Edit tour

Windows Analysis Report
Z4KBs1USsJ.exe

Overview

General Information

Sample name:	Z4KBs1USsJ.exe renamed because original name is a hash value
Original sample name:	2c44774360d281f890ad8869e2c1aa05a4ee7fe92fbf0d9ab20508aa7fba7f8c.exe
Analysis ID:	1551221
MD5:	9c485842f954958288c2ecf17881439a
SHA1:	a12c829ff47dd3a496594d6527affb7eedd3bd11
SHA256:	2c44774360d281f890ad8869e2c1aa05a4ee7fe92fbf0d9ab20508aa7fba7f8c
Tags:	exeuser-adrian__luca
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to resolve many domain names, but no domain seems valid

Connects to many different domains

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Executes massive DNS lookups (> 100)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Z4KBs1USsJ.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\Z4KBs1USsJ.exe" MD5: 9C485842F954958288C2ECF17881439A)

nflzf2rny8bxnz25kz2r.exe (PID: 7456 cmdline: "C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe" MD5: 9C485842F954958288C2ECF17881439A)

eqyozfmcsgls.exe (PID: 7560 cmdline: "C:\trshmfqlcbpta\eqyozfmcsgls.exe" MD5: 9C485842F954958288C2ECF17881439A)

eqyozfmcsgls.exe (PID: 7484 cmdline: C:\trshmfqlcbpta\eqyozfmcsgls.exe MD5: 9C485842F954958288C2ECF17881439A)

yrykdhhlfqp.exe (PID: 7524 cmdline: jmbk6ivdkgpf "c:\trshmfqlcbpta\eqyozfmcsgls.exe" MD5: 9C485842F954958288C2ECF17881439A)

eqyozfmcsgls.exe (PID: 7180 cmdline: "c:\trshmfqlcbpta\eqyozfmcsgls.exe" MD5: 9C485842F954958288C2ECF17881439A)

yrykdhhlfqp.exe (PID: 7196 cmdline: jmbk6ivdkgpf "c:\trshmfqlcbpta\eqyozfmcsgls.exe" MD5: 9C485842F954958288C2ECF17881439A)

cleanup

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T16:05:03.405776+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.4	49733	TCP
2024-11-07T16:05:43.191800+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.4	49754	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T16:04:57.719373+0100	2018141	1	A Network Trojan was detected	18.143.155.63	80	192.168.2.4	49731	TCP
2024-11-07T16:05:00.001066+0100	2018141	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.4	49732	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T16:04:57.719373+0100	2037771	1	A Network Trojan was detected	18.143.155.63	80	192.168.2.4	49731	TCP
2024-11-07T16:05:00.001066+0100	2037771	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.4	49732	TCP

ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T16:04:54.200420+0100	2018316	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.4	57260	UDP

ETPRO EXPLOIT Possible dhcpcd IPv6 IA/NA Buffer Overflow [Advertise 0x02] Inbound (CVE-2019-11577)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T16:05:04.375496+0100	2849429	1	Attempted Administrator Privilege Gain	1.1.1.1	53	192.168.2.4	49870	UDP

ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T16:05:00.161715+0100	2811542	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.4	59935	UDP
2024-11-07T16:06:50.175538+0100	2811542	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.4	60993	UDP

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T16:04:57.352154+0100	2815568	1	A Network Trojan was detected	192.168.2.4	49731	18.143.155.63	80	TCP
2024-11-07T16:06:32.790294+0100	2815568	1	A Network Trojan was detected	192.168.2.4	50009	199.59.243.227	80	TCP

ETPRO MALWARE W32/Bayrob Attempted Checkin 2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T16:04:57.352154+0100	2820680	1	Malware Command and Control Activity Detected	192.168.2.4	49731	18.143.155.63	80	TCP
2024-11-07T16:06:32.790294+0100	2820680	1	Malware Command and Control Activity Detected	192.168.2.4	50009	199.59.243.227	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Z4KBs1USsJ.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Avira: detection malicious, Label: TR/Nivdort.Gen2
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Avira: detection malicious, Label: TR/Nivdort.Gen2
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Avira: detection malicious, Label: TR/Nivdort.Gen2

Multi AV Scanner detection for dropped file

Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	ReversingLabs: Detection: 92%
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	ReversingLabs: Detection: 92%
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	ReversingLabs: Detection: 92%

Multi AV Scanner detection for submitted file

Source: Z4KBs1USsJ.exe

ReversingLabs: Detection: 92%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Joe Sandbox ML: detected
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Joe Sandbox ML: detected
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Z4KBs1USsJ.exe

Joe Sandbox ML: detected

Source: Z4KBs1USsJ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Z4KBs1USsJ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Code function: 0_2_00CE7B00 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00CE7B00
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Code function: 1_2_003D7B00 Sleep,FindFirstFileA,FindNextFileA,FindClose,	1_2_003D7B00
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Code function: 2_2_00287B00 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_00287B00
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 3_2_00E17B00 Sleep,FindFirstFileA,FindNextFileA,FindClose,	3_2_00E17B00
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 10_2_002F7B00 Sleep,FindFirstFileA,FindNextFileA,FindClose,	10_2_002F7B00

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2820680 - Severity 1 - ETPRO MALWARE W32/Bayrob Attempted Checkin 2 : 192.168.2.4:49731 -> 18.143.155.63:80
Source: Network traffic	Suricata IDS: 2820680 - Severity 1 - ETPRO MALWARE W32/Bayrob Attempted Checkin 2 : 192.168.2.4:50009 -> 199.59.243.227:80

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: heavydivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreemanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavendivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requirebusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returndivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heaveninside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glasspeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerdaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavybusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarymanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leadermanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarybusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardpeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlestream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavystream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returninstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requirebright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requiremanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreebright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlenothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answeranother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlemanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousnothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlebusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heaveninstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answermanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreebrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlebottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavymanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnnothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavynothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreebusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarybright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ordermanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderdivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerpeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavybottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavybright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousdivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlebright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreepeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returninside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavennothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwarddaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnstream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassdaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentledivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderanother.net replaycode: Name error (3)

Source: unknown

Network traffic detected: DNS query count 170

Source: global traffic

DNS traffic detected: number of DNS queries: 170

Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: gentleanother.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: glassbright.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantinstead.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: degreedaughter.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: difficultpeople.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 18.143.155.63 18.143.155.63

Source: Network traffic	Suricata IDS: 2811542 - Severity 1 - ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) : 1.1.1.1:53 -> 192.168.2.4:59935
Source: Network traffic	Suricata IDS: 2018316 - Severity 1 - ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses : 1.1.1.1:53 -> 192.168.2.4:57260
Source: Network traffic	Suricata IDS: 2815568 - Severity 1 - ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort : 192.168.2.4:49731 -> 18.143.155.63:80
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.143.155.63:80 -> 192.168.2.4:49731
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.143.155.63:80 -> 192.168.2.4:49731
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.4:49732
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.4:49732
Source: Network traffic	Suricata IDS: 2849429 - Severity 1 - ETPRO EXPLOIT Possible dhcpcd IPv6 IA/NA Buffer Overflow [Advertise 0x02] Inbound (CVE-2019-11577) : 1.1.1.1:53 -> 192.168.2.4:49870
Source: Network traffic	Suricata IDS: 2815568 - Severity 1 - ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort : 192.168.2.4:50009 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2811542 - Severity 1 - ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) : 1.1.1.1:53 -> 192.168.2.4:60993
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49754
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49733

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

Code function: 0_2_00CCF079 recv,

0_2_00CCF079

Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: gentleanother.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: glassbright.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantinstead.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: degreedaughter.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: difficultpeople.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net

Source: global traffic	DNS traffic detected: DNS query: heavennothing.net
Source: global traffic	DNS traffic detected: DNS query: leaderbottle.net
Source: global traffic	DNS traffic detected: DNS query: heavenbottle.net
Source: global traffic	DNS traffic detected: DNS query: leaderdivide.net
Source: global traffic	DNS traffic detected: DNS query: heavendivide.net
Source: global traffic	DNS traffic detected: DNS query: heavystream.net
Source: global traffic	DNS traffic detected: DNS query: gentlestream.net
Source: global traffic	DNS traffic detected: DNS query: heavynothing.net
Source: global traffic	DNS traffic detected: DNS query: gentlenothing.net
Source: global traffic	DNS traffic detected: DNS query: heavybottle.net
Source: global traffic	DNS traffic detected: DNS query: gentlebottle.net
Source: global traffic	DNS traffic detected: DNS query: heavydivide.net
Source: global traffic	DNS traffic detected: DNS query: gentledivide.net
Source: global traffic	DNS traffic detected: DNS query: variousstream.net
Source: global traffic	DNS traffic detected: DNS query: returnstream.net
Source: global traffic	DNS traffic detected: DNS query: variousnothing.net
Source: global traffic	DNS traffic detected: DNS query: returnnothing.net
Source: global traffic	DNS traffic detected: DNS query: variousbottle.net
Source: global traffic	DNS traffic detected: DNS query: returnbottle.net
Source: global traffic	DNS traffic detected: DNS query: variousdivide.net
Source: global traffic	DNS traffic detected: DNS query: returndivide.net
Source: global traffic	DNS traffic detected: DNS query: degreemanner.net
Source: global traffic	DNS traffic detected: DNS query: forwardmanner.net
Source: global traffic	DNS traffic detected: DNS query: degreeanother.net
Source: global traffic	DNS traffic detected: DNS query: forwardanother.net
Source: global traffic	DNS traffic detected: DNS query: degreebusiness.net
Source: global traffic	DNS traffic detected: DNS query: forwardbusiness.net
Source: global traffic	DNS traffic detected: DNS query: degreeappear.net
Source: global traffic	DNS traffic detected: DNS query: forwardappear.net
Source: global traffic	DNS traffic detected: DNS query: answermanner.net
Source: global traffic	DNS traffic detected: DNS query: glassmanner.net
Source: global traffic	DNS traffic detected: DNS query: answeranother.net
Source: global traffic	DNS traffic detected: DNS query: glassanother.net
Source: global traffic	DNS traffic detected: DNS query: answerbusiness.net
Source: global traffic	DNS traffic detected: DNS query: glassbusiness.net
Source: global traffic	DNS traffic detected: DNS query: answerappear.net
Source: global traffic	DNS traffic detected: DNS query: glassappear.net
Source: global traffic	DNS traffic detected: DNS query: difficultmanner.net
Source: global traffic	DNS traffic detected: DNS query: heardmanner.net
Source: global traffic	DNS traffic detected: DNS query: difficultanother.net
Source: global traffic	DNS traffic detected: DNS query: heardanother.net
Source: global traffic	DNS traffic detected: DNS query: difficultbusiness.net
Source: global traffic	DNS traffic detected: DNS query: heardbusiness.net
Source: global traffic	DNS traffic detected: DNS query: difficultappear.net
Source: global traffic	DNS traffic detected: DNS query: heardappear.net
Source: global traffic	DNS traffic detected: DNS query: pleasantmanner.net
Source: global traffic	DNS traffic detected: DNS query: necessarymanner.net
Source: global traffic	DNS traffic detected: DNS query: pleasantanother.net
Source: global traffic	DNS traffic detected: DNS query: necessaryanother.net
Source: global traffic	DNS traffic detected: DNS query: pleasantbusiness.net
Source: global traffic	DNS traffic detected: DNS query: necessarybusiness.net
Source: global traffic	DNS traffic detected: DNS query: pleasantappear.net
Source: global traffic	DNS traffic detected: DNS query: necessaryappear.net
Source: global traffic	DNS traffic detected: DNS query: ordermanner.net
Source: global traffic	DNS traffic detected: DNS query: requiremanner.net
Source: global traffic	DNS traffic detected: DNS query: orderanother.net
Source: global traffic	DNS traffic detected: DNS query: requireanother.net
Source: global traffic	DNS traffic detected: DNS query: orderbusiness.net
Source: global traffic	DNS traffic detected: DNS query: requirebusiness.net
Source: global traffic	DNS traffic detected: DNS query: orderappear.net
Source: global traffic	DNS traffic detected: DNS query: requireappear.net
Source: global traffic	DNS traffic detected: DNS query: leadermanner.net
Source: global traffic	DNS traffic detected: DNS query: heavenmanner.net
Source: global traffic	DNS traffic detected: DNS query: leaderanother.net
Source: global traffic	DNS traffic detected: DNS query: heavenanother.net
Source: global traffic	DNS traffic detected: DNS query: leaderbusiness.net
Source: global traffic	DNS traffic detected: DNS query: heavenbusiness.net
Source: global traffic	DNS traffic detected: DNS query: leaderappear.net
Source: global traffic	DNS traffic detected: DNS query: heavenappear.net
Source: global traffic	DNS traffic detected: DNS query: heavymanner.net
Source: global traffic	DNS traffic detected: DNS query: gentlemanner.net
Source: global traffic	DNS traffic detected: DNS query: heavyanother.net
Source: global traffic	DNS traffic detected: DNS query: gentleanother.net
Source: global traffic	DNS traffic detected: DNS query: heavybusiness.net
Source: global traffic	DNS traffic detected: DNS query: gentlebusiness.net
Source: global traffic	DNS traffic detected: DNS query: heavyappear.net
Source: global traffic	DNS traffic detected: DNS query: gentleappear.net
Source: global traffic	DNS traffic detected: DNS query: variousmanner.net
Source: global traffic	DNS traffic detected: DNS query: returnmanner.net
Source: global traffic	DNS traffic detected: DNS query: variousanother.net
Source: global traffic	DNS traffic detected: DNS query: returnanother.net
Source: global traffic	DNS traffic detected: DNS query: variousbusiness.net
Source: global traffic	DNS traffic detected: DNS query: returnbusiness.net
Source: global traffic	DNS traffic detected: DNS query: variousappear.net
Source: global traffic	DNS traffic detected: DNS query: returnappear.net
Source: global traffic	DNS traffic detected: DNS query: degreeinstead.net
Source: global traffic	DNS traffic detected: DNS query: forwardinstead.net
Source: global traffic	DNS traffic detected: DNS query: degreeexplain.net
Source: global traffic	DNS traffic detected: DNS query: forwardexplain.net
Source: global traffic	DNS traffic detected: DNS query: degreebright.net
Source: global traffic	DNS traffic detected: DNS query: forwardbright.net
Source: global traffic	DNS traffic detected: DNS query: degreeinside.net
Source: global traffic	DNS traffic detected: DNS query: forwardinside.net
Source: global traffic	DNS traffic detected: DNS query: answerinstead.net
Source: global traffic	DNS traffic detected: DNS query: glassinstead.net
Source: global traffic	DNS traffic detected: DNS query: answerexplain.net
Source: global traffic	DNS traffic detected: DNS query: glassexplain.net
Source: global traffic	DNS traffic detected: DNS query: answerbright.net
Source: global traffic	DNS traffic detected: DNS query: glassbright.net
Source: global traffic	DNS traffic detected: DNS query: answerinside.net

Source: eqyozfmcsgls.exe, 00000002.00000002.2587655103.000000000077A000.00000004.00000020.00020000.00000000.sdmp, eqyozfmcsgls.exe, 00000009.00000002.2969760116.00000000012A7000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: https://www.google.com

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	File created: C:\Windows\trshmfqlcbpta\	Jump to behavior
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	File created: C:\Windows\trshmfqlcbpta\no2uvy	Jump to behavior
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	File created: C:\Windows\trshmfqlcbpta\no2uvy	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	File created: C:\Windows\trshmfqlcbpta\no2uvy	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	File created: C:\Windows\trshmfqlcbpta\no2uvy	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	File created: C:\Windows\trshmfqlcbpta\no2uvy	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	File created: C:\Windows\trshmfqlcbpta\no2uvy	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	File created: C:\Windows\trshmfqlcbpta\no2uvy	Jump to behavior

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

File deleted: C:\Windows\trshmfqlcbpta\no2uvy

Jump to behavior

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Code function: 0_2_00CC9AC0	0_2_00CC9AC0
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Code function: 1_2_003B9AC0	1_2_003B9AC0
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Code function: 2_2_00269AC0	2_2_00269AC0
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 3_2_00E15857	3_2_00E15857
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 3_2_00DF9AC0	3_2_00DF9AC0
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 10_2_002D9AC0	10_2_002D9AC0

Source: Z4KBs1USsJ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal96.troj.evad.winEXE@12/5@195/5

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Code function: CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	0_2_00CB7DA0
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	1_2_003A7DA0
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Code function: CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	2_2_00257DA0
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	3_2_00DE7DA0
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	10_2_002C7DA0

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

Code function: 0_2_00CEE950 CreateToolhelp32Snapshot,OpenProcess,CloseHandle,Process32Next,CloseHandle,

0_2_00CEE950

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

Code function: 0_2_00CC7DE0 StartServiceCtrlDispatcherA,

0_2_00CC7DE0

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Code function: 0_2_00CC7DE0 StartServiceCtrlDispatcherA,	0_2_00CC7DE0
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Code function: 1_2_003B7DE0 StartServiceCtrlDispatcherA,	1_2_003B7DE0
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Code function: 2_2_00267DE0 StartServiceCtrlDispatcherA,	2_2_00267DE0
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 3_2_00DF7DE0 StartServiceCtrlDispatcherA,	3_2_00DF7DE0
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 10_2_002D7DE0 StartServiceCtrlDispatcherA,	10_2_002D7DE0

Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe

Mutant created: NULL

Source: Z4KBs1USsJ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Z4KBs1USsJ.exe

ReversingLabs: Detection: 92%

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

File read: C:\Users\user\Desktop\Z4KBs1USsJ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Z4KBs1USsJ.exe "C:\Users\user\Desktop\Z4KBs1USsJ.exe"
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Process created: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe "C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe"
Source: unknown	Process created: C:\trshmfqlcbpta\eqyozfmcsgls.exe C:\trshmfqlcbpta\eqyozfmcsgls.exe
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Process created: C:\trshmfqlcbpta\yrykdhhlfqp.exe jmbk6ivdkgpf "c:\trshmfqlcbpta\eqyozfmcsgls.exe"
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Process created: C:\trshmfqlcbpta\eqyozfmcsgls.exe "C:\trshmfqlcbpta\eqyozfmcsgls.exe"
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Process created: C:\trshmfqlcbpta\eqyozfmcsgls.exe "c:\trshmfqlcbpta\eqyozfmcsgls.exe"
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Process created: C:\trshmfqlcbpta\yrykdhhlfqp.exe jmbk6ivdkgpf "c:\trshmfqlcbpta\eqyozfmcsgls.exe"
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Process created: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe "C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe"	Jump to behavior
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Process created: C:\trshmfqlcbpta\eqyozfmcsgls.exe "C:\trshmfqlcbpta\eqyozfmcsgls.exe"	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Process created: C:\trshmfqlcbpta\yrykdhhlfqp.exe jmbk6ivdkgpf "c:\trshmfqlcbpta\eqyozfmcsgls.exe"	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Process created: C:\trshmfqlcbpta\eqyozfmcsgls.exe "c:\trshmfqlcbpta\eqyozfmcsgls.exe"	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Process created: C:\trshmfqlcbpta\yrykdhhlfqp.exe jmbk6ivdkgpf "c:\trshmfqlcbpta\eqyozfmcsgls.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: Z4KBs1USsJ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

Code function: 0_2_00CD915F GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetEnvironmentVariableA,CreateMutexA,CreateMutexA,GetTickCount,GetCommandLineA,Sleep,

0_2_00CD915F

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Code function: 0_2_00CE4285 push 0000002Bh; ret	0_2_00CE428A
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Code function: 0_2_00CE42B6 push 0000002Bh; ret	0_2_00CE428A
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Code function: 0_2_00CE1BE1 push 8B00CFE6h; ret	0_2_00CE1BE6
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Code function: 0_2_00CF1CD0 push eax; ret	0_2_00CF1CE4
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Code function: 0_2_00CF1CD0 push eax; ret	0_2_00CF1D0C
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Code function: 1_2_003E1CD0 push eax; ret	1_2_003E1CE4
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Code function: 1_2_003E1CD0 push eax; ret	1_2_003E1D0C
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Code function: 1_2_003D4285 push 0000002Bh; ret	1_2_003D428A
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Code function: 1_2_003D1BE1 push 8B003EE6h; ret	1_2_003D1BE6
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Code function: 2_2_00291CD0 push eax; ret	2_2_00291CE4
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Code function: 2_2_00291CD0 push eax; ret	2_2_00291D0C
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Code function: 2_2_00284285 push 0000002Bh; ret	2_2_0028428A
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Code function: 2_2_00281BE1 push 8B0029E6h; ret	2_2_00281BE6
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 3_2_00E21CD0 push eax; ret	3_2_00E21CE4
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 3_2_00E21CD0 push eax; ret	3_2_00E21D0C
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 3_2_00E14285 push 0000002Bh; ret	3_2_00E1428A
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 3_2_00E11BE1 push 8B00E2E6h; ret	3_2_00E11BE6
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 10_2_00301CD0 push eax; ret	10_2_00301CE4
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 10_2_00301CD0 push eax; ret	10_2_00301D0C
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 10_2_002F4285 push 0000002Bh; ret	10_2_002F428A
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 10_2_002F1BE1 push 8B0030E6h; ret	10_2_002F1BE6

Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	File created: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Jump to dropped file
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	File created: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	File created: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Jump to dropped file

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

Code function: 0_2_00CC7DE0 StartServiceCtrlDispatcherA,

0_2_00CC7DE0

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

0_2_00CD915F

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Code function: EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	0_2_00CCD280
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Code function: EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	1_2_003BD280
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Code function: EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	2_2_0026D280
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	3_2_00DFD280
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	10_2_002DD280

Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Code function: LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary,		1_2_003DCBD0
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Code function: LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary,		2_2_0028CBD0

Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Window / User API: threadDelayed 709			Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Window / User API: threadDelayed 1162			Jump to behavior

Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)			graph_1-12353
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-11019

Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe TID: 7532	Thread sleep time: -39996s >= -30000s	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe TID: 7528	Thread sleep count: 709 > 30	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe TID: 7528	Thread sleep time: -709000s >= -30000s	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe TID: 7528	Thread sleep count: 1162 > 30	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe TID: 7528	Thread sleep time: -1162000s >= -30000s	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe TID: 7188	Thread sleep count: 252 > 30	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe TID: 7188	Thread sleep time: -12600000s >= -30000s	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe TID: 7188	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe TID: 7200	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe TID: 7200	Thread sleep time: -31000s >= -30000s	Jump to behavior

Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Last function: Thread delayed
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Last function: Thread delayed
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Last function: Thread delayed
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Last function: Thread delayed
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Code function: 0_2_00CE7B00 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00CE7B00
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	Code function: 1_2_003D7B00 Sleep,FindFirstFileA,FindNextFileA,FindClose,	1_2_003D7B00
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Code function: 2_2_00287B00 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_00287B00
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 3_2_00E17B00 Sleep,FindFirstFileA,FindNextFileA,FindClose,	3_2_00E17B00
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 10_2_002F7B00 Sleep,FindFirstFileA,FindNextFileA,FindClose,	10_2_002F7B00

Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Thread delayed: delay time: 50000			Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Thread delayed: delay time: 50000			Jump to behavior

Source: nflzf2rny8bxnz25kz2r.exe, 00000001.00000002.1796838903.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, eqyozfmcsgls.exe, 00000002.00000002.2587655103.000000000077A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: eqyozfmcsgls.exe, 00000009.00000002.2969760116.00000000012A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllxx

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	API call chain: ExitProcess graph end node	graph_0-12821
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	API call chain: ExitProcess graph end node	graph_0-11465
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	API call chain: ExitProcess graph end node	graph_1-10251
Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	API call chain: ExitProcess graph end node	graph_1-10476
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	API call chain: ExitProcess graph end node	graph_2-9714
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	API call chain: ExitProcess graph end node	graph_2-11441
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	API call chain: ExitProcess graph end node

Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

0_2_00CD915F

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

Code function: 0_2_00CEC960 GetProcessHeap,RtlAllocateHeap,

0_2_00CEC960

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

Code function: 0_2_00CF0C20 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00CF0C20

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

Code function: 0_2_00CD8230 GetSystemTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

0_2_00CD8230

Source: C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 Process Injection	11 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 System Service Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	3 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Z4KBs1USsJ.exe	92%	ReversingLabs	Win32.Spyware.Nivdort
Z4KBs1USsJ.exe	100%	Avira	TR/Nivdort.Gen2
Z4KBs1USsJ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\trshmfqlcbpta\eqyozfmcsgls.exe	100%	Avira	TR/Nivdort.Gen2
C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	100%	Avira	TR/Nivdort.Gen2
C:\trshmfqlcbpta\yrykdhhlfqp.exe	100%	Avira	TR/Nivdort.Gen2
C:\trshmfqlcbpta\eqyozfmcsgls.exe	100%	Joe Sandbox ML
C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	100%	Joe Sandbox ML
C:\trshmfqlcbpta\yrykdhhlfqp.exe	100%	Joe Sandbox ML
C:\trshmfqlcbpta\eqyozfmcsgls.exe	92%	ReversingLabs	Win32.Spyware.Nivdort
C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe	92%	ReversingLabs	Win32.Spyware.Nivdort
C:\trshmfqlcbpta\yrykdhhlfqp.exe	92%	ReversingLabs	Win32.Spyware.Nivdort

Name	IP	Active	Malicious	Reputation
degreedaughter.net	85.214.228.140	true	false	high
7450.bodis.com	199.59.243.227	true	false	high
gentleanother.net	54.244.188.177	true	false	high
returnbottle.net	18.143.155.63	true	false	high
difficultpeople.net	13.248.169.48	true	false	unknown
pleasantinstead.net	18.143.155.63	true	false	high
forwardpeople.net	unknown	unknown	false	high
degreeanother.net	unknown	unknown	false	high
degreeexplain.net	unknown	unknown	false	high
heaveninside.net	unknown	unknown	false	high
answerappear.net	unknown	unknown	false	high
heavybusiness.net	unknown	unknown	false	high
pleasantinside.net	unknown	unknown	false	high
requirebusiness.net	unknown	unknown	false	high
forwardinside.net	unknown	unknown	false	high
glassmanner.net	unknown	unknown	false	high
answerexplain.net	unknown	unknown	false	high
orderinside.net	unknown	unknown	false	high
variousappear.net	unknown	unknown	false	high
returnbright.net	unknown	unknown	false	high
difficultanother.net	unknown	unknown	false	high
heavyinside.net	unknown	unknown	false	high
forwardready.net	unknown	unknown	false	high
glassdaughter.net	unknown	unknown	false	high
necessarymanner.net	unknown	unknown	false	high
answeranother.net	unknown	unknown	false	high
leadermanner.net	unknown	unknown	false	high
heavybottle.net	unknown	unknown	false	high
heavenbright.net	unknown	unknown	false	high
heavydivide.net	unknown	unknown	false	high
degreebrown.net	unknown	unknown	false	high
gentleinstead.net	unknown	unknown	false	high
glassanother.net	unknown	unknown	false	high
heavenanother.net	unknown	unknown	false	high
difficultmanner.net	unknown	unknown	false	high
glassexplain.net	unknown	unknown	false	high
requireinside.net	unknown	unknown	false	high
heavenexplain.net	unknown	unknown	false	high
forwardbusiness.net	unknown	unknown	false	high
difficultexplain.net	unknown	unknown	false	high
gentleappear.net	unknown	unknown	false	high
pleasantbright.net	unknown	unknown	false	high
returnexplain.net	unknown	unknown	false	high
gentlemanner.net	unknown	unknown	false	high
answerdaughter.net	unknown	unknown	false	high
heardinside.net	unknown	unknown	false	high
requiremanner.net	unknown	unknown	false	high
gentleexplain.net	unknown	unknown	false	high
glassappear.net	unknown	unknown	false	high
necessaryanother.net	unknown	unknown	false	high
glassinside.net	unknown	unknown	false	high
difficultbright.net	unknown	unknown	false	high
heardbrown.net	unknown	unknown	true	unknown
glasspeople.net	unknown	unknown	false	high
requireinstead.net	unknown	unknown	false	high
necessaryinside.net	unknown	unknown	false	high
returndivide.net	unknown	unknown	false	high
heardinstead.net	unknown	unknown	false	high
variousbright.net	unknown	unknown	false	high
degreebusiness.net	unknown	unknown	false	high
answerbusiness.net	unknown	unknown	false	high
heavenbusiness.net	unknown	unknown	false	high
gentledivide.net	unknown	unknown	false	high
variousinstead.net	unknown	unknown	false	high
gentlestream.net	unknown	unknown	false	high
pleasantmanner.net	unknown	unknown	false	high
necessaryappear.net	unknown	unknown	false	high
pleasantbusiness.net	unknown	unknown	false	high
heardbright.net	unknown	unknown	false	high
heavenbottle.net	unknown	unknown	false	high
heavynothing.net	unknown	unknown	false	high
gentlebusiness.net	unknown	unknown	false	high
ordermanner.net	unknown	unknown	false	high
leaderbottle.net	unknown	unknown	false	high
pleasantanother.net	unknown	unknown	false	high
heavyanother.net	unknown	unknown	false	high
degreeinstead.net	unknown	unknown	false	high
degreepeople.net	unknown	unknown	false	high
answerready.net	unknown	unknown	false	high
difficultbrown.net	unknown	unknown	true	unknown
answerbright.net	unknown	unknown	false	high
heavennothing.net	unknown	unknown	false	high
returninside.net	unknown	unknown	false	high
forwardbright.net	unknown	unknown	false	high
difficultinside.net	unknown	unknown	false	high
heavybright.net	unknown	unknown	false	high
leaderanother.net	unknown	unknown	false	high
returninstead.net	unknown	unknown	false	high
difficultinstead.net	unknown	unknown	false	high
heavenappear.net	unknown	unknown	false	high
answerinside.net	unknown	unknown	false	high
degreebright.net	unknown	unknown	false	high
forwardbrown.net	unknown	unknown	false	high
heavyinstead.net	unknown	unknown	false	high
gentleinside.net	unknown	unknown	false	high
heardexplain.net	unknown	unknown	false	high
heavyappear.net	unknown	unknown	false	high
answerpeople.net	unknown	unknown	false	high
pleasantexplain.net	unknown	unknown	false	high
requireexplain.net	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com	eqyozfmcsgls.exe, 00000002.00000002.2587655103.000000000077A000.00000004.00000020.00020000.00000000.sdmp, eqyozfmcsgls.exe, 00000009.00000002.2969760116.00000000012A7000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.248.169.48	difficultpeople.net	United States	16509	AMAZON-02US	false
18.143.155.63	returnbottle.net	United States	16509	AMAZON-02US	false
85.214.228.140	degreedaughter.net	Germany	6724	STRATOSTRATOAGDE	false
199.59.243.227	7450.bodis.com	United States	395082	BODIS-NJUS	false
54.244.188.177	gentleanother.net	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1551221
Start date and time:	2024-11-07 16:03:49 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Z4KBs1USsJ.exe renamed because original name is a hash value
Original Sample Name:	2c44774360d281f890ad8869e2c1aa05a4ee7fe92fbf0d9ab20508aa7fba7f8c.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@12/5@195/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 85% Number of executed functions: 48 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: Z4KBs1USsJ.exe

Simulations

Behavior and APIs

Time	Type	Description
10:05:26	API Interceptor	1840x Sleep call for process: yrykdhhlfqp.exe modified
10:06:15	API Interceptor	298x Sleep call for process: eqyozfmcsgls.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.248.169.48	Y7isAhMKal.exe	Get hash	malicious	FormBook	Browse	www.how2.guru/20wk/
	SDBARVe3d3.exe	Get hash	malicious	FormBook	Browse	www.sonoscan.org/ew98/
	3NvALxFlHV.exe	Get hash	malicious	FormBook	Browse	www.solidarity.rocks/hezo/
	FzmC0FwV6y.exe	Get hash	malicious	FormBook	Browse	www.virtu.industries/uln2/
	Shipping documents..exe	Get hash	malicious	FormBook	Browse	www.telforce.one/ykhz/
	icRicpJWczmiOf8.exe	Get hash	malicious	FormBook	Browse	www.ulula.org/4w1b/
	IbRV4I7MrS.exe	Get hash	malicious	FormBook	Browse	www.ila.beauty/izfe/
	p4rsJEIb7k.exe	Get hash	malicious	FormBook	Browse	www.notepad.mobi/zut6/?Q2_4=Kt4qQSLgj4HorxpxZIZ4p+EAwKHWi+XN9OiBuCBJU5cikXkc2Sk5R2gtgSdO+P2tW+5SfoOeVCvwWIOnLXM8QNp6yDsCjrxQ3ZxiPCiDnoMvdK5RCpNRC70=&uXP=1HX8
	r6lOHDg9N9.exe	Get hash	malicious	FormBook	Browse	www.polarmuseum.info/9u26/
	MV Sunshine.exe	Get hash	malicious	FormBook	Browse	www.ipk.app/phav/
18.143.155.63	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gentleanother.net	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
returnbottle.net	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
degreedaughter.net	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
7450.bodis.com	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	199.59.243.227

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	m8P4HaY7dU.vbs	Get hash	malicious	Unknown	Browse	18.226.186.214
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
STRATOSTRATOAGDE	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
AMAZON-02US	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	m8P4HaY7dU.vbs	Get hash	malicious	Unknown	Browse	18.226.186.214
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
BODIS-NJUS	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	199.59.243.227

Process:	C:\Users\user\Desktop\Z4KBs1USsJ.exe
File Type:	data
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.121928094887362
Encrypted:	false
SSDEEP:	3:4fvY:4fA
MD5:	85E8A64738DBED21EB974E9C24DFC70E
SHA1:	6CCD809DCC6BA61DC6E10CF5F4D8EF9CAD1CF6A9
SHA-256:	C59DC12ABDA7846B6CD7255C13F3E38FC7B4DC1163790EAE8242DC8985289C69
SHA-512:	EAE03EFEB2E4D709C3C5EF853EC23AA07DA765C3103A042A097FE7632FE209DD628ABADDE0C9F735420F9091DDAC13BAA7B24AE6B92FC118FA50648E1EAB7B7C
Malicious:	false
Reputation:	low
Preview:	..k`..ff.=

C:\trshmfqlcbpta\eqyozfmcsgls.exe

Download File

Process:	C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	364032
Entropy (8bit):	6.7838151372886095
Encrypted:	false
SSDEEP:	6144:PI3dxycctByFneZdUtr2hZV0JWZ85uLdH/ASBKPVJGj/DciGYpbPVnYOtgSmg3v6:PIicZVeia0JWyIDKPVUj7XlV9Yytmgfc
MD5:	9C485842F954958288C2ECF17881439A
SHA1:	A12C829FF47DD3A496594D6527AFFB7EEDD3BD11
SHA-256:	2C44774360D281F890AD8869E2C1AA05A4EE7FE92FBF0D9AB20508AA7FBA7F8C
SHA-512:	FCD500025E6F097544168EE0277CD1765006C28EFA0D1BB40DB6CA7FF0C8EA2AC13A46567F138C15D11DEA016BC00AB989E76DE00FF0BBC3ACC587332FE57EB4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q...................~.....B......p....B.....Rich............................PE..L.... zV.............................B.......0....@.......................................@.....................................P...............................p....................................................0..$............................text...J........................... ..`.rdata.......0......................@..@.data...l...........................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe

Download File

Process:	C:\Users\user\Desktop\Z4KBs1USsJ.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	364032
Entropy (8bit):	6.7838151372886095
Encrypted:	false
SSDEEP:	6144:PI3dxycctByFneZdUtr2hZV0JWZ85uLdH/ASBKPVJGj/DciGYpbPVnYOtgSmg3v6:PIicZVeia0JWyIDKPVUj7XlV9Yytmgfc
MD5:	9C485842F954958288C2ECF17881439A
SHA1:	A12C829FF47DD3A496594D6527AFFB7EEDD3BD11
SHA-256:	2C44774360D281F890AD8869E2C1AA05A4EE7FE92FBF0D9AB20508AA7FBA7F8C
SHA-512:	FCD500025E6F097544168EE0277CD1765006C28EFA0D1BB40DB6CA7FF0C8EA2AC13A46567F138C15D11DEA016BC00AB989E76DE00FF0BBC3ACC587332FE57EB4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q...................~.....B......p....B.....Rich............................PE..L.... zV.............................B.......0....@.......................................@.....................................P...............................p....................................................0..$............................text...J........................... ..`.rdata.......0......................@..@.data...l...........................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\trshmfqlcbpta\no2uvy

Download File

Process:	C:\Users\user\Desktop\Z4KBs1USsJ.exe
File Type:	data
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.121928094887362
Encrypted:	false
SSDEEP:	3:4fvY:4fA
MD5:	85E8A64738DBED21EB974E9C24DFC70E
SHA1:	6CCD809DCC6BA61DC6E10CF5F4D8EF9CAD1CF6A9
SHA-256:	C59DC12ABDA7846B6CD7255C13F3E38FC7B4DC1163790EAE8242DC8985289C69
SHA-512:	EAE03EFEB2E4D709C3C5EF853EC23AA07DA765C3103A042A097FE7632FE209DD628ABADDE0C9F735420F9091DDAC13BAA7B24AE6B92FC118FA50648E1EAB7B7C
Malicious:	false
Reputation:	low
Preview:	..k`..ff.=

C:\trshmfqlcbpta\yrykdhhlfqp.exe

Download File

Process:	C:\trshmfqlcbpta\eqyozfmcsgls.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	364032
Entropy (8bit):	6.7838151372886095
Encrypted:	false
SSDEEP:	6144:PI3dxycctByFneZdUtr2hZV0JWZ85uLdH/ASBKPVJGj/DciGYpbPVnYOtgSmg3v6:PIicZVeia0JWyIDKPVUj7XlV9Yytmgfc
MD5:	9C485842F954958288C2ECF17881439A
SHA1:	A12C829FF47DD3A496594D6527AFFB7EEDD3BD11
SHA-256:	2C44774360D281F890AD8869E2C1AA05A4EE7FE92FBF0D9AB20508AA7FBA7F8C
SHA-512:	FCD500025E6F097544168EE0277CD1765006C28EFA0D1BB40DB6CA7FF0C8EA2AC13A46567F138C15D11DEA016BC00AB989E76DE00FF0BBC3ACC587332FE57EB4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q...................~.....B......p....B.....Rich............................PE..L.... zV.............................B.......0....@.......................................@.....................................P...............................p....................................................0..$............................text...J........................... ..`.rdata.......0......................@..@.data...l...........................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.7838151372886095
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Z4KBs1USsJ.exe
File size:	364'032 bytes
MD5:	9c485842f954958288c2ecf17881439a
SHA1:	a12c829ff47dd3a496594d6527affb7eedd3bd11
SHA256:	2c44774360d281f890ad8869e2c1aa05a4ee7fe92fbf0d9ab20508aa7fba7f8c
SHA512:	fcd500025e6f097544168ee0277cd1765006c28efa0d1bb40db6ca7ff0c8ea2ac13a46567f138c15d11dea016bc00ab989e76de00ff0bbc3acc587332fe57eb4
SSDEEP:	6144:PI3dxycctByFneZdUtr2hZV0JWZ85uLdH/ASBKPVJGj/DciGYpbPVnYOtgSmg3v6:PIicZVeia0JWyIDKPVUj7XlV9Yytmgfc
TLSH:	E274F9ADDE8105EEDC02A0FC081533B7D7AD600573EAB4DB5A923B86597F8E4D93160B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q........................~......B........p......B......Rich............................PE..L.... zV...........................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4142d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x567A20EB [Wed Dec 23 04:19:55 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	c03c44838b405c72c00efe457c9026f9

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 08h
mov eax, dword ptr [0044E1A8h]
sub eax, 50B51EBEh
mov dword ptr [0044E55Ch], eax
dec dword ptr [0044E1A8h]
push esi
call 00007FCAB8B5FD34h
add dword ptr [0044E1E8h], 9B877EBEh
call 00007FCAB8B404E5h
fld dword ptr [0044E118h]
fsub qword ptr [00446F50h]
push 0044312Ch
push 00443124h
fstp dword ptr [0044E118h]
fld dword ptr [0044E118h]
fadd qword ptr [0044CCE8h]
fsub qword ptr [0044CCE0h]
fistp qword ptr [ebp-08h]
mov cx, word ptr [ebp-08h]
mov word ptr [0044E440h], cx
call 00007FCAB8B46234h
mov edx, dword ptr [0044E188h]
imul edx, edx, 4A6DB410h
add esp, 08h
mov dword ptr [0044E188h], edx
call 00007FCAB8B2708Ah
mov esi, eax
fld qword ptr [0044E0B8h]
fsub qword ptr [0044CCD8h]
fstp qword ptr [0044E0B8h]
call 00007FCAB8B36691h
movzx eax, word ptr [0044E4ACh]
sub eax, 32D8D7ECh
push esi
mov word ptr [0044E4ACh], ax
call dword ptr [00443074h]
int3
int3
int3
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+10h]
push ebx

Rich Headers

Programming Language:

[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[ASM] VS2003 (.NET) build 3077
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4ccf0	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x50000	0xc970	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x43000	0x124	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4104a	0x41200	693764a56948dc94cd53bba265aaf427	False	0.5246221209213052	data	6.301261590363873	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x43000	0xa2fc	0xa400	6412b2e88610d7f6ca621a54b3ba5591	False	0.7431640625	data	6.52046081980572	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4e000	0x116c	0x800	20f815c092ca7c2f037dedc4f231f4f1	False	0.734375	data	5.652927311962374	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x50000	0xca0e	0xcc00	adf383d4fba3ad0ef9d03f6937a8f44f	False	0.6534734987745098	data	6.833275130925352	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
GDI32.dll	SetSystemPaletteUse, GetDCPenColor, SetTextCharacterExtra, GetFontLanguageInfo, GetDCBrushColor, GetObjectType, GetNearestColor, GetBkColor
USER32.dll	IsWindowEnabled, SetDlgItemTextA, RemovePropA, GetMenuItemCount, SetWindowTextA, GetPropA, GetInputState, GetWindowLongA, SendMessageA, SetFocus, GetCursor, EndPaint, WindowFromDC, DrawTextA, GetDialogBaseUnits, GetWindowContextHelpId, GetMenuContextHelpId, BeginPaint, LoadIconA, GetDlgItem, GetScrollPos, EnableWindow, GetMenuCheckMarkDimensions, EndDialog, GetMenuItemID, ShowWindow, GetQueueStatus, wvsprintfA, CharLowerBuffA, GetWindowDC
KERNEL32.dll	CreateFileA, CloseHandle, LockResource, GetLastError, SetFilePointer, FindResourceA, LocalFlags, GetModuleHandleA, GetVersion, GetTickCount, GetCurrentProcessId, SizeofResource, GlobalHandle, GetDriveTypeA, DeleteFileA, GetProcAddress, MoveFileA, GlobalAlloc, LoadResource, GlobalSize, ExitProcess, GetSystemTime, SystemTimeToFileTime, WriteFile, HeapFree, GetFileTime, GetFileSize, HeapReAlloc, GetProcessHeap, HeapAlloc, lstrlenA, GetStdHandle

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-07T16:04:54.200420+0100	2018316	ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses	1	1.1.1.1	53	192.168.2.4	57260	UDP
2024-11-07T16:04:57.352154+0100	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	1	192.168.2.4	49731	18.143.155.63	80	TCP
2024-11-07T16:04:57.352154+0100	2820680	ETPRO MALWARE W32/Bayrob Attempted Checkin 2	1	192.168.2.4	49731	18.143.155.63	80	TCP
2024-11-07T16:04:57.719373+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.143.155.63	80	192.168.2.4	49731	TCP
2024-11-07T16:04:57.719373+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	18.143.155.63	80	192.168.2.4	49731	TCP
2024-11-07T16:05:00.001066+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	54.244.188.177	80	192.168.2.4	49732	TCP
2024-11-07T16:05:00.001066+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	54.244.188.177	80	192.168.2.4	49732	TCP
2024-11-07T16:05:00.161715+0100	2811542	ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)	1	1.1.1.1	53	192.168.2.4	59935	UDP
2024-11-07T16:05:03.405776+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.4	49733	TCP
2024-11-07T16:05:04.375496+0100	2849429	ETPRO EXPLOIT Possible dhcpcd IPv6 IA/NA Buffer Overflow [Advertise 0x02] Inbound (CVE-2019-11577)	1	1.1.1.1	53	192.168.2.4	49870	UDP
2024-11-07T16:05:43.191800+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.4	49754	TCP
2024-11-07T16:06:32.790294+0100	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	1	192.168.2.4	50009	199.59.243.227	80	TCP
2024-11-07T16:06:32.790294+0100	2820680	ETPRO MALWARE W32/Bayrob Attempted Checkin 2	1	192.168.2.4	50009	199.59.243.227	80	TCP
2024-11-07T16:06:50.175538+0100	2811542	ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)	1	1.1.1.1	53	192.168.2.4	60993	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 16:04:54.907028913 CET	49730	80	192.168.2.4	199.59.243.227
Nov 7, 2024 16:04:54.911993027 CET	80	49730	199.59.243.227	192.168.2.4
Nov 7, 2024 16:04:54.912066936 CET	49730	80	192.168.2.4	199.59.243.227
Nov 7, 2024 16:04:54.912143946 CET	49730	80	192.168.2.4	199.59.243.227
Nov 7, 2024 16:04:54.917021036 CET	80	49730	199.59.243.227	192.168.2.4
Nov 7, 2024 16:04:55.537199974 CET	80	49730	199.59.243.227	192.168.2.4
Nov 7, 2024 16:04:55.537226915 CET	80	49730	199.59.243.227	192.168.2.4
Nov 7, 2024 16:04:55.537291050 CET	49730	80	192.168.2.4	199.59.243.227
Nov 7, 2024 16:04:55.537592888 CET	80	49730	199.59.243.227	192.168.2.4
Nov 7, 2024 16:04:55.537637949 CET	49730	80	192.168.2.4	199.59.243.227
Nov 7, 2024 16:04:55.539736032 CET	49730	80	192.168.2.4	199.59.243.227
Nov 7, 2024 16:04:55.545085907 CET	80	49730	199.59.243.227	192.168.2.4
Nov 7, 2024 16:04:55.861843109 CET	49731	80	192.168.2.4	18.143.155.63
Nov 7, 2024 16:04:55.867842913 CET	80	49731	18.143.155.63	192.168.2.4
Nov 7, 2024 16:04:55.867953062 CET	49731	80	192.168.2.4	18.143.155.63
Nov 7, 2024 16:04:55.868019104 CET	49731	80	192.168.2.4	18.143.155.63
Nov 7, 2024 16:04:55.874584913 CET	80	49731	18.143.155.63	192.168.2.4
Nov 7, 2024 16:04:57.304246902 CET	80	49731	18.143.155.63	192.168.2.4
Nov 7, 2024 16:04:57.352154016 CET	49731	80	192.168.2.4	18.143.155.63
Nov 7, 2024 16:04:57.719372988 CET	80	49731	18.143.155.63	192.168.2.4
Nov 7, 2024 16:04:57.719480991 CET	49731	80	192.168.2.4	18.143.155.63
Nov 7, 2024 16:04:57.719640017 CET	49731	80	192.168.2.4	18.143.155.63
Nov 7, 2024 16:04:57.725100994 CET	80	49731	18.143.155.63	192.168.2.4
Nov 7, 2024 16:04:59.037698984 CET	49732	80	192.168.2.4	54.244.188.177
Nov 7, 2024 16:04:59.042615891 CET	80	49732	54.244.188.177	192.168.2.4
Nov 7, 2024 16:04:59.042691946 CET	49732	80	192.168.2.4	54.244.188.177
Nov 7, 2024 16:04:59.042748928 CET	49732	80	192.168.2.4	54.244.188.177
Nov 7, 2024 16:04:59.047606945 CET	80	49732	54.244.188.177	192.168.2.4
Nov 7, 2024 16:04:59.883291006 CET	80	49732	54.244.188.177	192.168.2.4
Nov 7, 2024 16:04:59.930357933 CET	49732	80	192.168.2.4	54.244.188.177
Nov 7, 2024 16:05:00.001065969 CET	80	49732	54.244.188.177	192.168.2.4
Nov 7, 2024 16:05:00.001354933 CET	49732	80	192.168.2.4	54.244.188.177
Nov 7, 2024 16:05:00.001354933 CET	49732	80	192.168.2.4	54.244.188.177
Nov 7, 2024 16:05:00.006268024 CET	80	49732	54.244.188.177	192.168.2.4
Nov 7, 2024 16:05:00.865619898 CET	49734	80	192.168.2.4	199.59.243.227
Nov 7, 2024 16:05:00.870459080 CET	80	49734	199.59.243.227	192.168.2.4
Nov 7, 2024 16:05:00.870532036 CET	49734	80	192.168.2.4	199.59.243.227
Nov 7, 2024 16:05:00.870626926 CET	49734	80	192.168.2.4	199.59.243.227
Nov 7, 2024 16:05:00.875629902 CET	80	49734	199.59.243.227	192.168.2.4
Nov 7, 2024 16:05:01.522624016 CET	80	49734	199.59.243.227	192.168.2.4
Nov 7, 2024 16:05:01.522636890 CET	80	49734	199.59.243.227	192.168.2.4
Nov 7, 2024 16:05:01.522648096 CET	80	49734	199.59.243.227	192.168.2.4
Nov 7, 2024 16:05:01.522708893 CET	49734	80	192.168.2.4	199.59.243.227
Nov 7, 2024 16:05:01.552058935 CET	80	49734	199.59.243.227	192.168.2.4
Nov 7, 2024 16:05:01.552223921 CET	49734	80	192.168.2.4	199.59.243.227
Nov 7, 2024 16:05:01.554883003 CET	49734	80	192.168.2.4	199.59.243.227
Nov 7, 2024 16:05:01.559714079 CET	80	49734	199.59.243.227	192.168.2.4
Nov 7, 2024 16:05:02.250397921 CET	49736	80	192.168.2.4	18.143.155.63
Nov 7, 2024 16:05:02.255266905 CET	80	49736	18.143.155.63	192.168.2.4
Nov 7, 2024 16:05:02.255336046 CET	49736	80	192.168.2.4	18.143.155.63
Nov 7, 2024 16:05:02.255408049 CET	49736	80	192.168.2.4	18.143.155.63
Nov 7, 2024 16:05:02.260198116 CET	80	49736	18.143.155.63	192.168.2.4
Nov 7, 2024 16:05:03.695981979 CET	80	49736	18.143.155.63	192.168.2.4
Nov 7, 2024 16:05:03.742686033 CET	49736	80	192.168.2.4	18.143.155.63
Nov 7, 2024 16:05:04.116147041 CET	80	49736	18.143.155.63	192.168.2.4
Nov 7, 2024 16:05:04.116286993 CET	49736	80	192.168.2.4	18.143.155.63
Nov 7, 2024 16:05:04.116287947 CET	49736	80	192.168.2.4	18.143.155.63
Nov 7, 2024 16:05:04.121931076 CET	80	49736	18.143.155.63	192.168.2.4
Nov 7, 2024 16:05:05.160934925 CET	49740	80	192.168.2.4	85.214.228.140
Nov 7, 2024 16:05:05.165899992 CET	80	49740	85.214.228.140	192.168.2.4
Nov 7, 2024 16:05:05.166383982 CET	49740	80	192.168.2.4	85.214.228.140
Nov 7, 2024 16:05:05.166482925 CET	49740	80	192.168.2.4	85.214.228.140
Nov 7, 2024 16:05:05.171622038 CET	80	49740	85.214.228.140	192.168.2.4
Nov 7, 2024 16:05:06.027467966 CET	80	49740	85.214.228.140	192.168.2.4
Nov 7, 2024 16:05:06.027825117 CET	49740	80	192.168.2.4	85.214.228.140
Nov 7, 2024 16:05:06.033968925 CET	80	49740	85.214.228.140	192.168.2.4
Nov 7, 2024 16:05:06.038367033 CET	49740	80	192.168.2.4	85.214.228.140
Nov 7, 2024 16:05:06.275218010 CET	49742	80	192.168.2.4	13.248.169.48
Nov 7, 2024 16:05:06.281337023 CET	80	49742	13.248.169.48	192.168.2.4
Nov 7, 2024 16:05:06.281404972 CET	49742	80	192.168.2.4	13.248.169.48
Nov 7, 2024 16:05:06.281502008 CET	49742	80	192.168.2.4	13.248.169.48
Nov 7, 2024 16:05:06.286518097 CET	80	49742	13.248.169.48	192.168.2.4
Nov 7, 2024 16:05:06.956911087 CET	80	49742	13.248.169.48	192.168.2.4
Nov 7, 2024 16:05:06.957477093 CET	49742	80	192.168.2.4	13.248.169.48
Nov 7, 2024 16:05:06.963052034 CET	80	49742	13.248.169.48	192.168.2.4
Nov 7, 2024 16:05:06.963128090 CET	49742	80	192.168.2.4	13.248.169.48
Nov 7, 2024 16:06:32.167057037 CET	50009	80	192.168.2.4	199.59.243.227
Nov 7, 2024 16:06:32.173322916 CET	80	50009	199.59.243.227	192.168.2.4
Nov 7, 2024 16:06:32.173413038 CET	50009	80	192.168.2.4	199.59.243.227
Nov 7, 2024 16:06:32.173445940 CET	50009	80	192.168.2.4	199.59.243.227
Nov 7, 2024 16:06:32.180404902 CET	80	50009	199.59.243.227	192.168.2.4
Nov 7, 2024 16:06:32.789855003 CET	80	50009	199.59.243.227	192.168.2.4
Nov 7, 2024 16:06:32.790231943 CET	80	50009	199.59.243.227	192.168.2.4
Nov 7, 2024 16:06:32.790293932 CET	50009	80	192.168.2.4	199.59.243.227
Nov 7, 2024 16:06:32.790692091 CET	80	50009	199.59.243.227	192.168.2.4
Nov 7, 2024 16:06:32.790744066 CET	50009	80	192.168.2.4	199.59.243.227
Nov 7, 2024 16:06:32.790816069 CET	50009	80	192.168.2.4	199.59.243.227
Nov 7, 2024 16:06:32.795828104 CET	80	50009	199.59.243.227	192.168.2.4
Nov 7, 2024 16:06:38.087543964 CET	50010	80	192.168.2.4	18.143.155.63
Nov 7, 2024 16:06:38.092464924 CET	80	50010	18.143.155.63	192.168.2.4
Nov 7, 2024 16:06:38.092566967 CET	50010	80	192.168.2.4	18.143.155.63
Nov 7, 2024 16:06:38.092623949 CET	50010	80	192.168.2.4	18.143.155.63
Nov 7, 2024 16:06:38.097414970 CET	80	50010	18.143.155.63	192.168.2.4
Nov 7, 2024 16:06:39.517577887 CET	80	50010	18.143.155.63	192.168.2.4
Nov 7, 2024 16:06:39.570651054 CET	50010	80	192.168.2.4	18.143.155.63
Nov 7, 2024 16:06:39.933727026 CET	80	50010	18.143.155.63	192.168.2.4
Nov 7, 2024 16:06:39.933851004 CET	50010	80	192.168.2.4	18.143.155.63
Nov 7, 2024 16:06:39.933895111 CET	50010	80	192.168.2.4	18.143.155.63
Nov 7, 2024 16:06:39.939887047 CET	80	50010	18.143.155.63	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 16:04:54.189924955 CET	57260	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:54.200419903 CET	53	57260	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:54.206903934 CET	52259	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:54.219999075 CET	53	52259	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:54.221950054 CET	58984	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:54.253200054 CET	53	58984	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:54.256988049 CET	50714	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:54.290348053 CET	53	50714	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:54.291469097 CET	53968	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:54.303440094 CET	53	53968	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:54.305102110 CET	58958	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:54.315578938 CET	53	58958	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:54.316859961 CET	60581	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:54.324276924 CET	53	60581	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:54.326898098 CET	51278	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:54.359157085 CET	53	51278	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:54.360816002 CET	64193	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:54.370357037 CET	53	64193	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:54.372478008 CET	56147	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:54.385688066 CET	53	56147	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:54.387679100 CET	52269	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:54.398996115 CET	53	52269	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:54.400621891 CET	52576	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:54.410888910 CET	53	52576	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:54.457907915 CET	59339	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:54.491067886 CET	53	59339	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:54.509449005 CET	49854	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:54.904262066 CET	53	49854	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:55.541145086 CET	64377	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:55.552711010 CET	53	64377	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:55.555949926 CET	64620	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:55.566612959 CET	53	64620	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:55.567648888 CET	59009	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:55.576980114 CET	53	59009	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:55.580024958 CET	58014	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:55.591037989 CET	53	58014	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:55.593947887 CET	52125	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:55.861198902 CET	53	52125	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:57.720808983 CET	55014	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:57.880759954 CET	53	55014	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:57.882046938 CET	60388	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:57.892527103 CET	53	60388	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:57.894428968 CET	59077	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:57.904081106 CET	53	59077	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:57.905062914 CET	50116	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:57.917500973 CET	53	50116	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:57.918353081 CET	63259	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:57.927932024 CET	53	63259	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:57.928781033 CET	60208	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:57.936007977 CET	53	60208	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:57.936825037 CET	54467	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:57.948159933 CET	53	54467	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:57.949007034 CET	52843	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:57.958625078 CET	53	52843	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:57.959469080 CET	51845	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:57.991414070 CET	53	51845	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:57.992337942 CET	64590	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.022387981 CET	53	64590	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.024627924 CET	57923	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.056603909 CET	53	57923	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.057682991 CET	54245	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.090033054 CET	53	54245	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.091136932 CET	53924	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.122102022 CET	53	53924	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.123147964 CET	62012	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.133614063 CET	53	62012	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.134504080 CET	50794	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.145179033 CET	53	50794	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.146123886 CET	62646	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.178527117 CET	53	62646	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.179404020 CET	60394	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.211016893 CET	53	60394	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.212244034 CET	62325	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.243115902 CET	53	62325	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.244807959 CET	55467	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.254080057 CET	53	55467	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.256033897 CET	63727	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.286492109 CET	53	63727	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.287724018 CET	58981	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.294895887 CET	53	58981	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.295831919 CET	63024	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.303555012 CET	53	63024	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.304575920 CET	49439	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.314418077 CET	53	49439	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.315474987 CET	59748	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.349380016 CET	53	59748	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.350497007 CET	59598	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.359190941 CET	53	59598	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.360302925 CET	62621	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.390963078 CET	53	62621	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.392524958 CET	49873	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.423623085 CET	53	49873	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.425239086 CET	54829	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.456094980 CET	53	54829	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.457153082 CET	50824	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.466806889 CET	53	50824	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.467777014 CET	61353	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.477857113 CET	53	61353	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.478909969 CET	50989	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.489209890 CET	53	50989	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.490185022 CET	60441	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.500163078 CET	53	60441	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.501054049 CET	64872	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.511293888 CET	53	64872	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.512191057 CET	50198	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.519716024 CET	53	50198	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.520663023 CET	51035	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.531354904 CET	53	51035	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.532332897 CET	60745	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.542033911 CET	53	60745	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.543133974 CET	52775	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.554037094 CET	53	52775	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.554989100 CET	50575	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.567521095 CET	53	50575	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.569005966 CET	65232	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.579879045 CET	53	65232	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.584738970 CET	61229	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.594399929 CET	53	61229	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.595326900 CET	59919	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.605148077 CET	53	59919	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.606024027 CET	59774	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.614495039 CET	53	59774	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.615483046 CET	53106	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.627567053 CET	53	53106	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.628494024 CET	52072	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.660479069 CET	53	52072	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.661559105 CET	62675	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.691994905 CET	53	62675	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.693311930 CET	58993	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.725949049 CET	53	58993	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.727188110 CET	49804	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.760831118 CET	53	49804	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.762094975 CET	50762	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.770543098 CET	53	50762	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.771603107 CET	55478	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.784092903 CET	53	55478	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.785095930 CET	50287	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.795584917 CET	53	50287	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.796479940 CET	54743	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.806926966 CET	53	54743	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.807818890 CET	59030	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.817090034 CET	53	59030	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.818089962 CET	52147	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:58.825211048 CET	53	52147	1.1.1.1	192.168.2.4
Nov 7, 2024 16:04:58.826162100 CET	62640	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:04:59.037065983 CET	53	62640	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.002224922 CET	61245	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.009818077 CET	53	61245	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.010828972 CET	49191	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.020450115 CET	53	49191	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.021446943 CET	64289	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.034321070 CET	53	64289	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.037533998 CET	53322	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.069628954 CET	53	53322	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.074352026 CET	56087	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.083796024 CET	53	56087	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.085217953 CET	60787	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.096335888 CET	53	60787	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.097291946 CET	58201	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.106129885 CET	53	58201	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.107141018 CET	58870	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.114543915 CET	53	58870	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.118740082 CET	61904	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.129522085 CET	53	61904	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.130482912 CET	54705	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.140705109 CET	53	54705	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.141597986 CET	51158	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.151382923 CET	53	51158	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.152327061 CET	59935	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.161715031 CET	53	59935	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.162679911 CET	61539	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.194441080 CET	53	61539	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.196857929 CET	60212	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.230015039 CET	53	60212	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.231228113 CET	49571	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.241339922 CET	53	49571	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.242676973 CET	52601	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.273755074 CET	53	52601	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.275264025 CET	51385	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.285602093 CET	53	51385	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.286953926 CET	55216	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.318568945 CET	53	55216	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.319971085 CET	62984	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.328983068 CET	53	62984	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.329936981 CET	56528	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.361294985 CET	53	56528	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.362437963 CET	52052	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.372600079 CET	53	52052	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.373574972 CET	57845	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.406697035 CET	53	57845	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.407687902 CET	61800	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.421549082 CET	53	61800	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.422451019 CET	61488	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.452759027 CET	53	61488	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.453669071 CET	57310	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.461416960 CET	53	57310	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:00.462332964 CET	50044	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:00.864927053 CET	53	50044	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:01.562894106 CET	52263	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:01.572969913 CET	53	52263	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:01.579677105 CET	50561	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:01.611439943 CET	53	50561	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:01.619323969 CET	59147	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:01.628695011 CET	53	59147	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:01.635469913 CET	62801	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:01.667732000 CET	53	62801	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:01.788912058 CET	62451	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:01.801692963 CET	53	62451	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:01.808388948 CET	55198	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:01.819549084 CET	53	55198	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:01.871407032 CET	59349	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:01.882194996 CET	53	59349	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:02.007749081 CET	63123	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:02.015680075 CET	53	63123	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:02.016896963 CET	56220	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:02.027652025 CET	53	56220	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:02.037857056 CET	54926	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:02.048932076 CET	53	54926	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:02.057152033 CET	56907	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:02.249733925 CET	53	56907	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.117227077 CET	57732	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.148355007 CET	53	57732	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.149779081 CET	50322	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.183098078 CET	53	50322	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.184248924 CET	51901	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.194468021 CET	53	51901	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.195462942 CET	62062	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.203191996 CET	53	62062	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.204103947 CET	61988	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.355967045 CET	53	61988	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.357017994 CET	62183	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.364325047 CET	53	62183	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.365748882 CET	49870	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.375495911 CET	53	49870	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.376810074 CET	55140	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.390676022 CET	53	55140	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.392452002 CET	52606	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.405225039 CET	53	52606	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.406948090 CET	49585	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.439543962 CET	53	49585	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.441410065 CET	56271	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.451236010 CET	53	56271	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.458623886 CET	63351	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.493665934 CET	53	63351	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.497203112 CET	49431	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.507563114 CET	53	49431	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.508858919 CET	54622	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.519648075 CET	53	54622	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.520595074 CET	63078	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.531299114 CET	53	63078	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.532231092 CET	52718	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.563673973 CET	53	52718	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.564938068 CET	60158	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.575758934 CET	53	60158	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.576790094 CET	59874	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.588294029 CET	53	59874	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.589378119 CET	60743	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.600090027 CET	53	60743	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.600955963 CET	57780	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.632162094 CET	53	57780	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.633599997 CET	54268	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.645191908 CET	53	54268	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.646426916 CET	60293	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.653584003 CET	53	60293	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.654524088 CET	58354	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.665297985 CET	53	58354	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.666299105 CET	56950	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.698378086 CET	53	56950	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.699525118 CET	56719	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.732264042 CET	53	56719	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.733573914 CET	64598	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.743381023 CET	53	64598	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.744409084 CET	61846	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.751539946 CET	53	61846	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.752465963 CET	50702	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.783241034 CET	53	50702	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.784626007 CET	54633	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.815834999 CET	53	54633	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.819534063 CET	51662	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.829435110 CET	53	51662	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.831254959 CET	64411	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.841718912 CET	53	64411	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.843167067 CET	62197	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.852559090 CET	53	62197	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.853494883 CET	59682	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.863934040 CET	53	59682	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.864950895 CET	61033	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.896553993 CET	53	61033	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.897753954 CET	61014	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.907135010 CET	53	61014	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.908179045 CET	52585	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.918781996 CET	53	52585	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.919841051 CET	52222	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.929996014 CET	53	52222	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.931329966 CET	61788	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.962565899 CET	53	61788	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.964085102 CET	62208	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:04.974029064 CET	53	62208	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:04.975780010 CET	51764	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:05.007333994 CET	53	51764	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:05.008968115 CET	59181	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:05.039340019 CET	53	59181	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:05.041735888 CET	55891	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:05.051673889 CET	53	55891	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:05.052817106 CET	65243	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:05.063307047 CET	53	65243	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:05.064377069 CET	56522	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:05.074811935 CET	53	56522	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:05.075865984 CET	51556	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:05.087179899 CET	53	51556	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:05.089648962 CET	60707	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:05.156780005 CET	53	60707	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:06.028831959 CET	63119	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:06.059942961 CET	53	63119	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:06.063021898 CET	51211	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:06.072577000 CET	53	51211	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:06.073652983 CET	62952	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:06.104614019 CET	53	62952	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:06.107445002 CET	52981	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:06.116384029 CET	53	52981	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:06.118963957 CET	64979	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:06.152873039 CET	53	64979	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:06.154149055 CET	49594	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:06.164575100 CET	53	49594	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:06.166157961 CET	52949	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:06.176767111 CET	53	52949	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:06.179332972 CET	51616	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:06.186789036 CET	53	51616	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:06.191303015 CET	61875	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:06.201827049 CET	53	61875	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:06.208862066 CET	52698	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:06.220041990 CET	53	52698	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:06.223308086 CET	49393	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:06.231368065 CET	53	49393	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:06.232415915 CET	50815	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:06.243381023 CET	53	50815	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:06.247242928 CET	58136	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:06.258080959 CET	53	58136	1.1.1.1	192.168.2.4
Nov 7, 2024 16:05:06.259433985 CET	59583	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:05:06.274605989 CET	53	59583	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:19.438178062 CET	53968	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:19.447700024 CET	53	53968	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:20.462446928 CET	54682	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:20.472373962 CET	53	54682	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:21.478005886 CET	54652	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:21.510130882 CET	53	54652	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:22.524883986 CET	57794	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:22.794306040 CET	53	57794	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:23.806179047 CET	65450	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:23.816114902 CET	53	65450	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:24.822308064 CET	58282	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:24.833151102 CET	53	58282	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:25.837861061 CET	50399	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:25.847810030 CET	53	50399	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:26.853127003 CET	64542	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:26.868854046 CET	53	64542	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:27.884213924 CET	62211	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:27.928298950 CET	53	62211	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:28.949404001 CET	61556	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:28.959005117 CET	53	61556	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:29.962431908 CET	52668	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:29.974649906 CET	53	52668	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:30.978415012 CET	53178	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:31.151197910 CET	53	53178	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:33.806227922 CET	64735	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:33.817281008 CET	53	64735	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:34.821968079 CET	52749	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:34.833677053 CET	53	52749	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:35.838566065 CET	59322	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:36.025531054 CET	53	59322	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:37.040834904 CET	53905	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:37.072115898 CET	53	53905	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:40.947031975 CET	56571	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:40.956051111 CET	53	56571	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:42.032239914 CET	61556	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:42.062161922 CET	53	61556	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:43.120524883 CET	64240	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:43.153575897 CET	53	64240	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:44.167402029 CET	60656	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:44.178715944 CET	53	60656	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:45.181189060 CET	64948	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:45.192327976 CET	53	64948	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:46.199157000 CET	60623	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:46.209359884 CET	53	60623	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:47.379148960 CET	61169	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:47.521555901 CET	53	61169	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:49.089530945 CET	56783	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:49.123215914 CET	53	56783	1.1.1.1	192.168.2.4
Nov 7, 2024 16:06:50.143105030 CET	60993	53	192.168.2.4	1.1.1.1
Nov 7, 2024 16:06:50.175538063 CET	53	60993	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 7, 2024 16:04:54.189924955 CET	192.168.2.4	1.1.1.1	0x4101	Standard query (0)	heavennothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.206903934 CET	192.168.2.4	1.1.1.1	0x2fe9	Standard query (0)	leaderbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.221950054 CET	192.168.2.4	1.1.1.1	0xd4f8	Standard query (0)	heavenbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.256988049 CET	192.168.2.4	1.1.1.1	0xdb88	Standard query (0)	leaderdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.291469097 CET	192.168.2.4	1.1.1.1	0x1bf3	Standard query (0)	heavendivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.305102110 CET	192.168.2.4	1.1.1.1	0x23db	Standard query (0)	heavystream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.316859961 CET	192.168.2.4	1.1.1.1	0x11bf	Standard query (0)	gentlestream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.326898098 CET	192.168.2.4	1.1.1.1	0x316b	Standard query (0)	heavynothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.360816002 CET	192.168.2.4	1.1.1.1	0x5700	Standard query (0)	gentlenothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.372478008 CET	192.168.2.4	1.1.1.1	0x1291	Standard query (0)	heavybottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.387679100 CET	192.168.2.4	1.1.1.1	0xf9c1	Standard query (0)	gentlebottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.400621891 CET	192.168.2.4	1.1.1.1	0xa6e6	Standard query (0)	heavydivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.457907915 CET	192.168.2.4	1.1.1.1	0xbc30	Standard query (0)	gentledivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.509449005 CET	192.168.2.4	1.1.1.1	0xa2c9	Standard query (0)	variousstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:55.541145086 CET	192.168.2.4	1.1.1.1	0xae01	Standard query (0)	returnstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:55.555949926 CET	192.168.2.4	1.1.1.1	0x54dc	Standard query (0)	variousnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:55.567648888 CET	192.168.2.4	1.1.1.1	0x7583	Standard query (0)	returnnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:55.580024958 CET	192.168.2.4	1.1.1.1	0x41fd	Standard query (0)	variousbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:55.593947887 CET	192.168.2.4	1.1.1.1	0x5875	Standard query (0)	returnbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.720808983 CET	192.168.2.4	1.1.1.1	0x36d9	Standard query (0)	variousdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.882046938 CET	192.168.2.4	1.1.1.1	0xa8c5	Standard query (0)	returndivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.894428968 CET	192.168.2.4	1.1.1.1	0x44b7	Standard query (0)	degreemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.905062914 CET	192.168.2.4	1.1.1.1	0x6bb4	Standard query (0)	forwardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.918353081 CET	192.168.2.4	1.1.1.1	0x45ba	Standard query (0)	degreeanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.928781033 CET	192.168.2.4	1.1.1.1	0x2b1e	Standard query (0)	forwardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.936825037 CET	192.168.2.4	1.1.1.1	0xa46b	Standard query (0)	degreebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.949007034 CET	192.168.2.4	1.1.1.1	0xea9f	Standard query (0)	forwardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.959469080 CET	192.168.2.4	1.1.1.1	0x73f8	Standard query (0)	degreeappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.992337942 CET	192.168.2.4	1.1.1.1	0xd2d9	Standard query (0)	forwardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.024627924 CET	192.168.2.4	1.1.1.1	0x3c1d	Standard query (0)	answermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.057682991 CET	192.168.2.4	1.1.1.1	0x1465	Standard query (0)	glassmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.091136932 CET	192.168.2.4	1.1.1.1	0xf828	Standard query (0)	answeranother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.123147964 CET	192.168.2.4	1.1.1.1	0x284e	Standard query (0)	glassanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.134504080 CET	192.168.2.4	1.1.1.1	0xf926	Standard query (0)	answerbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.146123886 CET	192.168.2.4	1.1.1.1	0x2b02	Standard query (0)	glassbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.179404020 CET	192.168.2.4	1.1.1.1	0x4da8	Standard query (0)	answerappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.212244034 CET	192.168.2.4	1.1.1.1	0xc5ba	Standard query (0)	glassappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.244807959 CET	192.168.2.4	1.1.1.1	0xde38	Standard query (0)	difficultmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.256033897 CET	192.168.2.4	1.1.1.1	0xfa00	Standard query (0)	heardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.287724018 CET	192.168.2.4	1.1.1.1	0xd1e	Standard query (0)	difficultanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.295831919 CET	192.168.2.4	1.1.1.1	0x7f04	Standard query (0)	heardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.304575920 CET	192.168.2.4	1.1.1.1	0x12cb	Standard query (0)	difficultbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.315474987 CET	192.168.2.4	1.1.1.1	0xdca4	Standard query (0)	heardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.350497007 CET	192.168.2.4	1.1.1.1	0xdd28	Standard query (0)	difficultappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.360302925 CET	192.168.2.4	1.1.1.1	0xb176	Standard query (0)	heardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.392524958 CET	192.168.2.4	1.1.1.1	0x37c9	Standard query (0)	pleasantmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.425239086 CET	192.168.2.4	1.1.1.1	0x351a	Standard query (0)	necessarymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.457153082 CET	192.168.2.4	1.1.1.1	0xce23	Standard query (0)	pleasantanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.467777014 CET	192.168.2.4	1.1.1.1	0x3f45	Standard query (0)	necessaryanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.478909969 CET	192.168.2.4	1.1.1.1	0x5173	Standard query (0)	pleasantbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.490185022 CET	192.168.2.4	1.1.1.1	0x487d	Standard query (0)	necessarybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.501054049 CET	192.168.2.4	1.1.1.1	0x3b9	Standard query (0)	pleasantappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.512191057 CET	192.168.2.4	1.1.1.1	0x7935	Standard query (0)	necessaryappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.520663023 CET	192.168.2.4	1.1.1.1	0x65bf	Standard query (0)	ordermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.532332897 CET	192.168.2.4	1.1.1.1	0x8a46	Standard query (0)	requiremanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.543133974 CET	192.168.2.4	1.1.1.1	0xe981	Standard query (0)	orderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.554989100 CET	192.168.2.4	1.1.1.1	0xd86c	Standard query (0)	requireanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.569005966 CET	192.168.2.4	1.1.1.1	0xc801	Standard query (0)	orderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.584738970 CET	192.168.2.4	1.1.1.1	0x6273	Standard query (0)	requirebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.595326900 CET	192.168.2.4	1.1.1.1	0x4c37	Standard query (0)	orderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.606024027 CET	192.168.2.4	1.1.1.1	0xa40f	Standard query (0)	requireappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.615483046 CET	192.168.2.4	1.1.1.1	0x4947	Standard query (0)	leadermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.628494024 CET	192.168.2.4	1.1.1.1	0x2400	Standard query (0)	heavenmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.661559105 CET	192.168.2.4	1.1.1.1	0x3bb6	Standard query (0)	leaderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.693311930 CET	192.168.2.4	1.1.1.1	0xc8a0	Standard query (0)	heavenanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.727188110 CET	192.168.2.4	1.1.1.1	0xc69	Standard query (0)	leaderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.762094975 CET	192.168.2.4	1.1.1.1	0x9e28	Standard query (0)	heavenbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.771603107 CET	192.168.2.4	1.1.1.1	0x440c	Standard query (0)	leaderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.785095930 CET	192.168.2.4	1.1.1.1	0x10b1	Standard query (0)	heavenappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.796479940 CET	192.168.2.4	1.1.1.1	0x3b12	Standard query (0)	heavymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.807818890 CET	192.168.2.4	1.1.1.1	0x92a4	Standard query (0)	gentlemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.818089962 CET	192.168.2.4	1.1.1.1	0xda5f	Standard query (0)	heavyanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.826162100 CET	192.168.2.4	1.1.1.1	0x9689	Standard query (0)	gentleanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.002224922 CET	192.168.2.4	1.1.1.1	0xbd1f	Standard query (0)	heavybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.010828972 CET	192.168.2.4	1.1.1.1	0x79a0	Standard query (0)	gentlebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.021446943 CET	192.168.2.4	1.1.1.1	0xf738	Standard query (0)	heavyappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.037533998 CET	192.168.2.4	1.1.1.1	0xe207	Standard query (0)	gentleappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.074352026 CET	192.168.2.4	1.1.1.1	0x93c7	Standard query (0)	variousmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.085217953 CET	192.168.2.4	1.1.1.1	0x68f8	Standard query (0)	returnmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.097291946 CET	192.168.2.4	1.1.1.1	0x7669	Standard query (0)	variousanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.107141018 CET	192.168.2.4	1.1.1.1	0x76e9	Standard query (0)	returnanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.118740082 CET	192.168.2.4	1.1.1.1	0x12ae	Standard query (0)	variousbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.130482912 CET	192.168.2.4	1.1.1.1	0xab79	Standard query (0)	returnbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.141597986 CET	192.168.2.4	1.1.1.1	0xa316	Standard query (0)	variousappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.152327061 CET	192.168.2.4	1.1.1.1	0x46d9	Standard query (0)	returnappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.162679911 CET	192.168.2.4	1.1.1.1	0x13e	Standard query (0)	degreeinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.196857929 CET	192.168.2.4	1.1.1.1	0x7859	Standard query (0)	forwardinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.231228113 CET	192.168.2.4	1.1.1.1	0x8ab4	Standard query (0)	degreeexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.242676973 CET	192.168.2.4	1.1.1.1	0x2803	Standard query (0)	forwardexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.275264025 CET	192.168.2.4	1.1.1.1	0xf398	Standard query (0)	degreebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.286953926 CET	192.168.2.4	1.1.1.1	0x1860	Standard query (0)	forwardbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.319971085 CET	192.168.2.4	1.1.1.1	0xd0e9	Standard query (0)	degreeinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.329936981 CET	192.168.2.4	1.1.1.1	0xda26	Standard query (0)	forwardinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.362437963 CET	192.168.2.4	1.1.1.1	0xced0	Standard query (0)	answerinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.373574972 CET	192.168.2.4	1.1.1.1	0x43dc	Standard query (0)	glassinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.407687902 CET	192.168.2.4	1.1.1.1	0xceef	Standard query (0)	answerexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.422451019 CET	192.168.2.4	1.1.1.1	0x88b3	Standard query (0)	glassexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.453669071 CET	192.168.2.4	1.1.1.1	0xa99	Standard query (0)	answerbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.462332964 CET	192.168.2.4	1.1.1.1	0x5b70	Standard query (0)	glassbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.562894106 CET	192.168.2.4	1.1.1.1	0xec7f	Standard query (0)	answerinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.579677105 CET	192.168.2.4	1.1.1.1	0x34fc	Standard query (0)	glassinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.619323969 CET	192.168.2.4	1.1.1.1	0xae20	Standard query (0)	difficultinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.635469913 CET	192.168.2.4	1.1.1.1	0xb186	Standard query (0)	heardinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.788912058 CET	192.168.2.4	1.1.1.1	0xad0a	Standard query (0)	difficultexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.808388948 CET	192.168.2.4	1.1.1.1	0xd86f	Standard query (0)	heardexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.871407032 CET	192.168.2.4	1.1.1.1	0x8474	Standard query (0)	difficultbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:02.007749081 CET	192.168.2.4	1.1.1.1	0xa08d	Standard query (0)	heardbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:02.016896963 CET	192.168.2.4	1.1.1.1	0x71e1	Standard query (0)	difficultinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:02.037857056 CET	192.168.2.4	1.1.1.1	0x6065	Standard query (0)	heardinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:02.057152033 CET	192.168.2.4	1.1.1.1	0x5baa	Standard query (0)	pleasantinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.117227077 CET	192.168.2.4	1.1.1.1	0x1f07	Standard query (0)	necessaryinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.149779081 CET	192.168.2.4	1.1.1.1	0xb7e7	Standard query (0)	pleasantexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.184248924 CET	192.168.2.4	1.1.1.1	0x8c66	Standard query (0)	necessaryexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.195462942 CET	192.168.2.4	1.1.1.1	0x7f09	Standard query (0)	pleasantbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.204103947 CET	192.168.2.4	1.1.1.1	0xe9cb	Standard query (0)	necessarybright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.357017994 CET	192.168.2.4	1.1.1.1	0xd987	Standard query (0)	pleasantinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.365748882 CET	192.168.2.4	1.1.1.1	0x2cb	Standard query (0)	necessaryinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.376810074 CET	192.168.2.4	1.1.1.1	0xc307	Standard query (0)	orderinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.392452002 CET	192.168.2.4	1.1.1.1	0x986a	Standard query (0)	requireinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.406948090 CET	192.168.2.4	1.1.1.1	0x8d0d	Standard query (0)	orderexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.441410065 CET	192.168.2.4	1.1.1.1	0x966e	Standard query (0)	requireexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.458623886 CET	192.168.2.4	1.1.1.1	0x313a	Standard query (0)	orderbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.497203112 CET	192.168.2.4	1.1.1.1	0x7da1	Standard query (0)	requirebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.508858919 CET	192.168.2.4	1.1.1.1	0x4eb	Standard query (0)	orderinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.520595074 CET	192.168.2.4	1.1.1.1	0x4491	Standard query (0)	requireinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.532231092 CET	192.168.2.4	1.1.1.1	0xfc8e	Standard query (0)	leaderinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.564938068 CET	192.168.2.4	1.1.1.1	0x7154	Standard query (0)	heaveninstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.576790094 CET	192.168.2.4	1.1.1.1	0x944c	Standard query (0)	leaderexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.589378119 CET	192.168.2.4	1.1.1.1	0x2109	Standard query (0)	heavenexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.600955963 CET	192.168.2.4	1.1.1.1	0xaa4f	Standard query (0)	leaderbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.633599997 CET	192.168.2.4	1.1.1.1	0x9157	Standard query (0)	heavenbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.646426916 CET	192.168.2.4	1.1.1.1	0xf6a6	Standard query (0)	leaderinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.654524088 CET	192.168.2.4	1.1.1.1	0x77f7	Standard query (0)	heaveninside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.666299105 CET	192.168.2.4	1.1.1.1	0x940c	Standard query (0)	heavyinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.699525118 CET	192.168.2.4	1.1.1.1	0x48b3	Standard query (0)	gentleinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.733573914 CET	192.168.2.4	1.1.1.1	0x818a	Standard query (0)	heavyexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.744409084 CET	192.168.2.4	1.1.1.1	0xb217	Standard query (0)	gentleexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.752465963 CET	192.168.2.4	1.1.1.1	0x97c4	Standard query (0)	heavybright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.784626007 CET	192.168.2.4	1.1.1.1	0x2701	Standard query (0)	gentlebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.819534063 CET	192.168.2.4	1.1.1.1	0xe64a	Standard query (0)	heavyinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.831254959 CET	192.168.2.4	1.1.1.1	0xc493	Standard query (0)	gentleinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.843167067 CET	192.168.2.4	1.1.1.1	0x697c	Standard query (0)	variousinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.853494883 CET	192.168.2.4	1.1.1.1	0xcb7e	Standard query (0)	returninstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.864950895 CET	192.168.2.4	1.1.1.1	0xcd7a	Standard query (0)	variousexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.897753954 CET	192.168.2.4	1.1.1.1	0x9909	Standard query (0)	returnexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.908179045 CET	192.168.2.4	1.1.1.1	0xa15c	Standard query (0)	variousbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.919841051 CET	192.168.2.4	1.1.1.1	0xaf25	Standard query (0)	returnbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.931329966 CET	192.168.2.4	1.1.1.1	0x3c50	Standard query (0)	variousinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.964085102 CET	192.168.2.4	1.1.1.1	0x9311	Standard query (0)	returninside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.975780010 CET	192.168.2.4	1.1.1.1	0x75f8	Standard query (0)	degreeready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.008968115 CET	192.168.2.4	1.1.1.1	0x185e	Standard query (0)	forwardready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.041735888 CET	192.168.2.4	1.1.1.1	0x33dd	Standard query (0)	degreebrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.052817106 CET	192.168.2.4	1.1.1.1	0x1802	Standard query (0)	forwardbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.064377069 CET	192.168.2.4	1.1.1.1	0xb824	Standard query (0)	degreepeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.075865984 CET	192.168.2.4	1.1.1.1	0xdbd2	Standard query (0)	forwardpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.089648962 CET	192.168.2.4	1.1.1.1	0xeeeb	Standard query (0)	degreedaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.028831959 CET	192.168.2.4	1.1.1.1	0xf60e	Standard query (0)	forwarddaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.063021898 CET	192.168.2.4	1.1.1.1	0xfd9f	Standard query (0)	answerready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.073652983 CET	192.168.2.4	1.1.1.1	0xe96f	Standard query (0)	glassready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.107445002 CET	192.168.2.4	1.1.1.1	0x4db9	Standard query (0)	answerbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.118963957 CET	192.168.2.4	1.1.1.1	0x7c6	Standard query (0)	glassbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.154149055 CET	192.168.2.4	1.1.1.1	0x6a7e	Standard query (0)	answerpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.166157961 CET	192.168.2.4	1.1.1.1	0xeee7	Standard query (0)	glasspeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.179332972 CET	192.168.2.4	1.1.1.1	0x5b6b	Standard query (0)	answerdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.191303015 CET	192.168.2.4	1.1.1.1	0x8d4e	Standard query (0)	glassdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.208862066 CET	192.168.2.4	1.1.1.1	0xb174	Standard query (0)	difficultready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.223308086 CET	192.168.2.4	1.1.1.1	0x21e7	Standard query (0)	heardready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.232415915 CET	192.168.2.4	1.1.1.1	0x1d50	Standard query (0)	difficultbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.247242928 CET	192.168.2.4	1.1.1.1	0x234f	Standard query (0)	heardbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.259433985 CET	192.168.2.4	1.1.1.1	0xe8e9	Standard query (0)	difficultpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.438178062 CET	192.168.2.4	1.1.1.1	0x45b2	Standard query (0)	leaderbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:20.462446928 CET	192.168.2.4	1.1.1.1	0x86ee	Standard query (0)	heavenbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:21.478005886 CET	192.168.2.4	1.1.1.1	0x97a7	Standard query (0)	leaderdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.524883986 CET	192.168.2.4	1.1.1.1	0x4e2b	Standard query (0)	heavendivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.806179047 CET	192.168.2.4	1.1.1.1	0x862d	Standard query (0)	heavystream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.822308064 CET	192.168.2.4	1.1.1.1	0xbff7	Standard query (0)	gentlestream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.837861061 CET	192.168.2.4	1.1.1.1	0x8f9f	Standard query (0)	heavynothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:26.853127003 CET	192.168.2.4	1.1.1.1	0x923f	Standard query (0)	gentlenothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:27.884213924 CET	192.168.2.4	1.1.1.1	0xa4cc	Standard query (0)	heavybottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:28.949404001 CET	192.168.2.4	1.1.1.1	0xcfe0	Standard query (0)	gentlebottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:29.962431908 CET	192.168.2.4	1.1.1.1	0xe16	Standard query (0)	heavydivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:30.978415012 CET	192.168.2.4	1.1.1.1	0x8226	Standard query (0)	gentledivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:33.806227922 CET	192.168.2.4	1.1.1.1	0xe563	Standard query (0)	returnstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:34.821968079 CET	192.168.2.4	1.1.1.1	0x29fc	Standard query (0)	variousnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:35.838566065 CET	192.168.2.4	1.1.1.1	0xe3bb	Standard query (0)	returnnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:37.040834904 CET	192.168.2.4	1.1.1.1	0xa767	Standard query (0)	variousbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:40.947031975 CET	192.168.2.4	1.1.1.1	0x1ac8	Standard query (0)	variousdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:42.032239914 CET	192.168.2.4	1.1.1.1	0x843e	Standard query (0)	returndivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:43.120524883 CET	192.168.2.4	1.1.1.1	0xb0a3	Standard query (0)	degreemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:44.167402029 CET	192.168.2.4	1.1.1.1	0xc306	Standard query (0)	forwardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:45.181189060 CET	192.168.2.4	1.1.1.1	0xc6da	Standard query (0)	degreeanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:46.199157000 CET	192.168.2.4	1.1.1.1	0xa252	Standard query (0)	forwardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:47.379148960 CET	192.168.2.4	1.1.1.1	0x1664	Standard query (0)	degreebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:49.089530945 CET	192.168.2.4	1.1.1.1	0x1bb9	Standard query (0)	forwardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:50.143105030 CET	192.168.2.4	1.1.1.1	0xdfe9	Standard query (0)	degreeappear.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 7, 2024 16:04:54.200419903 CET	1.1.1.1	192.168.2.4	0x4101	Name error (3)	heavennothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.219999075 CET	1.1.1.1	192.168.2.4	0x2fe9	Name error (3)	leaderbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.253200054 CET	1.1.1.1	192.168.2.4	0xd4f8	Name error (3)	heavenbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.290348053 CET	1.1.1.1	192.168.2.4	0xdb88	Name error (3)	leaderdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.303440094 CET	1.1.1.1	192.168.2.4	0x1bf3	Name error (3)	heavendivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.315578938 CET	1.1.1.1	192.168.2.4	0x23db	Name error (3)	heavystream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.324276924 CET	1.1.1.1	192.168.2.4	0x11bf	Name error (3)	gentlestream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.359157085 CET	1.1.1.1	192.168.2.4	0x316b	Name error (3)	heavynothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.370357037 CET	1.1.1.1	192.168.2.4	0x5700	Name error (3)	gentlenothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.385688066 CET	1.1.1.1	192.168.2.4	0x1291	Name error (3)	heavybottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.398996115 CET	1.1.1.1	192.168.2.4	0xf9c1	Name error (3)	gentlebottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.410888910 CET	1.1.1.1	192.168.2.4	0xa6e6	Name error (3)	heavydivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.491067886 CET	1.1.1.1	192.168.2.4	0xbc30	Name error (3)	gentledivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.904262066 CET	1.1.1.1	192.168.2.4	0xa2c9	No error (0)	variousstream.net	7450.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 16:04:54.904262066 CET	1.1.1.1	192.168.2.4	0xa2c9	No error (0)	7450.bodis.com		199.59.243.227	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:55.552711010 CET	1.1.1.1	192.168.2.4	0xae01	Name error (3)	returnstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:55.566612959 CET	1.1.1.1	192.168.2.4	0x54dc	Name error (3)	variousnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:55.576980114 CET	1.1.1.1	192.168.2.4	0x7583	Name error (3)	returnnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:55.591037989 CET	1.1.1.1	192.168.2.4	0x41fd	Name error (3)	variousbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:55.861198902 CET	1.1.1.1	192.168.2.4	0x5875	No error (0)	returnbottle.net		18.143.155.63	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.880759954 CET	1.1.1.1	192.168.2.4	0x36d9	Name error (3)	variousdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.892527103 CET	1.1.1.1	192.168.2.4	0xa8c5	Name error (3)	returndivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.904081106 CET	1.1.1.1	192.168.2.4	0x44b7	Name error (3)	degreemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.917500973 CET	1.1.1.1	192.168.2.4	0x6bb4	Name error (3)	forwardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.927932024 CET	1.1.1.1	192.168.2.4	0x45ba	Name error (3)	degreeanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.936007977 CET	1.1.1.1	192.168.2.4	0x2b1e	Name error (3)	forwardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.948159933 CET	1.1.1.1	192.168.2.4	0xa46b	Name error (3)	degreebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.958625078 CET	1.1.1.1	192.168.2.4	0xea9f	Name error (3)	forwardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.991414070 CET	1.1.1.1	192.168.2.4	0x73f8	Name error (3)	degreeappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.022387981 CET	1.1.1.1	192.168.2.4	0xd2d9	Name error (3)	forwardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.056603909 CET	1.1.1.1	192.168.2.4	0x3c1d	Name error (3)	answermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.090033054 CET	1.1.1.1	192.168.2.4	0x1465	Name error (3)	glassmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.122102022 CET	1.1.1.1	192.168.2.4	0xf828	Name error (3)	answeranother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.133614063 CET	1.1.1.1	192.168.2.4	0x284e	Name error (3)	glassanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.145179033 CET	1.1.1.1	192.168.2.4	0xf926	Name error (3)	answerbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.178527117 CET	1.1.1.1	192.168.2.4	0x2b02	Name error (3)	glassbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.211016893 CET	1.1.1.1	192.168.2.4	0x4da8	Name error (3)	answerappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.243115902 CET	1.1.1.1	192.168.2.4	0xc5ba	Name error (3)	glassappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.254080057 CET	1.1.1.1	192.168.2.4	0xde38	Name error (3)	difficultmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.286492109 CET	1.1.1.1	192.168.2.4	0xfa00	Name error (3)	heardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.294895887 CET	1.1.1.1	192.168.2.4	0xd1e	Name error (3)	difficultanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.303555012 CET	1.1.1.1	192.168.2.4	0x7f04	Name error (3)	heardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.314418077 CET	1.1.1.1	192.168.2.4	0x12cb	Name error (3)	difficultbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.349380016 CET	1.1.1.1	192.168.2.4	0xdca4	Name error (3)	heardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.359190941 CET	1.1.1.1	192.168.2.4	0xdd28	Name error (3)	difficultappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.390963078 CET	1.1.1.1	192.168.2.4	0xb176	Name error (3)	heardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.423623085 CET	1.1.1.1	192.168.2.4	0x37c9	Name error (3)	pleasantmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.456094980 CET	1.1.1.1	192.168.2.4	0x351a	Name error (3)	necessarymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.466806889 CET	1.1.1.1	192.168.2.4	0xce23	Name error (3)	pleasantanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.477857113 CET	1.1.1.1	192.168.2.4	0x3f45	Name error (3)	necessaryanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.489209890 CET	1.1.1.1	192.168.2.4	0x5173	Name error (3)	pleasantbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.500163078 CET	1.1.1.1	192.168.2.4	0x487d	Name error (3)	necessarybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.511293888 CET	1.1.1.1	192.168.2.4	0x3b9	Name error (3)	pleasantappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.519716024 CET	1.1.1.1	192.168.2.4	0x7935	Name error (3)	necessaryappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.531354904 CET	1.1.1.1	192.168.2.4	0x65bf	Name error (3)	ordermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.542033911 CET	1.1.1.1	192.168.2.4	0x8a46	Name error (3)	requiremanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.554037094 CET	1.1.1.1	192.168.2.4	0xe981	Name error (3)	orderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.567521095 CET	1.1.1.1	192.168.2.4	0xd86c	Name error (3)	requireanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.579879045 CET	1.1.1.1	192.168.2.4	0xc801	Name error (3)	orderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.594399929 CET	1.1.1.1	192.168.2.4	0x6273	Name error (3)	requirebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.605148077 CET	1.1.1.1	192.168.2.4	0x4c37	Name error (3)	orderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.614495039 CET	1.1.1.1	192.168.2.4	0xa40f	Name error (3)	requireappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.627567053 CET	1.1.1.1	192.168.2.4	0x4947	Name error (3)	leadermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.660479069 CET	1.1.1.1	192.168.2.4	0x2400	Name error (3)	heavenmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.691994905 CET	1.1.1.1	192.168.2.4	0x3bb6	Name error (3)	leaderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.725949049 CET	1.1.1.1	192.168.2.4	0xc8a0	Name error (3)	heavenanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.760831118 CET	1.1.1.1	192.168.2.4	0xc69	Name error (3)	leaderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.770543098 CET	1.1.1.1	192.168.2.4	0x9e28	Name error (3)	heavenbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.784092903 CET	1.1.1.1	192.168.2.4	0x440c	Name error (3)	leaderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.795584917 CET	1.1.1.1	192.168.2.4	0x10b1	Name error (3)	heavenappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.806926966 CET	1.1.1.1	192.168.2.4	0x3b12	Name error (3)	heavymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.817090034 CET	1.1.1.1	192.168.2.4	0x92a4	Name error (3)	gentlemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.825211048 CET	1.1.1.1	192.168.2.4	0xda5f	Name error (3)	heavyanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.037065983 CET	1.1.1.1	192.168.2.4	0x9689	No error (0)	gentleanother.net		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.009818077 CET	1.1.1.1	192.168.2.4	0xbd1f	Name error (3)	heavybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.020450115 CET	1.1.1.1	192.168.2.4	0x79a0	Name error (3)	gentlebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.034321070 CET	1.1.1.1	192.168.2.4	0xf738	Name error (3)	heavyappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.069628954 CET	1.1.1.1	192.168.2.4	0xe207	Name error (3)	gentleappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.083796024 CET	1.1.1.1	192.168.2.4	0x93c7	Name error (3)	variousmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.096335888 CET	1.1.1.1	192.168.2.4	0x68f8	Name error (3)	returnmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.106129885 CET	1.1.1.1	192.168.2.4	0x7669	Name error (3)	variousanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.114543915 CET	1.1.1.1	192.168.2.4	0x76e9	Name error (3)	returnanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.129522085 CET	1.1.1.1	192.168.2.4	0x12ae	Name error (3)	variousbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.140705109 CET	1.1.1.1	192.168.2.4	0xab79	Name error (3)	returnbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.151382923 CET	1.1.1.1	192.168.2.4	0xa316	Name error (3)	variousappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.161715031 CET	1.1.1.1	192.168.2.4	0x46d9	Name error (3)	returnappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.194441080 CET	1.1.1.1	192.168.2.4	0x13e	Name error (3)	degreeinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.230015039 CET	1.1.1.1	192.168.2.4	0x7859	Name error (3)	forwardinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.241339922 CET	1.1.1.1	192.168.2.4	0x8ab4	Name error (3)	degreeexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.273755074 CET	1.1.1.1	192.168.2.4	0x2803	Name error (3)	forwardexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.285602093 CET	1.1.1.1	192.168.2.4	0xf398	Name error (3)	degreebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.318568945 CET	1.1.1.1	192.168.2.4	0x1860	Name error (3)	forwardbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.328983068 CET	1.1.1.1	192.168.2.4	0xd0e9	Name error (3)	degreeinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.361294985 CET	1.1.1.1	192.168.2.4	0xda26	Name error (3)	forwardinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.372600079 CET	1.1.1.1	192.168.2.4	0xced0	Name error (3)	answerinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.406697035 CET	1.1.1.1	192.168.2.4	0x43dc	Name error (3)	glassinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.421549082 CET	1.1.1.1	192.168.2.4	0xceef	Name error (3)	answerexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.452759027 CET	1.1.1.1	192.168.2.4	0x88b3	Name error (3)	glassexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.461416960 CET	1.1.1.1	192.168.2.4	0xa99	Name error (3)	answerbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.864927053 CET	1.1.1.1	192.168.2.4	0x5b70	No error (0)	glassbright.net	7450.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 16:05:00.864927053 CET	1.1.1.1	192.168.2.4	0x5b70	No error (0)	7450.bodis.com		199.59.243.227	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.572969913 CET	1.1.1.1	192.168.2.4	0xec7f	Name error (3)	answerinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.611439943 CET	1.1.1.1	192.168.2.4	0x34fc	Name error (3)	glassinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.628695011 CET	1.1.1.1	192.168.2.4	0xae20	Name error (3)	difficultinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.667732000 CET	1.1.1.1	192.168.2.4	0xb186	Name error (3)	heardinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.801692963 CET	1.1.1.1	192.168.2.4	0xad0a	Name error (3)	difficultexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.819549084 CET	1.1.1.1	192.168.2.4	0xd86f	Name error (3)	heardexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.882194996 CET	1.1.1.1	192.168.2.4	0x8474	Name error (3)	difficultbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:02.015680075 CET	1.1.1.1	192.168.2.4	0xa08d	Name error (3)	heardbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:02.027652025 CET	1.1.1.1	192.168.2.4	0x71e1	Name error (3)	difficultinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:02.048932076 CET	1.1.1.1	192.168.2.4	0x6065	Name error (3)	heardinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:02.249733925 CET	1.1.1.1	192.168.2.4	0x5baa	No error (0)	pleasantinstead.net		18.143.155.63	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.148355007 CET	1.1.1.1	192.168.2.4	0x1f07	Name error (3)	necessaryinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.183098078 CET	1.1.1.1	192.168.2.4	0xb7e7	Name error (3)	pleasantexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.194468021 CET	1.1.1.1	192.168.2.4	0x8c66	Name error (3)	necessaryexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.203191996 CET	1.1.1.1	192.168.2.4	0x7f09	Name error (3)	pleasantbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.355967045 CET	1.1.1.1	192.168.2.4	0xe9cb	Name error (3)	necessarybright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.364325047 CET	1.1.1.1	192.168.2.4	0xd987	Name error (3)	pleasantinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.375495911 CET	1.1.1.1	192.168.2.4	0x2cb	Name error (3)	necessaryinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.390676022 CET	1.1.1.1	192.168.2.4	0xc307	Name error (3)	orderinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.405225039 CET	1.1.1.1	192.168.2.4	0x986a	Name error (3)	requireinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.439543962 CET	1.1.1.1	192.168.2.4	0x8d0d	Name error (3)	orderexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.451236010 CET	1.1.1.1	192.168.2.4	0x966e	Name error (3)	requireexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.493665934 CET	1.1.1.1	192.168.2.4	0x313a	Name error (3)	orderbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.507563114 CET	1.1.1.1	192.168.2.4	0x7da1	Name error (3)	requirebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.519648075 CET	1.1.1.1	192.168.2.4	0x4eb	Name error (3)	orderinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.531299114 CET	1.1.1.1	192.168.2.4	0x4491	Name error (3)	requireinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.563673973 CET	1.1.1.1	192.168.2.4	0xfc8e	Name error (3)	leaderinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.575758934 CET	1.1.1.1	192.168.2.4	0x7154	Name error (3)	heaveninstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.588294029 CET	1.1.1.1	192.168.2.4	0x944c	Name error (3)	leaderexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.600090027 CET	1.1.1.1	192.168.2.4	0x2109	Name error (3)	heavenexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.632162094 CET	1.1.1.1	192.168.2.4	0xaa4f	Name error (3)	leaderbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.645191908 CET	1.1.1.1	192.168.2.4	0x9157	Name error (3)	heavenbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.653584003 CET	1.1.1.1	192.168.2.4	0xf6a6	Name error (3)	leaderinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.665297985 CET	1.1.1.1	192.168.2.4	0x77f7	Name error (3)	heaveninside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.698378086 CET	1.1.1.1	192.168.2.4	0x940c	Name error (3)	heavyinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.732264042 CET	1.1.1.1	192.168.2.4	0x48b3	Name error (3)	gentleinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.743381023 CET	1.1.1.1	192.168.2.4	0x818a	Name error (3)	heavyexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.751539946 CET	1.1.1.1	192.168.2.4	0xb217	Name error (3)	gentleexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.783241034 CET	1.1.1.1	192.168.2.4	0x97c4	Name error (3)	heavybright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.815834999 CET	1.1.1.1	192.168.2.4	0x2701	Name error (3)	gentlebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.829435110 CET	1.1.1.1	192.168.2.4	0xe64a	Name error (3)	heavyinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.841718912 CET	1.1.1.1	192.168.2.4	0xc493	Name error (3)	gentleinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.852559090 CET	1.1.1.1	192.168.2.4	0x697c	Name error (3)	variousinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.863934040 CET	1.1.1.1	192.168.2.4	0xcb7e	Name error (3)	returninstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.896553993 CET	1.1.1.1	192.168.2.4	0xcd7a	Name error (3)	variousexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.907135010 CET	1.1.1.1	192.168.2.4	0x9909	Name error (3)	returnexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.918781996 CET	1.1.1.1	192.168.2.4	0xa15c	Name error (3)	variousbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.929996014 CET	1.1.1.1	192.168.2.4	0xaf25	Name error (3)	returnbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.962565899 CET	1.1.1.1	192.168.2.4	0x3c50	Name error (3)	variousinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.974029064 CET	1.1.1.1	192.168.2.4	0x9311	Name error (3)	returninside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.007333994 CET	1.1.1.1	192.168.2.4	0x75f8	Name error (3)	degreeready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.039340019 CET	1.1.1.1	192.168.2.4	0x185e	Name error (3)	forwardready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.051673889 CET	1.1.1.1	192.168.2.4	0x33dd	Name error (3)	degreebrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.063307047 CET	1.1.1.1	192.168.2.4	0x1802	Name error (3)	forwardbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.074811935 CET	1.1.1.1	192.168.2.4	0xb824	Name error (3)	degreepeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.087179899 CET	1.1.1.1	192.168.2.4	0xdbd2	Name error (3)	forwardpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.156780005 CET	1.1.1.1	192.168.2.4	0xeeeb	No error (0)	degreedaughter.net		85.214.228.140	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.059942961 CET	1.1.1.1	192.168.2.4	0xf60e	Name error (3)	forwarddaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.072577000 CET	1.1.1.1	192.168.2.4	0xfd9f	Name error (3)	answerready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.104614019 CET	1.1.1.1	192.168.2.4	0xe96f	Name error (3)	glassready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.116384029 CET	1.1.1.1	192.168.2.4	0x4db9	Name error (3)	answerbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.152873039 CET	1.1.1.1	192.168.2.4	0x7c6	Name error (3)	glassbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.164575100 CET	1.1.1.1	192.168.2.4	0x6a7e	Name error (3)	answerpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.176767111 CET	1.1.1.1	192.168.2.4	0xeee7	Name error (3)	glasspeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.186789036 CET	1.1.1.1	192.168.2.4	0x5b6b	Name error (3)	answerdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.201827049 CET	1.1.1.1	192.168.2.4	0x8d4e	Name error (3)	glassdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.220041990 CET	1.1.1.1	192.168.2.4	0xb174	Name error (3)	difficultready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.231368065 CET	1.1.1.1	192.168.2.4	0x21e7	Name error (3)	heardready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.243381023 CET	1.1.1.1	192.168.2.4	0x1d50	Name error (3)	difficultbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.258080959 CET	1.1.1.1	192.168.2.4	0x234f	Name error (3)	heardbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.274605989 CET	1.1.1.1	192.168.2.4	0xe8e9	No error (0)	difficultpeople.net		13.248.169.48	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.274605989 CET	1.1.1.1	192.168.2.4	0xe8e9	No error (0)	difficultpeople.net		76.223.54.146	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.447700024 CET	1.1.1.1	192.168.2.4	0x45b2	Name error (3)	leaderbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:20.472373962 CET	1.1.1.1	192.168.2.4	0x86ee	Name error (3)	heavenbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:21.510130882 CET	1.1.1.1	192.168.2.4	0x97a7	Name error (3)	leaderdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.794306040 CET	1.1.1.1	192.168.2.4	0x4e2b	Name error (3)	heavendivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.816114902 CET	1.1.1.1	192.168.2.4	0x862d	Name error (3)	heavystream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.833151102 CET	1.1.1.1	192.168.2.4	0xbff7	Name error (3)	gentlestream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.847810030 CET	1.1.1.1	192.168.2.4	0x8f9f	Name error (3)	heavynothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:26.868854046 CET	1.1.1.1	192.168.2.4	0x923f	Name error (3)	gentlenothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:27.928298950 CET	1.1.1.1	192.168.2.4	0xa4cc	Name error (3)	heavybottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:28.959005117 CET	1.1.1.1	192.168.2.4	0xcfe0	Name error (3)	gentlebottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:29.974649906 CET	1.1.1.1	192.168.2.4	0xe16	Name error (3)	heavydivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:31.151197910 CET	1.1.1.1	192.168.2.4	0x8226	Name error (3)	gentledivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:33.817281008 CET	1.1.1.1	192.168.2.4	0xe563	Name error (3)	returnstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:34.833677053 CET	1.1.1.1	192.168.2.4	0x29fc	Name error (3)	variousnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:36.025531054 CET	1.1.1.1	192.168.2.4	0xe3bb	Name error (3)	returnnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:37.072115898 CET	1.1.1.1	192.168.2.4	0xa767	Name error (3)	variousbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:40.956051111 CET	1.1.1.1	192.168.2.4	0x1ac8	Name error (3)	variousdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:42.062161922 CET	1.1.1.1	192.168.2.4	0x843e	Name error (3)	returndivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:43.153575897 CET	1.1.1.1	192.168.2.4	0xb0a3	Name error (3)	degreemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:44.178715944 CET	1.1.1.1	192.168.2.4	0xc306	Name error (3)	forwardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:45.192327976 CET	1.1.1.1	192.168.2.4	0xc6da	Name error (3)	degreeanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:46.209359884 CET	1.1.1.1	192.168.2.4	0xa252	Name error (3)	forwardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:47.521555901 CET	1.1.1.1	192.168.2.4	0x1664	Name error (3)	degreebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:49.123215914 CET	1.1.1.1	192.168.2.4	0x1bb9	Name error (3)	forwardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:50.175538063 CET	1.1.1.1	192.168.2.4	0xdfe9	Name error (3)	degreeappear.net	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

variousstream.net

returnbottle.net

gentleanother.net

glassbright.net

pleasantinstead.net

degreedaughter.net

difficultpeople.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	199.59.243.227	80	7484	C:\trshmfqlcbpta\eqyozfmcsgls.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:04:54.912143946 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: variousstream.net
Nov 7, 2024 16:04:55.537199974 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 15:04:55 GMT content-type: text/html; charset=utf-8 content-length: 1066 x-request-id: 460cf9e4-b458-45d9-95f1-3b32ae2058e5 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ== set-cookie: parking_session=460cf9e4-b458-45d9-95f1-3b32ae2058e5; expires=Thu, 07 Nov 2024 15:19:55 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 53 48 57 78 4b 61 44 77 6f 44 6f 77 66 36 4c 4b 38 37 48 37 43 67 61 6e 64 75 64 43 5a 44 6d 51 47 5a 44 66 75 6c 48 7a 46 33 2b 71 61 37 37 57 52 36 7a 53 41 4f 70 32 47 6e 6f 6d 44 4b 45 7a 61 45 62 64 50 67 46 4f 47 31 48 77 38 41 67 68 7a 4e 4e 74 45 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 16:04:55.537226915 CET	519	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNDYwY2Y5ZTQtYjQ1OC00NWQ5LTk1ZjEtM2IzMmFlMjA1OGU1IiwicGFnZV90aW1lIjoxNzMwOTkxOD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	18.143.155.63	80	7484	C:\trshmfqlcbpta\eqyozfmcsgls.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:04:55.868019104 CET	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: returnbottle.net
Nov 7, 2024 16:04:57.304246902 CET	387	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 15:04:57 GMT Content-Type: text/html Connection: close Set-Cookie: btst=4dafae4e0fe0a6a71a6b23ce86887fb4\|173.254.250.79\|1730991897\|1730991897\|0\|1\|0; path=/; domain=.returnbottle.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	54.244.188.177	80	7484	C:\trshmfqlcbpta\eqyozfmcsgls.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:04:59.042748928 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: gentleanother.net
Nov 7, 2024 16:04:59.883291006 CET	388	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 15:04:59 GMT Content-Type: text/html Connection: close Set-Cookie: btst=6909153e77a71ff5c3ab35eb5d315fe6\|173.254.250.79\|1730991899\|1730991899\|0\|1\|0; path=/; domain=.gentleanother.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49734	199.59.243.227	80	7484	C:\trshmfqlcbpta\eqyozfmcsgls.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:05:00.870626926 CET	82	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: glassbright.net
Nov 7, 2024 16:05:01.522624016 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 15:05:01 GMT content-type: text/html; charset=utf-8 content-length: 1062 x-request-id: 02605240-9e2c-4a13-8307-c732674d1c0f cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg== set-cookie: parking_session=02605240-9e2c-4a13-8307-c732674d1c0f; expires=Thu, 07 Nov 2024 15:20:01 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 73 31 4f 4c 7a 78 6e 55 4f 6e 45 48 37 31 36 6b 42 70 6b 2f 68 77 6b 51 57 33 67 38 4a 33 70 73 6a 42 43 51 35 37 47 55 41 5a 74 5a 53 32 46 34 65 75 65 4b 6c 34 69 45 6f 71 6d 42 39 71 74 37 68 6b 53 39 39 4e 49 43 2f 79 4b 66 4e 77 69 33 2b 4d 56 50 79 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 16:05:01.522636890 CET	212	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMDI2MDUyNDAtOWUyYy00YTEzLTgzMDctYzczMjY3NGQxYzB
Nov 7, 2024 16:05:01.522648096 CET	303	IN	Data Raw: 6d 49 69 77 69 63 47 46 6e 5a 56 39 30 61 57 31 6c 49 6a 6f 78 4e 7a 4d 77 4f 54 6b 78 4f 54 41 78 4c 43 4a 77 59 57 64 6c 58 33 56 79 62 43 49 36 49 6d 68 30 64 48 41 36 4c 79 39 6e 62 47 46 7a 63 32 4a 79 61 57 64 6f 64 43 35 75 5a 58 51 76 61 Data Ascii: mIiwicGFnZV90aW1lIjoxNzMwOTkxOTAxLCJwYWdlX3VybCI6Imh0dHA6Ly9nbGFzc2JyaWdodC5uZXQvaW5kZXgucGhwIiwicGFnZV9tZXRob2QiOiJHRVQiLCJwYWdlX3JlcXVlc3QiOnt9LCJwYWdlX2hlYWRlcnMiOnt9LCJob3N0IjoiZ2xhc3NicmlnaHQubmV0IiwiaXAiOiIxNzMuMjU0LjI1MC43OSJ9Cg==";</sc

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49736	18.143.155.63	80	7484	C:\trshmfqlcbpta\eqyozfmcsgls.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:05:02.255408049 CET	86	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: pleasantinstead.net
Nov 7, 2024 16:05:03.695981979 CET	390	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 15:05:03 GMT Content-Type: text/html Connection: close Set-Cookie: btst=35bcd985c4ceec6cd9f7563066f33934\|173.254.250.79\|1730991903\|1730991903\|0\|1\|0; path=/; domain=.pleasantinstead.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49740	85.214.228.140	80	7484	C:\trshmfqlcbpta\eqyozfmcsgls.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:05:05.166482925 CET	85	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: degreedaughter.net
Nov 7, 2024 16:05:06.027467966 CET	176	IN	HTTP/1.0 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Thu, 07 Nov 2024 15:05:05 GMT Content-Length: 19 Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	13.248.169.48	80	7484	C:\trshmfqlcbpta\eqyozfmcsgls.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:05:06.281502008 CET	86	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: difficultpeople.net
Nov 7, 2024 16:05:06.956911087 CET	254	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 07 Nov 2024 15:05:06 GMT Content-Type: text/html Content-Length: 114 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	50009	199.59.243.227	80	7180	C:\trshmfqlcbpta\eqyozfmcsgls.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:06:32.173445940 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: variousstream.net
Nov 7, 2024 16:06:32.789855003 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 15:06:32 GMT content-type: text/html; charset=utf-8 content-length: 1066 x-request-id: bd33c4fb-c208-49bb-acab-8707f1969c4d cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ== set-cookie: parking_session=bd33c4fb-c208-49bb-acab-8707f1969c4d; expires=Thu, 07 Nov 2024 15:21:32 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 53 48 57 78 4b 61 44 77 6f 44 6f 77 66 36 4c 4b 38 37 48 37 43 67 61 6e 64 75 64 43 5a 44 6d 51 47 5a 44 66 75 6c 48 7a 46 33 2b 71 61 37 37 57 52 36 7a 53 41 4f 70 32 47 6e 6f 6d 44 4b 45 7a 61 45 62 64 50 67 46 4f 47 31 48 77 38 41 67 68 7a 4e 4e 74 45 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 16:06:32.790231943 CET	519	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYmQzM2M0ZmItYzIwOC00OWJiLWFjYWItODcwN2YxOTY5YzRkIiwicGFnZV90aW1lIjoxNzMwOTkxOT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	50010	18.143.155.63	80	7180	C:\trshmfqlcbpta\eqyozfmcsgls.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:06:38.092623949 CET	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: returnbottle.net
Nov 7, 2024 16:06:39.517577887 CET	387	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 15:06:39 GMT Content-Type: text/html Connection: close Set-Cookie: btst=85b606f6e52f4ff2c1d5704fcd452371\|173.254.250.79\|1730991999\|1730991999\|0\|1\|0; path=/; domain=.returnbottle.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Target ID:	0
Start time:	10:04:44
Start date:	07/11/2024
Path:	C:\Users\user\Desktop\Z4KBs1USsJ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Z4KBs1USsJ.exe"
Imagebase:	0xcb0000
File size:	364'032 bytes
MD5 hash:	9C485842F954958288C2ECF17881439A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:04:46
Start date:	07/11/2024
Path:	C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe
Wow64 process (32bit):	true
Commandline:	"C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe"
Imagebase:	0x3a0000
File size:	364'032 bytes
MD5 hash:	9C485842F954958288C2ECF17881439A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:04:48
Start date:	07/11/2024
Path:	C:\trshmfqlcbpta\eqyozfmcsgls.exe
Wow64 process (32bit):	true
Commandline:	C:\trshmfqlcbpta\eqyozfmcsgls.exe
Imagebase:	0x250000
File size:	364'032 bytes
MD5 hash:	9C485842F954958288C2ECF17881439A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:04:51
Start date:	07/11/2024
Path:	C:\trshmfqlcbpta\yrykdhhlfqp.exe
Wow64 process (32bit):	true
Commandline:	jmbk6ivdkgpf "c:\trshmfqlcbpta\eqyozfmcsgls.exe"
Imagebase:	0xde0000
File size:	364'032 bytes
MD5 hash:	9C485842F954958288C2ECF17881439A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:04:52
Start date:	07/11/2024
Path:	C:\trshmfqlcbpta\eqyozfmcsgls.exe
Wow64 process (32bit):	true
Commandline:	"C:\trshmfqlcbpta\eqyozfmcsgls.exe"
Imagebase:	0x250000
File size:	364'032 bytes
MD5 hash:	9C485842F954958288C2ECF17881439A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:06:12
Start date:	07/11/2024
Path:	C:\trshmfqlcbpta\eqyozfmcsgls.exe
Wow64 process (32bit):	true
Commandline:	"c:\trshmfqlcbpta\eqyozfmcsgls.exe"
Imagebase:	0x250000
File size:	364'032 bytes
MD5 hash:	9C485842F954958288C2ECF17881439A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	10:06:15
Start date:	07/11/2024
Path:	C:\trshmfqlcbpta\yrykdhhlfqp.exe
Wow64 process (32bit):	true
Commandline:	jmbk6ivdkgpf "c:\trshmfqlcbpta\eqyozfmcsgls.exe"
Imagebase:	0x2c0000
File size:	364'032 bytes
MD5 hash:	9C485842F954958288C2ECF17881439A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	29.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	10

Executed Functions

Function 00CD915F Relevance: 267.9, APIs: 113, Strings: 37, Instructions: 5361libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(74DD0000,?), ref: 00CD91B1
GetProcAddress.KERNEL32(74DD0000,?), ref: 00CD927C
GetProcAddress.KERNEL32(74DD0000,?), ref: 00CD9341

Strings

f}?, xrefs: 00CDD295
jhF , xrefs: 00CDCBF2
ht6, xrefs: 00CD9BE9
hE:, xrefs: 00CDB42B
x, xrefs: 00CDE843
v":, xrefs: 00CDD12A
hU&, xrefs: 00CDB59B
h-, xrefs: 00CDCA96
wfQN, xrefs: 00CDC765, 00CDE429
O, xrefs: 00CDE96C
jhH6, xrefs: 00CDA26F
h7:, xrefs: 00CDC338
hb&, xrefs: 00CD9C89
h*6, xrefs: 00CDD111
jhe6, xrefs: 00CDCD51
hW:, xrefs: 00CDCC62
hg5, xrefs: 00CDC238
hT4, xrefs: 00CDBAD2
hx+, xrefs: 00CDC45D
CB!, xrefs: 00CDC4BB
jhE4, xrefs: 00CD9F4D
h2., xrefs: 00CDA348
hp5, xrefs: 00CDD55A
h^., xrefs: 00CDB1C9
hU., xrefs: 00CDC760
h{4, xrefs: 00CDA131
hL+, xrefs: 00CDA836
hk4, xrefs: 00CDD81C
jhn., xrefs: 00CDAA92
C:\Users\user, xrefs: 00CDE1A3
h_+, xrefs: 00CDDAA7
hk, xrefs: 00CDE187
hB., xrefs: 00CDDED2
jh5, xrefs: 00CDC6B1
h$, xrefs: 00CD9E6F
jh&., xrefs: 00CDA56A
A-1, xrefs: 00CDDF9A, 00CDDFCA

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: AddressProc
String ID: A-1$C:\Users\user$CB!$f}?$h*6$h2.$h7:$hB.$hE:$hL+$hT4$hU&$hU.$hW:$h^.$h_+$hb&$hg5$hk$hk4$hp5$ht6$hx+$h{4$h$$h-$jh&.$jhH6$jh5$jhE4$jhF $jhe6$jhn.$v":$wfQN$O$x
API String ID: 190572456-3820754370
Opcode ID: c087e0804ce38c9445f984018fecad441f7d3d6e8921bd948a4d2f0bca6592d3
Instruction ID: 228f50045503d0e9cb2e26a425bbf2fc99715447f2c51c7fbb798a2efe8e44e5
Opcode Fuzzy Hash: c087e0804ce38c9445f984018fecad441f7d3d6e8921bd948a4d2f0bca6592d3
Instruction Fuzzy Hash: 88B3AD74900609EBE704DFA5FD897BD7BB5FB88310B11845AE580A33B5EB340A64EB47

Function 00CE7B00 Relevance: 8.0, APIs: 5, Instructions: 501
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000003E8,?,00000001), ref: 00CE7CC0
FindFirstFileA.KERNELBASE(?,?,?,?,?,?,?,00000001), ref: 00CE7E95

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: FileFindFirstSleep
String ID:
API String ID: 4158786080-0
Opcode ID: d3db1f309f56567a4f546bb8c197282c72d8a917ac31fb42070450c1e419dbc2
Instruction ID: d1f4609b2224f32529083a290136379ca8c23901a24918fbbee50830af801e77
Opcode Fuzzy Hash: d3db1f309f56567a4f546bb8c197282c72d8a917ac31fb42070450c1e419dbc2
Instruction Fuzzy Hash: F722D170904619DBDB089FA2FD583BC7BB6FB98310B218959D481932B4FB310A69DF47

Function 00CF0C20 Relevance: 4.6, APIs: 3, Instructions: 146
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000001,?,?,?,00CD0ECB), ref: 00CF0CE0
CheckTokenMembership.KERNELBASE(00000000,?,?,?,?,?,00CD0ECB), ref: 00CF0D3F
FreeSid.ADVAPI32(?,?,?,?,00CD0ECB), ref: 00CF0E03

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a88baf271a4d2586130a5f221ca1a7eb22a1c1ecdd21bd95e7dc627bbafce61a
Instruction ID: ce9c7f67b888816c0d08ebf8904299a701d2cb6fd84087882f5c153359a23205
Opcode Fuzzy Hash: a88baf271a4d2586130a5f221ca1a7eb22a1c1ecdd21bd95e7dc627bbafce61a
Instruction Fuzzy Hash: 0C510030900219DBC704CFA5FC88BBD7FBAFB54711B12855EE981A22B1EB340628DB57

Function 00CEC960 Relevance: 3.0, APIs: 2, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00CD0494,?,00CD0494,?), ref: 00CEC97F
RtlAllocateHeap.NTDLL(00000000,?,00CD0494,?), ref: 00CEC986

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 39f44513a00501d2414f111bfdf1bc7158c7ee5d464e9ac0ff88230792aff147
Instruction ID: 7438a2e9099990b41d206bd09f8931e8002b8c22a0cb18ce15279132a01f0da3
Opcode Fuzzy Hash: 39f44513a00501d2414f111bfdf1bc7158c7ee5d464e9ac0ff88230792aff147
Instruction Fuzzy Hash: FDD092B1141208ABDA009BA4AC4DB697B68A708701F510805F20C86260CB706254CB53

Function 00CDA25E Relevance: 216.1, APIs: 89, Strings: 32, Instructions: 4394
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,?), ref: 00CDA2B5
GetProcAddress.KERNEL32(74DD0000,?), ref: 00CDA332
GetProcAddress.KERNEL32(74DD0000,?), ref: 00CDA406
GetProcAddress.KERNEL32(74DD0000,?), ref: 00CDA4E1
GetProcAddress.KERNEL32(74DD0000,?), ref: 00CDA5D9

Strings

f}?, xrefs: 00CDD295
jhF , xrefs: 00CDCBF2
hE:, xrefs: 00CDB42B
x, xrefs: 00CDE843
v":, xrefs: 00CDD12A
hU&, xrefs: 00CDB59B
h-, xrefs: 00CDCA96
wfQN, xrefs: 00CDC765, 00CDE429
O, xrefs: 00CDE96C
jhH6, xrefs: 00CDA26F
h7:, xrefs: 00CDC338
h*6, xrefs: 00CDD111
jhe6, xrefs: 00CDCD51
hW:, xrefs: 00CDCC62
hg5, xrefs: 00CDC238
hT4, xrefs: 00CDBAD2
hx+, xrefs: 00CDC45D
CB!, xrefs: 00CDC4BB
h2., xrefs: 00CDA348
hp5, xrefs: 00CDD55A
h^., xrefs: 00CDB1C9
hU., xrefs: 00CDC760
hL+, xrefs: 00CDA836
hk4, xrefs: 00CDD81C
jhn., xrefs: 00CDAA92
C:\Users\user, xrefs: 00CDE1A3
h_+, xrefs: 00CDDAA7
hk, xrefs: 00CDE187
hB., xrefs: 00CDDED2
jh5, xrefs: 00CDC6B1
jh&., xrefs: 00CDA56A
A-1, xrefs: 00CDDF9A, 00CDDFCA

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: AddressProc
String ID: A-1$C:\Users\user$CB!$f}?$h*6$h2.$h7:$hB.$hE:$hL+$hT4$hU&$hU.$hW:$h^.$h_+$hg5$hk$hk4$hp5$hx+$h-$jh&.$jhH6$jh5$jhF $jhe6$jhn.$v":$wfQN$O$x
API String ID: 190572456-3282903742
Opcode ID: 4fee255f0e0cb74610195759f7b1c23186476d750af5669b6115bab7f6853d4e
Instruction ID: c13c4885bb81ac621b0eaf20b1682f35575fac765c561e6189d64ab8957b976a
Opcode Fuzzy Hash: 4fee255f0e0cb74610195759f7b1c23186476d750af5669b6115bab7f6853d4e
Instruction Fuzzy Hash: 9593AD74900609EBE704DFA5FD897BD7BB5FB88310B11845AE580A33B5EB340A64EB47

Function 00CDA547 Relevance: 205.5, APIs: 85, Strings: 30, Instructions: 4234
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,?), ref: 00CDA5D9
GetProcAddress.KERNEL32(74DD0000,?), ref: 00CDA651
GetProcAddress.KERNEL32(74DD0000,?), ref: 00CDA6E0
GetProcAddress.KERNEL32(74DD0000,?), ref: 00CDA7CF
GetProcAddress.KERNEL32(74DD0000,?), ref: 00CDA895
GetProcAddress.KERNEL32(74DD0000,?), ref: 00CDA9D1
GetProcAddress.KERNEL32(74DD0000,?), ref: 00CDAA6B
GetProcAddress.KERNEL32(74DD0000,?), ref: 00CDAB67
GetProcAddress.KERNEL32(74DD0000,?), ref: 00CDAC47

Strings

f}?, xrefs: 00CDD295
jhF , xrefs: 00CDCBF2
hE:, xrefs: 00CDB42B
x, xrefs: 00CDE843
v":, xrefs: 00CDD12A
hU&, xrefs: 00CDB59B
h-, xrefs: 00CDCA96
wfQN, xrefs: 00CDC765, 00CDE429
O, xrefs: 00CDE96C
h7:, xrefs: 00CDC338
h*6, xrefs: 00CDD111
jhe6, xrefs: 00CDCD51
hW:, xrefs: 00CDCC62
hg5, xrefs: 00CDC238
hT4, xrefs: 00CDBAD2
hx+, xrefs: 00CDC45D
CB!, xrefs: 00CDC4BB
hp5, xrefs: 00CDD55A
h^., xrefs: 00CDB1C9
hU., xrefs: 00CDC760
hL+, xrefs: 00CDA836
hk4, xrefs: 00CDD81C
jhn., xrefs: 00CDAA92
C:\Users\user, xrefs: 00CDE1A3
h_+, xrefs: 00CDDAA7
hk, xrefs: 00CDE187
hB., xrefs: 00CDDED2
jh5, xrefs: 00CDC6B1
jh&., xrefs: 00CDA56A
A-1, xrefs: 00CDDF9A, 00CDDFCA

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: AddressProc
String ID: A-1$C:\Users\user$CB!$f}?$h*6$h7:$hB.$hE:$hL+$hT4$hU&$hU.$hW:$h^.$h_+$hg5$hk$hk4$hp5$hx+$h-$jh&.$jh5$jhF $jhe6$jhn.$v":$wfQN$O$x
API String ID: 190572456-1033628882
Opcode ID: 4aa95bd776224bdf9afecb9577af1717b5e55c17784163420377693a6569e47c
Instruction ID: d9d23e7fc226c0dcb79d885aa4fdbc7aa722d13068f032850e17ab92cd5c002e
Opcode Fuzzy Hash: 4aa95bd776224bdf9afecb9577af1717b5e55c17784163420377693a6569e47c
Instruction Fuzzy Hash: 5E93AD74900609EBE704DFA1FD897BD7BB5FB88310B11845AE581A33B5EB340A64EB47

Function 00CDBE53 Relevance: 130.5, APIs: 50, Strings: 23, Instructions: 2769
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00000000), ref: 00CDBF33
GetProcAddress.KERNEL32(74D60000,?), ref: 00CDC0E8
GetProcAddress.KERNEL32(74D60000,?), ref: 00CDC15F

Strings

f}?, xrefs: 00CDD295
CB!, xrefs: 00CDC4BB
hp5, xrefs: 00CDD55A
jhF , xrefs: 00CDCBF2
hU., xrefs: 00CDC760
x, xrefs: 00CDE843
v":, xrefs: 00CDD12A
h-, xrefs: 00CDCA96
hk4, xrefs: 00CDD81C
wfQN, xrefs: 00CDC765, 00CDE429
O, xrefs: 00CDE96C
C:\Users\user, xrefs: 00CDE1A3
h_+, xrefs: 00CDDAA7
hk, xrefs: 00CDE187
h7:, xrefs: 00CDC338
hB., xrefs: 00CDDED2
jh5, xrefs: 00CDC6B1
h*6, xrefs: 00CDD111
jhe6, xrefs: 00CDCD51
hW:, xrefs: 00CDCC62
hg5, xrefs: 00CDC238
hx+, xrefs: 00CDC45D
A-1, xrefs: 00CDDF9A, 00CDDFCA

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: A-1$C:\Users\user$CB!$f}?$h*6$h7:$hB.$hU.$hW:$h_+$hg5$hk$hk4$hp5$hx+$h-$jh5$jhF $jhe6$v":$wfQN$O$x
API String ID: 2238633743-46324631
Opcode ID: af0da04b664a494f390724287dd0ec0bbeb290f6d93fba19e66436d4c17440e3
Instruction ID: 16f0465c08c8ca9bdf77f77db1b8ca62be2eba0cb90f239daf5b717b53e5498b
Opcode Fuzzy Hash: af0da04b664a494f390724287dd0ec0bbeb290f6d93fba19e66436d4c17440e3
Instruction Fuzzy Hash: 48438F74900609EBE704DFA1FD497BD7BB5FB88310F21845AE581A23B5EB340A64EB47

Function 00CDBEEE Relevance: 130.5, APIs: 50, Strings: 23, Instructions: 2745
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00000000), ref: 00CDBF33
GetProcAddress.KERNEL32(74D60000,?), ref: 00CDC0E8
GetProcAddress.KERNEL32(74D60000,?), ref: 00CDC15F

Strings

f}?, xrefs: 00CDD295
CB!, xrefs: 00CDC4BB
hp5, xrefs: 00CDD55A
jhF , xrefs: 00CDCBF2
hU., xrefs: 00CDC760
x, xrefs: 00CDE843
v":, xrefs: 00CDD12A
h-, xrefs: 00CDCA96
hk4, xrefs: 00CDD81C
wfQN, xrefs: 00CDC765, 00CDE429
O, xrefs: 00CDE96C
C:\Users\user, xrefs: 00CDE1A3
h_+, xrefs: 00CDDAA7
hk, xrefs: 00CDE187
h7:, xrefs: 00CDC338
hB., xrefs: 00CDDED2
jh5, xrefs: 00CDC6B1
h*6, xrefs: 00CDD111
jhe6, xrefs: 00CDCD51
hW:, xrefs: 00CDCC62
hg5, xrefs: 00CDC238
hx+, xrefs: 00CDC45D
A-1, xrefs: 00CDDF9A, 00CDDFCA

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: A-1$C:\Users\user$CB!$f}?$h*6$h7:$hB.$hU.$hW:$h_+$hg5$hk$hk4$hp5$hx+$h-$jh5$jhF $jhe6$v":$wfQN$O$x
API String ID: 2238633743-46324631
Opcode ID: 076bfd13a32847c3e74df91672d5ba6b9f4b5696ceff529b031e57650608120e
Instruction ID: 6804cf83ae6fc4392139a124778e224ddd4bb22d3564039be99c09fe3e7524f3
Opcode Fuzzy Hash: 076bfd13a32847c3e74df91672d5ba6b9f4b5696ceff529b031e57650608120e
Instruction Fuzzy Hash: EF438E74900609EBE704DFA1FD497BD7BB5FB88310F21845AE581A23B5EB340A64EB47

Function 00CDC587 Relevance: 107.4, APIs: 41, Strings: 19, Instructions: 2379
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74D60000,?), ref: 00CDC632
GetProcAddress.KERNEL32(74D60000,?), ref: 00CDC69E
GetProcAddress.KERNEL32(74D60000,?), ref: 00CDC74B
GetProcAddress.KERNEL32(74D60000,?), ref: 00CDC7DE
GetProcAddress.KERNEL32(74D60000,?), ref: 00CDC891
GetProcAddress.KERNEL32(74D60000,?), ref: 00CDC97C

Strings

f}?, xrefs: 00CDD295
hp5, xrefs: 00CDD55A
jhF , xrefs: 00CDCBF2
hU., xrefs: 00CDC760
x, xrefs: 00CDE843
v":, xrefs: 00CDD12A
h-, xrefs: 00CDCA96
hk4, xrefs: 00CDD81C
wfQN, xrefs: 00CDC765, 00CDE429
O, xrefs: 00CDE96C
C:\Users\user, xrefs: 00CDE1A3
h_+, xrefs: 00CDDAA7
hk, xrefs: 00CDE187
hB., xrefs: 00CDDED2
jh5, xrefs: 00CDC6B1
h*6, xrefs: 00CDD111
jhe6, xrefs: 00CDCD51
hW:, xrefs: 00CDCC62
A-1, xrefs: 00CDDF9A, 00CDDFCA

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: AddressProc
String ID: A-1$C:\Users\user$f}?$h*6$hB.$hU.$hW:$h_+$hk$hk4$hp5$h-$jh5$jhF $jhe6$v":$wfQN$O$x
API String ID: 190572456-3613722682
Opcode ID: f3cf5a01744b9fc9f8cd72a664597734c2e5e091fbca8b27709ee3d2dec5aaaa
Instruction ID: 0f0f5bca5116552a4cef2954cadbc7c133583d139de044528db3413e6d941b21
Opcode Fuzzy Hash: f3cf5a01744b9fc9f8cd72a664597734c2e5e091fbca8b27709ee3d2dec5aaaa
Instruction Fuzzy Hash: 3F338D74900609EBDB04DFA1FD497BD7BB5FB88310B21845AE581A33B5EB340A64EB47

Function 00CD0D80 Relevance: 26.2, APIs: 11, Strings: 3, Instructions: 1701fileCOMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00CD1070
DeleteFileA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00CD1337
RemoveDirectoryA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00CD1444
CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000), ref: 00CD15BA
CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00CD17C7
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CD1DD6
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CD1E83
GetTempPathA.KERNEL32(00000104,00000000,?,?,?,?,?,00000000), ref: 00CD222B
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00CD247F
GetTempPathA.KERNEL32(00000104,00000000,?,?,?,?,?,00000000), ref: 00CD270C
SetFileAttributesA.KERNELBASE(00000000,00000002,?,?,?,?,?,?,00000000), ref: 00CD28B9

Strings

C:\Users\user, xrefs: 00CD1AE8, 00CD1C31
\, xrefs: 00CD2314
A-1, xrefs: 00CD115F, 00CD1165

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemove
String ID: A-1$C:\Users\user$\
API String ID: 2326410248-1223462428
Opcode ID: e42a8ded97272a7d6674edef392727735ec4f46d21dbd9352c0ad4e7565b08fe
Instruction ID: f71a2916962c305a412b3794b6618f44306212c1ab933eff1c4b069704839725
Opcode Fuzzy Hash: e42a8ded97272a7d6674edef392727735ec4f46d21dbd9352c0ad4e7565b08fe
Instruction Fuzzy Hash: 30F2C070900609DBEB04DF61FD587BC3BB5FB98310F21859AD985A32B5EB310AA4DB47

Function 00CEDFE0 Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 443
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,000000FF), ref: 00CEE0FE
ReadFile.KERNELBASE(00000000,00000000,?,?,00000000,?,?,?,?,000000FF), ref: 00CEE219
CloseHandle.KERNELBASE(00000000,?,?,?,?,000000FF), ref: 00CEE252
GetTickCount.KERNEL32 ref: 00CEE2E3
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00CEE592
WriteFile.KERNELBASE(00000000,000000FF,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00CEE62B
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00CEE644

Strings

}*@o, xrefs: 00CEE56F
{foQ, xrefs: 00CEE5B0
*?|r, xrefs: 00CEE53E

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID: *?|r${foQ$}*@o
API String ID: 3478262135-1153267046
Opcode ID: 27b3ce2ed6395d5164d1033b5a76545c0478294c1d865c411428e544819b7914
Instruction ID: 9d19447f31fce220b87f38116d387527628548ef66da5eedde2fed54f6593083
Opcode Fuzzy Hash: 27b3ce2ed6395d5164d1033b5a76545c0478294c1d865c411428e544819b7914
Instruction Fuzzy Hash: 330221B0900609DBDB049F65FD887BD7FB6FB98301F218459E881932B4EB350AA4CB57

Function 00CBCEB0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 200
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(00002E0F,012BDA58,00000000,00000000,00000000,00000008,00000000,00000000,00000044,00000000,?,?,?,?,?,00000000), ref: 00CBD02A
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 00CBD04E
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00CBD0C9

Strings

D, xrefs: 00CBCF2E

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: e80731b82027ddd1a712f129b4c6a19c6101f197bb35c5899dd05fffb18c8f77
Instruction ID: dd96b830959e0ef3662364c3ce4e684bf8bbe231e0a997027fbab7813ef94da3
Opcode Fuzzy Hash: e80731b82027ddd1a712f129b4c6a19c6101f197bb35c5899dd05fffb18c8f77
Instruction Fuzzy Hash: A081DF70901619DBE700AFA1FD887BD3B71FB44314F228549E582A72B8FB350965DB87

Function 00CD3C00 Relevance: 4.8, APIs: 3, Instructions: 323
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000000,00000000,?,FFFFFFFF,00000000,?,?,?,?,00000000,?), ref: 00CD3D9D
WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000), ref: 00CD3FC3
CloseHandle.KERNEL32(00000000), ref: 00CD410F

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 45f781d01f18258191df29731a1d7c86348771dad47e7b201e9fb4518f8eac5c
Instruction ID: 7d4f062b2e08e8a6356efa725492741b4c2e3ceae9a6d7a4e4d552413df99453
Opcode Fuzzy Hash: 45f781d01f18258191df29731a1d7c86348771dad47e7b201e9fb4518f8eac5c
Instruction Fuzzy Hash: B1D1E371900609DBE7049FA4FD883BD3F75FB98710B218959E981932B4EB314A64DF47

Function 00CD7B30 Relevance: 3.1, APIs: 2, Instructions: 62
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00CB650A,00CB650A,00CC435B), ref: 00CD7BF9
RtlFreeHeap.NTDLL(00000000), ref: 00CD7C00

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 2c8d79c2f2f2dea449b1b6d09cc5957f5f297d9487bab20db608adfccfe37e25
Instruction ID: 96eb2f22c2606d92b2aca83df99c4054f18bcc0d54912cc8901e9954c1ff40a9
Opcode Fuzzy Hash: 2c8d79c2f2f2dea449b1b6d09cc5957f5f297d9487bab20db608adfccfe37e25
Instruction Fuzzy Hash: CE216875805208EBD710DFA4EA483BC7FB5F754721B22825AD94563270EB350A64DB93

Function 00CBACD0 Relevance: 3.0, APIs: 2, Instructions: 28
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(00CEEC02,00000000,00CEEC02,?), ref: 00CBAD0C
CharLowerBuffA.USER32(00CEEC02,00000000), ref: 00CBAD14

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID:
API String ID: 794975171-0
Opcode ID: 8035ffba9dcdb56021dd6fdf384efca5a6d302de8162e8be5fd7de1fcae5b3d1
Instruction ID: 17f759ab74f3074a4c4ccee10256212732dbbe7dac60ebd7eec64b9291f41fdd
Opcode Fuzzy Hash: 8035ffba9dcdb56021dd6fdf384efca5a6d302de8162e8be5fd7de1fcae5b3d1
Instruction Fuzzy Hash: 19F03478901218FB8B00EFA5EA487AD7BB8FF09310B008185EC4093321CB309A10CB93

Function 00CECAC0 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00CECB26

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: ddd9c6568ee742f3b125d016af2396b4975608b66c72feefe922df6810a4897e
Instruction ID: 7f0b67fa080a9c7ba1587ab703d44e0ea246ccd89f098c8b25514cc5d43d3b9f
Opcode Fuzzy Hash: ddd9c6568ee742f3b125d016af2396b4975608b66c72feefe922df6810a4897e
Instruction Fuzzy Hash: 37F0583410060ACBC708AFB4FC0873D7F79FB84700B228529D88083234EB344969DB83

Function 00CC435B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 00CC4387

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: d24602cd8b013ebee407631d2fbfae82f12b2c750eaa7679e50055e315b7a6c5
Instruction ID: d3fc06c0a25ec77d6b3eeb4bb4835f862523ba75e99f8b7c21bba80fa41525e1
Opcode Fuzzy Hash: d24602cd8b013ebee407631d2fbfae82f12b2c750eaa7679e50055e315b7a6c5
Instruction Fuzzy Hash: C1D01235440535DAC3407FB6FE4C73D3E65BA40B21301514AF489D12B0DE70445CE757

Non-executed Functions

Function 00CB7DA0 Relevance: 12.2, APIs: 8, Instructions: 222serviceCOMMON

Download Yara Rule

APIs

CreateServiceA.ADVAPI32(00000000,012B3C08,012B3C08,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00CB7E74
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00CB7EF3
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00CB7F2A
CloseServiceHandle.ADVAPI32(00000000), ref: 00CB7F4E
OpenServiceA.ADVAPI32(00000000,012B3C08,00000010), ref: 00CB7FB2
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00CB804A
CloseServiceHandle.ADVAPI32(00000000), ref: 00CB8063
CloseServiceHandle.ADVAPI32(00000000), ref: 00CB8098

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: Service$CloseHandle$Start$ChangeConfig2CreateOpen
String ID:
API String ID: 229943926-0
Opcode ID: e24d7c697f545c4e189785551a0ef667d93ee268917192887bf9a5835cd88a16
Instruction ID: 12e5dfe38952073376561d7f7f936e5cd34ac53374213e441419513fb858dd34
Opcode Fuzzy Hash: e24d7c697f545c4e189785551a0ef667d93ee268917192887bf9a5835cd88a16
Instruction Fuzzy Hash: DEA1AD74804619EBE7009FA1FC887FC7F75FB98711F12858AE885A22B0EB3105A4CB47

Function 00CEE950 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 341processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000,00000001), ref: 00CEEAE8
OpenProcess.KERNEL32(00000002,00000000,?), ref: 00CEECC0
CloseHandle.KERNEL32(00000000), ref: 00CEED5F
Process32Next.KERNEL32(00000000,00000128), ref: 00CEEE38
CloseHandle.KERNEL32(00000000), ref: 00CEEE7C

Strings

wfQN, xrefs: 00CEECF4

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: CloseHandle$CreateNextOpenProcessProcess32SnapshotToolhelp32
String ID: wfQN
API String ID: 1219847958-2838687785
Opcode ID: 507c22c615fcb40015b2959eedd9f0db7ab03674239ff4651721f705450ab864
Instruction ID: 22af3dda27ea287cb8cf7d15086f82bfb7288dde59a9c6e5b9400ef6cce8fe42
Opcode Fuzzy Hash: 507c22c615fcb40015b2959eedd9f0db7ab03674239ff4651721f705450ab864
Instruction Fuzzy Hash: E0E1E270900619DBD700DF62FD8C7BC7FB1FB98350B218999D881A22B5EB354AA4DB47

Function 00CCD280 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 509serviceCOMMON

Download Yara Rule

APIs

EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000), ref: 00CCD5BC
GetLastError.KERNEL32 ref: 00CCD5E5
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 00CCD6F7

Strings

wfQN, xrefs: 00CCD8C1

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: EnumServicesStatus$ErrorLast
String ID: wfQN
API String ID: 1500475886-2838687785
Opcode ID: 02541c5f478ff19cb1931050e34564366a06c3315391754550afec294706c6a6
Instruction ID: 50334a08d6e1d101f6b029b66722d80a2190a5eb4317e715898c83fdb98fcff0
Opcode Fuzzy Hash: 02541c5f478ff19cb1931050e34564366a06c3315391754550afec294706c6a6
Instruction Fuzzy Hash: 1632AFB4D01609EBD704DF61FE887BC7BB5FB98310B21845AD485A22B4EB314A64DF47

Function 00CD8230 Relevance: 4.6, APIs: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,00CE6CE7,?,?,?,?,00CBF288), ref: 00CD82F2
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,00CE6CE7,?,?,?,?,00CBF288), ref: 00CD8312
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CD8390

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: Time$System$FileUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 1858273683-0
Opcode ID: dfcc31ec33f2975551f33c8a4941a6c704d5a897c9cc4ed411397c5c09c71c5a
Instruction ID: 4b548671314744c7ee0a06960f5890fddc1cc8801d5731f202f033c29632df13
Opcode Fuzzy Hash: dfcc31ec33f2975551f33c8a4941a6c704d5a897c9cc4ed411397c5c09c71c5a
Instruction Fuzzy Hash: C9515A7490560ADBDB04DFA1FD887BD7B75FB88310B218646E981A3274EB304A64CB47

Function 00CCF079 Relevance: 1.8, APIs: 1, Instructions: 304networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000009,?,00000400,00000000), ref: 00CCF0A4
closesocket.WS2_32(00000009), ref: 00CCF642

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: closesocketrecv
String ID:
API String ID: 485150354-0
Opcode ID: 8665f7192676b2b903ab3f1cdf7627ad35655a1fa59be226ca06fd3fdace7e6d
Instruction ID: 3888adda7b8908e4e7407df6cc207024a96ca5783610f452cc383b6075af1dca
Opcode Fuzzy Hash: 8665f7192676b2b903ab3f1cdf7627ad35655a1fa59be226ca06fd3fdace7e6d
Instruction Fuzzy Hash: F0D1B070A00608DBDB04DFA1FD887BD7B76FB98700F22846DE585922B5EB3046A5DB47

Function 00CC7DE0 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 00CC7E71

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID:
API String ID: 3789849863-0
Opcode ID: 33153b238bc014fe0e0c6720912befbd5f6391a4ce70ea23581ba03966a7dde0
Instruction ID: cc6bf4c64e01787d7a0cbe662ed8e0397414bf5d082fb763333c24359c69e819
Opcode Fuzzy Hash: 33153b238bc014fe0e0c6720912befbd5f6391a4ce70ea23581ba03966a7dde0
Instruction Fuzzy Hash: 28117934804609DBDB04DFA4ED583BD7FB1FB89720B218559C894A32B4D73506A5CB97

Function 00CC9AC0 Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e211720189cc5632d7be0b9fd54c7f8963361ad49e92c6da6d434ec3871e9f
Instruction ID: 47b0030b24b2f35eed01b22e8e352edad28d9ac93ac9491b38478070ca8eaf07
Opcode Fuzzy Hash: 94e211720189cc5632d7be0b9fd54c7f8963361ad49e92c6da6d434ec3871e9f
Instruction Fuzzy Hash: 3722AD70A00609DBDB049F66FD883BC7FB2FB88354B228559D481932B9EB314965DF87

Function 00CCA300 Relevance: 12.4, APIs: 8, Instructions: 360registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(012B3C08,Function_000114E0), ref: 00CCA47B
SetServiceStatus.ADVAPI32(00000000,00CFE9BC), ref: 00CCA590
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CCA5A6
SetServiceStatus.ADVAPI32(00000000,00CFE9BC), ref: 00CCA636
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00CCA6CB
SetServiceStatus.ADVAPI32(00000000,00CFE9BC), ref: 00CCA7A6
CloseHandle.KERNEL32(00000000), ref: 00CCA7D3
SetServiceStatus.ADVAPI32(00000000,00CFE9BC), ref: 00CCA8E5

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID:
API String ID: 3399922960-0
Opcode ID: 8ded6289a64bcb6da2d1e35af2d0734861adb72d4eddef59201e92e10f68d3dc
Instruction ID: 06463f9ded9e977e7e8183050ccf6994f995a448ee9efebb84213e0df133430a
Opcode Fuzzy Hash: 8ded6289a64bcb6da2d1e35af2d0734861adb72d4eddef59201e92e10f68d3dc
Instruction Fuzzy Hash: C1F18C70901609DBE704DF65FE887BC3FB5FB98314B21855AD981932B4EB340A68EB07

Function 00CEA650 Relevance: 9.2, APIs: 6, Instructions: 244filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00CEA728
GetFileTime.KERNEL32(00000000,?,?,?), ref: 00CEA7F1
CloseHandle.KERNEL32(00000000), ref: 00CEA810
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CEA8FB
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00CEA94E
CloseHandle.KERNEL32(00000000), ref: 00CEA990

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3236713533-0
Opcode ID: 8cc7bc0b2352c2c8ade4a3935913e7eb14881369e171dcfba4e95a718c47a886
Instruction ID: d4c96e510f84f2922c616d761cdac5b5abe3cc9f059e8a68c00d3293b23ae323
Opcode Fuzzy Hash: 8cc7bc0b2352c2c8ade4a3935913e7eb14881369e171dcfba4e95a718c47a886
Instruction Fuzzy Hash: E7A1CE70900219DFD704DFA9FD887BC7BB5FB88720B21855AE884932B4EB345A64DB53

Function 00CBAFE0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 304fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CBB0FE
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00CBB1A5
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00CBB2BD
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00CBB30B

Strings

wfQN, xrefs: 00CBB0C7

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: CloseFileHandle$CreateRead
String ID: wfQN
API String ID: 2564258376-2838687785
Opcode ID: c8dd40bf4e17db063900bd77502602afb5a0b8e4173500e30928c3815b9bb349
Instruction ID: feff51854e4250758ad477cbeff64ec46bf66a01a813f151bc6d9313b89a8709
Opcode Fuzzy Hash: c8dd40bf4e17db063900bd77502602afb5a0b8e4173500e30928c3815b9bb349
Instruction Fuzzy Hash: 95D1AE70900608DBDB04DFA5FD887BD3B75FB88310F21815AE581922B4EB705A64EB57

Function 00CBBF59 Relevance: 7.8, APIs: 5, Instructions: 259processCOMMON

Download Yara Rule

APIs

Part of subcall function 00CE8340: lstrlenA.KERNEL32(?,?,?,00CB7D41,?,?), ref: 00CE83A7

CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00CBC157
Module32First.KERNEL32(00000000,00000224), ref: 00CBC1FE

Part of subcall function 00CCADE0: wvsprintfA.USER32(00002E0F,?,?), ref: 00CCAF24

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32lstrlenwvsprintf
String ID:
API String ID: 3143976151-0
Opcode ID: a2a968504baf00a58537d306637c4648eeeb094b40f721db6d28e84655b7f5cd
Instruction ID: 818349c9053e1f3c1eabc0f39961fa6fe7d31cd3124e0f29d9a666bcb7614141
Opcode Fuzzy Hash: a2a968504baf00a58537d306637c4648eeeb094b40f721db6d28e84655b7f5cd
Instruction Fuzzy Hash: 45B1AB70901218DBDB14DFA5FE887BC7BB1FB88310F228459E845A32B4EB340A64DB13

Function 00CC7A60 Relevance: 7.6, APIs: 5, Instructions: 127synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000001,00000001,00CEC80C), ref: 00CC7B1E
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00CC7B87
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CC7BA0
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00CC7BDF
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CC7BFA

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: d2a73283792330c9707bada9691185db828cb418a486ef9d8d749eb041940344
Instruction ID: f81ca361dd16d2ff61e6e1a3e64128ce94c089f554f3d011ca0fb1aff7db0dc4
Opcode Fuzzy Hash: d2a73283792330c9707bada9691185db828cb418a486ef9d8d749eb041940344
Instruction Fuzzy Hash: 6D51B870500218EBE7049F26FD487BD3BB5FB98722F11C51AE8888A2B4EB744560DF13

Function 00CB8350 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 469sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00CB87E0
Sleep.KERNEL32(00015F90), ref: 00CB8A0F

Strings

$y0, xrefs: 00CB89AC
wfQN, xrefs: 00CB8878

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: FileModuleNameSleep
String ID: wfQN$$y0
API String ID: 4084727719-2136385076
Opcode ID: fdc861534b27ff7d51e3a2694d706a632fcfa5cc619a920d432561fbdbab3da9
Instruction ID: 8249ee2c2c8bf753a0e91614241333aa31b33a165fd4e0ba8dd12fa7528fa677
Opcode Fuzzy Hash: fdc861534b27ff7d51e3a2694d706a632fcfa5cc619a920d432561fbdbab3da9
Instruction Fuzzy Hash: A112DE70900619EBDB04DF65FD887BD7BB5FB98310F21859AE481932B5EB300A64EB47

Function 00CC95B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 166registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,00000000,?), ref: 00CC9700
RegSetValueExA.ADVAPI32(?,012AFC10,00000000,00000001,?,00000000), ref: 00CC97AE
RegCloseKey.ADVAPI32(?), ref: 00CC9832

Strings

ue[, xrefs: 00CC9618

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: CloseOpenValue
String ID: ue[
API String ID: 779948276-739068366
Opcode ID: 51fc38544ffed961ad06b35f9f10f01712f8e225930bce4b9ef6d88f13b4909b
Instruction ID: 61a1228dd5c844b666a76b80932f45a8145f0c9459e9547a70e9247307f310cf
Opcode Fuzzy Hash: 51fc38544ffed961ad06b35f9f10f01712f8e225930bce4b9ef6d88f13b4909b
Instruction Fuzzy Hash: A161DC30900619EBEB00AFA5FD887FD3B75FB98715B21444AE885923B4EB3245A4CB57

Function 00CB9C20 Relevance: 5.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?), ref: 00CB9CBF
HeapReAlloc.KERNEL32(00000000), ref: 00CB9CC6
GetProcessHeap.KERNEL32(00000000,?), ref: 00CB9CF0
HeapAlloc.KERNEL32(00000000), ref: 00CB9CF7

Memory Dump Source

Source File: 00000000.00000002.1773386379.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1773374953.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773412479.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773426693.0000000000CFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1773439303.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_Z4KBs1USsJ.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: c2e894ce1e28ef2e7da965fa8cbe08750444c2e56a7c3ebca34b3a3f830e0e95
Instruction ID: acc9772fe7f4612090a52a3d4cd04a56dcf069de03988c4293159c2ca6920651
Opcode Fuzzy Hash: c2e894ce1e28ef2e7da965fa8cbe08750444c2e56a7c3ebca34b3a3f830e0e95
Instruction Fuzzy Hash: B9214A74905609E7DB00AFA1FD087BD3F74FB49311F108585E98992374EB3246A8CB97

Analysis Process: nflzf2rny8bxnz25kz2r.exePID: 7456, Parent PID: 7408COMMON

Execution Graph

Execution Coverage:	32.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	19

Executed Functions

Function 003DCBD0 Relevance: 19.2, APIs: 12, Instructions: 1228
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000,?,?,?,?,?,00000001), ref: 003DCF42
GetProcAddress.KERNEL32(00000000,00000000), ref: 003DD041
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 003DD0E9
HeapAlloc.KERNEL32(?,00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 003DD17C
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 003DD1D7
GetAdaptersInfo.IPHLPAPI(00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 003DD2BD
HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 003DD33C
HeapAlloc.KERNEL32(?,00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 003DD404
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 003DD441
GetAdaptersInfo.IPHLPAPI(00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 003DD4C8
HeapFree.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 003DDEB5
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 003DDF43

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: Free$Library$Heap$AdaptersAllocInfo$AddressLoadProc
String ID:
API String ID: 2823868357-0
Opcode ID: 750660c665cb57c57d8154d8c98776c7155b98cc1d852f44abb8b08a1e9a4f44
Instruction ID: d5ea9110611ead239af1c36cb727fd95b41da136759344b0e1c4b5a5e16c122e
Opcode Fuzzy Hash: 750660c665cb57c57d8154d8c98776c7155b98cc1d852f44abb8b08a1e9a4f44
Instruction Fuzzy Hash: 19C2B075900699CBD7239F61FDC82A83B7CFB99310F124B5AD4856E2F8EB3148A4CB45

Function 003A7DA0 Relevance: 13.7, APIs: 9, Instructions: 222
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.SECHOST(00000000,00000000,00000002), ref: 003A7E23
CreateServiceA.ADVAPI32(00000000,009C02F0,009C02F0,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 003A7E74
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 003A7EF3
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 003A7F2A
CloseServiceHandle.ADVAPI32(00000000), ref: 003A7F4E
OpenServiceA.ADVAPI32(00000000,009C02F0,00000010), ref: 003A7FB2
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 003A804A
CloseServiceHandle.ADVAPI32(00000000), ref: 003A8063
CloseServiceHandle.ADVAPI32(00000000), ref: 003A8098

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: e70b3c0292e5703dba5c2772ef78d04872591586a6fa321edd6fe6e15fd64f24
Instruction ID: f3f170e23c6a6e56b6c0c0aecf6bf605bd840502c97c42cafb4baebd99b6c26a
Opcode Fuzzy Hash: e70b3c0292e5703dba5c2772ef78d04872591586a6fa321edd6fe6e15fd64f24
Instruction Fuzzy Hash: 61A16A38804699EBD7329F61FCC96A87B7CFB59711F118B9AE9816E2E4D7310590CB40

Function 003C915F Relevance: 266.1, APIs: 113, Strings: 36, Instructions: 5361libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(74DD0000,?), ref: 003C91B1
GetProcAddress.KERNEL32(74DD0000,?), ref: 003C927C
GetProcAddress.KERNEL32(74DD0000,?), ref: 003C9341

Strings

x, xrefs: 003CE843
h^., xrefs: 003CB1C9
jhH6, xrefs: 003CA26F
H)p, xrefs: 003C915F, 003CCFA7, 003CCFAD, 003CDE3C, 003CDE50
hT4, xrefs: 003CBAD2
hk4, xrefs: 003CD81C
jh&., xrefs: 003CA56A
jhn., xrefs: 003CAA92
jh5, xrefs: 003CC6B1
h_+, xrefs: 003CDAA7
hE:, xrefs: 003CB42B
hL+, xrefs: 003CA836
f}?, xrefs: 003CD295
C:\Users\user, xrefs: 003CE1A3
O, xrefs: 003CE96C
h-, xrefs: 003CCA96
jhe6, xrefs: 003CCD51
hx+, xrefs: 003CC45D
jhE4, xrefs: 003C9F4D
hU., xrefs: 003CC760
hg5, xrefs: 003CC238
ht6, xrefs: 003C9BE9
v":, xrefs: 003CD12A
h7:, xrefs: 003CC338
h2., xrefs: 003CA348
hU&, xrefs: 003CB59B
h$, xrefs: 003C9E6F
hB., xrefs: 003CDED2
h*6, xrefs: 003CD111
h{4, xrefs: 003CA131
CB!, xrefs: 003CC4BB
hW:, xrefs: 003CCC62
hk, xrefs: 003CE187
jhF , xrefs: 003CCBF2
hb&, xrefs: 003C9C89
hp5, xrefs: 003CD55A

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: AddressProc
String ID: C:\Users\user$CB!$H)p$f}?$h*6$h2.$h7:$hB.$hE:$hL+$hT4$hU&$hU.$hW:$h^.$h_+$hb&$hg5$hk$hk4$hp5$ht6$hx+$h{4$h$$h-$jh&.$jhH6$jh5$jhE4$jhF $jhe6$jhn.$v":$O$x
API String ID: 190572456-3070330483
Opcode ID: 0ccb2dc7e784d0bbea0532a363269e1a5366bfa6856f691292c86c1d06d56b06
Instruction ID: 892e28735a6eeb60fe95ab3cd8d48de4c98a1072b459c19981c9a034d7c4b65b
Opcode Fuzzy Hash: 0ccb2dc7e784d0bbea0532a363269e1a5366bfa6856f691292c86c1d06d56b06
Instruction Fuzzy Hash: 21B3AE74900689EBDB23DF61FDC56A97BBCFB88310F118B59E540AE2E8E7314960DB44

Function 003CA25E Relevance: 214.4, APIs: 89, Strings: 31, Instructions: 4394
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,?), ref: 003CA2B5
GetProcAddress.KERNEL32(74DD0000,?), ref: 003CA332
GetProcAddress.KERNEL32(74DD0000,?), ref: 003CA406
GetProcAddress.KERNEL32(74DD0000,?), ref: 003CA4E1
GetProcAddress.KERNEL32(74DD0000,?), ref: 003CA5D9

Strings

x, xrefs: 003CE843
h^., xrefs: 003CB1C9
jhH6, xrefs: 003CA26F
H)p, xrefs: 003CCFA7, 003CCFAD, 003CDE3C, 003CDE50
hT4, xrefs: 003CBAD2
hk4, xrefs: 003CD81C
jh&., xrefs: 003CA56A
jhn., xrefs: 003CAA92
jh5, xrefs: 003CC6B1
h_+, xrefs: 003CDAA7
hE:, xrefs: 003CB42B
hL+, xrefs: 003CA836
f}?, xrefs: 003CD295
C:\Users\user, xrefs: 003CE1A3
O, xrefs: 003CE96C
h-, xrefs: 003CCA96
jhe6, xrefs: 003CCD51
hx+, xrefs: 003CC45D
hU., xrefs: 003CC760
hg5, xrefs: 003CC238
v":, xrefs: 003CD12A
h7:, xrefs: 003CC338
h2., xrefs: 003CA348
hU&, xrefs: 003CB59B
hB., xrefs: 003CDED2
h*6, xrefs: 003CD111
CB!, xrefs: 003CC4BB
hW:, xrefs: 003CCC62
hk, xrefs: 003CE187
jhF , xrefs: 003CCBF2
hp5, xrefs: 003CD55A

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: AddressProc
String ID: C:\Users\user$CB!$H)p$f}?$h*6$h2.$h7:$hB.$hE:$hL+$hT4$hU&$hU.$hW:$h^.$h_+$hg5$hk$hk4$hp5$hx+$h-$jh&.$jhH6$jh5$jhF $jhe6$jhn.$v":$O$x
API String ID: 190572456-2386322326
Opcode ID: 4eb372c71aa8c533891817b7c0796f031050e1e06cb35c16a785dfd12a8485d1
Instruction ID: 8dbdb6ac24510656c8ac0881412f271b7fead7befb4bc9528b9a2ceaf35bcb43
Opcode Fuzzy Hash: 4eb372c71aa8c533891817b7c0796f031050e1e06cb35c16a785dfd12a8485d1
Instruction Fuzzy Hash: 4993AF74900689EBDB23DF61FDC56A97BBCFB88310F118B59D580AE2E8E7314960DB44

Function 003CBE53 Relevance: 128.8, APIs: 50, Strings: 22, Instructions: 2769
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00000000), ref: 003CBF33
GetProcAddress.KERNEL32(74D60000,?), ref: 003CC0E8
GetProcAddress.KERNEL32(74D60000,?), ref: 003CC15F

Strings

x, xrefs: 003CE843
H)p, xrefs: 003CCFA7, 003CCFAD, 003CDE3C, 003CDE50
hx+, xrefs: 003CC45D
hU., xrefs: 003CC760
hg5, xrefs: 003CC238
v":, xrefs: 003CD12A
h7:, xrefs: 003CC338
hk4, xrefs: 003CD81C
hB., xrefs: 003CDED2
h*6, xrefs: 003CD111
jh5, xrefs: 003CC6B1
h_+, xrefs: 003CDAA7
CB!, xrefs: 003CC4BB
f}?, xrefs: 003CD295
hW:, xrefs: 003CCC62
C:\Users\user, xrefs: 003CE1A3
h-, xrefs: 003CCA96
O, xrefs: 003CE96C
hk, xrefs: 003CE187
jhF , xrefs: 003CCBF2
jhe6, xrefs: 003CCD51
hp5, xrefs: 003CD55A

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: C:\Users\user$CB!$H)p$f}?$h*6$h7:$hB.$hU.$hW:$h_+$hg5$hk$hk4$hp5$hx+$h-$jh5$jhF $jhe6$v":$O$x
API String ID: 2238633743-3835535775
Opcode ID: 368ef49c806de35ee850b04d0c7de7bb982cc1d38476c1c1ffa9378ef21dd2f1
Instruction ID: 71ee29dace2b77f023d568f11751385ebe73805a8fd1a51862ba30a3271d62a3
Opcode Fuzzy Hash: 368ef49c806de35ee850b04d0c7de7bb982cc1d38476c1c1ffa9378ef21dd2f1
Instruction Fuzzy Hash: 8F439D74900689EBDB27DF61FDC96A97BBCFB88310F118759D580AE2E8D7304A60DB44

Function 003CBEEE Relevance: 128.7, APIs: 50, Strings: 22, Instructions: 2745
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00000000), ref: 003CBF33
GetProcAddress.KERNEL32(74D60000,?), ref: 003CC0E8
GetProcAddress.KERNEL32(74D60000,?), ref: 003CC15F

Strings

x, xrefs: 003CE843
H)p, xrefs: 003CCFA7, 003CCFAD, 003CDE3C, 003CDE50
hx+, xrefs: 003CC45D
hU., xrefs: 003CC760
hg5, xrefs: 003CC238
v":, xrefs: 003CD12A
h7:, xrefs: 003CC338
hk4, xrefs: 003CD81C
hB., xrefs: 003CDED2
h*6, xrefs: 003CD111
jh5, xrefs: 003CC6B1
h_+, xrefs: 003CDAA7
CB!, xrefs: 003CC4BB
f}?, xrefs: 003CD295
hW:, xrefs: 003CCC62
C:\Users\user, xrefs: 003CE1A3
h-, xrefs: 003CCA96
O, xrefs: 003CE96C
hk, xrefs: 003CE187
jhF , xrefs: 003CCBF2
jhe6, xrefs: 003CCD51
hp5, xrefs: 003CD55A

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: C:\Users\user$CB!$H)p$f}?$h*6$h7:$hB.$hU.$hW:$h_+$hg5$hk$hk4$hp5$hx+$h-$jh5$jhF $jhe6$v":$O$x
API String ID: 2238633743-3835535775
Opcode ID: f2dd9619db80dce984ec7e2fbb72fe5813ba84a533303eb56438bc550f087e60
Instruction ID: c113533bc37152e483fc10a836292ecd6cf196f7918a46303ad00abcfd897953
Opcode Fuzzy Hash: f2dd9619db80dce984ec7e2fbb72fe5813ba84a533303eb56438bc550f087e60
Instruction Fuzzy Hash: 93438C74900689EBDB27DF61FDC96A97BBCFB88310F118759D580AE2E8D7304A60DB44

Function 003CC587 Relevance: 105.6, APIs: 41, Strings: 18, Instructions: 2379
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74D60000,?), ref: 003CC632
GetProcAddress.KERNEL32(74D60000,?), ref: 003CC69E
GetProcAddress.KERNEL32(74D60000,?), ref: 003CC74B
GetProcAddress.KERNEL32(74D60000,?), ref: 003CC7DE
GetProcAddress.KERNEL32(74D60000,?), ref: 003CC891
GetProcAddress.KERNEL32(74D60000,?), ref: 003CC97C

Strings

x, xrefs: 003CE843
H)p, xrefs: 003CCFA7, 003CCFAD, 003CDE3C, 003CDE50
hU., xrefs: 003CC760
v":, xrefs: 003CD12A
hk4, xrefs: 003CD81C
hB., xrefs: 003CDED2
h*6, xrefs: 003CD111
jh5, xrefs: 003CC6B1
h_+, xrefs: 003CDAA7
f}?, xrefs: 003CD295
hW:, xrefs: 003CCC62
C:\Users\user, xrefs: 003CE1A3
h-, xrefs: 003CCA96
O, xrefs: 003CE96C
hk, xrefs: 003CE187
jhF , xrefs: 003CCBF2
jhe6, xrefs: 003CCD51
hp5, xrefs: 003CD55A

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: AddressProc
String ID: C:\Users\user$H)p$f}?$h*6$hB.$hU.$hW:$h_+$hk$hk4$hp5$h-$jh5$jhF $jhe6$v":$O$x
API String ID: 190572456-3353252868
Opcode ID: 332a04ca1c414478c498f425c6edb9638f0d521388430ab4a4e56ffa845dcf5f
Instruction ID: d2637d960d5597b1137f4e1310d43d5358c294e79b7ca7d8064598d6a1cff88f
Opcode Fuzzy Hash: 332a04ca1c414478c498f425c6edb9638f0d521388430ab4a4e56ffa845dcf5f
Instruction Fuzzy Hash: 0F337C74900689EBDB27DF61FDC96A97BBCFB88310F118759D580AE2E8D7304A60DB44

Function 003C0D80 Relevance: 24.5, APIs: 11, Strings: 2, Instructions: 1701fileCOMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 003C1070
DeleteFileA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 003C1337
RemoveDirectoryA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 003C1444
CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000), ref: 003C15BA
CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 003C17C7
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 003C1DD6
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 003C1E83
GetTempPathA.KERNEL32(00000104,00000000,?,?,?,?,?,00000000), ref: 003C222B
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 003C247F
GetTempPathA.KERNEL32(00000104,00000000,?,?,?,?,?,00000000), ref: 003C270C
SetFileAttributesA.KERNELBASE(00000000,00000002,?,?,?,?,?,?,00000000), ref: 003C28B9

Strings

\, xrefs: 003C2314
C:\Users\user, xrefs: 003C1AE8, 003C1C31

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemove
String ID: C:\Users\user$\
API String ID: 2326410248-732849219
Opcode ID: 3253b0b549e0f0001ed16fd7b4fd77f1df3920755fe2b75aab4611022b3f24f8
Instruction ID: a1d83b4ba8805df52fe190b1752a4709b016df16e86cead67404e645c33ae6be
Opcode Fuzzy Hash: 3253b0b549e0f0001ed16fd7b4fd77f1df3920755fe2b75aab4611022b3f24f8
Instruction Fuzzy Hash: DBF2DF74900689DBDB279F61FDC86A93B7CFB89310F114B59D581AE2F8EB3109A4DB40

Function 003D01C6 Relevance: 23.6, APIs: 12, Strings: 1, Instructions: 884
sleepfilethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 003D01FE
CloseHandle.KERNEL32(000000C8), ref: 003D0568
SetFileAttributesA.KERNELBASE(?,00000080), ref: 003D05A5
CopyFileA.KERNEL32(?,?,00000000), ref: 003D0679
SetFileAttributesA.KERNELBASE(?,00000002), ref: 003D06A8
Sleep.KERNELBASE(000003E8), ref: 003D0850

Part of subcall function 003DE950: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000,00000001), ref: 003DEAE8

Sleep.KERNEL32(000007D0), ref: 003D0A11
SetFileAttributesA.KERNEL32(C:\trshmfqlcbpta\yrykdhhlfqp.exe,00000080), ref: 003D0A76
CopyFileA.KERNEL32(?,C:\trshmfqlcbpta\yrykdhhlfqp.exe,00000000), ref: 003D0A96
SetFileAttributesA.KERNEL32(C:\trshmfqlcbpta\yrykdhhlfqp.exe,00000002), ref: 003D0ACF

Part of subcall function 003B68C0: CreateFileA.KERNEL32(00001D9F,80000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,00001D9F,00000003), ref: 003B6AA4

CreateThread.KERNEL32(00000000,00000000,Function_0000EF70,00000000,00000000,00000000), ref: 003D0ECE
Sleep.KERNEL32(0000C350), ref: 003D10F4

Strings

C:\trshmfqlcbpta\yrykdhhlfqp.exe, xrefs: 003D0A71, 003D0A8A, 003D0AB0, 003D0E0A

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: File$Attributes$CreateSleep$Copy$CloseHandleSnapshotStartupThreadToolhelp32
String ID: C:\trshmfqlcbpta\yrykdhhlfqp.exe
API String ID: 753865460-4155721312
Opcode ID: b44f80dc95fed6a38c900a46a34ec71d2b29f993fb9a4e6aae80e1388da4379b
Instruction ID: 8ebf4ee6386992c7788be6b434c869bba8159abcc34b98b839ae82ab8d1b6929
Opcode Fuzzy Hash: b44f80dc95fed6a38c900a46a34ec71d2b29f993fb9a4e6aae80e1388da4379b
Instruction Fuzzy Hash: C782AC74901699DBEB279F61FDC82A93B7CFB98700F114B59D480AE2E8EB314964DF04

Function 003ACEB0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 200
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(00002E0F,009CDD78,00000000,00000000,00000000,00000008,00000000,00000000,00000044,00000000,?,?,?,?,?,00000000), ref: 003AD02A
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 003AD04E
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 003AD0C9

Strings

D, xrefs: 003ACF2E

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: e276ae1dcbbf233a1ce431bb2fd5527f1ba8c99754a850bb47561a148d09fc0c
Instruction ID: 2d765c03be0cc955e89ecaf53c554f4b20d6cd47ef1514dd06d2f0789c047c11
Opcode Fuzzy Hash: e276ae1dcbbf233a1ce431bb2fd5527f1ba8c99754a850bb47561a148d09fc0c
Instruction Fuzzy Hash: 4B818974900689DBD723AF61FDC86A93B7CFB49305F118B49E681AE2F8E7314960CB45

Function 003E0C20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 146
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000001,?,?,?,003C0ECB), ref: 003E0CE0
CheckTokenMembership.KERNELBASE(00000000,?,?,?,?,?,003C0ECB), ref: 003E0D3F
FreeSid.ADVAPI32(?,?,?,?,003C0ECB), ref: 003E0E03

Strings

H)p, xrefs: 003E0DD0, 003E0DE7

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID: H)p
API String ID: 3429775523-1687790836
Opcode ID: 9f94ad843fa73326d2673db39e5e5b1920ca66f19c20f169244eef9e2796edf8
Instruction ID: 7ee0daee6299c590f06a95a99ab45a237c7219ee4b5e90eede38114675aafbb3
Opcode Fuzzy Hash: 9f94ad843fa73326d2673db39e5e5b1920ca66f19c20f169244eef9e2796edf8
Instruction Fuzzy Hash: 3C5186349002D9DBCB268FA6FCC85A97BBCFB54311F018B5AE580AA2E4E3344958CB11

Function 003AAFE0 Relevance: 6.3, APIs: 4, Instructions: 304
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003AB0FE
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 003AB1A5
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 003AB2BD
CloseHandle.KERNEL32(00000000,?,00000000), ref: 003AB30B

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: CloseFileHandle$CreateRead
String ID:
API String ID: 2564258376-0
Opcode ID: 31ab3ef65139bd5f88c2194410084ff17994748ab2ae0f12b513a77fcf6aebe8
Instruction ID: d829411a0bd0d422d096864162164fbb2d17908759aa350b5ec9682d5c3a684f
Opcode Fuzzy Hash: 31ab3ef65139bd5f88c2194410084ff17994748ab2ae0f12b513a77fcf6aebe8
Instruction Fuzzy Hash: 85D1ED74A00294DBDB329F61FDC86A97B7CFB88311F118759E5819E2E4EB305AA0DF05

Function 003C3C00 Relevance: 4.8, APIs: 3, Instructions: 323
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000000,00000000,?,FFFFFFFF,00000000,?,?,?,?,00000000,?), ref: 003C3D9D
WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000), ref: 003C3FC3
CloseHandle.KERNELBASE(00000000), ref: 003C410F

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: be9803343c1a47df4e17fcd8bc2729953f938ebcbe7388201d4814fc55e244f3
Instruction ID: 2c58949bb1454b88b1c2333b5ee9e79aabd22118a8cfe22799e32699aa725ee1
Opcode Fuzzy Hash: be9803343c1a47df4e17fcd8bc2729953f938ebcbe7388201d4814fc55e244f3
Instruction Fuzzy Hash: BDD19B35900689DBE723AF61FDC86A93B7CFB98310F118B59D485AE2F8E7314960CB44

Function 003C41E0 Relevance: 3.4, APIs: 2, Instructions: 422
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75A70000,00000000), ref: 003C453F
GetProcAddress.KERNEL32(75A70000,00000000), ref: 003C45B2

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 0ad11d566400e9304e803f13dfea9d0443a299d77e51c71e65c898f1be82f4c1
Instruction ID: cbe951018bea4647aed1a7993c9107d9a65311e0eecd1781e6c7bfb977808563
Opcode Fuzzy Hash: 0ad11d566400e9304e803f13dfea9d0443a299d77e51c71e65c898f1be82f4c1
Instruction Fuzzy Hash: 31027C75900699EBDB23AF52FCC42A83B7CFB89310F114B59D5806E2F8E73149A4CB55

Function 003C7B30 Relevance: 3.1, APIs: 2, Instructions: 62
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,003A650A,003A650A,[C;), ref: 003C7BF9
RtlFreeHeap.NTDLL(00000000), ref: 003C7C00

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 4b2ac9341dd09ec76e68d8659b4a88337ee08674b042e12008c54cdcc51c7889
Instruction ID: e4017726c0e9e17177bb284429ec86d728f1a5c8f51bbb8c948301ab07c3948e
Opcode Fuzzy Hash: 4b2ac9341dd09ec76e68d8659b4a88337ee08674b042e12008c54cdcc51c7889
Instruction Fuzzy Hash: 5D217879809288DBD732DF62EAC82987BBCF794321F224356D9446B2E0E7310E50DF90

Function 003AACD0 Relevance: 3.0, APIs: 2, Instructions: 28
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(003DEC02,00000000,003DEC02,?), ref: 003AAD0C
CharLowerBuffA.USER32(003DEC02,00000000), ref: 003AAD14

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID:
API String ID: 794975171-0
Opcode ID: 432e56beb23d0b9150a75be79760dd14781bfd2caaab1388800dc2374775857d
Instruction ID: 9f1a3fad8e4f953ba37040e6e6e9e9d895d285e643205bfef7ffd832f9ff3dfe
Opcode Fuzzy Hash: 432e56beb23d0b9150a75be79760dd14781bfd2caaab1388800dc2374775857d
Instruction Fuzzy Hash: 8AF03A79901258EB8721EF64E9884D97B7CFB09310F004285DC415B390C7305E80DB91

Function 003DC960 Relevance: 3.0, APIs: 2, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,003C0494,?,003C0494,?), ref: 003DC97F
RtlAllocateHeap.NTDLL(00000000,?,003C0494,?), ref: 003DC986

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 599548fbfd1260c49b97999b87656dcd830e71bd549caf29adbe0b05cdcacce7
Instruction ID: 8baac8dac3609a835665a54edee5209ba17465d9b089f813fe95b87165e9cad7
Opcode Fuzzy Hash: 599548fbfd1260c49b97999b87656dcd830e71bd549caf29adbe0b05cdcacce7
Instruction Fuzzy Hash: 19D09271140288ABDA229BA4AC8DB957B6CA748711F500A04F20D8B2E4C77095508B56

Function 003C2B20 Relevance: 2.4, APIs: 1, Instructions: 864COMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32(?,?), ref: 003C2D1F

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 187536008f8b7e1c8cf487df6de795af6e225ae5491605832b93a9ec27907bf2
Instruction ID: a3ec74e871f00f76862286c139da77643e04deacaf83036a576c7ac1f5bc5f90
Opcode Fuzzy Hash: 187536008f8b7e1c8cf487df6de795af6e225ae5491605832b93a9ec27907bf2
Instruction Fuzzy Hash: EC82D174800689DBDB27AF61FDD86A87B7CFB58300F118B59D5816E2F4EB311A64CB41

Function 003B7430 Relevance: 1.7, APIs: 1, Instructions: 203fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 003B75B2

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6df79447f3ee72c7692689cce84ca71a26ae89a42239a622f8ca2fbc85b6f27d
Instruction ID: aa0aa202d36a026b6fe15f7f2bf6e128767a273082761c04fc4dec3899ccadf1
Opcode Fuzzy Hash: 6df79447f3ee72c7692689cce84ca71a26ae89a42239a622f8ca2fbc85b6f27d
Instruction Fuzzy Hash: D681CC74900689DBEB26DF51FDC92A87B78FB99710F114799D9806F2E8E7310A60DF40

Function 003DCAC0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 003DCB26

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 79bb6e46d205102d0a0a8fe9e7ac9f346d0cb13450c7d55de0bf76ce02682007
Instruction ID: 212bbfb25df3ac5da2f7977f6ade81844c36d305b96d6591a31988dd1848129f
Opcode Fuzzy Hash: 79bb6e46d205102d0a0a8fe9e7ac9f346d0cb13450c7d55de0bf76ce02682007
Instruction Fuzzy Hash: 06F03A38400689CBC72AAF26FCC84697B7DFB84700F018B15D4848E2F4E7308955CF45

Function 003B435B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 003B4387

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 8e4bbb887fe12773a7f9a91922032fdd8c2ae84523b6553576f372b0042b2ea5
Instruction ID: 5450b50b5afe7ac07a96f8582133534314a08d8d160def272e4917bcab2285ad
Opcode Fuzzy Hash: 8e4bbb887fe12773a7f9a91922032fdd8c2ae84523b6553576f372b0042b2ea5
Instruction Fuzzy Hash: 82D0C925410691CA82626F77BDC94263B6DBA40725B014342E4898D1F0EA708859DB56

Non-executed Functions

Function 003DDFE0 Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 443fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,000000FF), ref: 003DE0FE
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,?,000000FF), ref: 003DE219
CloseHandle.KERNEL32(00000000,?,?,?,?,000000FF), ref: 003DE252
GetTickCount.KERNEL32 ref: 003DE2E3
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 003DE592
WriteFile.KERNEL32(00000000,000000FF,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 003DE62B
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 003DE644

Strings

*?|r, xrefs: 003DE53E
{foQ, xrefs: 003DE5B0
}*@o, xrefs: 003DE56F

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID: *?|r${foQ$}*@o
API String ID: 3478262135-1153267046
Opcode ID: 4ea6ced063d18266e573afc6108c9b23baabad62f2416ab3eaed14b3bbb69500
Instruction ID: 11118b70207f5100f3422907545dabf487fa7cc736c6cc508998667448672646
Opcode Fuzzy Hash: 4ea6ced063d18266e573afc6108c9b23baabad62f2416ab3eaed14b3bbb69500
Instruction Fuzzy Hash: 5E021271900685DBDB27AF21FCC86B93BBDFB98301F114B5AE5855E2E8EB304990CB45

Function 003BA300 Relevance: 12.4, APIs: 8, Instructions: 360registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(009C02F0,Function_000114E0), ref: 003BA47B
SetServiceStatus.ADVAPI32(00000000,003EE9BC), ref: 003BA590
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 003BA5A6
SetServiceStatus.ADVAPI32(00000000,003EE9BC), ref: 003BA636
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 003BA6CB
SetServiceStatus.ADVAPI32(00000000,003EE9BC), ref: 003BA7A6
CloseHandle.KERNEL32(00000000), ref: 003BA7D3
SetServiceStatus.ADVAPI32(00000000,003EE9BC), ref: 003BA8E5

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID:
API String ID: 3399922960-0
Opcode ID: 7810d91aa63c106acd27704bff6977f5f87c41a6b89defb769b27547a4f094ba
Instruction ID: 3b8e7e3cc0a501428b958ba8f0504f50d785525c2306dafe9e04000bb64a1544
Opcode Fuzzy Hash: 7810d91aa63c106acd27704bff6977f5f87c41a6b89defb769b27547a4f094ba
Instruction Fuzzy Hash: 18F19974901684DBD7379F61FEC81A83BBCF799310F21875AE9849A2F4EB3409A4DB05

Function 003DA650 Relevance: 9.2, APIs: 6, Instructions: 244filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 003DA728
GetFileTime.KERNEL32(00000000,?,?,?), ref: 003DA7F1
CloseHandle.KERNEL32(00000000), ref: 003DA810
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003DA8FB
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 003DA94E
CloseHandle.KERNEL32(00000000), ref: 003DA990

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3236713533-0
Opcode ID: d2117744adc65351001a08c0ec96b4cf22a9c3eb2eb72fb6f2c8c3561fbe1c28
Instruction ID: 294f0ece78be88c2b54caf00d285dbe02ebe29f9711a3c49f8ede7e03358201c
Opcode Fuzzy Hash: d2117744adc65351001a08c0ec96b4cf22a9c3eb2eb72fb6f2c8c3561fbe1c28
Instruction Fuzzy Hash: 09A1DD34A00295DBDB26DF65FDC86A87BBCF788310F11875AD8849B2E8D7305950CF44

Function 003DE950 Relevance: 7.8, APIs: 5, Instructions: 341processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000,00000001), ref: 003DEAE8
OpenProcess.KERNEL32(00000002,00000000,?), ref: 003DECC0
CloseHandle.KERNEL32(00000000), ref: 003DED5F
Process32Next.KERNEL32(00000000,00000128), ref: 003DEE38
CloseHandle.KERNEL32(00000000), ref: 003DEE7C

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: CloseHandle$CreateNextOpenProcessProcess32SnapshotToolhelp32
String ID:
API String ID: 1219847958-0
Opcode ID: 579517318116b341fc61629c2aa070be2663bfa9e04ecae51fc2145e2a276d8f
Instruction ID: 2602e87b10f49380649511e9586273e256a0e97ab2b9921a835d0e51789c3b74
Opcode Fuzzy Hash: 579517318116b341fc61629c2aa070be2663bfa9e04ecae51fc2145e2a276d8f
Instruction Fuzzy Hash: BCE1DF71900699DBDB23AF21FDC82A83FBCFB99311F114B55D481AE2E8E73149A4CB45

Function 003ABF59 Relevance: 7.8, APIs: 5, Instructions: 259processCOMMON

Download Yara Rule

APIs

Part of subcall function 003D8340: lstrlenA.KERNEL32(?,?,?,003A7D41,?,?), ref: 003D83A7

CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 003AC157
Module32First.KERNEL32(00000000,00000224), ref: 003AC1FE

Part of subcall function 003BADE0: wvsprintfA.USER32(00002E0F,?,?), ref: 003BAF24

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32lstrlenwvsprintf
String ID:
API String ID: 3143976151-0
Opcode ID: 6b55f37a8afe7b5607b59cd56b079aeb9a9ae984d7474dfa61cc74e4d60beff3
Instruction ID: e8290941eea06584ee5d7e546428ea190079df34134fe6ceb06968a0c3b2d849
Opcode Fuzzy Hash: 6b55f37a8afe7b5607b59cd56b079aeb9a9ae984d7474dfa61cc74e4d60beff3
Instruction Fuzzy Hash: 1BB1BF74901288DBDB379F61FDC82A877BCFB99300F118659D4849E2E4E7344A90DF04

Function 003B7A60 Relevance: 7.6, APIs: 5, Instructions: 127synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000001,00000001,003DC80C), ref: 003B7B1E
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 003B7B87
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003B7BA0
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 003B7BDF
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003B7BFA

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: c6597b62391428942132af3cb82e39529734d93a7a331409c3779ee689d5e488
Instruction ID: b3eaf9da262c481442a7350cfccae47ab128603f41a8057300f13d82b082d527
Opcode Fuzzy Hash: c6597b62391428942132af3cb82e39529734d93a7a331409c3779ee689d5e488
Instruction Fuzzy Hash: 1D51BE71504294EBD7369F26FDC92A93BBCFB95721F008719E8898E2E8E7744850CF45

Function 003BAC30 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,?,?,003B4300), ref: 003BAC7F
GetStdHandle.KERNEL32(000000F5,00000000,?,?,003B4300), ref: 003BACFD
GetStdHandle.KERNEL32(000000F4,00000000,?,?,003B4300), ref: 003BAD6D

Strings

P>, xrefs: 003BAD70
0>, xrefs: 003BAD00

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: Handle
String ID: 0>$P>
API String ID: 2519475695-3544978383
Opcode ID: c421320f02940f34db6e53b57756c0d7d6d1308bbbbb6285851eabf895482e71
Instruction ID: 36fb4d2e796549399ea5728292eeaab0aa20003ca5e08b4890f9c904b3e2b879
Opcode Fuzzy Hash: c421320f02940f34db6e53b57756c0d7d6d1308bbbbb6285851eabf895482e71
Instruction Fuzzy Hash: FD419C74804698DBDB22DF56FDC82997B7CFB89320F214795D5845A2F4DB301EA8CB44

Function 003B95B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 166registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,00000000,?), ref: 003B9700
RegSetValueExA.ADVAPI32(?,009C0B18,00000000,00000001,?,00000000), ref: 003B97AE
RegCloseKey.ADVAPI32(?), ref: 003B9832

Strings

ue[, xrefs: 003B9618

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: CloseOpenValue
String ID: ue[
API String ID: 779948276-739068366
Opcode ID: 996b7a161e355992d513b03f26f51f78831ac46ca87574f5b4f0f8d37ec123e2
Instruction ID: fccee425b0c88a7b2e88762eaad6e19c0ada4148b58005c958182629b772d439
Opcode Fuzzy Hash: 996b7a161e355992d513b03f26f51f78831ac46ca87574f5b4f0f8d37ec123e2
Instruction Fuzzy Hash: D261EC34900694EBE7229F60FDC82E93B7CFB99714F014246D8859E2F8EB3198A4CB55

Function 003A8350 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 469sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 003A87E0
Sleep.KERNEL32(00015F90), ref: 003A8A0F

Strings

$y0, xrefs: 003A89AC

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: FileModuleNameSleep
String ID: $y0
API String ID: 4084727719-3426688345
Opcode ID: 4ef4a11819e5611c5e7630a67c5962413b783f80bad78ef3ac89d4a7d773893f
Instruction ID: 055817b0431d9836d734b508c8fde6370343e7ccff4e1a0b5e4541b288665260
Opcode Fuzzy Hash: 4ef4a11819e5611c5e7630a67c5962413b783f80bad78ef3ac89d4a7d773893f
Instruction Fuzzy Hash: C012EF74900689DBDB279F61FDC42A93B7CFB89310F11479AE5819E2F4EB304AA0CB45

Function 003DA060 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 128fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00005000,?,00000000,00000001,?,00000001,?,003B4D55,?,?), ref: 003DA17E
ReadFile.KERNEL32(?,?,00005000,00000000,00000000,?,00000000,?,00000001,?,003B4D55), ref: 003DA22D

Strings

UM;, xrefs: 003DA0F8

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: FileRead
String ID: UM;
API String ID: 2738559852-1642786085
Opcode ID: 476e813bc219299c98c9bee28f7c10f7bd48ae8dce49b08dae857225905723fe
Instruction ID: ee02d2c709397256890fbdfa55c7a7393eb78406e67d58af87fb220b5c31c22d
Opcode Fuzzy Hash: 476e813bc219299c98c9bee28f7c10f7bd48ae8dce49b08dae857225905723fe
Instruction Fuzzy Hash: A0518E74A0168ADBDB22DF54FDC86A93B3CFB89304F118B49E5085E2E8EB305964CF41

Function 003A9C20 Relevance: 5.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?), ref: 003A9CBF
HeapReAlloc.KERNEL32(00000000), ref: 003A9CC6
GetProcessHeap.KERNEL32(00000000,?), ref: 003A9CF0
HeapAlloc.KERNEL32(00000000), ref: 003A9CF7

Memory Dump Source

Source File: 00000001.00000002.1796713466.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000001.00000002.1796696148.00000000003A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796745946.00000000003E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796762298.00000000003EE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1796777570.00000000003F0000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3a0000_nflzf2rny8bxnz25kz2r.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 1d6dc83f2ae7c6c1f27b8842b4d9e1a99ca31c45c161a2716ad81b79887aadeb
Instruction ID: 43544bf46b5d579a1d2e4e8f0cf1de939f15b6209f14771a52d97d2232c1968a
Opcode Fuzzy Hash: 1d6dc83f2ae7c6c1f27b8842b4d9e1a99ca31c45c161a2716ad81b79887aadeb
Instruction Fuzzy Hash: B0219674904789E7DB23AF60FD882693B7CFB49311F104B84E9895E3E4EB324994CB55

Analysis Process: eqyozfmcsgls.exePID: 7484, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	35.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	2000
Total number of Limit Nodes:	22

Executed Functions

Function 0027915F Relevance: 266.1, APIs: 113, Strings: 36, Instructions: 5361libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(74DD0000,?), ref: 002791B1
GetProcAddress.KERNEL32(74DD0000,?), ref: 0027927C
GetProcAddress.KERNEL32(74DD0000,?), ref: 00279341

Strings

xlx, xrefs: 0027E374
hx+, xrefs: 0027C45D
jhe6, xrefs: 0027CD51
h2., xrefs: 0027A348
jhE4, xrefs: 00279F4D
hk, xrefs: 0027E187
hL+, xrefs: 0027A836
h*6, xrefs: 0027D111
ht6, xrefs: 00279BE9
hb&, xrefs: 00279C89
h7:, xrefs: 0027C338
jhF , xrefs: 0027CBF2
hT4, xrefs: 0027BAD2
jhH6, xrefs: 0027A26F
hg5, xrefs: 0027C238
hU., xrefs: 0027C760
O, xrefs: 0027E96C
hU&, xrefs: 0027B59B
hp5, xrefs: 0027D55A
jh5, xrefs: 0027C6B1
hE:, xrefs: 0027B42B
h{4, xrefs: 0027A131
jhn., xrefs: 0027AA92
h$, xrefs: 00279E6F
jh&., xrefs: 0027A56A
CB!, xrefs: 0027C4BB
h-, xrefs: 0027CA96
f}?, xrefs: 0027D295
hk4, xrefs: 0027D81C
hB., xrefs: 0027DED2
C:\Windows\system32\config\systemprofile, xrefs: 0027E1A3
x, xrefs: 0027E843
h^., xrefs: 0027B1C9
v":, xrefs: 0027D12A
hW:, xrefs: 0027CC62
h_+, xrefs: 0027DAA7

Memory Dump Source

Source File: 00000002.00000002.2587559237.0000000000251000.00000020.00000001.01000000.00000005.sdmp, Offset: 00250000, based on PE: true

Associated: 00000002.00000002.2587545581.0000000000250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587587642.0000000000293000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587604697.000000000029E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587621435.00000000002A0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_250000_eqyozfmcsgls.jbxd

Similarity

API ID: AddressProc
String ID: C:\Windows\system32\config\systemprofile$CB!$f}?$h*6$h2.$h7:$hB.$hE:$hL+$hT4$hU&$hU.$hW:$h^.$h_+$hb&$hg5$hk$hk4$hp5$ht6$hx+$h{4$h$$h-$jh&.$jhH6$jh5$jhE4$jhF $jhe6$jhn.$v":$xlx$O$x
API String ID: 190572456-1755171564
Opcode ID: 597c9caf7c5da02296aef685354e52299cc9c2594abbb2ed843db7557f6f26fc
Instruction ID: 458791a45475e06b1cc75d5cccffdce46dc8af041a4698fdb2045cd86d9c2f30
Opcode Fuzzy Hash: 597c9caf7c5da02296aef685354e52299cc9c2594abbb2ed843db7557f6f26fc
Instruction Fuzzy Hash: 39B39D74900609EBEF04DFA0FE8D6A97BB4FB98710B13845BE985623B4EB710960DF45

Function 00273C00 Relevance: 4.8, APIs: 3, Instructions: 323
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000000,00000000,?,FFFFFFFF,00000000,?,?,?,?,00000000,?), ref: 00273D9D
WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000), ref: 00273FC3
CloseHandle.KERNELBASE(00000000), ref: 0027410F

Memory Dump Source

Source File: 00000002.00000002.2587559237.0000000000251000.00000020.00000001.01000000.00000005.sdmp, Offset: 00250000, based on PE: true

Associated: 00000002.00000002.2587545581.0000000000250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587587642.0000000000293000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587604697.000000000029E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587621435.00000000002A0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_250000_eqyozfmcsgls.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 071242fae0928e14c2b94bf720a8ee6246577411b84ceb52f68a5ac62d07c121
Instruction ID: 3494a33dc95ac4d7f7d8c5cbb815c061e8c08f01dc420b0c31235d94cdebe13f
Opcode Fuzzy Hash: 071242fae0928e14c2b94bf720a8ee6246577411b84ceb52f68a5ac62d07c121
Instruction Fuzzy Hash: 4AD19071910609EBEF04EF60FD8D2B93B74FB98710B53899BD849A22B4EB314970DB45

Function 00290C20 Relevance: 4.6, APIs: 3, Instructions: 146memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000001,?,?,?,00270ECB), ref: 00290CE0
CheckTokenMembership.KERNELBASE(00000000,?,?,?,?,?,00270ECB), ref: 00290D3F
FreeSid.ADVAPI32(?,?,?,?,00270ECB), ref: 00290E03

Memory Dump Source

Source File: 00000002.00000002.2587559237.0000000000251000.00000020.00000001.01000000.00000005.sdmp, Offset: 00250000, based on PE: true

Associated: 00000002.00000002.2587545581.0000000000250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587587642.0000000000293000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587604697.000000000029E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587621435.00000000002A0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_250000_eqyozfmcsgls.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: eea412ba7dcfdac5d325ef49934d7c60e0a0f6226016fedaea9f41a0591cc225
Instruction ID: e6719ab80756b68d78f4f7130f9b33c8a0ffda4b7b5a9e6e2fb7e62784abf4dd
Opcode Fuzzy Hash: eea412ba7dcfdac5d325ef49934d7c60e0a0f6226016fedaea9f41a0591cc225
Instruction Fuzzy Hash: 8151CC71905219EBDF04CFA5FD8C6BA7BB8FB54311B0385AFE885A22A0E7340568CB55

Function 00268C07 Relevance: 3.2, APIs: 2, Instructions: 153COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32(00000000,00000128), ref: 00268D97
CloseHandle.KERNELBASE(00000000), ref: 00268DF2

Memory Dump Source

Source File: 00000002.00000002.2587559237.0000000000251000.00000020.00000001.01000000.00000005.sdmp, Offset: 00250000, based on PE: true

Associated: 00000002.00000002.2587545581.0000000000250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587587642.0000000000293000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587604697.000000000029E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587621435.00000000002A0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_250000_eqyozfmcsgls.jbxd

Similarity

API ID: CloseHandleNextProcess32
String ID:
API String ID: 4007157957-0
Opcode ID: c2041727dd7e6f19dad0167b1ce46e70cb93d96778833df2ad30eac9329e4f5d
Instruction ID: 1a28498e1157f94382322a6a1886f5cbbddb13bc24ff28bdd1e127fc48dab239
Opcode Fuzzy Hash: c2041727dd7e6f19dad0167b1ce46e70cb93d96778833df2ad30eac9329e4f5d
Instruction Fuzzy Hash: 82618C7481560ADBDF14CF60FE8C2A93B74FBA5350F67499BC888622A4DB310AA4DF11

Function 0025ACD0 Relevance: 3.0, APIs: 2, Instructions: 28stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,00000000,?,00000001), ref: 0025AD0C
CharLowerBuffA.USER32(?,00000000), ref: 0025AD14

Memory Dump Source

Source File: 00000002.00000002.2587559237.0000000000251000.00000020.00000001.01000000.00000005.sdmp, Offset: 00250000, based on PE: true

Associated: 00000002.00000002.2587545581.0000000000250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587587642.0000000000293000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587604697.000000000029E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587621435.00000000002A0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_250000_eqyozfmcsgls.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID:
API String ID: 794975171-0
Opcode ID: 866123d80b41731f22ce573b6919eaff08c62a8dabfd1bfaac8cd8e23b27434c
Instruction ID: 3d54267b64ca23a98ed6af050c146a2c51757b87c8c7ea37c40d2851ae22b92c
Opcode Fuzzy Hash: 866123d80b41731f22ce573b6919eaff08c62a8dabfd1bfaac8cd8e23b27434c
Instruction Fuzzy Hash: D8F0D4B9915218EBCB00DFA4FA4D4997BB8FB09710B118196EC4993320DB319E40DB96

Function 0028C960 Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00270494,?,00270494,?), ref: 0028C97F
RtlAllocateHeap.NTDLL(00000000,?,00270494,?), ref: 0028C986

Memory Dump Source

Source File: 00000002.00000002.2587559237.0000000000251000.00000020.00000001.01000000.00000005.sdmp, Offset: 00250000, based on PE: true

Associated: 00000002.00000002.2587545581.0000000000250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587587642.0000000000293000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587604697.000000000029E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587621435.00000000002A0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_250000_eqyozfmcsgls.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 2b49c72c56fe1959b1bf48d04e001ab54e8d30b488d5917771ac538a1b1104f9
Instruction ID: 759c611c57e3c68b730e33c34d926de9f4f849d838392bfea66e2afed34fa1e3
Opcode Fuzzy Hash: 2b49c72c56fe1959b1bf48d04e001ab54e8d30b488d5917771ac538a1b1104f9
Instruction Fuzzy Hash: B0D0C971144208EBDB00DFE4FC4DB567BACF718701F920846F60C82260C77055508B55

Function 0026F079 Relevance: 1.8, APIs: 1, Instructions: 304networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000009,?,00000400,00000000), ref: 0026F0A4
closesocket.WS2_32(00000009), ref: 0026F642

Memory Dump Source

Source File: 00000002.00000002.2587559237.0000000000251000.00000020.00000001.01000000.00000005.sdmp, Offset: 00250000, based on PE: true

Associated: 00000002.00000002.2587545581.0000000000250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587587642.0000000000293000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587604697.000000000029E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587621435.00000000002A0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_250000_eqyozfmcsgls.jbxd

Similarity

API ID: closesocketrecv
String ID:
API String ID: 485150354-0
Opcode ID: 3796ad7c249b7bd8a3a27cab78f7b977ea4f3298ff16a6b953e9b5a3550a9281
Instruction ID: ea790999cfc8d793180248051e04dfb84c7ddc0908c25a4481c137eb275f752d
Opcode Fuzzy Hash: 3796ad7c249b7bd8a3a27cab78f7b977ea4f3298ff16a6b953e9b5a3550a9281
Instruction Fuzzy Hash: 12D18E71910609EBEF04EFA0FD9D6AD3B74FB98700F13445BD889622A4EB3149A5CF46

Function 002668C0 Relevance: 1.8, APIs: 1, Instructions: 252fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000001,00000000,00000000,00000000,?,00000708), ref: 00266AA4

Memory Dump Source

Source File: 00000002.00000002.2587559237.0000000000251000.00000020.00000001.01000000.00000005.sdmp, Offset: 00250000, based on PE: true

Associated: 00000002.00000002.2587545581.0000000000250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587587642.0000000000293000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587604697.000000000029E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587621435.00000000002A0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_250000_eqyozfmcsgls.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 32dcff5f6064d136887203f877a221e58492dcb30ce5288a5a35e973cde335c3
Instruction ID: b29782dfb0e49e8d899c8e984ba8f49db9870217698cd6985c77cbf08396ad55
Opcode Fuzzy Hash: 32dcff5f6064d136887203f877a221e58492dcb30ce5288a5a35e973cde335c3
Instruction Fuzzy Hash: 30B1D271901604EBEF04DF60FD4D2B83BB4FB94715F23455BD885622B4EB3149A5CB85

Function 00267430 Relevance: 1.7, APIs: 1, Instructions: 203fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 002675B2

Memory Dump Source

Source File: 00000002.00000002.2587559237.0000000000251000.00000020.00000001.01000000.00000005.sdmp, Offset: 00250000, based on PE: true

Associated: 00000002.00000002.2587545581.0000000000250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587587642.0000000000293000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587604697.000000000029E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587621435.00000000002A0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_250000_eqyozfmcsgls.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3f4624ad8d553c0e5a2cb3618cedc46a44e19ff06a9d14a3914b354437bc4afb
Instruction ID: 2b9fefc620aca8b0378d2a11c80a1b838d6720200b8de7e738a3f97c91386ee6
Opcode Fuzzy Hash: 3f4624ad8d553c0e5a2cb3618cedc46a44e19ff06a9d14a3914b354437bc4afb
Instruction Fuzzy Hash: 9B818C70900605EBEF04DF64FE4D6A97BB4FB98714F2385ABD885632A4E7710AA0DF44

Function 002670F0 Relevance: 1.4, APIs: 1, Instructions: 188sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000003E8,?,?,?,00000001,00000000,00000000,?,00000708), ref: 0026727B

Memory Dump Source

Source File: 00000002.00000002.2587559237.0000000000251000.00000020.00000001.01000000.00000005.sdmp, Offset: 00250000, based on PE: true

Associated: 00000002.00000002.2587545581.0000000000250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587587642.0000000000293000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587604697.000000000029E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2587621435.00000000002A0000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_250000_eqyozfmcsgls.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: ed2ed0db25eadaf3b72f1fd1224087063e33c1a0cd624e34fcff3b731f23a975
Instruction ID: ff5f9ee1c943a7e6a5ce934f83382455e5ddcffa2f196a1714349c4519282bb1
Opcode Fuzzy Hash: ed2ed0db25eadaf3b72f1fd1224087063e33c1a0cd624e34fcff3b731f23a975
Instruction Fuzzy Hash: 1C71C370810615E7EF00EF24FD4D6A93B74FB89760B0744ABE889532B4EB7108B4CB55

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Z4KBs1USsJ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\trshmfqlcbpta\no2uvy

C:\trshmfqlcbpta\eqyozfmcsgls.exe

C:\trshmfqlcbpta\nflzf2rny8bxnz25kz2r.exe

C:\trshmfqlcbpta\no2uvy

C:\trshmfqlcbpta\yrykdhhlfqp.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
Z4KBs1USsJ.exe

Function 00CE7B00 Relevance: 8.0, APIs: 5, Instructions: 501
sleepfileCOMMON

Function 00CF0C20 Relevance: 4.6, APIs: 3, Instructions: 146
memoryCOMMON

Function 00CEC960 Relevance: 3.0, APIs: 2, Instructions: 13
memoryCOMMON

Function 00CDA25E Relevance: 216.1, APIs: 89, Strings: 32, Instructions: 4394
libraryloaderCOMMON

Function 00CDA547 Relevance: 205.5, APIs: 85, Strings: 30, Instructions: 4234
libraryloaderCOMMON

Function 00CDBE53 Relevance: 130.5, APIs: 50, Strings: 23, Instructions: 2769
libraryloaderCOMMON

Function 00CDBEEE Relevance: 130.5, APIs: 50, Strings: 23, Instructions: 2745
libraryloaderCOMMON

Function 00CDC587 Relevance: 107.4, APIs: 41, Strings: 19, Instructions: 2379
libraryloaderCOMMON

Function 00CEDFE0 Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 443
fileCOMMON

Function 00CBCEB0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 200
processCOMMON

Function 00CD3C00 Relevance: 4.8, APIs: 3, Instructions: 323
fileCOMMON

Function 00CD7B30 Relevance: 3.1, APIs: 2, Instructions: 62
memoryCOMMON

Function 00CBACD0 Relevance: 3.0, APIs: 2, Instructions: 28
stringCOMMON

Function 00CECAC0 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre