
Instruction Fuzzy Hash: 5F4132B4B04A19DBC3208F23FC5876C3BB4FB89721F118159E883422B8CBF498A5DB41

Function 00C5B680 Relevance: 6.3, APIs: 4, Instructions: 284fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,1212816C), ref: 00C5B826
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00C5B8A6
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00C5B9EE
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00C5BA79

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: CloseFileHandle$CreateRead
String ID:
API String ID: 2564258376-0
Opcode ID: 2074ba24dd0992810f37704a14b7cd92b436ffb035a3cf6ff3203484b95224b1
Instruction ID: 498e58301c8eca5b981b46528febdb262a2e51ad0bb881488197dde8d049702b
Opcode Fuzzy Hash: 2074ba24dd0992810f37704a14b7cd92b436ffb035a3cf6ff3203484b95224b1
Instruction Fuzzy Hash: 63C188B4F00609EBC7209F67FE983AC3B74FB88311F218199D887562B0DBB059A5DB44

Function 00C43E30 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,?,00000001,0000D92F,?,00C59D96), ref: 00C43E4E
GetStdHandle.KERNEL32(000000F5,00000000,?,00000001,0000D92F,?,00C59D96), ref: 00C43EBA
GetStdHandle.KERNEL32(000000F4,00000000,?,00000001,0000D92F,?,00C59D96), ref: 00C43F3A

Strings

8N6x, xrefs: 00C43F59

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: Handle
String ID: 8N6x
API String ID: 2519475695-3105736675
Opcode ID: 1abd783757c3844334e41fb0d69cfb009680ec572cce855a8c3ed329f5a830d2
Instruction ID: e6768a17ecf644554f2e536c45907a1c6c898d33d0b4f66389175fc2ca0ef4eb
Opcode Fuzzy Hash: 1abd783757c3844334e41fb0d69cfb009680ec572cce855a8c3ed329f5a830d2
Instruction Fuzzy Hash: 543122B5F00204DBC7209F57FE9476C7BB4FBC8320B62812AE956822B4CAB04961DF56

Function 00C53BD9 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 249sleepthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_000355D0,00000000,00000000,00000000), ref: 00C53F6E
Sleep.KERNEL32(0000C350), ref: 00C53FF5

Strings

DH|(, xrefs: 00C53E05

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: CreateSleepThread
String ID: DH|(
API String ID: 4202482776-4253307406
Opcode ID: b33a938217b01540e5b18bcb1a4ffe2206bd1adaedcbf72aa9a2be6eb62fc97e
Instruction ID: 3cdccc80656c05fbd1c2330b6c1ffe8de4fb096f9152be2440df9a606b984667
Opcode Fuzzy Hash: b33a938217b01540e5b18bcb1a4ffe2206bd1adaedcbf72aa9a2be6eb62fc97e
Instruction Fuzzy Hash: 0FB19870F04605EBD7209FA3FD597AD7BB4FB88300F114095E987662B0DBB04AA5EB46

Function 00C33276 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32(00000000,00000128), ref: 00C3338B
CloseHandle.KERNEL32(00000000), ref: 00C33421

Strings

Tr^Z, xrefs: 00C334BD

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: CloseHandleNextProcess32
String ID: Tr^Z
API String ID: 4007157957-2648191975
Opcode ID: 876f0c95fd3fecaf6d40f46af89f55673cbde5e2d0d8cf30c2e17ec335097244
Instruction ID: 72793b7655ffcaa03cae2db2b427b541756a4782d7d2ba9f81da812ba57369b9
Opcode Fuzzy Hash: 876f0c95fd3fecaf6d40f46af89f55673cbde5e2d0d8cf30c2e17ec335097244
Instruction Fuzzy Hash: 15519970B1464AC7CB308F23FD983AD3B30FB85310F1540A5C98396274DBB68AA9C746

Function 00C332B5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32(00000000,00000128), ref: 00C3338B
CloseHandle.KERNEL32(00000000), ref: 00C33421

Strings

Tr^Z, xrefs: 00C334BD

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: CloseHandleNextProcess32
String ID: Tr^Z
API String ID: 4007157957-2648191975
Opcode ID: ff22aec739ec22873cbf412ab11935ff55ceb68d3614fc7c3846437995c1dcca
Instruction ID: 89a9d897655767250998829e30722163ba08b9146d5e33cc804e3c55f4074629
Opcode Fuzzy Hash: ff22aec739ec22873cbf412ab11935ff55ceb68d3614fc7c3846437995c1dcca
Instruction Fuzzy Hash: B7418870F1468AC7DB304F23FD983AC3B70FB85310F1540A5D98692270DBB68AA9CB46

Function 00C5B5A0 Relevance: 5.0, APIs: 4, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?), ref: 00C5B5FB
HeapReAlloc.KERNEL32(00000000), ref: 00C5B602
GetProcessHeap.KERNEL32(00000000,?), ref: 00C5B632
HeapAlloc.KERNEL32(00000000), ref: 00C5B639

Memory Dump Source

Source File: 00000000.00000002.1413154755.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1413140171.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413184889.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413235319.0000000000C6D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413250325.0000000000C6F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_8CO4P3HwDt.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: a6bbb7842829308425746f1568f50113ec97148ffb92b6439d688ab9b85c3bfc
Instruction ID: 85df7a6548c54d091f61b3887d18fbc00eddeba5680c7909ed0fc2db688d1494
Opcode Fuzzy Hash: a6bbb7842829308425746f1568f50113ec97148ffb92b6439d688ab9b85c3bfc
Instruction Fuzzy Hash: 100188B4B00609DBCB20AF63FC4972D7B78FB89312F008244ED4786660EBB19890CB65

Analysis Process: uzqv2crbnrrqx7oiosyki.exePID: 7468, Parent PID: 7412COMMON

Execution Graph

Execution Coverage:	29.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	26

Executed Functions

Function 00CD3770 Relevance: 25.8, APIs: 13, Strings: 1, Instructions: 1321
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00CD3AD7
LoadLibraryA.KERNELBASE(00000000), ref: 00CD3BD8
GetProcAddress.KERNEL32(00000000,00000000), ref: 00CD3DAE
FreeLibrary.KERNEL32(?), ref: 00CD3DEF
HeapAlloc.KERNEL32(?,00000000,00000288), ref: 00CD3E51
FreeLibrary.KERNEL32(?), ref: 00CD3F0D

Strings

m}:m, xrefs: 00CD4643

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: Library$FreeHeap$AddressAllocLoadProcProcess
String ID: m}:m
API String ID: 1564586625-2727069789
Opcode ID: d6295369eb84b3f279b48b834072a6695ca888b5b1b17bded32df9973bb3d96a
Instruction ID: 9192b15ab0939bfffa2230d3e528c41a038d40108cefea8da9637462a5757535
Opcode Fuzzy Hash: d6295369eb84b3f279b48b834072a6695ca888b5b1b17bded32df9973bb3d96a
Instruction Fuzzy Hash: 1DC277B0904715FBC7049F60FD881E97BB2FB89310B11C146D995E23A8EF3985A7CBA5

Function 00CD2250 Relevance: 13.7, APIs: 9, Instructions: 246
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.SECHOST(00000000,00000000,00000002), ref: 00CD2303
CreateServiceA.ADVAPI32(00000000,01150588,01150588,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00CD2375
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00CD23DC
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00CD240D
CloseServiceHandle.SECHOST(00000000), ref: 00CD2426
OpenServiceA.ADVAPI32(00000000,01150588,00000010), ref: 00CD24D5
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00CD24F8
CloseServiceHandle.ADVAPI32(00000000), ref: 00CD253C
CloseServiceHandle.ADVAPI32(00000000), ref: 00CD25B9

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: 4563478ab6bf83e7f252ca52a15eb2027cefd9188ca7795f6add46b186a6e698
Instruction ID: 2174f08de4b5350bd30bc90a69bb1637f5ee064870769065fa5e25f1cdc3fe19
Opcode Fuzzy Hash: 4563478ab6bf83e7f252ca52a15eb2027cefd9188ca7795f6add46b186a6e698
Instruction Fuzzy Hash: C1B12274A05324FBD7049F60ED886E87B72FB99710F11C046E891E23A8EF7485A3CB65

Function 00CFC35F Relevance: 273.3, APIs: 118, Strings: 35, Instructions: 5532libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00CFC4BB
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFC582
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFC605
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFC676
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFC72E
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFC81A
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFC8B1

Strings

j4h!, xrefs: 00CFC388
h:, xrefs: 00CFFF33
h0, xrefs: 00D011E9
hP, xrefs: 00D0088B
h-<, xrefs: 00D01A01
jhl7, xrefs: 00CFD588
jhu<, xrefs: 00CFDC0D
h), xrefs: 00CFE929
h, xrefs: 00CFD3E2
h[*, xrefs: 00D00EA3
h6, xrefs: 00D01841
(S, xrefs: 00D01583
h&(, xrefs: 00D006B1
h-), xrefs: 00D0147A
,b/, xrefs: 00CFC9B6
h*, xrefs: 00CFDED2
hi*, xrefs: 00D00B40
jhb$, xrefs: 00CFEA44
hC", xrefs: 00CFF2E2
h., xrefs: 00CFD52D
a!l, xrefs: 00CFD991
h, xrefs: 00D001BA
h, xrefs: 00CFFC0B
hd", xrefs: 00CFE1BF
hQ", xrefs: 00D01325
h{), xrefs: 00CFF008
hk#, xrefs: 00CFF7E0
hq, xrefs: 00CFCEB6
C:\Users\user, xrefs: 00D015B6
h{7, xrefs: 00D01281
hi+, xrefs: 00CFE3C0
hO+, xrefs: 00CFE7D5
jhz*, xrefs: 00CFFCBA
h\7, xrefs: 00CFFA94
h<, xrefs: 00CFC47F

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: C:\Users\user$a!l$h$h&($h-)$h-<$h0$h:$hC"$hO+$hP$hQ"$h[*$h\7$hd"$hi*$hi+$hk#$hq$h{)$h{7$h$h$h)$h*$h.$h6$h<$jhz*$jhb$$jhl7$jhu<$j4h!$(S$,b/
API String ID: 667068680-2633433573
Opcode ID: 1a578eaa7862d12d071a2d95da1a540aef6680aaf282d0d734a4e816eeb6abf4
Instruction ID: 7f4f9e2ba922937a2abcbe5d5b5f686039f6c41cbd4cfe25e34df85d97f78baa
Opcode Fuzzy Hash: 1a578eaa7862d12d071a2d95da1a540aef6680aaf282d0d734a4e816eeb6abf4
Instruction Fuzzy Hash: B5B355B4A01718FBD7049FA4FD856E97BB2FB88310B11C049E990D23A5DF384A93DB65

Function 00CFD366 Relevance: 230.4, APIs: 98, Strings: 31, Instructions: 4600libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(76F70000,?), ref: 00CFD3C5
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFD44E
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFD4F9
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFD575
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFD60A
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFD699
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFD70E
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFD817
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFD89B
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFD935
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFD9F0
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFDB13

Strings

h:, xrefs: 00CFFF33
h0, xrefs: 00D011E9
hP, xrefs: 00D0088B
h-<, xrefs: 00D01A01
jhl7, xrefs: 00CFD588
jhu<, xrefs: 00CFDC0D
h), xrefs: 00CFE929
h, xrefs: 00CFD3E2
h[*, xrefs: 00D00EA3
h6, xrefs: 00D01841
(S, xrefs: 00D01583
h&(, xrefs: 00D006B1
h-), xrefs: 00D0147A
h*, xrefs: 00CFDED2
hi*, xrefs: 00D00B40
jhb$, xrefs: 00CFEA44
hC", xrefs: 00CFF2E2
h., xrefs: 00CFD52D
a!l, xrefs: 00CFD991
h, xrefs: 00D001BA
h, xrefs: 00CFFC0B
hd", xrefs: 00CFE1BF
hQ", xrefs: 00D01325
h{), xrefs: 00CFF008
hk#, xrefs: 00CFF7E0
C:\Users\user, xrefs: 00D015B6
h{7, xrefs: 00D01281
hi+, xrefs: 00CFE3C0
hO+, xrefs: 00CFE7D5
jhz*, xrefs: 00CFFCBA
h\7, xrefs: 00CFFA94

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: AddressProc
String ID: C:\Users\user$a!l$h$h&($h-)$h-<$h0$h:$hC"$hO+$hP$hQ"$h[*$h\7$hd"$hi*$hi+$hk#$h{)$h{7$h$h$h)$h*$h.$h6$jhz*$jhb$$jhl7$jhu<$(S
API String ID: 190572456-2958529493
Opcode ID: 083e20403c6108869732a7f45c61247e2b04bdfbfcd05f41b96d6f509c13a334
Instruction ID: d6340ed8a74602ad1ce34193484b8da16178f29380cea318780dde1ff555be39
Opcode Fuzzy Hash: 083e20403c6108869732a7f45c61247e2b04bdfbfcd05f41b96d6f509c13a334
Instruction Fuzzy Hash: 56A355B4901718FBD704DFA4FD456E97BB2FB88310B21C049E990D23A5DF384AA2DB65

Function 00CFE0B9 Relevance: 185.8, APIs: 79, Strings: 25, Instructions: 3825
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76F70000,?), ref: 00CFE0ED
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFE1A4
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFE290
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFE32F
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFE394
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFE43A
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFE501
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFE5DD

Strings

h:, xrefs: 00CFFF33
h0, xrefs: 00D011E9
hP, xrefs: 00D0088B
h-<, xrefs: 00D01A01
h), xrefs: 00CFE929
h[*, xrefs: 00D00EA3
h6, xrefs: 00D01841
(S, xrefs: 00D01583
h&(, xrefs: 00D006B1
h-), xrefs: 00D0147A
hi*, xrefs: 00D00B40
jhb$, xrefs: 00CFEA44
hC", xrefs: 00CFF2E2
h, xrefs: 00D001BA
h, xrefs: 00CFFC0B
hd", xrefs: 00CFE1BF
hQ", xrefs: 00D01325
h{), xrefs: 00CFF008
hk#, xrefs: 00CFF7E0
C:\Users\user, xrefs: 00D015B6
h{7, xrefs: 00D01281
hi+, xrefs: 00CFE3C0
hO+, xrefs: 00CFE7D5
jhz*, xrefs: 00CFFCBA
h\7, xrefs: 00CFFA94

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: AddressProc
String ID: C:\Users\user$h$h&($h-)$h-<$h0$h:$hC"$hO+$hP$hQ"$h[*$h\7$hd"$hi*$hi+$hk#$h{)$h{7$h$h)$h6$jhz*$jhb$$(S
API String ID: 190572456-2648681185
Opcode ID: 0974f389ed7b31f20b5c888f08d2afc07f62a8170917fe189d7aeed4d3474906
Instruction ID: 0081e8252313d59cc60bc66a1657e5fff03dd4477ff8e0c98433ce068089fd6a
Opcode Fuzzy Hash: 0974f389ed7b31f20b5c888f08d2afc07f62a8170917fe189d7aeed4d3474906
Instruction Fuzzy Hash: 7E8345B4901718FBD7049FA4FE456E97BB2FB88310B21C059E990D23A4DF384A93DB65

Function 00CFE6F6 Relevance: 168.0, APIs: 71, Strings: 23, Instructions: 3471
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76F70000,?), ref: 00CFE70E
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFE7C2
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFE849
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFE903
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFE9A9
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFEA2A
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFEABF
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFEB23
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFEBA9
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFEC61
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFECEA
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFED7B
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFEDD9
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFEEAD
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFEFED
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFF05C
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFF135
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFF19A
GetProcAddress.KERNEL32(76F70000,?), ref: 00CFF1F9
LoadLibraryA.KERNELBASE(?), ref: 00CFF26D
LoadLibraryA.KERNEL32(?), ref: 00CFF349
GetProcAddress.KERNEL32(761D0000,00000000), ref: 00CFF44D
GetProcAddress.KERNEL32(761D0000,?), ref: 00CFF515
GetProcAddress.KERNEL32(761D0000,?), ref: 00CFF5C3
GetProcAddress.KERNEL32(761D0000,?), ref: 00CFF6BD
GetProcAddress.KERNEL32(761D0000,?), ref: 00CFF7CB
GetProcAddress.KERNEL32(761D0000,?), ref: 00CFF8D9

Strings

hC", xrefs: 00CFF2E2
h, xrefs: 00D001BA
h:, xrefs: 00CFFF33
h, xrefs: 00CFFC0B
h0, xrefs: 00D011E9
hQ", xrefs: 00D01325
hP, xrefs: 00D0088B
h{), xrefs: 00CFF008
h-<, xrefs: 00D01A01
hk#, xrefs: 00CFF7E0
C:\Users\user, xrefs: 00D015B6
h), xrefs: 00CFE929
h[*, xrefs: 00D00EA3
h6, xrefs: 00D01841
h{7, xrefs: 00D01281
hO+, xrefs: 00CFE7D5
(S, xrefs: 00D01583
h&(, xrefs: 00D006B1
h-), xrefs: 00D0147A
jhz*, xrefs: 00CFFCBA
hi*, xrefs: 00D00B40
h\7, xrefs: 00CFFA94
jhb$, xrefs: 00CFEA44

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: C:\Users\user$h$h&($h-)$h-<$h0$h:$hC"$hO+$hP$hQ"$h[*$h\7$hi*$hk#$h{)$h{7$h$h)$h6$jhz*$jhb$$(S
API String ID: 2238633743-3911754425
Opcode ID: af4742e56cf263af305318c11c5f89aa0ed3a856e41506d109ac017baec9dd58
Instruction ID: 5766e4c0c660aace8be6e0a8057fe216d89b5f1940f74d9a2a11040f9ff9fad6
Opcode Fuzzy Hash: af4742e56cf263af305318c11c5f89aa0ed3a856e41506d109ac017baec9dd58
Instruction Fuzzy Hash: DF7346B4901718FBD7049FA4FE456E97BB2FB88310B21C059E990D23A4DF384A93DB65

Function 00D00F4E Relevance: 41.3, APIs: 15, Strings: 8, Instructions: 1085
libraryloadersynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76DA0000,?), ref: 00D00FCA
GetProcAddress.KERNEL32(76DA0000,?), ref: 00D010D6
GetProcAddress.KERNEL32(76DA0000,?), ref: 00D011B4
GetProcAddress.KERNEL32(76DA0000,?), ref: 00D0126C
GetProcAddress.KERNEL32(76DA0000,?), ref: 00D01308
GetProcAddress.KERNEL32(76DA0000,?), ref: 00D01375
GetProcAddress.KERNEL32(76DA0000,?), ref: 00D0145D
GetProcAddress.KERNEL32(76DA0000,?), ref: 00D0151F

Part of subcall function 00D068B0: GetSystemTime.KERNEL32(?,?,00000001,?,?,?,00D01588,00000015,?), ref: 00D06967
Part of subcall function 00D068B0: GetTickCount.KERNEL32 ref: 00D06A58

GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 00D015C5
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00D01609
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00D01658
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00D01674
GetTickCount.KERNEL32 ref: 00D017EE
GetCommandLineA.KERNEL32 ref: 00D01997

Strings

h6, xrefs: 00D01841
h{7, xrefs: 00D01281
(S, xrefs: 00D01583
h0, xrefs: 00D011E9
h-), xrefs: 00D0147A
hQ", xrefs: 00D01325
h-<, xrefs: 00D01A01
C:\Users\user, xrefs: 00D015B6

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: AddressProc$CreateMutex$CountTick$CommandEnvironmentLineSystemTimeVariable
String ID: C:\Users\user$h-)$h-<$h0$hQ"$h{7$h6$(S
API String ID: 116423738-1576329368
Opcode ID: 7d5ad00dbd51ab0a9e30a7b80fe76c0a0d5b7d0f51de90a130ea50e581614f96
Instruction ID: 3cc3d37395619f70f6412ae1c98c232583ed5531301de48f735a62c163e55203
Opcode Fuzzy Hash: 7d5ad00dbd51ab0a9e30a7b80fe76c0a0d5b7d0f51de90a130ea50e581614f96
Instruction Fuzzy Hash: 6DA267B4901719FBD7049F64FE492E97BB2FB88310B21C059D894D23A4DF384AA3DB65

Function 00CE15A0 Relevance: 33.1, APIs: 12, Strings: 6, Instructions: 1602fileCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(00D1DFC0), ref: 00CE16A3
CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00CE187D
DeleteFileA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00CE1BED
RemoveDirectoryA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00CE1C40
CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000), ref: 00CE1E18
CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00CE1F47
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CE247A

Strings

v-7P, xrefs: 00CE2B64
2V, xrefs: 00CE1D3E
#tG5, xrefs: 00CE289D
\, xrefs: 00CE296C
}3, xrefs: 00CE1647
C:\Users\user, xrefs: 00CE2210, 00CE230B

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: Directory$Create$DeleteFileRemoveVersion
String ID: #tG5$2V$C:\Users\user$\$v-7P$}3
API String ID: 696612475-1592576725
Opcode ID: ee02520b115d3460cb27a8d2caedb35e1b59f830e0a72b599aff7fcf22f8d9dd
Instruction ID: 3cdee9c050b0a56c470a9ec729ae9d38f80e5402e2f66dc32292a3e6e832e422
Opcode Fuzzy Hash: ee02520b115d3460cb27a8d2caedb35e1b59f830e0a72b599aff7fcf22f8d9dd
Instruction Fuzzy Hash: BCE289B0900715FBD7049F61FD482E97BB2FB88310B21C159D895D23A8EF394AA7DB64

Function 00CE2525 Relevance: 14.6, APIs: 5, Strings: 3, Instructions: 638
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CE259F
GetTempPathA.KERNEL32(00000104,00000000,?,?,?,?,?,00000000), ref: 00CE2891
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00CE2A8F

Strings

v-7P, xrefs: 00CE2B64
#tG5, xrefs: 00CE289D
\, xrefs: 00CE296C

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: CreateDirectory$PathTemp
String ID: #tG5$\$v-7P
API String ID: 4115145201-232245755
Opcode ID: c7e305bbca7fb8479da557543b24463b529c7fcbc3f16b460b8b64880ee733b6
Instruction ID: 5ffd546da240219fb2f6e93edff220ed8cb78013174d1ca65b9e0b9837c5317d
Opcode Fuzzy Hash: c7e305bbca7fb8479da557543b24463b529c7fcbc3f16b460b8b64880ee733b6
Instruction Fuzzy Hash: C242DCB1900714FBDB049F61FD482E87BB6FB88300B21C055D995D23A8EF354AA7DB64

Function 00CF6700 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 429
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 00CF695B
WriteFile.KERNELBASE(?,?,00005000,00005000,00000000), ref: 00CF6C2D
CloseHandle.KERNELBASE(?), ref: 00CF6D57

Strings

[v"=, xrefs: 00CF6799

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: [v"=
API String ID: 1065093856-2465089900
Opcode ID: c29c5a874a8e5da27481f9837b740d8f39e6b8c3480b9b2a78f26dbb77835525
Instruction ID: 528ae0800674339211434179e3b0b25ca2e23bbdbc8bc5ce09c7c0a718057b4e
Opcode Fuzzy Hash: c29c5a874a8e5da27481f9837b740d8f39e6b8c3480b9b2a78f26dbb77835525
Instruction Fuzzy Hash: A81245B0904719FBD7049F91FD482E97BB3FB89310B21C05AC885E23A8EF3455A2CB65

Function 00CE3A80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 149
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?), ref: 00CE3BE8
CloseHandle.KERNEL32(00000000), ref: 00CE3C04
CloseHandle.KERNEL32(?), ref: 00CE3C38

Strings

D, xrefs: 00CE3B27

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: b99042fe57b0c94d2d85d044a378ba1969a1e584383ee378e5f7b06c733a9a11
Instruction ID: ef5a591e3d78f03d81fc911a1672f4f13c3eb9367895507a11c2f35f9e013c45
Opcode Fuzzy Hash: b99042fe57b0c94d2d85d044a378ba1969a1e584383ee378e5f7b06c733a9a11
Instruction Fuzzy Hash: 54612370A01B08FBD7009F91FE496D87B76FB88310F21C185D581A63A8DF3496A7DB24

Function 00D0B680 Relevance: 6.3, APIs: 4, Instructions: 284
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,1212816C), ref: 00D0B826
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00D0B8A6
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00D0B9EE
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00D0BA79

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: CloseFileHandle$CreateRead
String ID:
API String ID: 2564258376-0
Opcode ID: 10bdda4db374ac3a374c9fc6e3deab7d4204eb5e9de77899d4d3bbad2fbbb884
Instruction ID: 1d316aff700135fac31e646be5255c7f3dc872f80ea9959cfcf5195240d98b36
Opcode Fuzzy Hash: 10bdda4db374ac3a374c9fc6e3deab7d4204eb5e9de77899d4d3bbad2fbbb884
Instruction Fuzzy Hash: DBC14474A00719FBD7049F64FD586E97B72FB88310B61C14AD984D23A0DF389A63DB68

Function 00CDAC20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?), ref: 00CDACA0
CharLowerBuffA.USER32(?,00000000), ref: 00CDACA8

Strings

m}:m, xrefs: 00CDAC29

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID: m}:m
API String ID: 794975171-2727069789
Opcode ID: 5204245634e95ac6ccfdb885f84c5a6417606809ba04fb01914be327dff1cad8
Instruction ID: 52333def58a4d78040d7fe2f784c5e491914355476973f444138e5b595b7205e
Opcode Fuzzy Hash: 5204245634e95ac6ccfdb885f84c5a6417606809ba04fb01914be327dff1cad8
Instruction Fuzzy Hash: 29114C75604B25FB83049F64FC880E93B76FB88720311C245E895C2368EF3055A3CBB9

Function 00D07710 Relevance: 4.7, APIs: 3, Instructions: 152
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00CE16FF), ref: 00D077DE
CheckTokenMembership.KERNELBASE(00000000,?,?,?,?,?,00CE16FF), ref: 00D07817
FreeSid.ADVAPI32(?,?,?,?,00CE16FF), ref: 00D07918

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: e69c615e04d8e18f4b86e60885bc76251c4408d0e3cf87c6704ddf0fb227535a
Instruction ID: 716cc751b7b315ef3fa9f2b3a339ab4bfc21157010c9c92337c195cd47c88fd7
Opcode Fuzzy Hash: e69c615e04d8e18f4b86e60885bc76251c4408d0e3cf87c6704ddf0fb227535a
Instruction Fuzzy Hash: 386147B4905719FBDB009FA5ED885E97B7AFB88300B51C04AD480E23A8DF389567CB75

Function 00CD7F46 Relevance: 4.4, APIs: 1, Strings: 1, Instructions: 942
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameA.KERNEL32(?,?), ref: 00CD8183

Strings

j~hF1, xrefs: 00CD839B

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: ComputerName
String ID: j~hF1
API String ID: 3545744682-796474751
Opcode ID: ed3d2b9c1008b5b1866aedc8c67e730642c08fe70a830ee0120c037c949ebc40
Instruction ID: 654f6b891c3203f0ee6cfd558ede1b641a64df3500c631d260a6dd7b622455cc
Opcode Fuzzy Hash: ed3d2b9c1008b5b1866aedc8c67e730642c08fe70a830ee0120c037c949ebc40
Instruction Fuzzy Hash: D3927AB0901719FBDB049F60FD542E87B72FB89310B21C04AD591E23A4EF355AABDB25

Function 00D06C40 Relevance: 3.4, APIs: 2, Instructions: 444
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76DA0000,00000000), ref: 00D06F67
GetProcAddress.KERNEL32(76DA0000,00000000), ref: 00D07019

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 8245b12bc0387a7ca18c5f02d0e52ae554f035b0f8182952fced7570dc957b22
Instruction ID: 973663eadedac21b8a3af7f3b78ba3b21cd4bf991be95399214ed7db5c97badd
Opcode Fuzzy Hash: 8245b12bc0387a7ca18c5f02d0e52ae554f035b0f8182952fced7570dc957b22
Instruction Fuzzy Hash: DD1242B4904718FBD7009F61FD482E87BB2FB99710B21C14AD894D23A4EF3845A7CB69

Function 00CF4770 Relevance: 3.0, APIs: 2, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00CDFCFC,00CDFCFC,?,?,?,?,00000001), ref: 00CF47A0
RtlFreeHeap.NTDLL(00000000,?,?,?,00000001), ref: 00CF47A7

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 8e0b0fa3b1d5bce667b918fbc944355b459550123ced76a5e2f490fefc622065
Instruction ID: 7a270200e79c37341e7842be56fa7abfac15567f8a8315a933e53df2d174646c
Opcode Fuzzy Hash: 8e0b0fa3b1d5bce667b918fbc944355b459550123ced76a5e2f490fefc622065
Instruction Fuzzy Hash: 0901D274905B18FBD7009F60FE481E97B76FB88311B12C081E885D2364DF354AA6DB71

Function 00D05570 Relevance: 3.0, APIs: 2, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00D0EFAF,00D0EFAF,?,?,00000001), ref: 00D055B2
RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 00D055B9

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: dc35014f6e5502015425b827a37f7c41ae750a3cc279d2259e0aa475ee871158
Instruction ID: 6be8309c9aeeac43401c0f771c8f8a0f140bf587ae64503606a5eab933943655
Opcode Fuzzy Hash: dc35014f6e5502015425b827a37f7c41ae750a3cc279d2259e0aa475ee871158
Instruction Fuzzy Hash: 50F01C74A05308FBCB00DF90F9495A9BB79EB48310F10C155E809D7364DF31AA62CBA1

Function 00CEB950 Relevance: 1.7, APIs: 1, Instructions: 214fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00CEBB5D

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ab5e36923a1778261dd204dfcd22c9febb1b591a9eda135023c0a9ddd9461e33
Instruction ID: 96ad6928ae03664e33cd5e303e0ee5db78073fe2c1698ae3d90d81ceb3d19177
Opcode Fuzzy Hash: ab5e36923a1778261dd204dfcd22c9febb1b591a9eda135023c0a9ddd9461e33
Instruction Fuzzy Hash: 2B9177B0905719FBD7049F65EE452E97BB2FB88310F21C156C981D23B4EF3849A6CB64

Function 00D09D80 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 00CF3E30: GetStdHandle.KERNEL32(000000F6,?,00000001,00007AB9,?,00D09D96), ref: 00CF3E4E
Part of subcall function 00CF3E30: GetStdHandle.KERNEL32(000000F5,00000000,?,00000001,00007AB9,?,00D09D96), ref: 00CF3EBA
Part of subcall function 00CF3E30: GetStdHandle.KERNEL32(000000F4,00000000,?,00000001,00007AB9,?,00D09D96), ref: 00CF3F3A

ExitProcess.KERNEL32 ref: 00D09ED0

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: Handle$ExitProcess
String ID:
API String ID: 256993070-0
Opcode ID: 8e098a6e250c498727e4c1edb2f80fda3e2269ca9140882ca3055fdc5ae2c646
Instruction ID: 8f968261188f232700c7e8fab61952910210c6deedd172f027ce180773f3a7ce
Opcode Fuzzy Hash: 8e098a6e250c498727e4c1edb2f80fda3e2269ca9140882ca3055fdc5ae2c646
Instruction Fuzzy Hash: F2312EB0901B14FBD704AF24FA592E97B72FB89310B61C049D485D23A8DF3949A38B65

Function 00CEAA20 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 00CEAB0F

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 78b56caec8dcd125dff8be60f6a348e3584c54d9fcd134f97801b746c28033fc
Instruction ID: d449d9c11e180c37a8a3f7eed6bf66b2048d16c693dedbf09c9f2174ef191dae
Opcode Fuzzy Hash: 78b56caec8dcd125dff8be60f6a348e3584c54d9fcd134f97801b746c28033fc
Instruction Fuzzy Hash: 992160B4905305FBCB04AF61EA841D83BB6FB48311B21C445D851D2368DF354A97DB64

Non-executed Functions

Function 00CDA780 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 294filesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 00CDA899
FindFirstFileA.KERNEL32(?,?), ref: 00CDA9FF
DeleteFileA.KERNEL32(?), ref: 00CDAB11
FindNextFileA.KERNEL32(00000000,?), ref: 00CDAB31
FindClose.KERNEL32(00000000), ref: 00CDAB4A

Strings

m}:m, xrefs: 00CDA9D0

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleep
String ID: m}:m
API String ID: 1528862845-2727069789
Opcode ID: a179bf95795226b6f46f83bcbb9bdb4a6d4e0bee8d4821955b719e824c55fc68
Instruction ID: a7f8fdf7bca91a93f84f7b27e3f09586fbecfb715c18d956430c9269679010ec
Opcode Fuzzy Hash: a179bf95795226b6f46f83bcbb9bdb4a6d4e0bee8d4821955b719e824c55fc68
Instruction Fuzzy Hash: B2C17670A00B19FBCB049F60FD582E97BB2FB89310B11C185D895D23A4DF394AA7DB65

Function 00CECCA0 Relevance: 12.5, APIs: 8, Instructions: 454registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(01150588,00D09EE0), ref: 00CECE80
SetServiceStatus.ADVAPI32(00000000,00D1D8CC), ref: 00CECF35
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CECF66
SetServiceStatus.ADVAPI32(00000000,00D1D8CC), ref: 00CED018
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00CED122
SetServiceStatus.ADVAPI32(00000000,00D1D8CC), ref: 00CED1FD
CloseHandle.KERNEL32(00000000), ref: 00CED254
SetServiceStatus.ADVAPI32(00000000,00D1D8CC), ref: 00CED30E

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID:
API String ID: 3399922960-0
Opcode ID: cdc33b7ed1995d9a5615f8818ae9cd4f9f791e017f849ebff5fa752e6bff9174
Instruction ID: 91d679f8849bb94c5aa14241f5be4cf7d7cddf0ccec6ffc1361579038c2425e1
Opcode Fuzzy Hash: cdc33b7ed1995d9a5615f8818ae9cd4f9f791e017f849ebff5fa752e6bff9174
Instruction Fuzzy Hash: BB2200B4905719FBC704DF61FA881E87BB2FB98310B21C15AD881D2368EF355A93DB64

Function 00CE7230 Relevance: 11.0, APIs: 7, Instructions: 456fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,000000FF), ref: 00CE736B
ReadFile.KERNEL32(00000000,000000FF,?,?,00000000,?,?,?,?,000000FF), ref: 00CE73D9
CloseHandle.KERNEL32(00000000,?,?,?,?,000000FF), ref: 00CE73F2
GetTickCount.KERNEL32 ref: 00CE74B7
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00CE771A
WriteFile.KERNEL32(00000000,000000FF,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00CE77BA
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00CE7845

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID:
API String ID: 3478262135-0
Opcode ID: 033e4b9d94facf7fa472eb041d99d9305e1ce438b20e5006794a11ede07f2e52
Instruction ID: 8a1ce0854dedc1ceec630027cdedd5e76e486f3c7b6144aa90b16b6759483152
Opcode Fuzzy Hash: 033e4b9d94facf7fa472eb041d99d9305e1ce438b20e5006794a11ede07f2e52
Instruction Fuzzy Hash: 7E1241B0904B14FBD7048F65FD482E97BB6FB98710B11C15AE891D23A4EF3845A3CB65

Function 00CF2E80 Relevance: 10.9, APIs: 7, Instructions: 391processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000000,00000001), ref: 00CF2FE6
Process32First.KERNEL32(00000000,?), ref: 00CF3056

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32
String ID:
API String ID: 2353314856-0
Opcode ID: 5bbe0b613debb13b6caf5caf9328ac4e018c0908ee58e8a8f65afd35a9b7a3bc
Instruction ID: 20369ad913cf4255fb4216a081a1a0620b47271cdc9d4a2d52750ba3a4a8ea1a
Opcode Fuzzy Hash: 5bbe0b613debb13b6caf5caf9328ac4e018c0908ee58e8a8f65afd35a9b7a3bc
Instruction Fuzzy Hash: CC027AB4905729FBD7049F60FE482E87BB7FB99310B21C09AC891D2364EF354A52CB65

Function 00CF7790 Relevance: 9.3, APIs: 6, Instructions: 267filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00CF7872
GetFileTime.KERNEL32(00000000,?,?,?), ref: 00CF78DD
CloseHandle.KERNEL32(00000000), ref: 00CF796E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CF7A84
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00CF7ADF
CloseHandle.KERNEL32(00000000), ref: 00CF7AFD

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3236713533-0
Opcode ID: ad0d0caf53239ef0c853461eef8b86a2120929ec849d845d5bd3f196ee8ea9ff
Instruction ID: 97c8c6158a2ea9e1d33c827b0cbc12a2cfd19ce65752f30dca72f3e979a3ef4f
Opcode Fuzzy Hash: ad0d0caf53239ef0c853461eef8b86a2120929ec849d845d5bd3f196ee8ea9ff
Instruction Fuzzy Hash: 16B16871A01719FBD7009FA4FD442E87BB2FB88311B21C55AD881E23A4EF345667CB65

Function 00CE2FF0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 284processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CE3115
Process32First.KERNEL32(00000000,00000128), ref: 00CE3245
Process32Next.KERNEL32(00000000,00000128), ref: 00CE338B

Strings

Tr^Z, xrefs: 00CE34BD

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32
String ID: Tr^Z
API String ID: 1238713047-2648191975
Opcode ID: d27e7d3a004a0fde0f427e08e829ec51f6f8f41adc896afb0c9070ceb0ba6491
Instruction ID: 9100ab6e66cca8171e8ff899fc817650d0549cc4a95348622dae791cdf2cacc2
Opcode Fuzzy Hash: d27e7d3a004a0fde0f427e08e829ec51f6f8f41adc896afb0c9070ceb0ba6491
Instruction Fuzzy Hash: 22C133B0901759FBDB009F61FD882E47B72FB88350B22C085D491D23A4EF3596ABCB65

Function 00CF3078 Relevance: 7.8, APIs: 5, Instructions: 262COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CF31F8

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: OpenProcess
String ID:
API String ID: 3743895883-0
Opcode ID: 07c9e2eb17e4e72d1ddb32fd9ec9c97f712f63a7e4aba2b536de184d44283d9d
Instruction ID: 12de31ddc9cf80585cdc1ea225b80e716bf9f0d0e16f76fff94bcd160cf75002
Opcode Fuzzy Hash: 07c9e2eb17e4e72d1ddb32fd9ec9c97f712f63a7e4aba2b536de184d44283d9d
Instruction Fuzzy Hash: 4CB17974905729FBD7049F20FE482E97BB2FB85310B21C096C895E2364EF354A63CB65

Function 00D07990 Relevance: 7.6, APIs: 5, Instructions: 109synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 00D07A41
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00D07A6A
CloseHandle.KERNEL32(00000000), ref: 00D07AB5
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D07B09
CloseHandle.KERNEL32(?,?,000000FF), ref: 00D07B24

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: 2415151026ff6feca31e93069d924ebffba2ec166cef0051ef55052973e580f3
Instruction ID: 21014e57783fe8af77b731922d5f6ef189046cd9cccaa3c4c8822edd771568c2
Opcode Fuzzy Hash: 2415151026ff6feca31e93069d924ebffba2ec166cef0051ef55052973e580f3
Instruction Fuzzy Hash: 3541E070544728FBD3049F10FC486E47BB6FB89721B11C14AE8A5C63A8CF7994A6CB75

Function 00D03BD9 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 249sleepthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_000355D0,00000000,00000000,00000000), ref: 00D03F6E
Sleep.KERNEL32(0000C350), ref: 00D03FF5

Strings

DH|(, xrefs: 00D03E05
C:\oblimpyrbviueg\hrzceasx.exe, xrefs: 00D03E69

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: CreateSleepThread
String ID: C:\oblimpyrbviueg\hrzceasx.exe$DH|(
API String ID: 4202482776-298854076
Opcode ID: 961f5f063daaae08b15b183db2cdf5822f8b078d4b74aaad51447448c9be6858
Instruction ID: e40f377186a9d60e9856b0deb1d58eefe1c2dba341976c100bace20c953350ff
Opcode Fuzzy Hash: 961f5f063daaae08b15b183db2cdf5822f8b078d4b74aaad51447448c9be6858
Instruction Fuzzy Hash: D0B14170A00B18FBE7009F64FD496E97BB6FB89300F11C085E585D23A4EF384A96DB65

Function 00CF3E30 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,?,00000001,00007AB9,?,00D09D96), ref: 00CF3E4E
GetStdHandle.KERNEL32(000000F5,00000000,?,00000001,00007AB9,?,00D09D96), ref: 00CF3EBA
GetStdHandle.KERNEL32(000000F4,00000000,?,00000001,00007AB9,?,00D09D96), ref: 00CF3F3A

Strings

8N6x, xrefs: 00CF3F59

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: Handle
String ID: 8N6x
API String ID: 2519475695-3105736675
Opcode ID: 42e856f19cb9111cedd02329da581663fd100cc03b16d4aabe70fccd7bbce945
Instruction ID: 35d7411911ee59689691825fbb6046672bd4a15c17215e3943b6b18809c2b548
Opcode Fuzzy Hash: 42e856f19cb9111cedd02329da581663fd100cc03b16d4aabe70fccd7bbce945
Instruction Fuzzy Hash: B4313FB1A00328FB83009F55FE844E57BB7FB89360762C14AE465C23A5DF314962CB76

Function 00CE3276 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32(00000000,00000128), ref: 00CE338B
CloseHandle.KERNEL32(00000000), ref: 00CE3421

Strings

Tr^Z, xrefs: 00CE34BD

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: CloseHandleNextProcess32
String ID: Tr^Z
API String ID: 4007157957-2648191975
Opcode ID: f842614046bbd50a10e57d1f541857f0903e8fc3295cf063e067bb0544ee8aad
Instruction ID: 3d5dde5d71e6e546d19b0bdb2c3268cdbb4ae52bad4e53f10d2d86e2d66d8026
Opcode Fuzzy Hash: f842614046bbd50a10e57d1f541857f0903e8fc3295cf063e067bb0544ee8aad
Instruction Fuzzy Hash: 7A517670600799EBDB108F21FD896E53B32FB88310F11C085C991C6360DF3A96ABC725

Function 00CE32B5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32(00000000,00000128), ref: 00CE338B
CloseHandle.KERNEL32(00000000), ref: 00CE3421

Strings

Tr^Z, xrefs: 00CE34BD

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: CloseHandleNextProcess32
String ID: Tr^Z
API String ID: 4007157957-2648191975
Opcode ID: 66aba8954995693f6bef5bb8f7e989758925cedb3fe7141fa6653d5e4b532082
Instruction ID: f3cc580d894a86a601ecd0f3f9ab2e859a6688378ac2d9b2a6fd5ff8dc2bb41d
Opcode Fuzzy Hash: 66aba8954995693f6bef5bb8f7e989758925cedb3fe7141fa6653d5e4b532082
Instruction Fuzzy Hash: 2C416970600799E7DB108F21FD896E43B76FB88310F11C095D995C2360DF3A96ABCB26

Function 00D0B5A0 Relevance: 5.0, APIs: 4, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?), ref: 00D0B5FB
HeapReAlloc.KERNEL32(00000000), ref: 00D0B602
GetProcessHeap.KERNEL32(00000000,?), ref: 00D0B632
HeapAlloc.KERNEL32(00000000), ref: 00D0B639

Memory Dump Source

Source File: 00000002.00000002.1392759106.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000002.00000002.1392743805.0000000000CD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392787150.0000000000D12000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392803567.0000000000D1D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1392815882.0000000000D1F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd0000_uzqv2crbnrrqx7oiosyki.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: c8f266a056059ea5990e8bbbe070703b01a13da00fbffea806e9571bc907da62
Instruction ID: efb4d55b5f3a537c75c1e8da227d92df9856ed37eb7e4b7bbaa89d230fefbbc2
Opcode Fuzzy Hash: c8f266a056059ea5990e8bbbe070703b01a13da00fbffea806e9571bc907da62
Instruction Fuzzy Hash: D50153B4A40719FBDB00AF60FC495AA7B3AFB99311B00C245E849C6760DF3694A2C775

Analysis Process: usncdvbjyrwr.exePID: 7484, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	33.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1193
Total number of Limit Nodes:	25

Executed Functions

Function 004CE0B9 Relevance: 191.1, APIs: 79, Strings: 28, Instructions: 3825
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76F70000,?), ref: 004CE0ED
GetProcAddress.KERNEL32(76F70000,?), ref: 004CE1A4
GetProcAddress.KERNEL32(76F70000,?), ref: 004CE290
GetProcAddress.KERNEL32(76F70000,?), ref: 004CE32F
GetProcAddress.KERNEL32(76F70000,?), ref: 004CE394
GetProcAddress.KERNEL32(76F70000,?), ref: 004CE43A
GetProcAddress.KERNEL32(76F70000,?), ref: 004CE501
GetProcAddress.KERNEL32(76F70000,?), ref: 004CE5DD

Strings

h:, xrefs: 004CFF33
h\7, xrefs: 004CFA94
PP8], xrefs: 004CF7F1
jhz*, xrefs: 004CFCBA
hd", xrefs: 004CE1BF
h&(, xrefs: 004D06B1
h, xrefs: 004D01BA
hC", xrefs: 004CF2E2
h[*, xrefs: 004D0EA3
h), xrefs: 004CE929
h6, xrefs: 004D1841
h, xrefs: 004CFC0B
hk#, xrefs: 004CF7E0
hP, xrefs: 004D088B
hO+, xrefs: 004CE7D5
@l, xrefs: 004D16BE
h{7, xrefs: 004D1281
h0, xrefs: 004D11E9
jhb$, xrefs: 004CEA44
hi*, xrefs: 004D0B40
h{), xrefs: 004CF008
(S, xrefs: 004D1583
h-), xrefs: 004D147A
h-<, xrefs: 004D1A01
hQ", xrefs: 004D1325
|'XB, xrefs: 004CE53E, 004CE56C, 004D14E4, 004D1502, 004D1BB9, 004D1BCC
hi+, xrefs: 004CE3C0
C:\Windows\system32\config\systemprofile, xrefs: 004D15B6

Memory Dump Source

Source File: 00000003.00000002.2157999556.00000000004A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000003.00000002.2157973641.00000000004A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2158039885.00000000004E2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2158062605.00000000004ED000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2158080198.00000000004EF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4a0000_usncdvbjyrwr.jbxd

Similarity

API ID: AddressProc
String ID: @l$C:\Windows\system32\config\systemprofile$PP8]$h$h&($h-)$h-<$h0$h:$hC"$hO+$hP$hQ"$h[*$h\7$hd"$hi*$hi+$hk#$h{)$h{7$h$h)$h6$jhz*$jhb$$|'XB$(S
API String ID: 190572456-3608880617
Opcode ID: 55918e4c0933b99c571d3c73a1f8af6f371c3d0a740ce92ef3c3e2d12947ad38
Instruction ID: 1faa525f351a800a3eda4f367b49403f052579c817a99c7c93c5fb306d1d74d4
Opcode Fuzzy Hash: 55918e4c0933b99c571d3c73a1f8af6f371c3d0a740ce92ef3c3e2d12947ad38
Instruction Fuzzy Hash: 3B8389B4D01688EBD704DF60FEC46A97BB0FB88314F1181BAD9805E2A7DB355A60DB4D

Function 004DF820 Relevance: 31.2, APIs: 11, Strings: 6, Instructions: 1429
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 004E0491
setsockopt.WS2_32(00000000,0000FFFF,00001006,00000000,00000004), ref: 004E05C5
gethostbyname.WS2_32(?), ref: 004E0669
inet_ntoa.WS2_32(00000002), ref: 004E06D6
inet_addr.WS2_32(00000000), ref: 004E06DD
htons.WS2_32(00000050), ref: 004E071A

Strings

o^M, xrefs: 004E059F
`z{, xrefs: 004E0A91
PP8], xrefs: 004DFE5F
r-(W, xrefs: 004DFB1A
/, xrefs: 004DFA5E
|'XB, xrefs: 004E0A99

Memory Dump Source

Source File: 00000003.00000002.2157999556.00000000004A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000003.00000002.2157973641.00000000004A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2158039885.00000000004E2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2158062605.00000000004ED000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2158080198.00000000004EF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4a0000_usncdvbjyrwr.jbxd

Similarity

API ID: gethostbynamehtonsinet_addrinet_ntoasetsockoptsocket
String ID: /$PP8]$o^M$r-(W$|'XB$`z{
API String ID: 2269612703-2391796989
Opcode ID: 1734e957deb75317ff0f721f1812cdeafe4118383865ebadbeaf87fb9c839be7
Instruction ID: 711b9be022cb2cd730bb03b76529cba86eb99cad37a62d6ae7c17065fcf79961
Opcode Fuzzy Hash: 1734e957deb75317ff0f721f1812cdeafe4118383865ebadbeaf87fb9c839be7
Instruction Fuzzy Hash: 2CD2DD74D00689EBC704EF61FDC46A87BB0FB98305F1181BAD8816E2A7EB354965CB4D

Function 004BCCA0 Relevance: 19.7, APIs: 8, Strings: 3, Instructions: 454
registrysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(00EAE638,004D9EE0), ref: 004BCE80
SetServiceStatus.SECHOST(00EBAF80,004ED8CC), ref: 004BCF35
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004BCF66
SetServiceStatus.ADVAPI32(00EBAF80,004ED8CC), ref: 004BD018
WaitForSingleObject.KERNEL32(00000204,00001388), ref: 004BD122
SetServiceStatus.ADVAPI32(00EBAF80,004ED8CC), ref: 004BD1FD
CloseHandle.KERNEL32(00000204), ref: 004BD254
SetServiceStatus.ADVAPI32(00EBAF80,004ED8CC), ref: 004BD30E

Strings

r-(W, xrefs: 004BD0A7, 004BD133, 004BD159
|'XB, xrefs: 004BD338, 004BD344
8, xrefs: 004BCE79

Memory Dump Source

Source File: 00000003.00000002.2157999556.00000000004A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000003.00000002.2157973641.00000000004A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2158039885.00000000004E2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2158062605.00000000004ED000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2158080198.00000000004EF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4a0000_usncdvbjyrwr.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID: 8$r-(W$|'XB
API String ID: 3399922960-2054407637
Opcode ID: 27af1481daf7782229ff1051e5888b3dcd49aabf04c9c199292fa54b682c8de3
Instruction ID: 88c5746f8f140e0404cef32645f7467eb68a07742b47b284a209f9792ea18ad4
Opcode Fuzzy Hash: 27af1481daf7782229ff1051e5888b3dcd49aabf04c9c199292fa54b682c8de3
Instruction Fuzzy Hash: FC225AB4D05685EFC704DF60FEC41A87BB0FB98324B2184BAC8819E2B6E7355A51DB4C

Function 004D6C40 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 444libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(76DA0000,00000000), ref: 004D6F67
GetProcAddress.KERNEL32(76DA0000,00000000), ref: 004D7019

Strings

|'XB, xrefs: 004D71BA

Memory Dump Source

Source File: 00000003.00000002.2157999556.00000000004A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000003.00000002.2157973641.00000000004A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2158039885.00000000004E2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2158062605.00000000004ED000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2158080198.00000000004EF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4a0000_usncdvbjyrwr.jbxd

Similarity

API ID: AddressProc
String ID: |'XB
API String ID: 190572456-3609159613
Opcode ID: a6fae5d6199d00ac2690912c1a94164e036af6eb0fb038868019346b0e922473
Instruction ID: 8036938ae81cc50ffd348b84f81070899dad188a1cf58a3c83658230291df66c
Opcode Fuzzy Hash: a6fae5d6199d00ac2690912c1a94164e036af6eb0fb038868019346b0e922473
Instruction Fuzzy Hash: D412AE74D00684EBCB009F61FDC82A9BB70FB98714F1585BAC8846E2B7EB3545A5CB4D

Function 004AAC20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(2K,00000000,004B32EC,?), ref: 004AACA0
CharLowerBuffA.USER32(2K,00000000), ref: 004AACA8

Strings

2K, xrefs: 004AAC9C, 004AAC9F, 004AACA7

Memory Dump Source

Source File: 00000003.00000002.2157999556.00000000004A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000003.00000002.2157973641.00000000004A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2158039885.00000000004E2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2158062605.00000000004ED000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2158080198.00000000004EF000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4a0000_usncdvbjyrwr.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID: 2K
API String ID: 794975171-3897514229
Opcode ID: fab50fe513d80513eed3520eb6aa109208824fb1f8653fd8e42d349978c34355
Instruction ID: c9785ce6385f29306d22bb6655c20055054a5b8e89c051adb59f3633cf4fbf4a
Opcode Fuzzy Hash: fab50fe513d80513eed3520eb6aa109208824fb1f8653fd8e42d349978c34355
Instruction Fuzzy Hash: 82118F79D04A95DBC3049F28FDC80A97B75FB987203114679EC858F267EB305960CB8D

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8CO4P3HwDt.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\oblimpyrbviueg\vqipymk4ju

C:\oblimpyrbviueg\hrzceasx.exe

C:\oblimpyrbviueg\usncdvbjyrwr.exe

C:\oblimpyrbviueg\uzqv2crbnrrqx7oiosyki.exe

C:\oblimpyrbviueg\vqipymk4ju

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
8CO4P3HwDt.exe

Function 00C2A780 Relevance: 7.8, APIs: 5, Instructions: 294
filesleepCOMMON

Function 00C57710 Relevance: 4.7, APIs: 3, Instructions: 152
memoryCOMMON

Function 00C55570 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Function 00C4E0B9 Relevance: 185.8, APIs: 79, Strings: 25, Instructions: 3825
libraryloaderCOMMON

Function 00C4E6F6 Relevance: 168.0, APIs: 71, Strings: 23, Instructions: 3471
libraryloaderCOMMON

Function 00C50F4E Relevance: 41.3, APIs: 15, Strings: 8, Instructions: 1085
libraryloadersynchronizationCOMMON

Function 00C32525 Relevance: 14.6, APIs: 5, Strings: 3, Instructions: 638
COMMON

Function 00C37230 Relevance: 11.0, APIs: 7, Instructions: 456
fileCOMMON

Function 00C46700 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 429
fileCOMMON

Function 00C33A80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 149
processCOMMON

Function 00C2AC20 Relevance: 3.1, APIs: 2, Instructions: 53
stringCOMMON

Function 00C44770 Relevance: 3.0, APIs: 2, Instructions: 35
memoryCOMMON

Function 00C59D80 Relevance: 1.6, APIs: 1, Instructions: 77
COMMON

Function 00C3AA20 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre