Edit tour

Windows Analysis Report
Z4KBs1USsJ.exe

Overview

General Information

Sample name:	Z4KBs1USsJ.exe renamed because original name is a hash value
Original sample name:	2c44774360d281f890ad8869e2c1aa05a4ee7fe92fbf0d9ab20508aa7fba7f8c.exe
Analysis ID:	1551221
MD5:	9c485842f954958288c2ecf17881439a
SHA1:	a12c829ff47dd3a496594d6527affb7eedd3bd11
SHA256:	2c44774360d281f890ad8869e2c1aa05a4ee7fe92fbf0d9ab20508aa7fba7f8c
Tags:	exeuser-adrian__luca
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to resolve many domain names, but no domain seems valid

Connects to many different domains

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Executes massive DNS lookups (> 100)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Z4KBs1USsJ.exe (PID: 4520 cmdline: "C:\Users\user\Desktop\Z4KBs1USsJ.exe" MD5: 9C485842F954958288C2ECF17881439A)

nflzf40di8bxnz25kz2r.exe (PID: 6836 cmdline: "C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe" MD5: 9C485842F954958288C2ECF17881439A)

eqyozfmcsgls.exe (PID: 3836 cmdline: "C:\trshmfqlcbpta\eqyozfmcsgls.exe" MD5: 9C485842F954958288C2ECF17881439A)

eqyozfmcsgls.exe (PID: 6720 cmdline: C:\trshmfqlcbpta\eqyozfmcsgls.exe MD5: 9C485842F954958288C2ECF17881439A)

yrykdhhlfqp.exe (PID: 5560 cmdline: jmbk6ivdkgpf "c:\trshmfqlcbpta\eqyozfmcsgls.exe" MD5: 9C485842F954958288C2ECF17881439A)

eqyozfmcsgls.exe (PID: 4940 cmdline: "c:\trshmfqlcbpta\eqyozfmcsgls.exe" MD5: 9C485842F954958288C2ECF17881439A)

yrykdhhlfqp.exe (PID: 828 cmdline: jmbk6ivdkgpf "c:\trshmfqlcbpta\eqyozfmcsgls.exe" MD5: 9C485842F954958288C2ECF17881439A)

cleanup

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T16:12:21.656405+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.8	49710	TCP
2024-11-07T16:12:59.184508+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.8	49715	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T16:12:16.263052+0100	2018141	1	A Network Trojan was detected	18.143.155.63	80	192.168.2.8	49707	TCP
2024-11-07T16:12:18.476316+0100	2018141	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.8	49708	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T16:12:16.263052+0100	2037771	1	A Network Trojan was detected	18.143.155.63	80	192.168.2.8	49707	TCP
2024-11-07T16:12:18.476316+0100	2037771	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.8	49708	TCP

ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T16:12:16.993403+0100	2018316	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.8	61147	UDP

ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T16:12:24.406925+0100	2811542	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.8	51172	UDP
2024-11-07T16:13:39.781951+0100	2811542	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.8	61665	UDP

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T16:12:15.899524+0100	2815568	1	A Network Trojan was detected	192.168.2.8	49707	18.143.155.63	80	TCP
2024-11-07T16:13:36.274373+0100	2815568	1	A Network Trojan was detected	192.168.2.8	49717	18.143.155.63	80	TCP

ETPRO MALWARE W32/Bayrob Attempted Checkin 2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T16:12:15.899524+0100	2820680	1	Malware Command and Control Activity Detected	192.168.2.8	49707	18.143.155.63	80	TCP
2024-11-07T16:13:36.274373+0100	2820680	1	Malware Command and Control Activity Detected	192.168.2.8	49717	18.143.155.63	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Z4KBs1USsJ.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Avira: detection malicious, Label: TR/Nivdort.Gen2
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Avira: detection malicious, Label: TR/Nivdort.Gen2
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Avira: detection malicious, Label: TR/Nivdort.Gen2

Multi AV Scanner detection for dropped file

Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	ReversingLabs: Detection: 92%
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	ReversingLabs: Detection: 92%
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	ReversingLabs: Detection: 92%

Multi AV Scanner detection for submitted file

Source: Z4KBs1USsJ.exe

ReversingLabs: Detection: 92%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Joe Sandbox ML: detected
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Joe Sandbox ML: detected
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Z4KBs1USsJ.exe

Joe Sandbox ML: detected

Source: Z4KBs1USsJ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Z4KBs1USsJ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Code function: 0_2_00E57B00 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00E57B00
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Code function: 2_2_00B17B00 Sleep,FindFirstFileA,FindNextFileA,FindClose,	2_2_00B17B00
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Code function: 3_2_00137B00 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00137B00
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 4_2_006D7B00 Sleep,FindFirstFileA,FindNextFileA,FindClose,	4_2_006D7B00
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 10_2_009A7B00 Sleep,FindFirstFileA,FindNextFileA,FindClose,	10_2_009A7B00

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2820680 - Severity 1 - ETPRO MALWARE W32/Bayrob Attempted Checkin 2 : 192.168.2.8:49707 -> 18.143.155.63:80
Source: Network traffic	Suricata IDS: 2820680 - Severity 1 - ETPRO MALWARE W32/Bayrob Attempted Checkin 2 : 192.168.2.8:49717 -> 18.143.155.63:80

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: heavydivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreemanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardpeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavendivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requirebusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returndivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heaveninside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glasspeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerdaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavybusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarymanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leadermanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarybusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardpeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlestream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavystream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returninstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requirebright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requiremanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreebright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlenothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answeranother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlemanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousnothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlebusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heaveninstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answermanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreebrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlebottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavymanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnnothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavynothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreebusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarybright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ordermanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderdivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerpeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavybottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavybright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousdivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlebright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreepeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returninside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwarddaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnstream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassdaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentledivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderanother.net replaycode: Name error (3)

Source: unknown

Network traffic detected: DNS query count 170

Source: global traffic

DNS traffic detected: number of DNS queries: 170

Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: gentleanother.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: glassbright.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantinstead.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: degreedaughter.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: difficultpeople.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: gentleanother.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: glassbright.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantinstead.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: degreedaughter.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: difficultpeople.net

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 18.143.155.63 18.143.155.63

Source: Network traffic	Suricata IDS: 2018316 - Severity 1 - ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses : 1.1.1.1:53 -> 192.168.2.8:61147
Source: Network traffic	Suricata IDS: 2811542 - Severity 1 - ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) : 1.1.1.1:53 -> 192.168.2.8:51172
Source: Network traffic	Suricata IDS: 2815568 - Severity 1 - ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort : 192.168.2.8:49707 -> 18.143.155.63:80
Source: Network traffic	Suricata IDS: 2811542 - Severity 1 - ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) : 1.1.1.1:53 -> 192.168.2.8:61665
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.8:49708
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.143.155.63:80 -> 192.168.2.8:49707
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.143.155.63:80 -> 192.168.2.8:49707
Source: Network traffic	Suricata IDS: 2815568 - Severity 1 - ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort : 192.168.2.8:49717 -> 18.143.155.63:80
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.8:49708
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.8:49710
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.8:49715

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

Code function: 0_2_00E3F079 recv,

0_2_00E3F079

Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: gentleanother.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: glassbright.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantinstead.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: degreedaughter.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: difficultpeople.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: gentleanother.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: glassbright.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantinstead.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: degreedaughter.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: difficultpeople.net

Source: global traffic	DNS traffic detected: DNS query: leaderbottle.net
Source: global traffic	DNS traffic detected: DNS query: heavenbottle.net
Source: global traffic	DNS traffic detected: DNS query: leaderdivide.net
Source: global traffic	DNS traffic detected: DNS query: heavendivide.net
Source: global traffic	DNS traffic detected: DNS query: heavystream.net
Source: global traffic	DNS traffic detected: DNS query: gentlestream.net
Source: global traffic	DNS traffic detected: DNS query: heavynothing.net
Source: global traffic	DNS traffic detected: DNS query: gentlenothing.net
Source: global traffic	DNS traffic detected: DNS query: heavybottle.net
Source: global traffic	DNS traffic detected: DNS query: gentlebottle.net
Source: global traffic	DNS traffic detected: DNS query: heavydivide.net
Source: global traffic	DNS traffic detected: DNS query: gentledivide.net
Source: global traffic	DNS traffic detected: DNS query: variousstream.net
Source: global traffic	DNS traffic detected: DNS query: returnstream.net
Source: global traffic	DNS traffic detected: DNS query: variousnothing.net
Source: global traffic	DNS traffic detected: DNS query: returnnothing.net
Source: global traffic	DNS traffic detected: DNS query: variousbottle.net
Source: global traffic	DNS traffic detected: DNS query: returnbottle.net
Source: global traffic	DNS traffic detected: DNS query: variousdivide.net
Source: global traffic	DNS traffic detected: DNS query: returndivide.net
Source: global traffic	DNS traffic detected: DNS query: degreemanner.net
Source: global traffic	DNS traffic detected: DNS query: forwardmanner.net
Source: global traffic	DNS traffic detected: DNS query: degreeanother.net
Source: global traffic	DNS traffic detected: DNS query: forwardanother.net
Source: global traffic	DNS traffic detected: DNS query: degreebusiness.net
Source: global traffic	DNS traffic detected: DNS query: forwardbusiness.net
Source: global traffic	DNS traffic detected: DNS query: degreeappear.net
Source: global traffic	DNS traffic detected: DNS query: forwardappear.net
Source: global traffic	DNS traffic detected: DNS query: answermanner.net
Source: global traffic	DNS traffic detected: DNS query: glassmanner.net
Source: global traffic	DNS traffic detected: DNS query: answeranother.net
Source: global traffic	DNS traffic detected: DNS query: glassanother.net
Source: global traffic	DNS traffic detected: DNS query: answerbusiness.net
Source: global traffic	DNS traffic detected: DNS query: glassbusiness.net
Source: global traffic	DNS traffic detected: DNS query: answerappear.net
Source: global traffic	DNS traffic detected: DNS query: glassappear.net
Source: global traffic	DNS traffic detected: DNS query: difficultmanner.net
Source: global traffic	DNS traffic detected: DNS query: heardmanner.net
Source: global traffic	DNS traffic detected: DNS query: difficultanother.net
Source: global traffic	DNS traffic detected: DNS query: heardanother.net
Source: global traffic	DNS traffic detected: DNS query: difficultbusiness.net
Source: global traffic	DNS traffic detected: DNS query: heardbusiness.net
Source: global traffic	DNS traffic detected: DNS query: difficultappear.net
Source: global traffic	DNS traffic detected: DNS query: heardappear.net
Source: global traffic	DNS traffic detected: DNS query: pleasantmanner.net
Source: global traffic	DNS traffic detected: DNS query: necessarymanner.net
Source: global traffic	DNS traffic detected: DNS query: pleasantanother.net
Source: global traffic	DNS traffic detected: DNS query: necessaryanother.net
Source: global traffic	DNS traffic detected: DNS query: pleasantbusiness.net
Source: global traffic	DNS traffic detected: DNS query: necessarybusiness.net
Source: global traffic	DNS traffic detected: DNS query: pleasantappear.net
Source: global traffic	DNS traffic detected: DNS query: necessaryappear.net
Source: global traffic	DNS traffic detected: DNS query: ordermanner.net
Source: global traffic	DNS traffic detected: DNS query: requiremanner.net
Source: global traffic	DNS traffic detected: DNS query: orderanother.net
Source: global traffic	DNS traffic detected: DNS query: requireanother.net
Source: global traffic	DNS traffic detected: DNS query: orderbusiness.net
Source: global traffic	DNS traffic detected: DNS query: requirebusiness.net
Source: global traffic	DNS traffic detected: DNS query: orderappear.net
Source: global traffic	DNS traffic detected: DNS query: requireappear.net
Source: global traffic	DNS traffic detected: DNS query: leadermanner.net
Source: global traffic	DNS traffic detected: DNS query: heavenmanner.net
Source: global traffic	DNS traffic detected: DNS query: leaderanother.net
Source: global traffic	DNS traffic detected: DNS query: heavenanother.net
Source: global traffic	DNS traffic detected: DNS query: leaderbusiness.net
Source: global traffic	DNS traffic detected: DNS query: heavenbusiness.net
Source: global traffic	DNS traffic detected: DNS query: leaderappear.net
Source: global traffic	DNS traffic detected: DNS query: heavenappear.net
Source: global traffic	DNS traffic detected: DNS query: heavymanner.net
Source: global traffic	DNS traffic detected: DNS query: gentlemanner.net
Source: global traffic	DNS traffic detected: DNS query: heavyanother.net
Source: global traffic	DNS traffic detected: DNS query: gentleanother.net
Source: global traffic	DNS traffic detected: DNS query: heavybusiness.net
Source: global traffic	DNS traffic detected: DNS query: gentlebusiness.net
Source: global traffic	DNS traffic detected: DNS query: heavyappear.net
Source: global traffic	DNS traffic detected: DNS query: gentleappear.net
Source: global traffic	DNS traffic detected: DNS query: variousmanner.net
Source: global traffic	DNS traffic detected: DNS query: returnmanner.net
Source: global traffic	DNS traffic detected: DNS query: variousanother.net
Source: global traffic	DNS traffic detected: DNS query: returnanother.net
Source: global traffic	DNS traffic detected: DNS query: variousbusiness.net
Source: global traffic	DNS traffic detected: DNS query: returnbusiness.net
Source: global traffic	DNS traffic detected: DNS query: variousappear.net
Source: global traffic	DNS traffic detected: DNS query: returnappear.net
Source: global traffic	DNS traffic detected: DNS query: degreeinstead.net
Source: global traffic	DNS traffic detected: DNS query: forwardinstead.net
Source: global traffic	DNS traffic detected: DNS query: degreeexplain.net
Source: global traffic	DNS traffic detected: DNS query: forwardexplain.net
Source: global traffic	DNS traffic detected: DNS query: degreebright.net
Source: global traffic	DNS traffic detected: DNS query: forwardbright.net
Source: global traffic	DNS traffic detected: DNS query: degreeinside.net
Source: global traffic	DNS traffic detected: DNS query: forwardinside.net
Source: global traffic	DNS traffic detected: DNS query: answerinstead.net
Source: global traffic	DNS traffic detected: DNS query: glassinstead.net
Source: global traffic	DNS traffic detected: DNS query: answerexplain.net
Source: global traffic	DNS traffic detected: DNS query: glassexplain.net
Source: global traffic	DNS traffic detected: DNS query: answerbright.net
Source: global traffic	DNS traffic detected: DNS query: glassbright.net
Source: global traffic	DNS traffic detected: DNS query: answerinside.net
Source: global traffic	DNS traffic detected: DNS query: glassinside.net

Source: eqyozfmcsgls.exe, 00000003.00000002.2245205664.000000000161A000.00000004.00000020.00020000.00000000.sdmp, eqyozfmcsgls.exe, 00000009.00000002.3247833515.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: https://www.google.com

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	File created: C:\Windows\trshmfqlcbpta\	Jump to behavior
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	File created: C:\Windows\trshmfqlcbpta\no2uvy	Jump to behavior
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	File created: C:\Windows\trshmfqlcbpta\no2uvy	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	File created: C:\Windows\trshmfqlcbpta\no2uvy	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	File created: C:\Windows\trshmfqlcbpta\no2uvy	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	File created: C:\Windows\trshmfqlcbpta\no2uvy	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	File created: C:\Windows\trshmfqlcbpta\no2uvy	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	File created: C:\Windows\trshmfqlcbpta\no2uvy	Jump to behavior

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

File deleted: C:\Windows\trshmfqlcbpta\no2uvy

Jump to behavior

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Code function: 0_2_00E39AC0	0_2_00E39AC0
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Code function: 2_2_00AF9AC0	2_2_00AF9AC0
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Code function: 3_2_00119AC0	3_2_00119AC0
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 4_2_006B9AC0	4_2_006B9AC0
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 10_2_009A5857	10_2_009A5857
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 10_2_00989AC0	10_2_00989AC0

Source: Z4KBs1USsJ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal96.troj.evad.winEXE@12/5@333/5

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Code function: CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	0_2_00E27DA0
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	2_2_00AE7DA0
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Code function: CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	3_2_00107DA0
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	4_2_006A7DA0
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	10_2_00977DA0

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

Code function: 0_2_00E2BC00 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Module32First,CloseHandle,Process32Next,CloseHandle,

0_2_00E2BC00

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

Code function: 0_2_00E37DE0 StartServiceCtrlDispatcherA,

0_2_00E37DE0

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Code function: 0_2_00E37DE0 StartServiceCtrlDispatcherA,	0_2_00E37DE0
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Code function: 2_2_00AF7DE0 StartServiceCtrlDispatcherA,	2_2_00AF7DE0
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Code function: 3_2_00117DE0 StartServiceCtrlDispatcherA,	3_2_00117DE0
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 4_2_006B7DE0 StartServiceCtrlDispatcherA,	4_2_006B7DE0
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 10_2_00987DE0 StartServiceCtrlDispatcherA,	10_2_00987DE0

Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe

Mutant created: NULL

Source: Z4KBs1USsJ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Z4KBs1USsJ.exe

ReversingLabs: Detection: 92%

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

File read: C:\Users\user\Desktop\Z4KBs1USsJ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Z4KBs1USsJ.exe "C:\Users\user\Desktop\Z4KBs1USsJ.exe"
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Process created: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe "C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe"
Source: unknown	Process created: C:\trshmfqlcbpta\eqyozfmcsgls.exe C:\trshmfqlcbpta\eqyozfmcsgls.exe
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Process created: C:\trshmfqlcbpta\yrykdhhlfqp.exe jmbk6ivdkgpf "c:\trshmfqlcbpta\eqyozfmcsgls.exe"
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Process created: C:\trshmfqlcbpta\eqyozfmcsgls.exe "C:\trshmfqlcbpta\eqyozfmcsgls.exe"
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Process created: C:\trshmfqlcbpta\eqyozfmcsgls.exe "c:\trshmfqlcbpta\eqyozfmcsgls.exe"
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Process created: C:\trshmfqlcbpta\yrykdhhlfqp.exe jmbk6ivdkgpf "c:\trshmfqlcbpta\eqyozfmcsgls.exe"
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Process created: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe "C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe"	Jump to behavior
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Process created: C:\trshmfqlcbpta\eqyozfmcsgls.exe "C:\trshmfqlcbpta\eqyozfmcsgls.exe"	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Process created: C:\trshmfqlcbpta\yrykdhhlfqp.exe jmbk6ivdkgpf "c:\trshmfqlcbpta\eqyozfmcsgls.exe"	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Process created: C:\trshmfqlcbpta\eqyozfmcsgls.exe "c:\trshmfqlcbpta\eqyozfmcsgls.exe"	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Process created: C:\trshmfqlcbpta\yrykdhhlfqp.exe jmbk6ivdkgpf "c:\trshmfqlcbpta\eqyozfmcsgls.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: Z4KBs1USsJ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

Code function: 0_2_00E4915F GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetEnvironmentVariableA,CreateMutexA,CreateMutexA,GetTickCount,GetCommandLineA,Sleep,

0_2_00E4915F

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Code function: 0_2_00E61CD0 push eax; ret	0_2_00E61CE4
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Code function: 0_2_00E61CD0 push eax; ret	0_2_00E61D0C
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Code function: 0_2_00E54285 push 0000002Bh; ret	0_2_00E5428A
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Code function: 0_2_00E51BE1 push 8B00E6E6h; ret	0_2_00E51BE6
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Code function: 2_2_00B21CD0 push eax; ret	2_2_00B21CE4
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Code function: 2_2_00B21CD0 push eax; ret	2_2_00B21D0C
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Code function: 2_2_00B14285 push 0000002Bh; ret	2_2_00B1428A
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Code function: 2_2_00B11BE1 push 8B00B2E6h; ret	2_2_00B11BE6
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Code function: 3_2_00141CD0 push eax; ret	3_2_00141CE4
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Code function: 3_2_00141CD0 push eax; ret	3_2_00141D0C
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Code function: 3_2_00134285 push 0000002Bh; ret	3_2_0013428A
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Code function: 3_2_00131BE1 push 8B0014E6h; ret	3_2_00131BE6
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 4_2_006E1CD0 push eax; ret	4_2_006E1CE4
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 4_2_006E1CD0 push eax; ret	4_2_006E1D0C
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 4_2_006D4285 push 0000002Bh; ret	4_2_006D428A
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 4_2_006D1BE1 push 8B006EE6h; ret	4_2_006D1BE6
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 10_2_009B1CD0 push eax; ret	10_2_009B1CE4
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 10_2_009B1CD0 push eax; ret	10_2_009B1D0C
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 10_2_009A4285 push 0000002Bh; ret	10_2_009A428A
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 10_2_009A1BE1 push 8B009BE6h; ret	10_2_009A1BE6

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	File created: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Jump to dropped file
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	File created: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Jump to dropped file
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	File created: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Jump to dropped file

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

Code function: 0_2_00E37DE0 StartServiceCtrlDispatcherA,

0_2_00E37DE0

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

0_2_00E4915F

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Code function: EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	0_2_00E3D280
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Code function: EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	2_2_00AFD280
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Code function: EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	3_2_0011D280
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	4_2_006BD280
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	10_2_0098D280

Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Code function: LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary,		2_2_00B1CBD0
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Code function: LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary,		3_2_0013CBD0

Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Window / User API: threadDelayed 713	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Window / User API: threadDelayed 1160	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Window / User API: threadDelayed 694	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Window / User API: threadDelayed 1178	Jump to behavior

Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)			graph_2-13084
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-9701

Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe TID: 964	Thread sleep time: -37774s >= -30000s	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe TID: 5540	Thread sleep count: 713 > 30	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe TID: 5540	Thread sleep time: -713000s >= -30000s	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe TID: 5540	Thread sleep count: 1160 > 30	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe TID: 5540	Thread sleep time: -1160000s >= -30000s	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe TID: 4936	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe TID: 3660	Thread sleep time: -35552s >= -30000s	Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe TID: 4936	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe TID: 3504	Thread sleep count: 694 > 30	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe TID: 3504	Thread sleep time: -694000s >= -30000s	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe TID: 3504	Thread sleep count: 1178 > 30	Jump to behavior
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe TID: 3504	Thread sleep time: -1178000s >= -30000s	Jump to behavior

Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Last function: Thread delayed
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Last function: Thread delayed
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	Code function: 0_2_00E57B00 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00E57B00
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	Code function: 2_2_00B17B00 Sleep,FindFirstFileA,FindNextFileA,FindClose,	2_2_00B17B00
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Code function: 3_2_00137B00 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00137B00
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 4_2_006D7B00 Sleep,FindFirstFileA,FindNextFileA,FindClose,	4_2_006D7B00
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	Code function: 10_2_009A7B00 Sleep,FindFirstFileA,FindNextFileA,FindClose,	10_2_009A7B00

Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Thread delayed: delay time: 50000			Jump to behavior
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	Thread delayed: delay time: 50000			Jump to behavior

Source: nflzf40di8bxnz25kz2r.exe, 00000002.00000002.1481587520.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, eqyozfmcsgls.exe, 00000003.00000002.2245205664.000000000161A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: eqyozfmcsgls.exe, 00000009.00000002.3247833515.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllww

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	API call chain: ExitProcess graph end node	graph_0-11501
Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe	API call chain: ExitProcess graph end node	graph_0-10107
Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	API call chain: ExitProcess graph end node	graph_2-11265
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	API call chain: ExitProcess graph end node	graph_3-11062
Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe	API call chain: ExitProcess graph end node	graph_3-11079
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	API call chain: ExitProcess graph end node
Source: C:\trshmfqlcbpta\yrykdhhlfqp.exe	API call chain: ExitProcess graph end node

Source: C:\trshmfqlcbpta\eqyozfmcsgls.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

0_2_00E4915F

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

Code function: 0_2_00E5C960 GetProcessHeap,RtlAllocateHeap,

0_2_00E5C960

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

Code function: 0_2_00E60C20 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00E60C20

Source: C:\Users\user\Desktop\Z4KBs1USsJ.exe

Code function: 0_2_00E48230 GetSystemTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

0_2_00E48230

Source: C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 Process Injection	11 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 System Service Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	3 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Z4KBs1USsJ.exe	92%	ReversingLabs	Win32.Spyware.Nivdort
Z4KBs1USsJ.exe	100%	Avira	TR/Nivdort.Gen2
Z4KBs1USsJ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\trshmfqlcbpta\eqyozfmcsgls.exe	100%	Avira	TR/Nivdort.Gen2
C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	100%	Avira	TR/Nivdort.Gen2
C:\trshmfqlcbpta\yrykdhhlfqp.exe	100%	Avira	TR/Nivdort.Gen2
C:\trshmfqlcbpta\eqyozfmcsgls.exe	100%	Joe Sandbox ML
C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	100%	Joe Sandbox ML
C:\trshmfqlcbpta\yrykdhhlfqp.exe	100%	Joe Sandbox ML
C:\trshmfqlcbpta\eqyozfmcsgls.exe	92%	ReversingLabs	Win32.Spyware.Nivdort
C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe	92%	ReversingLabs	Win32.Spyware.Nivdort
C:\trshmfqlcbpta\yrykdhhlfqp.exe	92%	ReversingLabs	Win32.Spyware.Nivdort

Name	IP	Active	Malicious	Reputation
degreedaughter.net	85.214.228.140	true	false	high
7450.bodis.com	199.59.243.227	true	false	high
gentleanother.net	54.244.188.177	true	false	high
returnbottle.net	18.143.155.63	true	false	high
difficultpeople.net	13.248.169.48	true	false	unknown
pleasantinstead.net	18.143.155.63	true	false	high
forwardpeople.net	unknown	unknown	false	high
degreeanother.net	unknown	unknown	false	high
degreeexplain.net	unknown	unknown	false	high
heaveninside.net	unknown	unknown	false	high
answerappear.net	unknown	unknown	false	high
heavybusiness.net	unknown	unknown	false	high
pleasantinside.net	unknown	unknown	false	high
requirebusiness.net	unknown	unknown	false	high
forwardinside.net	unknown	unknown	false	high
glassmanner.net	unknown	unknown	false	high
answerexplain.net	unknown	unknown	false	high
orderinside.net	unknown	unknown	false	high
variousappear.net	unknown	unknown	false	high
returnbright.net	unknown	unknown	false	high
difficultanother.net	unknown	unknown	false	high
heavyinside.net	unknown	unknown	false	high
forwardready.net	unknown	unknown	false	high
glassdaughter.net	unknown	unknown	false	high
necessarymanner.net	unknown	unknown	false	high
answeranother.net	unknown	unknown	false	high
leadermanner.net	unknown	unknown	false	high
heavybottle.net	unknown	unknown	false	high
heavenbright.net	unknown	unknown	false	high
heavydivide.net	unknown	unknown	false	high
degreebrown.net	unknown	unknown	false	high
gentleinstead.net	unknown	unknown	false	high
glassanother.net	unknown	unknown	false	high
heavenanother.net	unknown	unknown	false	high
difficultmanner.net	unknown	unknown	false	high
glassexplain.net	unknown	unknown	false	high
requireinside.net	unknown	unknown	false	high
heavenexplain.net	unknown	unknown	false	high
forwardbusiness.net	unknown	unknown	false	high
difficultexplain.net	unknown	unknown	false	high
gentleappear.net	unknown	unknown	false	high
pleasantbright.net	unknown	unknown	false	high
returnexplain.net	unknown	unknown	false	high
gentlemanner.net	unknown	unknown	false	high
answerdaughter.net	unknown	unknown	false	high
heardinside.net	unknown	unknown	false	high
requiremanner.net	unknown	unknown	false	high
gentleexplain.net	unknown	unknown	false	high
glassappear.net	unknown	unknown	false	high
necessaryanother.net	unknown	unknown	false	high
glassinside.net	unknown	unknown	false	high
difficultbright.net	unknown	unknown	false	high
heardbrown.net	unknown	unknown	true	unknown
glasspeople.net	unknown	unknown	false	high
requireinstead.net	unknown	unknown	false	high
necessaryinside.net	unknown	unknown	false	high
returndivide.net	unknown	unknown	false	high
heardinstead.net	unknown	unknown	false	high
variousbright.net	unknown	unknown	false	high
degreebusiness.net	unknown	unknown	false	high
answerbusiness.net	unknown	unknown	false	high
heavenbusiness.net	unknown	unknown	false	high
gentledivide.net	unknown	unknown	false	high
variousinstead.net	unknown	unknown	false	high
gentlestream.net	unknown	unknown	false	high
pleasantmanner.net	unknown	unknown	false	high
necessaryappear.net	unknown	unknown	false	high
heardpeople.net	unknown	unknown	true	unknown
pleasantbusiness.net	unknown	unknown	false	high
heardbright.net	unknown	unknown	false	high
heavenbottle.net	unknown	unknown	false	high
heavynothing.net	unknown	unknown	false	high
gentlebusiness.net	unknown	unknown	false	high
ordermanner.net	unknown	unknown	false	high
leaderbottle.net	unknown	unknown	false	high
pleasantanother.net	unknown	unknown	false	high
heavyanother.net	unknown	unknown	false	high
degreeinstead.net	unknown	unknown	false	high
degreepeople.net	unknown	unknown	false	high
answerready.net	unknown	unknown	false	high
difficultbrown.net	unknown	unknown	true	unknown
answerbright.net	unknown	unknown	false	high
returninside.net	unknown	unknown	false	high
forwardbright.net	unknown	unknown	false	high
difficultinside.net	unknown	unknown	false	high
heavybright.net	unknown	unknown	false	high
leaderanother.net	unknown	unknown	false	high
returninstead.net	unknown	unknown	false	high
difficultinstead.net	unknown	unknown	false	high
heavenappear.net	unknown	unknown	false	high
answerinside.net	unknown	unknown	false	high
degreebright.net	unknown	unknown	false	high
forwardbrown.net	unknown	unknown	false	high
heavyinstead.net	unknown	unknown	false	high
gentleinside.net	unknown	unknown	false	high
heardexplain.net	unknown	unknown	false	high
heavyappear.net	unknown	unknown	false	high
answerpeople.net	unknown	unknown	false	high
pleasantexplain.net	unknown	unknown	false	high
requireexplain.net	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com	eqyozfmcsgls.exe, 00000003.00000002.2245205664.000000000161A000.00000004.00000020.00020000.00000000.sdmp, eqyozfmcsgls.exe, 00000009.00000002.3247833515.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.248.169.48	difficultpeople.net	United States	16509	AMAZON-02US	false
18.143.155.63	returnbottle.net	United States	16509	AMAZON-02US	false
85.214.228.140	degreedaughter.net	Germany	6724	STRATOSTRATOAGDE	false
199.59.243.227	7450.bodis.com	United States	395082	BODIS-NJUS	false
54.244.188.177	gentleanother.net	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1551221
Start date and time:	2024-11-07 16:11:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Z4KBs1USsJ.exe renamed because original name is a hash value
Original Sample Name:	2c44774360d281f890ad8869e2c1aa05a4ee7fe92fbf0d9ab20508aa7fba7f8c.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@12/5@333/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 85% Number of executed functions: 47 Number of non-executed functions: 27
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: Z4KBs1USsJ.exe

Simulations

Behavior and APIs

Time	Type	Description
10:12:44	API Interceptor	3684x Sleep call for process: yrykdhhlfqp.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.248.169.48	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	difficultpeople.net/index.php
	Y7isAhMKal.exe	Get hash	malicious	FormBook	Browse	www.how2.guru/20wk/
	SDBARVe3d3.exe	Get hash	malicious	FormBook	Browse	www.sonoscan.org/ew98/
	3NvALxFlHV.exe	Get hash	malicious	FormBook	Browse	www.solidarity.rocks/hezo/
	FzmC0FwV6y.exe	Get hash	malicious	FormBook	Browse	www.virtu.industries/uln2/
	Shipping documents..exe	Get hash	malicious	FormBook	Browse	www.telforce.one/ykhz/
	icRicpJWczmiOf8.exe	Get hash	malicious	FormBook	Browse	www.ulula.org/4w1b/
	IbRV4I7MrS.exe	Get hash	malicious	FormBook	Browse	www.ila.beauty/izfe/
	p4rsJEIb7k.exe	Get hash	malicious	FormBook	Browse	www.notepad.mobi/zut6/?Q2_4=Kt4qQSLgj4HorxpxZIZ4p+EAwKHWi+XN9OiBuCBJU5cikXkc2Sk5R2gtgSdO+P2tW+5SfoOeVCvwWIOnLXM8QNp6yDsCjrxQ3ZxiPCiDnoMvdK5RCpNRC70=&uXP=1HX8
18.143.155.63	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gentleanother.net	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
returnbottle.net	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
degreedaughter.net	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
7450.bodis.com	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	199.59.243.227

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	m8P4HaY7dU.vbs	Get hash	malicious	Unknown	Browse	18.226.186.214
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
STRATOSTRATOAGDE	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
AMAZON-02US	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	m8P4HaY7dU.vbs	Get hash	malicious	Unknown	Browse	18.226.186.214
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
BODIS-NJUS	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	199.59.243.227

Process:	C:\Users\user\Desktop\Z4KBs1USsJ.exe
File Type:	data
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.121928094887362
Encrypted:	false
SSDEEP:	3:4fvY:4fA
MD5:	85E8A64738DBED21EB974E9C24DFC70E
SHA1:	6CCD809DCC6BA61DC6E10CF5F4D8EF9CAD1CF6A9
SHA-256:	C59DC12ABDA7846B6CD7255C13F3E38FC7B4DC1163790EAE8242DC8985289C69
SHA-512:	EAE03EFEB2E4D709C3C5EF853EC23AA07DA765C3103A042A097FE7632FE209DD628ABADDE0C9F735420F9091DDAC13BAA7B24AE6B92FC118FA50648E1EAB7B7C
Malicious:	false
Reputation:	low
Preview:	..k`..ff.=

C:\trshmfqlcbpta\eqyozfmcsgls.exe

Download File

Process:	C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	364032
Entropy (8bit):	6.7838151372886095
Encrypted:	false
SSDEEP:	6144:PI3dxycctByFneZdUtr2hZV0JWZ85uLdH/ASBKPVJGj/DciGYpbPVnYOtgSmg3v6:PIicZVeia0JWyIDKPVUj7XlV9Yytmgfc
MD5:	9C485842F954958288C2ECF17881439A
SHA1:	A12C829FF47DD3A496594D6527AFFB7EEDD3BD11
SHA-256:	2C44774360D281F890AD8869E2C1AA05A4EE7FE92FBF0D9AB20508AA7FBA7F8C
SHA-512:	FCD500025E6F097544168EE0277CD1765006C28EFA0D1BB40DB6CA7FF0C8EA2AC13A46567F138C15D11DEA016BC00AB989E76DE00FF0BBC3ACC587332FE57EB4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q...................~.....B......p....B.....Rich............................PE..L.... zV.............................B.......0....@.......................................@.....................................P...............................p....................................................0..$............................text...J........................... ..`.rdata.......0......................@..@.data...l...........................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe

Download File

Process:	C:\Users\user\Desktop\Z4KBs1USsJ.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	364032
Entropy (8bit):	6.7838151372886095
Encrypted:	false
SSDEEP:	6144:PI3dxycctByFneZdUtr2hZV0JWZ85uLdH/ASBKPVJGj/DciGYpbPVnYOtgSmg3v6:PIicZVeia0JWyIDKPVUj7XlV9Yytmgfc
MD5:	9C485842F954958288C2ECF17881439A
SHA1:	A12C829FF47DD3A496594D6527AFFB7EEDD3BD11
SHA-256:	2C44774360D281F890AD8869E2C1AA05A4EE7FE92FBF0D9AB20508AA7FBA7F8C
SHA-512:	FCD500025E6F097544168EE0277CD1765006C28EFA0D1BB40DB6CA7FF0C8EA2AC13A46567F138C15D11DEA016BC00AB989E76DE00FF0BBC3ACC587332FE57EB4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q...................~.....B......p....B.....Rich............................PE..L.... zV.............................B.......0....@.......................................@.....................................P...............................p....................................................0..$............................text...J........................... ..`.rdata.......0......................@..@.data...l...........................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\trshmfqlcbpta\no2uvy

Download File

Process:	C:\Users\user\Desktop\Z4KBs1USsJ.exe
File Type:	data
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.121928094887362
Encrypted:	false
SSDEEP:	3:4fvY:4fA
MD5:	85E8A64738DBED21EB974E9C24DFC70E
SHA1:	6CCD809DCC6BA61DC6E10CF5F4D8EF9CAD1CF6A9
SHA-256:	C59DC12ABDA7846B6CD7255C13F3E38FC7B4DC1163790EAE8242DC8985289C69
SHA-512:	EAE03EFEB2E4D709C3C5EF853EC23AA07DA765C3103A042A097FE7632FE209DD628ABADDE0C9F735420F9091DDAC13BAA7B24AE6B92FC118FA50648E1EAB7B7C
Malicious:	false
Preview:	..k`..ff.=

C:\trshmfqlcbpta\yrykdhhlfqp.exe

Download File

Process:	C:\trshmfqlcbpta\eqyozfmcsgls.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	364032
Entropy (8bit):	6.7838151372886095
Encrypted:	false
SSDEEP:	6144:PI3dxycctByFneZdUtr2hZV0JWZ85uLdH/ASBKPVJGj/DciGYpbPVnYOtgSmg3v6:PIicZVeia0JWyIDKPVUj7XlV9Yytmgfc
MD5:	9C485842F954958288C2ECF17881439A
SHA1:	A12C829FF47DD3A496594D6527AFFB7EEDD3BD11
SHA-256:	2C44774360D281F890AD8869E2C1AA05A4EE7FE92FBF0D9AB20508AA7FBA7F8C
SHA-512:	FCD500025E6F097544168EE0277CD1765006C28EFA0D1BB40DB6CA7FF0C8EA2AC13A46567F138C15D11DEA016BC00AB989E76DE00FF0BBC3ACC587332FE57EB4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q...................~.....B......p....B.....Rich............................PE..L.... zV.............................B.......0....@.......................................@.....................................P...............................p....................................................0..$............................text...J........................... ..`.rdata.......0......................@..@.data...l...........................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.7838151372886095
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Z4KBs1USsJ.exe
File size:	364'032 bytes
MD5:	9c485842f954958288c2ecf17881439a
SHA1:	a12c829ff47dd3a496594d6527affb7eedd3bd11
SHA256:	2c44774360d281f890ad8869e2c1aa05a4ee7fe92fbf0d9ab20508aa7fba7f8c
SHA512:	fcd500025e6f097544168ee0277cd1765006c28efa0d1bb40db6ca7ff0c8ea2ac13a46567f138c15d11dea016bc00ab989e76de00ff0bbc3acc587332fe57eb4
SSDEEP:	6144:PI3dxycctByFneZdUtr2hZV0JWZ85uLdH/ASBKPVJGj/DciGYpbPVnYOtgSmg3v6:PIicZVeia0JWyIDKPVUj7XlV9Yytmgfc
TLSH:	E274F9ADDE8105EEDC02A0FC081533B7D7AD600573EAB4DB5A923B86597F8E4D93160B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q........................~......B........p......B......Rich............................PE..L.... zV...........................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4142d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x567A20EB [Wed Dec 23 04:19:55 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	c03c44838b405c72c00efe457c9026f9

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 08h
mov eax, dword ptr [0044E1A8h]
sub eax, 50B51EBEh
mov dword ptr [0044E55Ch], eax
dec dword ptr [0044E1A8h]
push esi
call 00007F8EB4C445D4h
add dword ptr [0044E1E8h], 9B877EBEh
call 00007F8EB4C24D85h
fld dword ptr [0044E118h]
fsub qword ptr [00446F50h]
push 0044312Ch
push 00443124h
fstp dword ptr [0044E118h]
fld dword ptr [0044E118h]
fadd qword ptr [0044CCE8h]
fsub qword ptr [0044CCE0h]
fistp qword ptr [ebp-08h]
mov cx, word ptr [ebp-08h]
mov word ptr [0044E440h], cx
call 00007F8EB4C2AAD4h
mov edx, dword ptr [0044E188h]
imul edx, edx, 4A6DB410h
add esp, 08h
mov dword ptr [0044E188h], edx
call 00007F8EB4C0B92Ah
mov esi, eax
fld qword ptr [0044E0B8h]
fsub qword ptr [0044CCD8h]
fstp qword ptr [0044E0B8h]
call 00007F8EB4C1AF31h
movzx eax, word ptr [0044E4ACh]
sub eax, 32D8D7ECh
push esi
mov word ptr [0044E4ACh], ax
call dword ptr [00443074h]
int3
int3
int3
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+10h]
push ebx

Rich Headers

Programming Language:

[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[ASM] VS2003 (.NET) build 3077
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4ccf0	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x50000	0xc970	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x43000	0x124	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4104a	0x41200	693764a56948dc94cd53bba265aaf427	False	0.5246221209213052	data	6.301261590363873	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x43000	0xa2fc	0xa400	6412b2e88610d7f6ca621a54b3ba5591	False	0.7431640625	data	6.52046081980572	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4e000	0x116c	0x800	20f815c092ca7c2f037dedc4f231f4f1	False	0.734375	data	5.652927311962374	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x50000	0xca0e	0xcc00	adf383d4fba3ad0ef9d03f6937a8f44f	False	0.6534734987745098	data	6.833275130925352	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
GDI32.dll	SetSystemPaletteUse, GetDCPenColor, SetTextCharacterExtra, GetFontLanguageInfo, GetDCBrushColor, GetObjectType, GetNearestColor, GetBkColor
USER32.dll	IsWindowEnabled, SetDlgItemTextA, RemovePropA, GetMenuItemCount, SetWindowTextA, GetPropA, GetInputState, GetWindowLongA, SendMessageA, SetFocus, GetCursor, EndPaint, WindowFromDC, DrawTextA, GetDialogBaseUnits, GetWindowContextHelpId, GetMenuContextHelpId, BeginPaint, LoadIconA, GetDlgItem, GetScrollPos, EnableWindow, GetMenuCheckMarkDimensions, EndDialog, GetMenuItemID, ShowWindow, GetQueueStatus, wvsprintfA, CharLowerBuffA, GetWindowDC
KERNEL32.dll	CreateFileA, CloseHandle, LockResource, GetLastError, SetFilePointer, FindResourceA, LocalFlags, GetModuleHandleA, GetVersion, GetTickCount, GetCurrentProcessId, SizeofResource, GlobalHandle, GetDriveTypeA, DeleteFileA, GetProcAddress, MoveFileA, GlobalAlloc, LoadResource, GlobalSize, ExitProcess, GetSystemTime, SystemTimeToFileTime, WriteFile, HeapFree, GetFileTime, GetFileSize, HeapReAlloc, GetProcessHeap, HeapAlloc, lstrlenA, GetStdHandle

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-07T16:12:15.899524+0100	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	1	192.168.2.8	49707	18.143.155.63	80	TCP
2024-11-07T16:12:15.899524+0100	2820680	ETPRO MALWARE W32/Bayrob Attempted Checkin 2	1	192.168.2.8	49707	18.143.155.63	80	TCP
2024-11-07T16:12:16.263052+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.143.155.63	80	192.168.2.8	49707	TCP
2024-11-07T16:12:16.263052+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	18.143.155.63	80	192.168.2.8	49707	TCP
2024-11-07T16:12:16.993403+0100	2018316	ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses	1	1.1.1.1	53	192.168.2.8	61147	UDP
2024-11-07T16:12:18.476316+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	54.244.188.177	80	192.168.2.8	49708	TCP
2024-11-07T16:12:18.476316+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	54.244.188.177	80	192.168.2.8	49708	TCP
2024-11-07T16:12:21.656405+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.8	49710	TCP
2024-11-07T16:12:24.406925+0100	2811542	ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)	1	1.1.1.1	53	192.168.2.8	51172	UDP
2024-11-07T16:12:59.184508+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.8	49715	TCP
2024-11-07T16:13:36.274373+0100	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	1	192.168.2.8	49717	18.143.155.63	80	TCP
2024-11-07T16:13:36.274373+0100	2820680	ETPRO MALWARE W32/Bayrob Attempted Checkin 2	1	192.168.2.8	49717	18.143.155.63	80	TCP
2024-11-07T16:13:39.781951+0100	2811542	ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)	1	1.1.1.1	53	192.168.2.8	61665	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 16:12:13.525911093 CET	49706	80	192.168.2.8	199.59.243.227
Nov 7, 2024 16:12:13.531758070 CET	80	49706	199.59.243.227	192.168.2.8
Nov 7, 2024 16:12:13.531891108 CET	49706	80	192.168.2.8	199.59.243.227
Nov 7, 2024 16:12:13.531960964 CET	49706	80	192.168.2.8	199.59.243.227
Nov 7, 2024 16:12:13.537319899 CET	80	49706	199.59.243.227	192.168.2.8
Nov 7, 2024 16:12:14.150000095 CET	80	49706	199.59.243.227	192.168.2.8
Nov 7, 2024 16:12:14.150036097 CET	80	49706	199.59.243.227	192.168.2.8
Nov 7, 2024 16:12:14.150142908 CET	49706	80	192.168.2.8	199.59.243.227
Nov 7, 2024 16:12:14.150799990 CET	80	49706	199.59.243.227	192.168.2.8
Nov 7, 2024 16:12:14.150852919 CET	49706	80	192.168.2.8	199.59.243.227
Nov 7, 2024 16:12:14.150981903 CET	49706	80	192.168.2.8	199.59.243.227
Nov 7, 2024 16:12:14.155709982 CET	80	49706	199.59.243.227	192.168.2.8
Nov 7, 2024 16:12:14.395925045 CET	49707	80	192.168.2.8	18.143.155.63
Nov 7, 2024 16:12:14.401869059 CET	80	49707	18.143.155.63	192.168.2.8
Nov 7, 2024 16:12:14.402196884 CET	49707	80	192.168.2.8	18.143.155.63
Nov 7, 2024 16:12:14.402296066 CET	49707	80	192.168.2.8	18.143.155.63
Nov 7, 2024 16:12:14.408025026 CET	80	49707	18.143.155.63	192.168.2.8
Nov 7, 2024 16:12:15.848074913 CET	80	49707	18.143.155.63	192.168.2.8
Nov 7, 2024 16:12:15.899523973 CET	49707	80	192.168.2.8	18.143.155.63
Nov 7, 2024 16:12:16.263051987 CET	80	49707	18.143.155.63	192.168.2.8
Nov 7, 2024 16:12:16.263140917 CET	49707	80	192.168.2.8	18.143.155.63
Nov 7, 2024 16:12:16.263194084 CET	49707	80	192.168.2.8	18.143.155.63
Nov 7, 2024 16:12:16.268695116 CET	80	49707	18.143.155.63	192.168.2.8
Nov 7, 2024 16:12:17.506383896 CET	49708	80	192.168.2.8	54.244.188.177
Nov 7, 2024 16:12:17.513621092 CET	80	49708	54.244.188.177	192.168.2.8
Nov 7, 2024 16:12:17.513839960 CET	49708	80	192.168.2.8	54.244.188.177
Nov 7, 2024 16:12:17.519769907 CET	49708	80	192.168.2.8	54.244.188.177
Nov 7, 2024 16:12:17.526458025 CET	80	49708	54.244.188.177	192.168.2.8
Nov 7, 2024 16:12:18.358709097 CET	80	49708	54.244.188.177	192.168.2.8
Nov 7, 2024 16:12:18.399573088 CET	49708	80	192.168.2.8	54.244.188.177
Nov 7, 2024 16:12:18.476315975 CET	80	49708	54.244.188.177	192.168.2.8
Nov 7, 2024 16:12:18.476527929 CET	49708	80	192.168.2.8	54.244.188.177
Nov 7, 2024 16:12:18.479016066 CET	49708	80	192.168.2.8	54.244.188.177
Nov 7, 2024 16:12:18.483865023 CET	80	49708	54.244.188.177	192.168.2.8
Nov 7, 2024 16:12:19.755569935 CET	49709	80	192.168.2.8	199.59.243.227
Nov 7, 2024 16:12:19.762315035 CET	80	49709	199.59.243.227	192.168.2.8
Nov 7, 2024 16:12:19.762432098 CET	49709	80	192.168.2.8	199.59.243.227
Nov 7, 2024 16:12:19.762486935 CET	49709	80	192.168.2.8	199.59.243.227
Nov 7, 2024 16:12:19.768405914 CET	80	49709	199.59.243.227	192.168.2.8
Nov 7, 2024 16:12:20.423696995 CET	80	49709	199.59.243.227	192.168.2.8
Nov 7, 2024 16:12:20.424107075 CET	80	49709	199.59.243.227	192.168.2.8
Nov 7, 2024 16:12:20.424226999 CET	49709	80	192.168.2.8	199.59.243.227
Nov 7, 2024 16:12:20.455960989 CET	80	49709	199.59.243.227	192.168.2.8
Nov 7, 2024 16:12:20.456069946 CET	49709	80	192.168.2.8	199.59.243.227
Nov 7, 2024 16:12:20.456125975 CET	49709	80	192.168.2.8	199.59.243.227
Nov 7, 2024 16:12:20.463124990 CET	80	49709	199.59.243.227	192.168.2.8
Nov 7, 2024 16:12:21.338090897 CET	49711	80	192.168.2.8	18.143.155.63
Nov 7, 2024 16:12:21.343020916 CET	80	49711	18.143.155.63	192.168.2.8
Nov 7, 2024 16:12:21.343092918 CET	49711	80	192.168.2.8	18.143.155.63
Nov 7, 2024 16:12:21.343183994 CET	49711	80	192.168.2.8	18.143.155.63
Nov 7, 2024 16:12:21.348016977 CET	80	49711	18.143.155.63	192.168.2.8
Nov 7, 2024 16:12:22.799196005 CET	80	49711	18.143.155.63	192.168.2.8
Nov 7, 2024 16:12:22.852571964 CET	49711	80	192.168.2.8	18.143.155.63
Nov 7, 2024 16:12:23.215425968 CET	80	49711	18.143.155.63	192.168.2.8
Nov 7, 2024 16:12:23.215485096 CET	49711	80	192.168.2.8	18.143.155.63
Nov 7, 2024 16:12:23.215569019 CET	49711	80	192.168.2.8	18.143.155.63
Nov 7, 2024 16:12:23.222491026 CET	80	49711	18.143.155.63	192.168.2.8
Nov 7, 2024 16:12:25.047863007 CET	49713	80	192.168.2.8	85.214.228.140
Nov 7, 2024 16:12:25.055449009 CET	80	49713	85.214.228.140	192.168.2.8
Nov 7, 2024 16:12:25.055532932 CET	49713	80	192.168.2.8	85.214.228.140
Nov 7, 2024 16:12:25.055661917 CET	49713	80	192.168.2.8	85.214.228.140
Nov 7, 2024 16:12:25.060570002 CET	80	49713	85.214.228.140	192.168.2.8
Nov 7, 2024 16:12:25.937597036 CET	80	49713	85.214.228.140	192.168.2.8
Nov 7, 2024 16:12:25.938077927 CET	49713	80	192.168.2.8	85.214.228.140
Nov 7, 2024 16:12:25.945452929 CET	80	49713	85.214.228.140	192.168.2.8
Nov 7, 2024 16:12:25.945537090 CET	49713	80	192.168.2.8	85.214.228.140
Nov 7, 2024 16:12:26.540572882 CET	49714	80	192.168.2.8	13.248.169.48
Nov 7, 2024 16:12:26.545764923 CET	80	49714	13.248.169.48	192.168.2.8
Nov 7, 2024 16:12:26.549596071 CET	49714	80	192.168.2.8	13.248.169.48
Nov 7, 2024 16:12:26.549643040 CET	49714	80	192.168.2.8	13.248.169.48
Nov 7, 2024 16:12:26.554801941 CET	80	49714	13.248.169.48	192.168.2.8
Nov 7, 2024 16:12:27.245536089 CET	80	49714	13.248.169.48	192.168.2.8
Nov 7, 2024 16:12:27.246036053 CET	49714	80	192.168.2.8	13.248.169.48
Nov 7, 2024 16:12:27.251302958 CET	80	49714	13.248.169.48	192.168.2.8
Nov 7, 2024 16:12:27.251384020 CET	49714	80	192.168.2.8	13.248.169.48
Nov 7, 2024 16:13:33.954083920 CET	49716	80	192.168.2.8	199.59.243.227
Nov 7, 2024 16:13:33.958940029 CET	80	49716	199.59.243.227	192.168.2.8
Nov 7, 2024 16:13:33.959022045 CET	49716	80	192.168.2.8	199.59.243.227
Nov 7, 2024 16:13:33.959125042 CET	49716	80	192.168.2.8	199.59.243.227
Nov 7, 2024 16:13:33.963924885 CET	80	49716	199.59.243.227	192.168.2.8
Nov 7, 2024 16:13:34.607412100 CET	80	49716	199.59.243.227	192.168.2.8
Nov 7, 2024 16:13:34.607681990 CET	80	49716	199.59.243.227	192.168.2.8
Nov 7, 2024 16:13:34.607753992 CET	49716	80	192.168.2.8	199.59.243.227
Nov 7, 2024 16:13:34.639729977 CET	80	49716	199.59.243.227	192.168.2.8
Nov 7, 2024 16:13:34.639939070 CET	49716	80	192.168.2.8	199.59.243.227
Nov 7, 2024 16:13:34.640049934 CET	49716	80	192.168.2.8	199.59.243.227
Nov 7, 2024 16:13:34.644982100 CET	80	49716	199.59.243.227	192.168.2.8
Nov 7, 2024 16:13:34.730794907 CET	49717	80	192.168.2.8	18.143.155.63
Nov 7, 2024 16:13:34.736015081 CET	80	49717	18.143.155.63	192.168.2.8
Nov 7, 2024 16:13:34.736170053 CET	49717	80	192.168.2.8	18.143.155.63
Nov 7, 2024 16:13:34.736294031 CET	49717	80	192.168.2.8	18.143.155.63
Nov 7, 2024 16:13:34.741257906 CET	80	49717	18.143.155.63	192.168.2.8
Nov 7, 2024 16:13:36.229701996 CET	80	49717	18.143.155.63	192.168.2.8
Nov 7, 2024 16:13:36.274373055 CET	49717	80	192.168.2.8	18.143.155.63
Nov 7, 2024 16:13:36.648452997 CET	80	49717	18.143.155.63	192.168.2.8
Nov 7, 2024 16:13:36.648610115 CET	49717	80	192.168.2.8	18.143.155.63
Nov 7, 2024 16:13:36.648720980 CET	49717	80	192.168.2.8	18.143.155.63
Nov 7, 2024 16:13:36.653579950 CET	80	49717	18.143.155.63	192.168.2.8
Nov 7, 2024 16:13:38.218720913 CET	49718	80	192.168.2.8	54.244.188.177
Nov 7, 2024 16:13:38.223553896 CET	80	49718	54.244.188.177	192.168.2.8
Nov 7, 2024 16:13:38.223654032 CET	49718	80	192.168.2.8	54.244.188.177
Nov 7, 2024 16:13:38.223678112 CET	49718	80	192.168.2.8	54.244.188.177
Nov 7, 2024 16:13:38.228604078 CET	80	49718	54.244.188.177	192.168.2.8
Nov 7, 2024 16:13:39.065949917 CET	80	49718	54.244.188.177	192.168.2.8
Nov 7, 2024 16:13:39.118158102 CET	49718	80	192.168.2.8	54.244.188.177
Nov 7, 2024 16:13:39.185698032 CET	80	49718	54.244.188.177	192.168.2.8
Nov 7, 2024 16:13:39.185785055 CET	49718	80	192.168.2.8	54.244.188.177
Nov 7, 2024 16:13:39.185877085 CET	49718	80	192.168.2.8	54.244.188.177
Nov 7, 2024 16:13:39.190697908 CET	80	49718	54.244.188.177	192.168.2.8
Nov 7, 2024 16:13:39.782948971 CET	49719	80	192.168.2.8	199.59.243.227
Nov 7, 2024 16:13:39.788938999 CET	80	49719	199.59.243.227	192.168.2.8
Nov 7, 2024 16:13:39.789026022 CET	49719	80	192.168.2.8	199.59.243.227
Nov 7, 2024 16:13:39.789078951 CET	49719	80	192.168.2.8	199.59.243.227
Nov 7, 2024 16:13:39.793925047 CET	80	49719	199.59.243.227	192.168.2.8
Nov 7, 2024 16:13:40.408759117 CET	80	49719	199.59.243.227	192.168.2.8
Nov 7, 2024 16:13:40.408790112 CET	80	49719	199.59.243.227	192.168.2.8
Nov 7, 2024 16:13:40.408854961 CET	49719	80	192.168.2.8	199.59.243.227
Nov 7, 2024 16:13:40.409797907 CET	80	49719	199.59.243.227	192.168.2.8
Nov 7, 2024 16:13:40.409847021 CET	49719	80	192.168.2.8	199.59.243.227
Nov 7, 2024 16:13:40.409871101 CET	49719	80	192.168.2.8	199.59.243.227
Nov 7, 2024 16:13:40.415308952 CET	80	49719	199.59.243.227	192.168.2.8
Nov 7, 2024 16:13:40.590640068 CET	49720	80	192.168.2.8	18.143.155.63
Nov 7, 2024 16:13:40.595690012 CET	80	49720	18.143.155.63	192.168.2.8
Nov 7, 2024 16:13:40.595978022 CET	49720	80	192.168.2.8	18.143.155.63
Nov 7, 2024 16:13:40.595978022 CET	49720	80	192.168.2.8	18.143.155.63
Nov 7, 2024 16:13:40.601134062 CET	80	49720	18.143.155.63	192.168.2.8
Nov 7, 2024 16:13:42.032536030 CET	80	49720	18.143.155.63	192.168.2.8
Nov 7, 2024 16:13:42.086848974 CET	49720	80	192.168.2.8	18.143.155.63
Nov 7, 2024 16:13:42.448095083 CET	80	49720	18.143.155.63	192.168.2.8
Nov 7, 2024 16:13:42.448302031 CET	49720	80	192.168.2.8	18.143.155.63
Nov 7, 2024 16:13:42.448302031 CET	49720	80	192.168.2.8	18.143.155.63
Nov 7, 2024 16:13:42.453258991 CET	80	49720	18.143.155.63	192.168.2.8
Nov 7, 2024 16:13:43.590827942 CET	49721	80	192.168.2.8	85.214.228.140
Nov 7, 2024 16:13:43.595829964 CET	80	49721	85.214.228.140	192.168.2.8
Nov 7, 2024 16:13:43.595962048 CET	49721	80	192.168.2.8	85.214.228.140
Nov 7, 2024 16:13:43.600956917 CET	49721	80	192.168.2.8	85.214.228.140
Nov 7, 2024 16:13:43.606425047 CET	80	49721	85.214.228.140	192.168.2.8
Nov 7, 2024 16:13:44.467159033 CET	80	49721	85.214.228.140	192.168.2.8
Nov 7, 2024 16:13:44.467619896 CET	49721	80	192.168.2.8	85.214.228.140
Nov 7, 2024 16:13:44.473278046 CET	80	49721	85.214.228.140	192.168.2.8
Nov 7, 2024 16:13:44.473350048 CET	49721	80	192.168.2.8	85.214.228.140
Nov 7, 2024 16:13:44.704108953 CET	49722	80	192.168.2.8	13.248.169.48
Nov 7, 2024 16:13:44.709124088 CET	80	49722	13.248.169.48	192.168.2.8
Nov 7, 2024 16:13:44.709255934 CET	49722	80	192.168.2.8	13.248.169.48
Nov 7, 2024 16:13:44.709309101 CET	49722	80	192.168.2.8	13.248.169.48
Nov 7, 2024 16:13:44.714168072 CET	80	49722	13.248.169.48	192.168.2.8
Nov 7, 2024 16:13:45.370276928 CET	80	49722	13.248.169.48	192.168.2.8
Nov 7, 2024 16:13:45.370676041 CET	49722	80	192.168.2.8	13.248.169.48
Nov 7, 2024 16:13:45.378635883 CET	80	49722	13.248.169.48	192.168.2.8
Nov 7, 2024 16:13:45.378705025 CET	49722	80	192.168.2.8	13.248.169.48

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 16:12:12.658591032 CET	61167	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:12.669739962 CET	53	61167	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:12.671572924 CET	56161	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:12.681611061 CET	53	56161	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:12.682770967 CET	58220	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:12.693552017 CET	53	58220	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:12.694642067 CET	52896	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:12.705760002 CET	53	52896	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:12.706985950 CET	59709	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:12.718158007 CET	53	59709	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:12.719356060 CET	65311	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:12.752892971 CET	53	65311	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:12.754944086 CET	57464	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:12.785792112 CET	53	57464	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:12.786772966 CET	64307	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:12.797009945 CET	53	64307	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:12.798799038 CET	56616	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:12.960258007 CET	53	56616	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:12.969625950 CET	54656	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:13.002311945 CET	53	54656	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:13.003727913 CET	62913	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:13.017816067 CET	53	62913	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:13.051289082 CET	49563	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:13.066886902 CET	53	49563	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:13.070808887 CET	55648	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:13.519804955 CET	53	55648	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:14.152255058 CET	65069	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:14.162575960 CET	53	65069	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:14.164313078 CET	52398	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:14.174874067 CET	53	52398	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:14.176687002 CET	53623	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:14.187325954 CET	53	53623	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:14.188982010 CET	54470	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:14.200014114 CET	53	54470	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:14.201469898 CET	59022	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:14.395093918 CET	53	59022	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.264441967 CET	53725	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.298578024 CET	53	53725	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.299870014 CET	50886	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.307548046 CET	53	50886	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.308514118 CET	65325	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.319325924 CET	53	65325	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.320313931 CET	63378	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.327584982 CET	53	63378	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.328927994 CET	57382	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.339422941 CET	53	57382	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.340508938 CET	56940	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.351438046 CET	53	56940	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.353010893 CET	57271	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.384951115 CET	53	57271	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.386457920 CET	60953	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.396013021 CET	53	60953	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.397114038 CET	60511	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.407633066 CET	53	60511	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.408674002 CET	61098	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.439676046 CET	53	61098	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.441426039 CET	61265	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.450536013 CET	53	61265	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.452064037 CET	54479	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.462754011 CET	53	54479	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.464356899 CET	51531	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.473781109 CET	53	51531	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.478166103 CET	59497	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.485709906 CET	53	59497	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.487003088 CET	57152	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.518136024 CET	53	57152	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.520315886 CET	53843	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.529642105 CET	53	53843	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.530782938 CET	59342	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.542331934 CET	53	59342	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.543431997 CET	54096	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.576138973 CET	53	54096	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.577719927 CET	62242	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.587138891 CET	53	62242	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.588249922 CET	54124	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.619071960 CET	53	54124	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.620562077 CET	61460	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.651568890 CET	53	61460	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.653248072 CET	53456	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.663929939 CET	53	53456	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.665441036 CET	63036	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.676635981 CET	53	63036	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.677861929 CET	50448	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.692259073 CET	53	50448	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.693645954 CET	61227	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.703753948 CET	53	61227	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.704962969 CET	61809	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.716300964 CET	53	61809	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.717472076 CET	65182	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.749413013 CET	53	65182	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.750860929 CET	50513	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.783396006 CET	53	50513	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.784921885 CET	54462	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.794751883 CET	53	54462	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.796094894 CET	53226	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.805634975 CET	53	53226	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.806802034 CET	56083	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.816931963 CET	53	56083	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.818319082 CET	52740	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.829364061 CET	53	52740	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.838143110 CET	51045	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.871968031 CET	53	51045	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.874104023 CET	55450	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.882240057 CET	53	55450	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.883443117 CET	60651	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.893686056 CET	53	60651	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.895005941 CET	49862	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.904486895 CET	53	49862	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.905572891 CET	54801	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.915641069 CET	53	54801	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.916847944 CET	62471	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.926336050 CET	53	62471	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.927434921 CET	55524	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.938700914 CET	53	55524	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.940215111 CET	51460	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.949714899 CET	53	51460	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.950992107 CET	60840	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.960544109 CET	53	60840	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.962337971 CET	61147	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:16.993402958 CET	53	61147	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:16.995125055 CET	56832	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:17.005770922 CET	53	56832	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:17.006980896 CET	64163	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:17.018451929 CET	53	64163	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:17.019687891 CET	63287	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:17.026772022 CET	53	63287	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:17.027996063 CET	54855	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:17.037878036 CET	53	54855	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:17.039031029 CET	56565	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:17.049290895 CET	53	56565	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:17.050605059 CET	61109	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:17.082875967 CET	53	61109	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:17.084207058 CET	51608	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:17.095828056 CET	53	51608	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:17.097002983 CET	62375	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:17.107474089 CET	53	62375	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:17.108437061 CET	54549	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:17.121788025 CET	53	54549	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:17.122881889 CET	50637	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:17.286870956 CET	53	50637	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:17.288295984 CET	53502	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:17.300226927 CET	53	53502	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:17.301199913 CET	65036	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:17.505764961 CET	53	65036	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:18.487555981 CET	52421	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:18.495363951 CET	53	52421	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:18.496356010 CET	52742	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:18.527422905 CET	53	52742	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:18.528778076 CET	65142	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:18.561306000 CET	53	65142	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:18.562454939 CET	65188	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:18.574141979 CET	53	65188	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:18.575238943 CET	52784	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:18.608161926 CET	53	52784	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:18.609226942 CET	54040	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:18.619729042 CET	53	54040	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:18.620606899 CET	60085	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:18.652642012 CET	53	60085	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:18.653656960 CET	64970	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:18.684916019 CET	53	64970	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:18.686110973 CET	49548	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:18.844466925 CET	53	49548	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:18.845778942 CET	55837	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:18.853090048 CET	53	55837	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:18.854104996 CET	57942	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:18.885565996 CET	53	57942	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:18.886537075 CET	64828	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:18.896159887 CET	53	64828	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:18.897272110 CET	55789	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:18.907351017 CET	53	55789	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:18.912467003 CET	60026	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:18.923140049 CET	53	60026	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:18.924134970 CET	51480	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:19.082365036 CET	53	51480	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:19.083997965 CET	62113	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:19.115977049 CET	53	62113	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:19.117177963 CET	56914	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:19.149039984 CET	53	56914	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:19.150317907 CET	65181	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:19.181504011 CET	53	65181	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:19.182734966 CET	59119	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:19.194755077 CET	53	59119	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:19.195986032 CET	55699	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:19.365108013 CET	53	55699	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:19.366374969 CET	63893	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:19.378401041 CET	53	63893	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:19.379467964 CET	49555	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:19.390233040 CET	53	49555	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:19.391216993 CET	53492	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:19.423769951 CET	53	53492	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:19.424896002 CET	56402	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:19.438155890 CET	53	56402	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:19.439070940 CET	49767	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:19.449651957 CET	53	49767	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:19.451056004 CET	57719	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:19.754926920 CET	53	57719	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:20.457230091 CET	63857	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:20.622225046 CET	53	63857	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:20.623440027 CET	62842	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:20.654361963 CET	53	62842	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:20.658363104 CET	65047	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:20.668072939 CET	53	65047	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:20.677730083 CET	53073	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:20.688569069 CET	53	53073	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:20.724421024 CET	64181	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:20.735869884 CET	53	64181	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:20.740470886 CET	53146	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:20.750840902 CET	53	53146	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:20.768342018 CET	60497	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:20.779275894 CET	53	60497	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:20.794516087 CET	65412	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:20.804164886 CET	53	65412	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:20.825314045 CET	63483	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:20.835325003 CET	53	63483	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:20.836509943 CET	54837	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:20.846573114 CET	53	54837	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:20.881064892 CET	49680	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:21.100975037 CET	53	49680	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:23.217183113 CET	64604	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:23.228279114 CET	53	64604	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:23.229840994 CET	61194	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:23.389710903 CET	53	61194	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:23.406239986 CET	64681	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:23.437397957 CET	53	64681	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:23.444636106 CET	55053	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:23.452392101 CET	53	55053	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:23.558150053 CET	50540	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:23.568766117 CET	53	50540	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:23.592533112 CET	50054	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:23.604115009 CET	53	50054	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:23.900039911 CET	62342	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:23.931540966 CET	53	62342	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:23.957045078 CET	53203	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:23.967864037 CET	53	53203	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:23.982719898 CET	63648	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:23.993489027 CET	53	63648	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.085830927 CET	59767	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.096070051 CET	53	59767	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.135464907 CET	62472	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.146157980 CET	53	62472	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.147439003 CET	64246	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.157629013 CET	53	64246	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.159003019 CET	58279	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.169706106 CET	53	58279	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.183129072 CET	53661	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.193196058 CET	53	53661	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.207024097 CET	55448	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.217485905 CET	53	55448	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.233350039 CET	50073	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.243807077 CET	53	50073	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.245328903 CET	59392	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.255598068 CET	53	59392	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.257179976 CET	49738	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.289156914 CET	53	49738	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.290810108 CET	52312	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.300859928 CET	53	52312	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.302517891 CET	63975	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.312597036 CET	53	63975	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.315234900 CET	62676	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.325180054 CET	53	62676	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.326690912 CET	49460	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.357415915 CET	53	49460	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.358851910 CET	63512	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.369992971 CET	53	63512	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.371931076 CET	56424	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.383040905 CET	53	56424	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.384424925 CET	55558	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.394778967 CET	53	55558	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.396404982 CET	51172	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.406924963 CET	53	51172	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.416672945 CET	63208	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.446752071 CET	53	63208	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.448143959 CET	56313	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.479171991 CET	53	56313	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.480567932 CET	62648	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.492805958 CET	53	62648	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.494174957 CET	65431	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.504036903 CET	53	65431	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.505448103 CET	64622	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.539933920 CET	53	64622	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.541474104 CET	51382	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.577322960 CET	53	51382	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.578809023 CET	58343	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.592513084 CET	53	58343	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.594118118 CET	63149	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.608143091 CET	53	63149	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.609671116 CET	58137	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.623187065 CET	53	58137	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.624552965 CET	64715	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.636755943 CET	53	64715	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.638371944 CET	58599	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.651299953 CET	53	58599	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.652702093 CET	52704	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.663695097 CET	53	52704	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.665081024 CET	50366	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.676693916 CET	53	50366	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.678152084 CET	55062	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.688747883 CET	53	55062	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.690143108 CET	61556	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.699640989 CET	53	61556	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.700902939 CET	56065	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.731410980 CET	53	56065	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.733990908 CET	49895	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.745218992 CET	53	49895	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.747826099 CET	58420	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.759074926 CET	53	58420	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.760354996 CET	65393	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:24.770875931 CET	53	65393	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:24.772049904 CET	64367	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:25.046963930 CET	53	64367	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:25.939040899 CET	59191	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:25.951529980 CET	53	59191	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:25.952702045 CET	53444	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:25.985491991 CET	53	53444	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:25.990603924 CET	65098	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:26.003395081 CET	53	65098	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:26.004766941 CET	59060	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:26.017863035 CET	53	59060	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:26.020158052 CET	63471	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:26.033489943 CET	53	63471	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:26.034857035 CET	60472	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:26.070688963 CET	53	60472	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:26.072132111 CET	58080	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:26.085134983 CET	53	58080	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:26.086424112 CET	65283	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:26.097270966 CET	53	65283	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:26.100729942 CET	52515	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:26.112544060 CET	53	52515	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:26.118012905 CET	49658	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:26.128628969 CET	53	49658	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:26.132642984 CET	53930	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:26.140130997 CET	53	53930	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:26.144186974 CET	58653	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:26.164038897 CET	53	58653	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:26.168699026 CET	57121	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:26.329334974 CET	53	57121	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:26.330617905 CET	56751	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:26.486390114 CET	53	56751	1.1.1.1	192.168.2.8
Nov 7, 2024 16:12:27.247185946 CET	56488	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:12:27.258933067 CET	53	56488	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:33.721349955 CET	56349	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:33.732633114 CET	53	56349	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:33.734586954 CET	59681	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:33.766608000 CET	53	59681	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:33.767868996 CET	51691	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:33.798937082 CET	53	51691	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:33.800344944 CET	56034	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:33.810980082 CET	53	56034	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:33.812136889 CET	53610	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:33.823857069 CET	53	53610	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:33.825086117 CET	61520	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:33.856715918 CET	53	61520	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:33.858232975 CET	54201	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:33.868496895 CET	53	54201	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:33.869761944 CET	58000	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:33.880374908 CET	53	58000	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:33.881658077 CET	57629	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:33.912332058 CET	53	57629	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:33.913718939 CET	52629	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:33.924088955 CET	53	52629	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:33.925759077 CET	49446	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:33.937391996 CET	53	49446	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:33.938733101 CET	51873	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:33.950222015 CET	53	51873	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:34.641437054 CET	61767	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:34.651272058 CET	53	61767	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:34.654856920 CET	59759	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:34.664747000 CET	53	59759	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:34.677088022 CET	55128	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:34.694068909 CET	53	55128	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:34.696800947 CET	57571	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:34.729141951 CET	53	57571	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:36.650027037 CET	59655	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:36.659857035 CET	53	59655	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:36.661201000 CET	60883	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:36.671179056 CET	53	60883	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:36.672399044 CET	50622	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:36.682795048 CET	53	50622	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:36.684073925 CET	54382	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:36.716902971 CET	53	54382	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:36.723681927 CET	60109	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:36.879935980 CET	53	60109	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:36.881370068 CET	56081	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:36.912470102 CET	53	56081	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:36.914069891 CET	49890	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:36.924432039 CET	53	49890	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:36.926309109 CET	57549	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:36.936080933 CET	53	57549	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:36.937215090 CET	64696	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:36.947231054 CET	53	64696	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:36.948508024 CET	50562	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:36.956003904 CET	53	50562	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:36.957019091 CET	50261	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:36.968039036 CET	53	50261	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:36.969116926 CET	50409	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.000092983 CET	53	50409	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.001290083 CET	62008	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.011141062 CET	53	62008	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.012108088 CET	57202	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.022382975 CET	53	57202	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.023226976 CET	58182	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.030688047 CET	53	58182	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.031527996 CET	52253	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.062282085 CET	53	52253	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.068205118 CET	58544	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.224692106 CET	53	58544	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.225912094 CET	61972	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.396047115 CET	53	61972	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.397372007 CET	50941	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.405807018 CET	53	50941	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.406812906 CET	58612	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.436980009 CET	53	58612	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.438241005 CET	59019	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.448615074 CET	53	59019	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.449764013 CET	56352	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.460299015 CET	53	56352	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.461261988 CET	52966	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.471323013 CET	53	52966	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.472327948 CET	49784	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.503621101 CET	53	49784	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.504765034 CET	52566	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.514709949 CET	53	52566	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.516762972 CET	49345	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.550309896 CET	53	49345	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.551435947 CET	59058	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.584427118 CET	53	59058	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.587224007 CET	57134	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.597692013 CET	53	57134	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.598920107 CET	64182	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.610080004 CET	53	64182	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.612865925 CET	53574	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.620373011 CET	53	53574	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.622834921 CET	65297	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.635580063 CET	53	65297	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.636768103 CET	65124	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.645472050 CET	53	65124	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.646586895 CET	59405	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.658638000 CET	53	59405	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.659884930 CET	59562	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.694175959 CET	53	59562	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.695436954 CET	52140	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.707482100 CET	53	52140	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.708751917 CET	52380	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.720673084 CET	53	52380	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.721798897 CET	63327	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.733386040 CET	53	63327	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.735259056 CET	60012	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.748981953 CET	53	60012	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.754230022 CET	49294	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.765798092 CET	53	49294	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.766984940 CET	62020	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.778470039 CET	53	62020	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.779545069 CET	53494	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.813127995 CET	53	53494	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.814428091 CET	62381	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.847284079 CET	53	62381	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.848591089 CET	54901	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.858181000 CET	53	54901	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.859381914 CET	49516	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.869142056 CET	53	49516	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.870206118 CET	60939	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.900640965 CET	53	60939	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.901683092 CET	60200	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.913827896 CET	53	60200	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.914752007 CET	53103	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.926939964 CET	53	53103	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.927839994 CET	63728	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.958710909 CET	53	63728	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.960011959 CET	60120	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:37.971796036 CET	53	60120	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:37.972800970 CET	53976	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:38.007031918 CET	53	53976	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:38.008541107 CET	50145	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:38.170134068 CET	53	50145	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:38.171500921 CET	62959	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:38.181493044 CET	53	62959	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:38.183193922 CET	56122	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:38.217359066 CET	53	56122	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.186988115 CET	64178	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.196221113 CET	53	64178	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.197293997 CET	53226	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.207520008 CET	53	53226	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.208745003 CET	63391	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.217930079 CET	53	63391	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.218950033 CET	53795	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.230338097 CET	53	53795	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.231381893 CET	54481	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.244024038 CET	53	54481	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.244987965 CET	49754	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.419398069 CET	53	49754	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.420725107 CET	61042	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.451426029 CET	53	61042	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.452721119 CET	64829	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.464124918 CET	53	64829	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.465883970 CET	52266	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.497862101 CET	53	52266	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.499092102 CET	53776	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.530946970 CET	53	53776	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.531970024 CET	57827	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.542772055 CET	53	57827	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.543674946 CET	60232	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.574621916 CET	53	60232	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.575607061 CET	52329	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.606142044 CET	53	52329	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.607228994 CET	52185	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.617799044 CET	53	52185	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.618639946 CET	52351	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.629476070 CET	53	52351	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.630275011 CET	51413	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.661298990 CET	53	51413	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.662446976 CET	59474	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.669655085 CET	53	59474	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.670572996 CET	58218	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.702824116 CET	53	58218	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.703910112 CET	63206	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.713001966 CET	53	63206	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.714052916 CET	49766	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.724271059 CET	53	49766	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.725234985 CET	51575	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.735661983 CET	53	51575	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.736572027 CET	62703	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.747658968 CET	53	62703	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.748677015 CET	56725	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.759088993 CET	53	56725	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.760098934 CET	54158	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.770558119 CET	53	54158	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:39.771661997 CET	61665	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:39.781950951 CET	53	61665	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:40.410922050 CET	63940	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:40.442714930 CET	53	63940	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:40.444010019 CET	49567	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:40.475487947 CET	53	49567	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:40.477022886 CET	49537	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:40.487430096 CET	53	49537	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:40.488707066 CET	54886	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:40.499176979 CET	53	54886	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:40.502530098 CET	53429	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:40.514051914 CET	53	53429	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:40.515185118 CET	55822	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:40.525650978 CET	53	55822	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:40.526848078 CET	55503	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:40.536238909 CET	53	55503	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:40.537697077 CET	51680	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:40.545569897 CET	53	51680	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:40.546658993 CET	63759	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:40.556673050 CET	53	63759	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:40.557718039 CET	54154	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:40.588959932 CET	53	54154	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.449400902 CET	65087	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.459635973 CET	53	65087	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.460589886 CET	65271	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.472297907 CET	53	65271	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.473491907 CET	53620	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.505196095 CET	53	53620	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.506372929 CET	52254	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.537606001 CET	53	52254	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.539038897 CET	50113	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.570811987 CET	53	50113	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.583837032 CET	56333	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.615175009 CET	53	56333	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.616544962 CET	64646	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.625848055 CET	53	64646	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.627046108 CET	55812	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.658420086 CET	53	55812	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.659749985 CET	51346	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.669311047 CET	53	51346	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.670898914 CET	50802	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.682110071 CET	53	50802	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.683489084 CET	49290	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.693878889 CET	53	49290	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.695380926 CET	55854	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.706171036 CET	53	55854	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.707549095 CET	56144	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.717573881 CET	53	56144	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.718936920 CET	58066	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.730446100 CET	53	58066	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.731769085 CET	55370	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.743628025 CET	53	55370	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.744714975 CET	64450	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.755830050 CET	53	64450	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.756860018 CET	62967	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.788217068 CET	53	62967	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.789510965 CET	63239	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.823373079 CET	53	63239	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.824712038 CET	53866	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.858365059 CET	53	53866	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.859867096 CET	58592	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.873905897 CET	53	58592	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.875133991 CET	50083	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.888196945 CET	53	50083	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.890288115 CET	55038	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.901746988 CET	53	55038	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.910278082 CET	50034	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.921610117 CET	53	50034	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.923007965 CET	49610	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.933670044 CET	53	49610	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.935209036 CET	56688	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:42.945648909 CET	53	56688	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:42.988193989 CET	56199	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:43.021559954 CET	53	56199	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:43.054512978 CET	59417	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:43.064800978 CET	53	59417	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:43.066139936 CET	50416	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:43.077544928 CET	53	50416	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:43.091948032 CET	65000	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:43.102412939 CET	53	65000	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:43.116441011 CET	62046	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:43.148657084 CET	53	62046	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:43.151047945 CET	61127	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:43.161293983 CET	53	61127	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:43.163768053 CET	51739	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:43.173305988 CET	53	51739	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:43.186952114 CET	54032	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:43.218688965 CET	53	54032	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:43.299352884 CET	56644	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:43.310180902 CET	53	56644	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:43.311992884 CET	56375	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:43.321619987 CET	53	56375	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:43.322889090 CET	58637	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:43.359163046 CET	53	58637	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:43.362955093 CET	53953	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:43.394121885 CET	53	53953	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:43.395915985 CET	62070	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:43.405983925 CET	53	62070	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:43.407515049 CET	51744	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:43.437491894 CET	53	51744	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:43.439188957 CET	63243	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:43.449201107 CET	53	63243	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:43.451803923 CET	64579	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:43.462614059 CET	53	64579	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:43.496206045 CET	57122	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:43.526546955 CET	53	57122	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:43.535646915 CET	56145	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:43.545222044 CET	53	56145	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:43.546396017 CET	50560	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:43.577207088 CET	53	50560	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:43.578694105 CET	58159	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:43.589287996 CET	53	58159	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:44.468986988 CET	52721	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:44.479609013 CET	53	52721	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:44.480885983 CET	60792	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:44.512464046 CET	53	60792	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:44.513807058 CET	60401	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:44.524449110 CET	53	60401	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:44.526137114 CET	60851	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:44.539710999 CET	53	60851	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:44.541105032 CET	59817	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:44.558269978 CET	53	59817	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:44.559617996 CET	52677	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:44.571285009 CET	53	52677	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:44.573067904 CET	53557	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:44.584438086 CET	53	53557	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:44.585748911 CET	51751	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:44.594631910 CET	53	51751	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:44.595856905 CET	49210	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:44.606323004 CET	53	49210	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:44.607510090 CET	61493	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:44.617984056 CET	53	61493	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:44.619739056 CET	57830	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:44.653007030 CET	53	57830	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:44.654737949 CET	56491	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:44.687884092 CET	53	56491	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:44.689284086 CET	51888	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:44.702770948 CET	53	51888	1.1.1.1	192.168.2.8
Nov 7, 2024 16:13:45.371716022 CET	53915	53	192.168.2.8	1.1.1.1
Nov 7, 2024 16:13:45.384479046 CET	53	53915	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 7, 2024 16:12:12.658591032 CET	192.168.2.8	1.1.1.1	0x8506	Standard query (0)	leaderbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:12.671572924 CET	192.168.2.8	1.1.1.1	0xcfd	Standard query (0)	heavenbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:12.682770967 CET	192.168.2.8	1.1.1.1	0xc2c9	Standard query (0)	leaderdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:12.694642067 CET	192.168.2.8	1.1.1.1	0x9e4d	Standard query (0)	heavendivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:12.706985950 CET	192.168.2.8	1.1.1.1	0xb17b	Standard query (0)	heavystream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:12.719356060 CET	192.168.2.8	1.1.1.1	0x922d	Standard query (0)	gentlestream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:12.754944086 CET	192.168.2.8	1.1.1.1	0x785c	Standard query (0)	heavynothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:12.786772966 CET	192.168.2.8	1.1.1.1	0x856d	Standard query (0)	gentlenothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:12.798799038 CET	192.168.2.8	1.1.1.1	0xf6ba	Standard query (0)	heavybottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:12.969625950 CET	192.168.2.8	1.1.1.1	0xa153	Standard query (0)	gentlebottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:13.003727913 CET	192.168.2.8	1.1.1.1	0x95a5	Standard query (0)	heavydivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:13.051289082 CET	192.168.2.8	1.1.1.1	0x6380	Standard query (0)	gentledivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:13.070808887 CET	192.168.2.8	1.1.1.1	0x718e	Standard query (0)	variousstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:14.152255058 CET	192.168.2.8	1.1.1.1	0x1941	Standard query (0)	returnstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:14.164313078 CET	192.168.2.8	1.1.1.1	0xf4fb	Standard query (0)	variousnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:14.176687002 CET	192.168.2.8	1.1.1.1	0x2181	Standard query (0)	returnnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:14.188982010 CET	192.168.2.8	1.1.1.1	0x8f88	Standard query (0)	variousbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:14.201469898 CET	192.168.2.8	1.1.1.1	0xe688	Standard query (0)	returnbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.264441967 CET	192.168.2.8	1.1.1.1	0x1f50	Standard query (0)	variousdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.299870014 CET	192.168.2.8	1.1.1.1	0xc4fe	Standard query (0)	returndivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.308514118 CET	192.168.2.8	1.1.1.1	0x920d	Standard query (0)	degreemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.320313931 CET	192.168.2.8	1.1.1.1	0xdc36	Standard query (0)	forwardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.328927994 CET	192.168.2.8	1.1.1.1	0x1c81	Standard query (0)	degreeanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.340508938 CET	192.168.2.8	1.1.1.1	0x5885	Standard query (0)	forwardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.353010893 CET	192.168.2.8	1.1.1.1	0xc3df	Standard query (0)	degreebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.386457920 CET	192.168.2.8	1.1.1.1	0xcf51	Standard query (0)	forwardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.397114038 CET	192.168.2.8	1.1.1.1	0x1dc7	Standard query (0)	degreeappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.408674002 CET	192.168.2.8	1.1.1.1	0x9dda	Standard query (0)	forwardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.441426039 CET	192.168.2.8	1.1.1.1	0x3484	Standard query (0)	answermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.452064037 CET	192.168.2.8	1.1.1.1	0x1e82	Standard query (0)	glassmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.464356899 CET	192.168.2.8	1.1.1.1	0xcf69	Standard query (0)	answeranother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.478166103 CET	192.168.2.8	1.1.1.1	0xb706	Standard query (0)	glassanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.487003088 CET	192.168.2.8	1.1.1.1	0xff71	Standard query (0)	answerbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.520315886 CET	192.168.2.8	1.1.1.1	0x49ec	Standard query (0)	glassbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.530782938 CET	192.168.2.8	1.1.1.1	0xd8d	Standard query (0)	answerappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.543431997 CET	192.168.2.8	1.1.1.1	0xf334	Standard query (0)	glassappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.577719927 CET	192.168.2.8	1.1.1.1	0xf5be	Standard query (0)	difficultmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.588249922 CET	192.168.2.8	1.1.1.1	0xa895	Standard query (0)	heardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.620562077 CET	192.168.2.8	1.1.1.1	0x14a8	Standard query (0)	difficultanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.653248072 CET	192.168.2.8	1.1.1.1	0xb7d0	Standard query (0)	heardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.665441036 CET	192.168.2.8	1.1.1.1	0xd088	Standard query (0)	difficultbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.677861929 CET	192.168.2.8	1.1.1.1	0x3ae2	Standard query (0)	heardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.693645954 CET	192.168.2.8	1.1.1.1	0x6de3	Standard query (0)	difficultappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.704962969 CET	192.168.2.8	1.1.1.1	0x75d4	Standard query (0)	heardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.717472076 CET	192.168.2.8	1.1.1.1	0xd26	Standard query (0)	pleasantmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.750860929 CET	192.168.2.8	1.1.1.1	0x60bf	Standard query (0)	necessarymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.784921885 CET	192.168.2.8	1.1.1.1	0x129	Standard query (0)	pleasantanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.796094894 CET	192.168.2.8	1.1.1.1	0xe0ea	Standard query (0)	necessaryanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.806802034 CET	192.168.2.8	1.1.1.1	0xeb12	Standard query (0)	pleasantbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.818319082 CET	192.168.2.8	1.1.1.1	0x3b16	Standard query (0)	necessarybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.838143110 CET	192.168.2.8	1.1.1.1	0xf143	Standard query (0)	pleasantappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.874104023 CET	192.168.2.8	1.1.1.1	0x3a3f	Standard query (0)	necessaryappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.883443117 CET	192.168.2.8	1.1.1.1	0xde4a	Standard query (0)	ordermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.895005941 CET	192.168.2.8	1.1.1.1	0x623e	Standard query (0)	requiremanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.905572891 CET	192.168.2.8	1.1.1.1	0x5711	Standard query (0)	orderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.916847944 CET	192.168.2.8	1.1.1.1	0x4d01	Standard query (0)	requireanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.927434921 CET	192.168.2.8	1.1.1.1	0xc9b2	Standard query (0)	orderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.940215111 CET	192.168.2.8	1.1.1.1	0x5a1	Standard query (0)	requirebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.950992107 CET	192.168.2.8	1.1.1.1	0x211f	Standard query (0)	orderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.962337971 CET	192.168.2.8	1.1.1.1	0x783	Standard query (0)	requireappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.995125055 CET	192.168.2.8	1.1.1.1	0xe0e7	Standard query (0)	leadermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:17.006980896 CET	192.168.2.8	1.1.1.1	0xb6e7	Standard query (0)	heavenmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:17.019687891 CET	192.168.2.8	1.1.1.1	0xd3bc	Standard query (0)	leaderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:17.027996063 CET	192.168.2.8	1.1.1.1	0xe4d3	Standard query (0)	heavenanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:17.039031029 CET	192.168.2.8	1.1.1.1	0x3e89	Standard query (0)	leaderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:17.050605059 CET	192.168.2.8	1.1.1.1	0x97fd	Standard query (0)	heavenbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:17.084207058 CET	192.168.2.8	1.1.1.1	0x1c72	Standard query (0)	leaderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:17.097002983 CET	192.168.2.8	1.1.1.1	0x5dfe	Standard query (0)	heavenappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:17.108437061 CET	192.168.2.8	1.1.1.1	0xa07a	Standard query (0)	heavymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:17.122881889 CET	192.168.2.8	1.1.1.1	0x73f2	Standard query (0)	gentlemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:17.288295984 CET	192.168.2.8	1.1.1.1	0xd737	Standard query (0)	heavyanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:17.301199913 CET	192.168.2.8	1.1.1.1	0x3af0	Standard query (0)	gentleanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.487555981 CET	192.168.2.8	1.1.1.1	0xca2c	Standard query (0)	heavybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.496356010 CET	192.168.2.8	1.1.1.1	0x53b0	Standard query (0)	gentlebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.528778076 CET	192.168.2.8	1.1.1.1	0xec3f	Standard query (0)	heavyappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.562454939 CET	192.168.2.8	1.1.1.1	0xf920	Standard query (0)	gentleappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.575238943 CET	192.168.2.8	1.1.1.1	0x984e	Standard query (0)	variousmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.609226942 CET	192.168.2.8	1.1.1.1	0x51cc	Standard query (0)	returnmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.620606899 CET	192.168.2.8	1.1.1.1	0x8a33	Standard query (0)	variousanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.653656960 CET	192.168.2.8	1.1.1.1	0x2878	Standard query (0)	returnanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.686110973 CET	192.168.2.8	1.1.1.1	0xe22e	Standard query (0)	variousbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.845778942 CET	192.168.2.8	1.1.1.1	0x53bb	Standard query (0)	returnbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.854104996 CET	192.168.2.8	1.1.1.1	0xfbf3	Standard query (0)	variousappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.886537075 CET	192.168.2.8	1.1.1.1	0x1a6f	Standard query (0)	returnappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.897272110 CET	192.168.2.8	1.1.1.1	0xb21e	Standard query (0)	degreeinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.912467003 CET	192.168.2.8	1.1.1.1	0xc6a8	Standard query (0)	forwardinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.924134970 CET	192.168.2.8	1.1.1.1	0x1ebf	Standard query (0)	degreeexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:19.083997965 CET	192.168.2.8	1.1.1.1	0xaba5	Standard query (0)	forwardexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:19.117177963 CET	192.168.2.8	1.1.1.1	0x2a31	Standard query (0)	degreebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:19.150317907 CET	192.168.2.8	1.1.1.1	0xa246	Standard query (0)	forwardbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:19.182734966 CET	192.168.2.8	1.1.1.1	0x9fe6	Standard query (0)	degreeinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:19.195986032 CET	192.168.2.8	1.1.1.1	0xc169	Standard query (0)	forwardinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:19.366374969 CET	192.168.2.8	1.1.1.1	0x4c4d	Standard query (0)	answerinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:19.379467964 CET	192.168.2.8	1.1.1.1	0x6c95	Standard query (0)	glassinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:19.391216993 CET	192.168.2.8	1.1.1.1	0x9296	Standard query (0)	answerexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:19.424896002 CET	192.168.2.8	1.1.1.1	0xe55f	Standard query (0)	glassexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:19.439070940 CET	192.168.2.8	1.1.1.1	0x9cd6	Standard query (0)	answerbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:19.451056004 CET	192.168.2.8	1.1.1.1	0x1ea3	Standard query (0)	glassbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:20.457230091 CET	192.168.2.8	1.1.1.1	0x970b	Standard query (0)	answerinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:20.623440027 CET	192.168.2.8	1.1.1.1	0x954d	Standard query (0)	glassinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:20.658363104 CET	192.168.2.8	1.1.1.1	0xb3a3	Standard query (0)	difficultinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:20.677730083 CET	192.168.2.8	1.1.1.1	0x1b	Standard query (0)	heardinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:20.724421024 CET	192.168.2.8	1.1.1.1	0x6a03	Standard query (0)	difficultexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:20.740470886 CET	192.168.2.8	1.1.1.1	0xa90f	Standard query (0)	heardexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:20.768342018 CET	192.168.2.8	1.1.1.1	0xb7d3	Standard query (0)	difficultbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:20.794516087 CET	192.168.2.8	1.1.1.1	0x427f	Standard query (0)	heardbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:20.825314045 CET	192.168.2.8	1.1.1.1	0xaed7	Standard query (0)	difficultinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:20.836509943 CET	192.168.2.8	1.1.1.1	0x3872	Standard query (0)	heardinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:20.881064892 CET	192.168.2.8	1.1.1.1	0x3dfc	Standard query (0)	pleasantinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:23.217183113 CET	192.168.2.8	1.1.1.1	0x177a	Standard query (0)	necessaryinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:23.229840994 CET	192.168.2.8	1.1.1.1	0x9d3e	Standard query (0)	pleasantexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:23.406239986 CET	192.168.2.8	1.1.1.1	0x737c	Standard query (0)	necessaryexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:23.444636106 CET	192.168.2.8	1.1.1.1	0x3cd0	Standard query (0)	pleasantbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:23.558150053 CET	192.168.2.8	1.1.1.1	0x8999	Standard query (0)	necessarybright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:23.592533112 CET	192.168.2.8	1.1.1.1	0xafba	Standard query (0)	pleasantinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:23.900039911 CET	192.168.2.8	1.1.1.1	0xfc8f	Standard query (0)	necessaryinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:23.957045078 CET	192.168.2.8	1.1.1.1	0xfcb6	Standard query (0)	orderinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:23.982719898 CET	192.168.2.8	1.1.1.1	0x8829	Standard query (0)	requireinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.085830927 CET	192.168.2.8	1.1.1.1	0xe272	Standard query (0)	orderexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.135464907 CET	192.168.2.8	1.1.1.1	0xabe5	Standard query (0)	requireexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.147439003 CET	192.168.2.8	1.1.1.1	0x5936	Standard query (0)	orderbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.159003019 CET	192.168.2.8	1.1.1.1	0x5a4d	Standard query (0)	requirebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.183129072 CET	192.168.2.8	1.1.1.1	0x343a	Standard query (0)	orderinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.207024097 CET	192.168.2.8	1.1.1.1	0xf18c	Standard query (0)	requireinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.233350039 CET	192.168.2.8	1.1.1.1	0xbb56	Standard query (0)	leaderinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.245328903 CET	192.168.2.8	1.1.1.1	0x4a9b	Standard query (0)	heaveninstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.257179976 CET	192.168.2.8	1.1.1.1	0x640	Standard query (0)	leaderexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.290810108 CET	192.168.2.8	1.1.1.1	0x4ba2	Standard query (0)	heavenexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.302517891 CET	192.168.2.8	1.1.1.1	0xab19	Standard query (0)	leaderbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.315234900 CET	192.168.2.8	1.1.1.1	0x2376	Standard query (0)	heavenbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.326690912 CET	192.168.2.8	1.1.1.1	0x7f12	Standard query (0)	leaderinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.358851910 CET	192.168.2.8	1.1.1.1	0x22a6	Standard query (0)	heaveninside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.371931076 CET	192.168.2.8	1.1.1.1	0xb630	Standard query (0)	heavyinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.384424925 CET	192.168.2.8	1.1.1.1	0x524c	Standard query (0)	gentleinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.396404982 CET	192.168.2.8	1.1.1.1	0x2fd	Standard query (0)	heavyexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.416672945 CET	192.168.2.8	1.1.1.1	0x1157	Standard query (0)	gentleexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.448143959 CET	192.168.2.8	1.1.1.1	0xe111	Standard query (0)	heavybright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.480567932 CET	192.168.2.8	1.1.1.1	0xc82d	Standard query (0)	gentlebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.494174957 CET	192.168.2.8	1.1.1.1	0xca7d	Standard query (0)	heavyinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.505448103 CET	192.168.2.8	1.1.1.1	0x2b05	Standard query (0)	gentleinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.541474104 CET	192.168.2.8	1.1.1.1	0x394c	Standard query (0)	variousinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.578809023 CET	192.168.2.8	1.1.1.1	0xa48a	Standard query (0)	returninstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.594118118 CET	192.168.2.8	1.1.1.1	0x1833	Standard query (0)	variousexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.609671116 CET	192.168.2.8	1.1.1.1	0x31d7	Standard query (0)	returnexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.624552965 CET	192.168.2.8	1.1.1.1	0x8542	Standard query (0)	variousbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.638371944 CET	192.168.2.8	1.1.1.1	0xcb70	Standard query (0)	returnbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.652702093 CET	192.168.2.8	1.1.1.1	0x4563	Standard query (0)	variousinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.665081024 CET	192.168.2.8	1.1.1.1	0xfd3c	Standard query (0)	returninside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.678152084 CET	192.168.2.8	1.1.1.1	0x5822	Standard query (0)	degreeready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.690143108 CET	192.168.2.8	1.1.1.1	0xfed3	Standard query (0)	forwardready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.700902939 CET	192.168.2.8	1.1.1.1	0x98e0	Standard query (0)	degreebrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.733990908 CET	192.168.2.8	1.1.1.1	0xd044	Standard query (0)	forwardbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.747826099 CET	192.168.2.8	1.1.1.1	0x9d19	Standard query (0)	degreepeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.760354996 CET	192.168.2.8	1.1.1.1	0x5eb0	Standard query (0)	forwardpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.772049904 CET	192.168.2.8	1.1.1.1	0x4d31	Standard query (0)	degreedaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:25.939040899 CET	192.168.2.8	1.1.1.1	0xa68e	Standard query (0)	forwarddaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:25.952702045 CET	192.168.2.8	1.1.1.1	0x8af1	Standard query (0)	answerready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:25.990603924 CET	192.168.2.8	1.1.1.1	0xb03c	Standard query (0)	glassready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:26.004766941 CET	192.168.2.8	1.1.1.1	0x19cc	Standard query (0)	answerbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:26.020158052 CET	192.168.2.8	1.1.1.1	0x2f2a	Standard query (0)	glassbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:26.034857035 CET	192.168.2.8	1.1.1.1	0x5ecc	Standard query (0)	answerpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:26.072132111 CET	192.168.2.8	1.1.1.1	0x4419	Standard query (0)	glasspeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:26.086424112 CET	192.168.2.8	1.1.1.1	0x8ecc	Standard query (0)	answerdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:26.100729942 CET	192.168.2.8	1.1.1.1	0x4be8	Standard query (0)	glassdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:26.118012905 CET	192.168.2.8	1.1.1.1	0x6648	Standard query (0)	difficultready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:26.132642984 CET	192.168.2.8	1.1.1.1	0x7d24	Standard query (0)	heardready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:26.144186974 CET	192.168.2.8	1.1.1.1	0xac7e	Standard query (0)	difficultbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:26.168699026 CET	192.168.2.8	1.1.1.1	0x350d	Standard query (0)	heardbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:26.330617905 CET	192.168.2.8	1.1.1.1	0x1f7e	Standard query (0)	difficultpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:27.247185946 CET	192.168.2.8	1.1.1.1	0x4769	Standard query (0)	heardpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:33.721349955 CET	192.168.2.8	1.1.1.1	0x6234	Standard query (0)	leaderbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:33.734586954 CET	192.168.2.8	1.1.1.1	0x606f	Standard query (0)	heavenbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:33.767868996 CET	192.168.2.8	1.1.1.1	0xf839	Standard query (0)	leaderdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:33.800344944 CET	192.168.2.8	1.1.1.1	0xbef0	Standard query (0)	heavendivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:33.812136889 CET	192.168.2.8	1.1.1.1	0xff41	Standard query (0)	heavystream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:33.825086117 CET	192.168.2.8	1.1.1.1	0xdf35	Standard query (0)	gentlestream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:33.858232975 CET	192.168.2.8	1.1.1.1	0xbccf	Standard query (0)	heavynothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:33.869761944 CET	192.168.2.8	1.1.1.1	0x7a93	Standard query (0)	gentlenothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:33.881658077 CET	192.168.2.8	1.1.1.1	0x2938	Standard query (0)	heavybottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:33.913718939 CET	192.168.2.8	1.1.1.1	0x33b3	Standard query (0)	gentlebottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:33.925759077 CET	192.168.2.8	1.1.1.1	0x3cd	Standard query (0)	heavydivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:33.938733101 CET	192.168.2.8	1.1.1.1	0xc00c	Standard query (0)	gentledivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:34.641437054 CET	192.168.2.8	1.1.1.1	0xe328	Standard query (0)	returnstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:34.654856920 CET	192.168.2.8	1.1.1.1	0xb84d	Standard query (0)	variousnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:34.677088022 CET	192.168.2.8	1.1.1.1	0x5c1f	Standard query (0)	returnnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:34.696800947 CET	192.168.2.8	1.1.1.1	0x75d8	Standard query (0)	variousbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:36.650027037 CET	192.168.2.8	1.1.1.1	0xcbdc	Standard query (0)	variousdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:36.661201000 CET	192.168.2.8	1.1.1.1	0x2686	Standard query (0)	returndivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:36.672399044 CET	192.168.2.8	1.1.1.1	0xbc3a	Standard query (0)	degreemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:36.684073925 CET	192.168.2.8	1.1.1.1	0xbbf7	Standard query (0)	forwardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:36.723681927 CET	192.168.2.8	1.1.1.1	0x2d93	Standard query (0)	degreeanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:36.881370068 CET	192.168.2.8	1.1.1.1	0x1ae4	Standard query (0)	forwardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:36.914069891 CET	192.168.2.8	1.1.1.1	0x513a	Standard query (0)	degreebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:36.926309109 CET	192.168.2.8	1.1.1.1	0x2944	Standard query (0)	forwardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:36.937215090 CET	192.168.2.8	1.1.1.1	0x544a	Standard query (0)	degreeappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:36.948508024 CET	192.168.2.8	1.1.1.1	0x2c08	Standard query (0)	forwardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:36.957019091 CET	192.168.2.8	1.1.1.1	0x6792	Standard query (0)	answermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:36.969116926 CET	192.168.2.8	1.1.1.1	0xead	Standard query (0)	glassmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.001290083 CET	192.168.2.8	1.1.1.1	0x67e0	Standard query (0)	answeranother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.012108088 CET	192.168.2.8	1.1.1.1	0xc933	Standard query (0)	glassanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.023226976 CET	192.168.2.8	1.1.1.1	0x7f31	Standard query (0)	answerbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.031527996 CET	192.168.2.8	1.1.1.1	0x34ad	Standard query (0)	glassbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.068205118 CET	192.168.2.8	1.1.1.1	0x8b29	Standard query (0)	answerappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.225912094 CET	192.168.2.8	1.1.1.1	0x361d	Standard query (0)	glassappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.397372007 CET	192.168.2.8	1.1.1.1	0xbdc7	Standard query (0)	difficultmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.406812906 CET	192.168.2.8	1.1.1.1	0x3587	Standard query (0)	heardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.438241005 CET	192.168.2.8	1.1.1.1	0x7e5f	Standard query (0)	difficultanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.449764013 CET	192.168.2.8	1.1.1.1	0x6582	Standard query (0)	heardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.461261988 CET	192.168.2.8	1.1.1.1	0xeeb1	Standard query (0)	difficultbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.472327948 CET	192.168.2.8	1.1.1.1	0x1efc	Standard query (0)	heardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.504765034 CET	192.168.2.8	1.1.1.1	0xaa6e	Standard query (0)	difficultappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.516762972 CET	192.168.2.8	1.1.1.1	0xde22	Standard query (0)	heardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.551435947 CET	192.168.2.8	1.1.1.1	0x1137	Standard query (0)	pleasantmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.587224007 CET	192.168.2.8	1.1.1.1	0xe03c	Standard query (0)	necessarymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.598920107 CET	192.168.2.8	1.1.1.1	0x625f	Standard query (0)	pleasantanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.612865925 CET	192.168.2.8	1.1.1.1	0xb7df	Standard query (0)	necessaryanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.622834921 CET	192.168.2.8	1.1.1.1	0x9a1a	Standard query (0)	pleasantbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.636768103 CET	192.168.2.8	1.1.1.1	0x259e	Standard query (0)	necessarybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.646586895 CET	192.168.2.8	1.1.1.1	0x2df2	Standard query (0)	pleasantappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.659884930 CET	192.168.2.8	1.1.1.1	0x5dc4	Standard query (0)	necessaryappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.695436954 CET	192.168.2.8	1.1.1.1	0xac0b	Standard query (0)	ordermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.708751917 CET	192.168.2.8	1.1.1.1	0x3945	Standard query (0)	requiremanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.721798897 CET	192.168.2.8	1.1.1.1	0x19f4	Standard query (0)	orderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.735259056 CET	192.168.2.8	1.1.1.1	0x743	Standard query (0)	requireanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.754230022 CET	192.168.2.8	1.1.1.1	0x79d1	Standard query (0)	orderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.766984940 CET	192.168.2.8	1.1.1.1	0xab82	Standard query (0)	requirebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.779545069 CET	192.168.2.8	1.1.1.1	0xcf93	Standard query (0)	orderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.814428091 CET	192.168.2.8	1.1.1.1	0x3d9d	Standard query (0)	requireappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.848591089 CET	192.168.2.8	1.1.1.1	0x6824	Standard query (0)	leadermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.859381914 CET	192.168.2.8	1.1.1.1	0x6d15	Standard query (0)	heavenmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.870206118 CET	192.168.2.8	1.1.1.1	0x7a49	Standard query (0)	leaderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.901683092 CET	192.168.2.8	1.1.1.1	0xa4a7	Standard query (0)	heavenanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.914752007 CET	192.168.2.8	1.1.1.1	0xb9ca	Standard query (0)	leaderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.927839994 CET	192.168.2.8	1.1.1.1	0x3235	Standard query (0)	heavenbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.960011959 CET	192.168.2.8	1.1.1.1	0xfd9f	Standard query (0)	leaderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.972800970 CET	192.168.2.8	1.1.1.1	0xc5e6	Standard query (0)	heavenappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:38.008541107 CET	192.168.2.8	1.1.1.1	0xcbd8	Standard query (0)	heavymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:38.171500921 CET	192.168.2.8	1.1.1.1	0xcc0e	Standard query (0)	gentlemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:38.183193922 CET	192.168.2.8	1.1.1.1	0x50f0	Standard query (0)	heavyanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.186988115 CET	192.168.2.8	1.1.1.1	0x77d9	Standard query (0)	heavybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.197293997 CET	192.168.2.8	1.1.1.1	0xc716	Standard query (0)	gentlebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.208745003 CET	192.168.2.8	1.1.1.1	0xb72d	Standard query (0)	heavyappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.218950033 CET	192.168.2.8	1.1.1.1	0x9de5	Standard query (0)	gentleappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.231381893 CET	192.168.2.8	1.1.1.1	0xe7ab	Standard query (0)	variousmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.244987965 CET	192.168.2.8	1.1.1.1	0x75c	Standard query (0)	returnmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.420725107 CET	192.168.2.8	1.1.1.1	0x2fa5	Standard query (0)	variousanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.452721119 CET	192.168.2.8	1.1.1.1	0xd509	Standard query (0)	returnanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.465883970 CET	192.168.2.8	1.1.1.1	0xed98	Standard query (0)	variousbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.499092102 CET	192.168.2.8	1.1.1.1	0xdb20	Standard query (0)	returnbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.531970024 CET	192.168.2.8	1.1.1.1	0x37d2	Standard query (0)	variousappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.543674946 CET	192.168.2.8	1.1.1.1	0x895b	Standard query (0)	returnappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.575607061 CET	192.168.2.8	1.1.1.1	0x898b	Standard query (0)	degreeinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.607228994 CET	192.168.2.8	1.1.1.1	0xd08d	Standard query (0)	forwardinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.618639946 CET	192.168.2.8	1.1.1.1	0xb224	Standard query (0)	degreeexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.630275011 CET	192.168.2.8	1.1.1.1	0x5c7	Standard query (0)	forwardexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.662446976 CET	192.168.2.8	1.1.1.1	0xdd28	Standard query (0)	degreebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.670572996 CET	192.168.2.8	1.1.1.1	0xf12e	Standard query (0)	forwardbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.703910112 CET	192.168.2.8	1.1.1.1	0xab8b	Standard query (0)	degreeinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.714052916 CET	192.168.2.8	1.1.1.1	0xd54a	Standard query (0)	forwardinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.725234985 CET	192.168.2.8	1.1.1.1	0xc2e	Standard query (0)	answerinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.736572027 CET	192.168.2.8	1.1.1.1	0x858b	Standard query (0)	glassinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.748677015 CET	192.168.2.8	1.1.1.1	0x5b2	Standard query (0)	answerexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.760098934 CET	192.168.2.8	1.1.1.1	0xefbc	Standard query (0)	glassexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.771661997 CET	192.168.2.8	1.1.1.1	0xb704	Standard query (0)	answerbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:40.410922050 CET	192.168.2.8	1.1.1.1	0x233a	Standard query (0)	answerinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:40.444010019 CET	192.168.2.8	1.1.1.1	0xcfd	Standard query (0)	glassinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:40.477022886 CET	192.168.2.8	1.1.1.1	0x813c	Standard query (0)	difficultinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:40.488707066 CET	192.168.2.8	1.1.1.1	0x1db8	Standard query (0)	heardinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:40.502530098 CET	192.168.2.8	1.1.1.1	0x1997	Standard query (0)	difficultexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:40.515185118 CET	192.168.2.8	1.1.1.1	0xc88e	Standard query (0)	heardexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:40.526848078 CET	192.168.2.8	1.1.1.1	0xec1d	Standard query (0)	difficultbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:40.537697077 CET	192.168.2.8	1.1.1.1	0x52e8	Standard query (0)	heardbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:40.546658993 CET	192.168.2.8	1.1.1.1	0x2aa6	Standard query (0)	difficultinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:40.557718039 CET	192.168.2.8	1.1.1.1	0x28ab	Standard query (0)	heardinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.449400902 CET	192.168.2.8	1.1.1.1	0xc256	Standard query (0)	necessaryinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.460589886 CET	192.168.2.8	1.1.1.1	0x37ca	Standard query (0)	pleasantexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.473491907 CET	192.168.2.8	1.1.1.1	0xe935	Standard query (0)	necessaryexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.506372929 CET	192.168.2.8	1.1.1.1	0xb80e	Standard query (0)	pleasantbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.539038897 CET	192.168.2.8	1.1.1.1	0x68b2	Standard query (0)	necessarybright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.583837032 CET	192.168.2.8	1.1.1.1	0x5a79	Standard query (0)	pleasantinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.616544962 CET	192.168.2.8	1.1.1.1	0xef31	Standard query (0)	necessaryinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.627046108 CET	192.168.2.8	1.1.1.1	0xe389	Standard query (0)	orderinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.659749985 CET	192.168.2.8	1.1.1.1	0xe4fb	Standard query (0)	requireinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.670898914 CET	192.168.2.8	1.1.1.1	0xafaf	Standard query (0)	orderexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.683489084 CET	192.168.2.8	1.1.1.1	0x9e00	Standard query (0)	requireexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.695380926 CET	192.168.2.8	1.1.1.1	0x4fdd	Standard query (0)	orderbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.707549095 CET	192.168.2.8	1.1.1.1	0x711	Standard query (0)	requirebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.718936920 CET	192.168.2.8	1.1.1.1	0xd37d	Standard query (0)	orderinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.731769085 CET	192.168.2.8	1.1.1.1	0x4419	Standard query (0)	requireinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.744714975 CET	192.168.2.8	1.1.1.1	0x115b	Standard query (0)	leaderinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.756860018 CET	192.168.2.8	1.1.1.1	0x809e	Standard query (0)	heaveninstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.789510965 CET	192.168.2.8	1.1.1.1	0x1465	Standard query (0)	leaderexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.824712038 CET	192.168.2.8	1.1.1.1	0x878f	Standard query (0)	heavenexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.859867096 CET	192.168.2.8	1.1.1.1	0x1e00	Standard query (0)	leaderbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.875133991 CET	192.168.2.8	1.1.1.1	0x4f76	Standard query (0)	heavenbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.890288115 CET	192.168.2.8	1.1.1.1	0x6309	Standard query (0)	leaderinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.910278082 CET	192.168.2.8	1.1.1.1	0x7f5a	Standard query (0)	heaveninside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.923007965 CET	192.168.2.8	1.1.1.1	0x7f5e	Standard query (0)	heavyinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.935209036 CET	192.168.2.8	1.1.1.1	0x4618	Standard query (0)	gentleinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.988193989 CET	192.168.2.8	1.1.1.1	0x8444	Standard query (0)	heavyexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.054512978 CET	192.168.2.8	1.1.1.1	0xd9fc	Standard query (0)	gentleexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.066139936 CET	192.168.2.8	1.1.1.1	0x15f2	Standard query (0)	heavybright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.091948032 CET	192.168.2.8	1.1.1.1	0xfea5	Standard query (0)	gentlebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.116441011 CET	192.168.2.8	1.1.1.1	0x44dd	Standard query (0)	heavyinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.151047945 CET	192.168.2.8	1.1.1.1	0xcc6	Standard query (0)	gentleinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.163768053 CET	192.168.2.8	1.1.1.1	0x9459	Standard query (0)	variousinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.186952114 CET	192.168.2.8	1.1.1.1	0x87ef	Standard query (0)	returninstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.299352884 CET	192.168.2.8	1.1.1.1	0x928c	Standard query (0)	variousexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.311992884 CET	192.168.2.8	1.1.1.1	0x3f4a	Standard query (0)	returnexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.322889090 CET	192.168.2.8	1.1.1.1	0xe9ab	Standard query (0)	variousbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.362955093 CET	192.168.2.8	1.1.1.1	0x86d3	Standard query (0)	returnbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.395915985 CET	192.168.2.8	1.1.1.1	0xafd6	Standard query (0)	variousinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.407515049 CET	192.168.2.8	1.1.1.1	0x4e59	Standard query (0)	returninside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.439188957 CET	192.168.2.8	1.1.1.1	0xd951	Standard query (0)	degreeready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.451803923 CET	192.168.2.8	1.1.1.1	0x5d3a	Standard query (0)	forwardready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.496206045 CET	192.168.2.8	1.1.1.1	0xdafa	Standard query (0)	degreebrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.535646915 CET	192.168.2.8	1.1.1.1	0xd382	Standard query (0)	forwardbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.546396017 CET	192.168.2.8	1.1.1.1	0x3225	Standard query (0)	degreepeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.578694105 CET	192.168.2.8	1.1.1.1	0xf982	Standard query (0)	forwardpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.468986988 CET	192.168.2.8	1.1.1.1	0x88e2	Standard query (0)	forwarddaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.480885983 CET	192.168.2.8	1.1.1.1	0x94ef	Standard query (0)	answerready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.513807058 CET	192.168.2.8	1.1.1.1	0x2e77	Standard query (0)	glassready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.526137114 CET	192.168.2.8	1.1.1.1	0xb7f2	Standard query (0)	answerbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.541105032 CET	192.168.2.8	1.1.1.1	0x9471	Standard query (0)	glassbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.559617996 CET	192.168.2.8	1.1.1.1	0x2343	Standard query (0)	answerpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.573067904 CET	192.168.2.8	1.1.1.1	0x4c84	Standard query (0)	glasspeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.585748911 CET	192.168.2.8	1.1.1.1	0xe96	Standard query (0)	answerdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.595856905 CET	192.168.2.8	1.1.1.1	0xcef9	Standard query (0)	glassdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.607510090 CET	192.168.2.8	1.1.1.1	0x9e2	Standard query (0)	difficultready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.619739056 CET	192.168.2.8	1.1.1.1	0xd00	Standard query (0)	heardready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.654737949 CET	192.168.2.8	1.1.1.1	0x912a	Standard query (0)	difficultbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.689284086 CET	192.168.2.8	1.1.1.1	0x4616	Standard query (0)	heardbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:45.371716022 CET	192.168.2.8	1.1.1.1	0xf9b7	Standard query (0)	heardpeople.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 7, 2024 16:12:12.669739962 CET	1.1.1.1	192.168.2.8	0x8506	Name error (3)	leaderbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:12.681611061 CET	1.1.1.1	192.168.2.8	0xcfd	Name error (3)	heavenbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:12.693552017 CET	1.1.1.1	192.168.2.8	0xc2c9	Name error (3)	leaderdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:12.705760002 CET	1.1.1.1	192.168.2.8	0x9e4d	Name error (3)	heavendivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:12.718158007 CET	1.1.1.1	192.168.2.8	0xb17b	Name error (3)	heavystream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:12.752892971 CET	1.1.1.1	192.168.2.8	0x922d	Name error (3)	gentlestream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:12.785792112 CET	1.1.1.1	192.168.2.8	0x785c	Name error (3)	heavynothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:12.797009945 CET	1.1.1.1	192.168.2.8	0x856d	Name error (3)	gentlenothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:12.960258007 CET	1.1.1.1	192.168.2.8	0xf6ba	Name error (3)	heavybottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:13.002311945 CET	1.1.1.1	192.168.2.8	0xa153	Name error (3)	gentlebottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:13.017816067 CET	1.1.1.1	192.168.2.8	0x95a5	Name error (3)	heavydivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:13.066886902 CET	1.1.1.1	192.168.2.8	0x6380	Name error (3)	gentledivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:13.519804955 CET	1.1.1.1	192.168.2.8	0x718e	No error (0)	variousstream.net	7450.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 16:12:13.519804955 CET	1.1.1.1	192.168.2.8	0x718e	No error (0)	7450.bodis.com		199.59.243.227	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:14.162575960 CET	1.1.1.1	192.168.2.8	0x1941	Name error (3)	returnstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:14.174874067 CET	1.1.1.1	192.168.2.8	0xf4fb	Name error (3)	variousnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:14.187325954 CET	1.1.1.1	192.168.2.8	0x2181	Name error (3)	returnnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:14.200014114 CET	1.1.1.1	192.168.2.8	0x8f88	Name error (3)	variousbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:14.395093918 CET	1.1.1.1	192.168.2.8	0xe688	No error (0)	returnbottle.net		18.143.155.63	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.298578024 CET	1.1.1.1	192.168.2.8	0x1f50	Name error (3)	variousdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.307548046 CET	1.1.1.1	192.168.2.8	0xc4fe	Name error (3)	returndivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.319325924 CET	1.1.1.1	192.168.2.8	0x920d	Name error (3)	degreemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.327584982 CET	1.1.1.1	192.168.2.8	0xdc36	Name error (3)	forwardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.339422941 CET	1.1.1.1	192.168.2.8	0x1c81	Name error (3)	degreeanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.351438046 CET	1.1.1.1	192.168.2.8	0x5885	Name error (3)	forwardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.384951115 CET	1.1.1.1	192.168.2.8	0xc3df	Name error (3)	degreebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.396013021 CET	1.1.1.1	192.168.2.8	0xcf51	Name error (3)	forwardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.407633066 CET	1.1.1.1	192.168.2.8	0x1dc7	Name error (3)	degreeappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.439676046 CET	1.1.1.1	192.168.2.8	0x9dda	Name error (3)	forwardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.450536013 CET	1.1.1.1	192.168.2.8	0x3484	Name error (3)	answermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.462754011 CET	1.1.1.1	192.168.2.8	0x1e82	Name error (3)	glassmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.473781109 CET	1.1.1.1	192.168.2.8	0xcf69	Name error (3)	answeranother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.485709906 CET	1.1.1.1	192.168.2.8	0xb706	Name error (3)	glassanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.518136024 CET	1.1.1.1	192.168.2.8	0xff71	Name error (3)	answerbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.529642105 CET	1.1.1.1	192.168.2.8	0x49ec	Name error (3)	glassbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.542331934 CET	1.1.1.1	192.168.2.8	0xd8d	Name error (3)	answerappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.576138973 CET	1.1.1.1	192.168.2.8	0xf334	Name error (3)	glassappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.587138891 CET	1.1.1.1	192.168.2.8	0xf5be	Name error (3)	difficultmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.619071960 CET	1.1.1.1	192.168.2.8	0xa895	Name error (3)	heardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.651568890 CET	1.1.1.1	192.168.2.8	0x14a8	Name error (3)	difficultanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.663929939 CET	1.1.1.1	192.168.2.8	0xb7d0	Name error (3)	heardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.676635981 CET	1.1.1.1	192.168.2.8	0xd088	Name error (3)	difficultbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.692259073 CET	1.1.1.1	192.168.2.8	0x3ae2	Name error (3)	heardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.703753948 CET	1.1.1.1	192.168.2.8	0x6de3	Name error (3)	difficultappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.716300964 CET	1.1.1.1	192.168.2.8	0x75d4	Name error (3)	heardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.749413013 CET	1.1.1.1	192.168.2.8	0xd26	Name error (3)	pleasantmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.783396006 CET	1.1.1.1	192.168.2.8	0x60bf	Name error (3)	necessarymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.794751883 CET	1.1.1.1	192.168.2.8	0x129	Name error (3)	pleasantanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.805634975 CET	1.1.1.1	192.168.2.8	0xe0ea	Name error (3)	necessaryanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.816931963 CET	1.1.1.1	192.168.2.8	0xeb12	Name error (3)	pleasantbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.829364061 CET	1.1.1.1	192.168.2.8	0x3b16	Name error (3)	necessarybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.871968031 CET	1.1.1.1	192.168.2.8	0xf143	Name error (3)	pleasantappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.882240057 CET	1.1.1.1	192.168.2.8	0x3a3f	Name error (3)	necessaryappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.893686056 CET	1.1.1.1	192.168.2.8	0xde4a	Name error (3)	ordermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.904486895 CET	1.1.1.1	192.168.2.8	0x623e	Name error (3)	requiremanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.915641069 CET	1.1.1.1	192.168.2.8	0x5711	Name error (3)	orderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.926336050 CET	1.1.1.1	192.168.2.8	0x4d01	Name error (3)	requireanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.938700914 CET	1.1.1.1	192.168.2.8	0xc9b2	Name error (3)	orderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.949714899 CET	1.1.1.1	192.168.2.8	0x5a1	Name error (3)	requirebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.960544109 CET	1.1.1.1	192.168.2.8	0x211f	Name error (3)	orderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:16.993402958 CET	1.1.1.1	192.168.2.8	0x783	Name error (3)	requireappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:17.005770922 CET	1.1.1.1	192.168.2.8	0xe0e7	Name error (3)	leadermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:17.018451929 CET	1.1.1.1	192.168.2.8	0xb6e7	Name error (3)	heavenmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:17.026772022 CET	1.1.1.1	192.168.2.8	0xd3bc	Name error (3)	leaderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:17.037878036 CET	1.1.1.1	192.168.2.8	0xe4d3	Name error (3)	heavenanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:17.049290895 CET	1.1.1.1	192.168.2.8	0x3e89	Name error (3)	leaderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:17.082875967 CET	1.1.1.1	192.168.2.8	0x97fd	Name error (3)	heavenbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:17.095828056 CET	1.1.1.1	192.168.2.8	0x1c72	Name error (3)	leaderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:17.107474089 CET	1.1.1.1	192.168.2.8	0x5dfe	Name error (3)	heavenappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:17.121788025 CET	1.1.1.1	192.168.2.8	0xa07a	Name error (3)	heavymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:17.286870956 CET	1.1.1.1	192.168.2.8	0x73f2	Name error (3)	gentlemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:17.300226927 CET	1.1.1.1	192.168.2.8	0xd737	Name error (3)	heavyanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:17.505764961 CET	1.1.1.1	192.168.2.8	0x3af0	No error (0)	gentleanother.net		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.495363951 CET	1.1.1.1	192.168.2.8	0xca2c	Name error (3)	heavybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.527422905 CET	1.1.1.1	192.168.2.8	0x53b0	Name error (3)	gentlebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.561306000 CET	1.1.1.1	192.168.2.8	0xec3f	Name error (3)	heavyappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.574141979 CET	1.1.1.1	192.168.2.8	0xf920	Name error (3)	gentleappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.608161926 CET	1.1.1.1	192.168.2.8	0x984e	Name error (3)	variousmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.619729042 CET	1.1.1.1	192.168.2.8	0x51cc	Name error (3)	returnmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.652642012 CET	1.1.1.1	192.168.2.8	0x8a33	Name error (3)	variousanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.684916019 CET	1.1.1.1	192.168.2.8	0x2878	Name error (3)	returnanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.844466925 CET	1.1.1.1	192.168.2.8	0xe22e	Name error (3)	variousbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.853090048 CET	1.1.1.1	192.168.2.8	0x53bb	Name error (3)	returnbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.885565996 CET	1.1.1.1	192.168.2.8	0xfbf3	Name error (3)	variousappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.896159887 CET	1.1.1.1	192.168.2.8	0x1a6f	Name error (3)	returnappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.907351017 CET	1.1.1.1	192.168.2.8	0xb21e	Name error (3)	degreeinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:18.923140049 CET	1.1.1.1	192.168.2.8	0xc6a8	Name error (3)	forwardinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:19.082365036 CET	1.1.1.1	192.168.2.8	0x1ebf	Name error (3)	degreeexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:19.115977049 CET	1.1.1.1	192.168.2.8	0xaba5	Name error (3)	forwardexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:19.149039984 CET	1.1.1.1	192.168.2.8	0x2a31	Name error (3)	degreebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:19.181504011 CET	1.1.1.1	192.168.2.8	0xa246	Name error (3)	forwardbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:19.194755077 CET	1.1.1.1	192.168.2.8	0x9fe6	Name error (3)	degreeinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:19.365108013 CET	1.1.1.1	192.168.2.8	0xc169	Name error (3)	forwardinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:19.378401041 CET	1.1.1.1	192.168.2.8	0x4c4d	Name error (3)	answerinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:19.390233040 CET	1.1.1.1	192.168.2.8	0x6c95	Name error (3)	glassinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:19.423769951 CET	1.1.1.1	192.168.2.8	0x9296	Name error (3)	answerexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:19.438155890 CET	1.1.1.1	192.168.2.8	0xe55f	Name error (3)	glassexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:19.449651957 CET	1.1.1.1	192.168.2.8	0x9cd6	Name error (3)	answerbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:19.754926920 CET	1.1.1.1	192.168.2.8	0x1ea3	No error (0)	glassbright.net	7450.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 16:12:19.754926920 CET	1.1.1.1	192.168.2.8	0x1ea3	No error (0)	7450.bodis.com		199.59.243.227	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:20.622225046 CET	1.1.1.1	192.168.2.8	0x970b	Name error (3)	answerinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:20.654361963 CET	1.1.1.1	192.168.2.8	0x954d	Name error (3)	glassinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:20.668072939 CET	1.1.1.1	192.168.2.8	0xb3a3	Name error (3)	difficultinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:20.688569069 CET	1.1.1.1	192.168.2.8	0x1b	Name error (3)	heardinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:20.735869884 CET	1.1.1.1	192.168.2.8	0x6a03	Name error (3)	difficultexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:20.750840902 CET	1.1.1.1	192.168.2.8	0xa90f	Name error (3)	heardexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:20.779275894 CET	1.1.1.1	192.168.2.8	0xb7d3	Name error (3)	difficultbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:20.804164886 CET	1.1.1.1	192.168.2.8	0x427f	Name error (3)	heardbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:20.835325003 CET	1.1.1.1	192.168.2.8	0xaed7	Name error (3)	difficultinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:20.846573114 CET	1.1.1.1	192.168.2.8	0x3872	Name error (3)	heardinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:21.100975037 CET	1.1.1.1	192.168.2.8	0x3dfc	No error (0)	pleasantinstead.net		18.143.155.63	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:23.228279114 CET	1.1.1.1	192.168.2.8	0x177a	Name error (3)	necessaryinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:23.389710903 CET	1.1.1.1	192.168.2.8	0x9d3e	Name error (3)	pleasantexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:23.437397957 CET	1.1.1.1	192.168.2.8	0x737c	Name error (3)	necessaryexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:23.452392101 CET	1.1.1.1	192.168.2.8	0x3cd0	Name error (3)	pleasantbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:23.568766117 CET	1.1.1.1	192.168.2.8	0x8999	Name error (3)	necessarybright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:23.604115009 CET	1.1.1.1	192.168.2.8	0xafba	Name error (3)	pleasantinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:23.931540966 CET	1.1.1.1	192.168.2.8	0xfc8f	Name error (3)	necessaryinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:23.967864037 CET	1.1.1.1	192.168.2.8	0xfcb6	Name error (3)	orderinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:23.993489027 CET	1.1.1.1	192.168.2.8	0x8829	Name error (3)	requireinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.096070051 CET	1.1.1.1	192.168.2.8	0xe272	Name error (3)	orderexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.146157980 CET	1.1.1.1	192.168.2.8	0xabe5	Name error (3)	requireexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.157629013 CET	1.1.1.1	192.168.2.8	0x5936	Name error (3)	orderbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.169706106 CET	1.1.1.1	192.168.2.8	0x5a4d	Name error (3)	requirebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.193196058 CET	1.1.1.1	192.168.2.8	0x343a	Name error (3)	orderinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.217485905 CET	1.1.1.1	192.168.2.8	0xf18c	Name error (3)	requireinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.243807077 CET	1.1.1.1	192.168.2.8	0xbb56	Name error (3)	leaderinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.255598068 CET	1.1.1.1	192.168.2.8	0x4a9b	Name error (3)	heaveninstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.289156914 CET	1.1.1.1	192.168.2.8	0x640	Name error (3)	leaderexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.300859928 CET	1.1.1.1	192.168.2.8	0x4ba2	Name error (3)	heavenexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.312597036 CET	1.1.1.1	192.168.2.8	0xab19	Name error (3)	leaderbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.325180054 CET	1.1.1.1	192.168.2.8	0x2376	Name error (3)	heavenbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.357415915 CET	1.1.1.1	192.168.2.8	0x7f12	Name error (3)	leaderinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.369992971 CET	1.1.1.1	192.168.2.8	0x22a6	Name error (3)	heaveninside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.383040905 CET	1.1.1.1	192.168.2.8	0xb630	Name error (3)	heavyinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.394778967 CET	1.1.1.1	192.168.2.8	0x524c	Name error (3)	gentleinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.406924963 CET	1.1.1.1	192.168.2.8	0x2fd	Name error (3)	heavyexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.446752071 CET	1.1.1.1	192.168.2.8	0x1157	Name error (3)	gentleexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.479171991 CET	1.1.1.1	192.168.2.8	0xe111	Name error (3)	heavybright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.492805958 CET	1.1.1.1	192.168.2.8	0xc82d	Name error (3)	gentlebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.504036903 CET	1.1.1.1	192.168.2.8	0xca7d	Name error (3)	heavyinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.539933920 CET	1.1.1.1	192.168.2.8	0x2b05	Name error (3)	gentleinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.577322960 CET	1.1.1.1	192.168.2.8	0x394c	Name error (3)	variousinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.592513084 CET	1.1.1.1	192.168.2.8	0xa48a	Name error (3)	returninstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.608143091 CET	1.1.1.1	192.168.2.8	0x1833	Name error (3)	variousexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.623187065 CET	1.1.1.1	192.168.2.8	0x31d7	Name error (3)	returnexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.636755943 CET	1.1.1.1	192.168.2.8	0x8542	Name error (3)	variousbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.651299953 CET	1.1.1.1	192.168.2.8	0xcb70	Name error (3)	returnbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.663695097 CET	1.1.1.1	192.168.2.8	0x4563	Name error (3)	variousinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.676693916 CET	1.1.1.1	192.168.2.8	0xfd3c	Name error (3)	returninside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.688747883 CET	1.1.1.1	192.168.2.8	0x5822	Name error (3)	degreeready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.699640989 CET	1.1.1.1	192.168.2.8	0xfed3	Name error (3)	forwardready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.731410980 CET	1.1.1.1	192.168.2.8	0x98e0	Name error (3)	degreebrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.745218992 CET	1.1.1.1	192.168.2.8	0xd044	Name error (3)	forwardbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.759074926 CET	1.1.1.1	192.168.2.8	0x9d19	Name error (3)	degreepeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:24.770875931 CET	1.1.1.1	192.168.2.8	0x5eb0	Name error (3)	forwardpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:25.046963930 CET	1.1.1.1	192.168.2.8	0x4d31	No error (0)	degreedaughter.net		85.214.228.140	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:25.951529980 CET	1.1.1.1	192.168.2.8	0xa68e	Name error (3)	forwarddaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:25.985491991 CET	1.1.1.1	192.168.2.8	0x8af1	Name error (3)	answerready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:26.003395081 CET	1.1.1.1	192.168.2.8	0xb03c	Name error (3)	glassready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:26.017863035 CET	1.1.1.1	192.168.2.8	0x19cc	Name error (3)	answerbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:26.033489943 CET	1.1.1.1	192.168.2.8	0x2f2a	Name error (3)	glassbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:26.070688963 CET	1.1.1.1	192.168.2.8	0x5ecc	Name error (3)	answerpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:26.085134983 CET	1.1.1.1	192.168.2.8	0x4419	Name error (3)	glasspeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:26.097270966 CET	1.1.1.1	192.168.2.8	0x8ecc	Name error (3)	answerdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:26.112544060 CET	1.1.1.1	192.168.2.8	0x4be8	Name error (3)	glassdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:26.128628969 CET	1.1.1.1	192.168.2.8	0x6648	Name error (3)	difficultready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:26.140130997 CET	1.1.1.1	192.168.2.8	0x7d24	Name error (3)	heardready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:26.164038897 CET	1.1.1.1	192.168.2.8	0xac7e	Name error (3)	difficultbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:26.329334974 CET	1.1.1.1	192.168.2.8	0x350d	Name error (3)	heardbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:26.486390114 CET	1.1.1.1	192.168.2.8	0x1f7e	No error (0)	difficultpeople.net		13.248.169.48	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:26.486390114 CET	1.1.1.1	192.168.2.8	0x1f7e	No error (0)	difficultpeople.net		76.223.54.146	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:12:27.258933067 CET	1.1.1.1	192.168.2.8	0x4769	Name error (3)	heardpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:33.732633114 CET	1.1.1.1	192.168.2.8	0x6234	Name error (3)	leaderbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:33.766608000 CET	1.1.1.1	192.168.2.8	0x606f	Name error (3)	heavenbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:33.798937082 CET	1.1.1.1	192.168.2.8	0xf839	Name error (3)	leaderdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:33.810980082 CET	1.1.1.1	192.168.2.8	0xbef0	Name error (3)	heavendivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:33.823857069 CET	1.1.1.1	192.168.2.8	0xff41	Name error (3)	heavystream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:33.856715918 CET	1.1.1.1	192.168.2.8	0xdf35	Name error (3)	gentlestream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:33.868496895 CET	1.1.1.1	192.168.2.8	0xbccf	Name error (3)	heavynothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:33.880374908 CET	1.1.1.1	192.168.2.8	0x7a93	Name error (3)	gentlenothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:33.912332058 CET	1.1.1.1	192.168.2.8	0x2938	Name error (3)	heavybottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:33.924088955 CET	1.1.1.1	192.168.2.8	0x33b3	Name error (3)	gentlebottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:33.937391996 CET	1.1.1.1	192.168.2.8	0x3cd	Name error (3)	heavydivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:33.950222015 CET	1.1.1.1	192.168.2.8	0xc00c	Name error (3)	gentledivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:34.651272058 CET	1.1.1.1	192.168.2.8	0xe328	Name error (3)	returnstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:34.664747000 CET	1.1.1.1	192.168.2.8	0xb84d	Name error (3)	variousnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:34.694068909 CET	1.1.1.1	192.168.2.8	0x5c1f	Name error (3)	returnnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:34.729141951 CET	1.1.1.1	192.168.2.8	0x75d8	Name error (3)	variousbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:36.659857035 CET	1.1.1.1	192.168.2.8	0xcbdc	Name error (3)	variousdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:36.671179056 CET	1.1.1.1	192.168.2.8	0x2686	Name error (3)	returndivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:36.682795048 CET	1.1.1.1	192.168.2.8	0xbc3a	Name error (3)	degreemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:36.716902971 CET	1.1.1.1	192.168.2.8	0xbbf7	Name error (3)	forwardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:36.879935980 CET	1.1.1.1	192.168.2.8	0x2d93	Name error (3)	degreeanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:36.912470102 CET	1.1.1.1	192.168.2.8	0x1ae4	Name error (3)	forwardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:36.924432039 CET	1.1.1.1	192.168.2.8	0x513a	Name error (3)	degreebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:36.936080933 CET	1.1.1.1	192.168.2.8	0x2944	Name error (3)	forwardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:36.947231054 CET	1.1.1.1	192.168.2.8	0x544a	Name error (3)	degreeappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:36.956003904 CET	1.1.1.1	192.168.2.8	0x2c08	Name error (3)	forwardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:36.968039036 CET	1.1.1.1	192.168.2.8	0x6792	Name error (3)	answermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.000092983 CET	1.1.1.1	192.168.2.8	0xead	Name error (3)	glassmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.011141062 CET	1.1.1.1	192.168.2.8	0x67e0	Name error (3)	answeranother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.022382975 CET	1.1.1.1	192.168.2.8	0xc933	Name error (3)	glassanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.030688047 CET	1.1.1.1	192.168.2.8	0x7f31	Name error (3)	answerbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.062282085 CET	1.1.1.1	192.168.2.8	0x34ad	Name error (3)	glassbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.224692106 CET	1.1.1.1	192.168.2.8	0x8b29	Name error (3)	answerappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.396047115 CET	1.1.1.1	192.168.2.8	0x361d	Name error (3)	glassappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.405807018 CET	1.1.1.1	192.168.2.8	0xbdc7	Name error (3)	difficultmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.436980009 CET	1.1.1.1	192.168.2.8	0x3587	Name error (3)	heardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.448615074 CET	1.1.1.1	192.168.2.8	0x7e5f	Name error (3)	difficultanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.460299015 CET	1.1.1.1	192.168.2.8	0x6582	Name error (3)	heardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.471323013 CET	1.1.1.1	192.168.2.8	0xeeb1	Name error (3)	difficultbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.503621101 CET	1.1.1.1	192.168.2.8	0x1efc	Name error (3)	heardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.514709949 CET	1.1.1.1	192.168.2.8	0xaa6e	Name error (3)	difficultappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.550309896 CET	1.1.1.1	192.168.2.8	0xde22	Name error (3)	heardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.584427118 CET	1.1.1.1	192.168.2.8	0x1137	Name error (3)	pleasantmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.597692013 CET	1.1.1.1	192.168.2.8	0xe03c	Name error (3)	necessarymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.610080004 CET	1.1.1.1	192.168.2.8	0x625f	Name error (3)	pleasantanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.620373011 CET	1.1.1.1	192.168.2.8	0xb7df	Name error (3)	necessaryanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.635580063 CET	1.1.1.1	192.168.2.8	0x9a1a	Name error (3)	pleasantbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.645472050 CET	1.1.1.1	192.168.2.8	0x259e	Name error (3)	necessarybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.658638000 CET	1.1.1.1	192.168.2.8	0x2df2	Name error (3)	pleasantappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.694175959 CET	1.1.1.1	192.168.2.8	0x5dc4	Name error (3)	necessaryappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.707482100 CET	1.1.1.1	192.168.2.8	0xac0b	Name error (3)	ordermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.720673084 CET	1.1.1.1	192.168.2.8	0x3945	Name error (3)	requiremanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.733386040 CET	1.1.1.1	192.168.2.8	0x19f4	Name error (3)	orderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.748981953 CET	1.1.1.1	192.168.2.8	0x743	Name error (3)	requireanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.765798092 CET	1.1.1.1	192.168.2.8	0x79d1	Name error (3)	orderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.778470039 CET	1.1.1.1	192.168.2.8	0xab82	Name error (3)	requirebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.813127995 CET	1.1.1.1	192.168.2.8	0xcf93	Name error (3)	orderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.847284079 CET	1.1.1.1	192.168.2.8	0x3d9d	Name error (3)	requireappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.858181000 CET	1.1.1.1	192.168.2.8	0x6824	Name error (3)	leadermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.869142056 CET	1.1.1.1	192.168.2.8	0x6d15	Name error (3)	heavenmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.900640965 CET	1.1.1.1	192.168.2.8	0x7a49	Name error (3)	leaderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.913827896 CET	1.1.1.1	192.168.2.8	0xa4a7	Name error (3)	heavenanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.926939964 CET	1.1.1.1	192.168.2.8	0xb9ca	Name error (3)	leaderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.958710909 CET	1.1.1.1	192.168.2.8	0x3235	Name error (3)	heavenbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:37.971796036 CET	1.1.1.1	192.168.2.8	0xfd9f	Name error (3)	leaderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:38.007031918 CET	1.1.1.1	192.168.2.8	0xc5e6	Name error (3)	heavenappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:38.170134068 CET	1.1.1.1	192.168.2.8	0xcbd8	Name error (3)	heavymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:38.181493044 CET	1.1.1.1	192.168.2.8	0xcc0e	Name error (3)	gentlemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:38.217359066 CET	1.1.1.1	192.168.2.8	0x50f0	Name error (3)	heavyanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.196221113 CET	1.1.1.1	192.168.2.8	0x77d9	Name error (3)	heavybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.207520008 CET	1.1.1.1	192.168.2.8	0xc716	Name error (3)	gentlebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.217930079 CET	1.1.1.1	192.168.2.8	0xb72d	Name error (3)	heavyappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.230338097 CET	1.1.1.1	192.168.2.8	0x9de5	Name error (3)	gentleappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.244024038 CET	1.1.1.1	192.168.2.8	0xe7ab	Name error (3)	variousmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.419398069 CET	1.1.1.1	192.168.2.8	0x75c	Name error (3)	returnmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.451426029 CET	1.1.1.1	192.168.2.8	0x2fa5	Name error (3)	variousanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.464124918 CET	1.1.1.1	192.168.2.8	0xd509	Name error (3)	returnanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.497862101 CET	1.1.1.1	192.168.2.8	0xed98	Name error (3)	variousbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.530946970 CET	1.1.1.1	192.168.2.8	0xdb20	Name error (3)	returnbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.542772055 CET	1.1.1.1	192.168.2.8	0x37d2	Name error (3)	variousappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.574621916 CET	1.1.1.1	192.168.2.8	0x895b	Name error (3)	returnappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.606142044 CET	1.1.1.1	192.168.2.8	0x898b	Name error (3)	degreeinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.617799044 CET	1.1.1.1	192.168.2.8	0xd08d	Name error (3)	forwardinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.629476070 CET	1.1.1.1	192.168.2.8	0xb224	Name error (3)	degreeexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.661298990 CET	1.1.1.1	192.168.2.8	0x5c7	Name error (3)	forwardexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.669655085 CET	1.1.1.1	192.168.2.8	0xdd28	Name error (3)	degreebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.702824116 CET	1.1.1.1	192.168.2.8	0xf12e	Name error (3)	forwardbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.713001966 CET	1.1.1.1	192.168.2.8	0xab8b	Name error (3)	degreeinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.724271059 CET	1.1.1.1	192.168.2.8	0xd54a	Name error (3)	forwardinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.735661983 CET	1.1.1.1	192.168.2.8	0xc2e	Name error (3)	answerinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.747658968 CET	1.1.1.1	192.168.2.8	0x858b	Name error (3)	glassinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.759088993 CET	1.1.1.1	192.168.2.8	0x5b2	Name error (3)	answerexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.770558119 CET	1.1.1.1	192.168.2.8	0xefbc	Name error (3)	glassexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:39.781950951 CET	1.1.1.1	192.168.2.8	0xb704	Name error (3)	answerbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:40.442714930 CET	1.1.1.1	192.168.2.8	0x233a	Name error (3)	answerinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:40.475487947 CET	1.1.1.1	192.168.2.8	0xcfd	Name error (3)	glassinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:40.487430096 CET	1.1.1.1	192.168.2.8	0x813c	Name error (3)	difficultinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:40.499176979 CET	1.1.1.1	192.168.2.8	0x1db8	Name error (3)	heardinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:40.514051914 CET	1.1.1.1	192.168.2.8	0x1997	Name error (3)	difficultexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:40.525650978 CET	1.1.1.1	192.168.2.8	0xc88e	Name error (3)	heardexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:40.536238909 CET	1.1.1.1	192.168.2.8	0xec1d	Name error (3)	difficultbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:40.545569897 CET	1.1.1.1	192.168.2.8	0x52e8	Name error (3)	heardbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:40.556673050 CET	1.1.1.1	192.168.2.8	0x2aa6	Name error (3)	difficultinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:40.588959932 CET	1.1.1.1	192.168.2.8	0x28ab	Name error (3)	heardinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.459635973 CET	1.1.1.1	192.168.2.8	0xc256	Name error (3)	necessaryinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.472297907 CET	1.1.1.1	192.168.2.8	0x37ca	Name error (3)	pleasantexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.505196095 CET	1.1.1.1	192.168.2.8	0xe935	Name error (3)	necessaryexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.537606001 CET	1.1.1.1	192.168.2.8	0xb80e	Name error (3)	pleasantbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.570811987 CET	1.1.1.1	192.168.2.8	0x68b2	Name error (3)	necessarybright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.615175009 CET	1.1.1.1	192.168.2.8	0x5a79	Name error (3)	pleasantinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.625848055 CET	1.1.1.1	192.168.2.8	0xef31	Name error (3)	necessaryinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.658420086 CET	1.1.1.1	192.168.2.8	0xe389	Name error (3)	orderinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.669311047 CET	1.1.1.1	192.168.2.8	0xe4fb	Name error (3)	requireinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.682110071 CET	1.1.1.1	192.168.2.8	0xafaf	Name error (3)	orderexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.693878889 CET	1.1.1.1	192.168.2.8	0x9e00	Name error (3)	requireexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.706171036 CET	1.1.1.1	192.168.2.8	0x4fdd	Name error (3)	orderbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.717573881 CET	1.1.1.1	192.168.2.8	0x711	Name error (3)	requirebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.730446100 CET	1.1.1.1	192.168.2.8	0xd37d	Name error (3)	orderinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.743628025 CET	1.1.1.1	192.168.2.8	0x4419	Name error (3)	requireinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.755830050 CET	1.1.1.1	192.168.2.8	0x115b	Name error (3)	leaderinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.788217068 CET	1.1.1.1	192.168.2.8	0x809e	Name error (3)	heaveninstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.823373079 CET	1.1.1.1	192.168.2.8	0x1465	Name error (3)	leaderexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.858365059 CET	1.1.1.1	192.168.2.8	0x878f	Name error (3)	heavenexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.873905897 CET	1.1.1.1	192.168.2.8	0x1e00	Name error (3)	leaderbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.888196945 CET	1.1.1.1	192.168.2.8	0x4f76	Name error (3)	heavenbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.901746988 CET	1.1.1.1	192.168.2.8	0x6309	Name error (3)	leaderinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.921610117 CET	1.1.1.1	192.168.2.8	0x7f5a	Name error (3)	heaveninside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.933670044 CET	1.1.1.1	192.168.2.8	0x7f5e	Name error (3)	heavyinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:42.945648909 CET	1.1.1.1	192.168.2.8	0x4618	Name error (3)	gentleinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.021559954 CET	1.1.1.1	192.168.2.8	0x8444	Name error (3)	heavyexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.064800978 CET	1.1.1.1	192.168.2.8	0xd9fc	Name error (3)	gentleexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.077544928 CET	1.1.1.1	192.168.2.8	0x15f2	Name error (3)	heavybright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.102412939 CET	1.1.1.1	192.168.2.8	0xfea5	Name error (3)	gentlebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.148657084 CET	1.1.1.1	192.168.2.8	0x44dd	Name error (3)	heavyinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.161293983 CET	1.1.1.1	192.168.2.8	0xcc6	Name error (3)	gentleinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.173305988 CET	1.1.1.1	192.168.2.8	0x9459	Name error (3)	variousinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.218688965 CET	1.1.1.1	192.168.2.8	0x87ef	Name error (3)	returninstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.310180902 CET	1.1.1.1	192.168.2.8	0x928c	Name error (3)	variousexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.321619987 CET	1.1.1.1	192.168.2.8	0x3f4a	Name error (3)	returnexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.359163046 CET	1.1.1.1	192.168.2.8	0xe9ab	Name error (3)	variousbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.394121885 CET	1.1.1.1	192.168.2.8	0x86d3	Name error (3)	returnbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.405983925 CET	1.1.1.1	192.168.2.8	0xafd6	Name error (3)	variousinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.437491894 CET	1.1.1.1	192.168.2.8	0x4e59	Name error (3)	returninside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.449201107 CET	1.1.1.1	192.168.2.8	0xd951	Name error (3)	degreeready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.462614059 CET	1.1.1.1	192.168.2.8	0x5d3a	Name error (3)	forwardready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.526546955 CET	1.1.1.1	192.168.2.8	0xdafa	Name error (3)	degreebrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.545222044 CET	1.1.1.1	192.168.2.8	0xd382	Name error (3)	forwardbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.577207088 CET	1.1.1.1	192.168.2.8	0x3225	Name error (3)	degreepeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:43.589287996 CET	1.1.1.1	192.168.2.8	0xf982	Name error (3)	forwardpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.479609013 CET	1.1.1.1	192.168.2.8	0x88e2	Name error (3)	forwarddaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.512464046 CET	1.1.1.1	192.168.2.8	0x94ef	Name error (3)	answerready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.524449110 CET	1.1.1.1	192.168.2.8	0x2e77	Name error (3)	glassready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.539710999 CET	1.1.1.1	192.168.2.8	0xb7f2	Name error (3)	answerbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.558269978 CET	1.1.1.1	192.168.2.8	0x9471	Name error (3)	glassbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.571285009 CET	1.1.1.1	192.168.2.8	0x2343	Name error (3)	answerpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.584438086 CET	1.1.1.1	192.168.2.8	0x4c84	Name error (3)	glasspeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.594631910 CET	1.1.1.1	192.168.2.8	0xe96	Name error (3)	answerdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.606323004 CET	1.1.1.1	192.168.2.8	0xcef9	Name error (3)	glassdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.617984056 CET	1.1.1.1	192.168.2.8	0x9e2	Name error (3)	difficultready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.653007030 CET	1.1.1.1	192.168.2.8	0xd00	Name error (3)	heardready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.687884092 CET	1.1.1.1	192.168.2.8	0x912a	Name error (3)	difficultbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:44.702770948 CET	1.1.1.1	192.168.2.8	0x4616	Name error (3)	heardbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:13:45.384479046 CET	1.1.1.1	192.168.2.8	0xf9b7	Name error (3)	heardpeople.net	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

variousstream.net

returnbottle.net

gentleanother.net

glassbright.net

pleasantinstead.net

degreedaughter.net

difficultpeople.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	199.59.243.227	80	6720	C:\trshmfqlcbpta\eqyozfmcsgls.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:12:13.531960964 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: variousstream.net
Nov 7, 2024 16:12:14.150000095 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 15:12:13 GMT content-type: text/html; charset=utf-8 content-length: 1066 x-request-id: aae5e4f7-2039-4f45-bbb1-4c96fa115950 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ== set-cookie: parking_session=aae5e4f7-2039-4f45-bbb1-4c96fa115950; expires=Thu, 07 Nov 2024 15:27:14 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 53 48 57 78 4b 61 44 77 6f 44 6f 77 66 36 4c 4b 38 37 48 37 43 67 61 6e 64 75 64 43 5a 44 6d 51 47 5a 44 66 75 6c 48 7a 46 33 2b 71 61 37 37 57 52 36 7a 53 41 4f 70 32 47 6e 6f 6d 44 4b 45 7a 61 45 62 64 50 67 46 4f 47 31 48 77 38 41 67 68 7a 4e 4e 74 45 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 16:12:14.150036097 CET	519	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYWFlNWU0ZjctMjAzOS00ZjQ1LWJiYjEtNGM5NmZhMTE1OTUwIiwicGFnZV90aW1lIjoxNzMwOTkyMz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49707	18.143.155.63	80	6720	C:\trshmfqlcbpta\eqyozfmcsgls.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:12:14.402296066 CET	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: returnbottle.net
Nov 7, 2024 16:12:15.848074913 CET	387	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 15:12:15 GMT Content-Type: text/html Connection: close Set-Cookie: btst=7f11d9e5f9540f135b16da3dc70acaef\|173.254.250.79\|1730992335\|1730992335\|0\|1\|0; path=/; domain=.returnbottle.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49708	54.244.188.177	80	6720	C:\trshmfqlcbpta\eqyozfmcsgls.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:12:17.519769907 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: gentleanother.net
Nov 7, 2024 16:12:18.358709097 CET	388	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 15:12:18 GMT Content-Type: text/html Connection: close Set-Cookie: btst=61185f5d2cbb44c58fc4943e4a8ce7d4\|173.254.250.79\|1730992338\|1730992338\|0\|1\|0; path=/; domain=.gentleanother.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49709	199.59.243.227	80	6720	C:\trshmfqlcbpta\eqyozfmcsgls.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:12:19.762486935 CET	82	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: glassbright.net
Nov 7, 2024 16:12:20.423696995 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 15:12:20 GMT content-type: text/html; charset=utf-8 content-length: 1062 x-request-id: 28446992-40f0-47ee-8b6f-dfc6dfdb29d2 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg== set-cookie: parking_session=28446992-40f0-47ee-8b6f-dfc6dfdb29d2; expires=Thu, 07 Nov 2024 15:27:20 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 73 31 4f 4c 7a 78 6e 55 4f 6e 45 48 37 31 36 6b 42 70 6b 2f 68 77 6b 51 57 33 67 38 4a 33 70 73 6a 42 43 51 35 37 47 55 41 5a 74 5a 53 32 46 34 65 75 65 4b 6c 34 69 45 6f 71 6d 42 39 71 74 37 68 6b 53 39 39 4e 49 43 2f 79 4b 66 4e 77 69 33 2b 4d 56 50 79 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 16:12:20.424107075 CET	515	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMjg0NDY5OTItNDBmMC00N2VlLThiNmYtZGZjNmRmZGIyOWQyIiwicGFnZV90aW1lIjoxNzMwOTkyMz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49711	18.143.155.63	80	6720	C:\trshmfqlcbpta\eqyozfmcsgls.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:12:21.343183994 CET	86	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: pleasantinstead.net
Nov 7, 2024 16:12:22.799196005 CET	390	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 15:12:22 GMT Content-Type: text/html Connection: close Set-Cookie: btst=b8c316331d0c380201247b1c143026cd\|173.254.250.79\|1730992342\|1730992342\|0\|1\|0; path=/; domain=.pleasantinstead.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49713	85.214.228.140	80	6720	C:\trshmfqlcbpta\eqyozfmcsgls.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:12:25.055661917 CET	85	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: degreedaughter.net
Nov 7, 2024 16:12:25.937597036 CET	176	IN	HTTP/1.0 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Thu, 07 Nov 2024 15:12:25 GMT Content-Length: 19 Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49714	13.248.169.48	80	6720	C:\trshmfqlcbpta\eqyozfmcsgls.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:12:26.549643040 CET	86	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: difficultpeople.net
Nov 7, 2024 16:12:27.245536089 CET	254	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 07 Nov 2024 15:12:27 GMT Content-Type: text/html Content-Length: 114 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49716	199.59.243.227	80	4940	C:\trshmfqlcbpta\eqyozfmcsgls.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:13:33.959125042 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: variousstream.net
Nov 7, 2024 16:13:34.607412100 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 15:13:33 GMT content-type: text/html; charset=utf-8 content-length: 1066 x-request-id: 9e7ee06f-18c3-45c2-9d41-1dee63d0bd34 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ== set-cookie: parking_session=9e7ee06f-18c3-45c2-9d41-1dee63d0bd34; expires=Thu, 07 Nov 2024 15:28:34 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 53 48 57 78 4b 61 44 77 6f 44 6f 77 66 36 4c 4b 38 37 48 37 43 67 61 6e 64 75 64 43 5a 44 6d 51 47 5a 44 66 75 6c 48 7a 46 33 2b 71 61 37 37 57 52 36 7a 53 41 4f 70 32 47 6e 6f 6d 44 4b 45 7a 61 45 62 64 50 67 46 4f 47 31 48 77 38 41 67 68 7a 4e 4e 74 45 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 16:13:34.607681990 CET	519	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOWU3ZWUwNmYtMThjMy00NWMyLTlkNDEtMWRlZTYzZDBiZDM0IiwicGFnZV90aW1lIjoxNzMwOTkyND

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49717	18.143.155.63	80	4940	C:\trshmfqlcbpta\eqyozfmcsgls.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:13:34.736294031 CET	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: returnbottle.net
Nov 7, 2024 16:13:36.229701996 CET	387	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 15:13:35 GMT Content-Type: text/html Connection: close Set-Cookie: btst=3b38f2b5eefd3a13f52cb1e45b49d651\|173.254.250.79\|1730992415\|1730992415\|0\|1\|0; path=/; domain=.returnbottle.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49718	54.244.188.177	80	4940	C:\trshmfqlcbpta\eqyozfmcsgls.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:13:38.223678112 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: gentleanother.net
Nov 7, 2024 16:13:39.065949917 CET	388	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 15:13:38 GMT Content-Type: text/html Connection: close Set-Cookie: btst=f42a8a16d66b192cdba6c893ecdde618\|173.254.250.79\|1730992418\|1730992418\|0\|1\|0; path=/; domain=.gentleanother.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49719	199.59.243.227	80	4940	C:\trshmfqlcbpta\eqyozfmcsgls.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:13:39.789078951 CET	82	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: glassbright.net
Nov 7, 2024 16:13:40.408759117 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 15:13:39 GMT content-type: text/html; charset=utf-8 content-length: 1062 x-request-id: de5d2001-662b-4f89-9012-6e3205d0e641 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg== set-cookie: parking_session=de5d2001-662b-4f89-9012-6e3205d0e641; expires=Thu, 07 Nov 2024 15:28:40 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 73 31 4f 4c 7a 78 6e 55 4f 6e 45 48 37 31 36 6b 42 70 6b 2f 68 77 6b 51 57 33 67 38 4a 33 70 73 6a 42 43 51 35 37 47 55 41 5a 74 5a 53 32 46 34 65 75 65 4b 6c 34 69 45 6f 71 6d 42 39 71 74 37 68 6b 53 39 39 4e 49 43 2f 79 4b 66 4e 77 69 33 2b 4d 56 50 79 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 16:13:40.408790112 CET	515	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZGU1ZDIwMDEtNjYyYi00Zjg5LTkwMTItNmUzMjA1ZDBlNjQxIiwicGFnZV90aW1lIjoxNzMwOTkyND

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49720	18.143.155.63	80	4940	C:\trshmfqlcbpta\eqyozfmcsgls.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:13:40.595978022 CET	86	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: pleasantinstead.net
Nov 7, 2024 16:13:42.032536030 CET	390	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 15:13:41 GMT Content-Type: text/html Connection: close Set-Cookie: btst=8de03ff91530075904df958a56330767\|173.254.250.79\|1730992421\|1730992421\|0\|1\|0; path=/; domain=.pleasantinstead.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49721	85.214.228.140	80	4940	C:\trshmfqlcbpta\eqyozfmcsgls.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:13:43.600956917 CET	85	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: degreedaughter.net
Nov 7, 2024 16:13:44.467159033 CET	176	IN	HTTP/1.0 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Thu, 07 Nov 2024 15:13:44 GMT Content-Length: 19 Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49722	13.248.169.48	80	4940	C:\trshmfqlcbpta\eqyozfmcsgls.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:13:44.709309101 CET	86	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: difficultpeople.net
Nov 7, 2024 16:13:45.370276928 CET	254	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 07 Nov 2024 15:13:45 GMT Content-Type: text/html Content-Length: 114 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Target ID:	0
Start time:	10:12:02
Start date:	07/11/2024
Path:	C:\Users\user\Desktop\Z4KBs1USsJ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Z4KBs1USsJ.exe"
Imagebase:	0xe20000
File size:	364'032 bytes
MD5 hash:	9C485842F954958288C2ECF17881439A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:12:04
Start date:	07/11/2024
Path:	C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe
Wow64 process (32bit):	true
Commandline:	"C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe"
Imagebase:	0xae0000
File size:	364'032 bytes
MD5 hash:	9C485842F954958288C2ECF17881439A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:12:06
Start date:	07/11/2024
Path:	C:\trshmfqlcbpta\eqyozfmcsgls.exe
Wow64 process (32bit):	true
Commandline:	C:\trshmfqlcbpta\eqyozfmcsgls.exe
Imagebase:	0x100000
File size:	364'032 bytes
MD5 hash:	9C485842F954958288C2ECF17881439A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:12:09
Start date:	07/11/2024
Path:	C:\trshmfqlcbpta\yrykdhhlfqp.exe
Wow64 process (32bit):	true
Commandline:	jmbk6ivdkgpf "c:\trshmfqlcbpta\eqyozfmcsgls.exe"
Imagebase:	0x6a0000
File size:	364'032 bytes
MD5 hash:	9C485842F954958288C2ECF17881439A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:12:10
Start date:	07/11/2024
Path:	C:\trshmfqlcbpta\eqyozfmcsgls.exe
Wow64 process (32bit):	true
Commandline:	"C:\trshmfqlcbpta\eqyozfmcsgls.exe"
Imagebase:	0x100000
File size:	364'032 bytes
MD5 hash:	9C485842F954958288C2ECF17881439A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:13:28
Start date:	07/11/2024
Path:	C:\trshmfqlcbpta\eqyozfmcsgls.exe
Wow64 process (32bit):	true
Commandline:	"c:\trshmfqlcbpta\eqyozfmcsgls.exe"
Imagebase:	0x100000
File size:	364'032 bytes
MD5 hash:	9C485842F954958288C2ECF17881439A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	10:13:30
Start date:	07/11/2024
Path:	C:\trshmfqlcbpta\yrykdhhlfqp.exe
Wow64 process (32bit):	true
Commandline:	jmbk6ivdkgpf "c:\trshmfqlcbpta\eqyozfmcsgls.exe"
Imagebase:	0x970000
File size:	364'032 bytes
MD5 hash:	9C485842F954958288C2ECF17881439A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	27.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	24.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	20

Executed Functions

Function 00E4915F Relevance: 269.6, APIs: 113, Strings: 38, Instructions: 5361libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(75550000,?), ref: 00E491B1
GetProcAddress.KERNEL32(75550000,?), ref: 00E4927C
GetProcAddress.KERNEL32(75550000,?), ref: 00E49341

Strings

jh&., xrefs: 00E4A56A
hk4, xrefs: 00E4D81C
h*6, xrefs: 00E4D111
f}?, xrefs: 00E4D295
h_+, xrefs: 00E4DAA7
hL+, xrefs: 00E4A836
h7:, xrefs: 00E4C338
8+q, xrefs: 00E4E374
jhe6, xrefs: 00E4CD51
A-1, xrefs: 00E4DF9A, 00E4DFCA
O, xrefs: 00E4E96C
jh5, xrefs: 00E4C6B1
C:\Users\user, xrefs: 00E4E1A3
CB!, xrefs: 00E4C4BB
hU., xrefs: 00E4C760
jhn., xrefs: 00E4AA92
h{4, xrefs: 00E4A131
h2., xrefs: 00E4A348
hT4, xrefs: 00E4BAD2
jhH6, xrefs: 00E4A26F
v":, xrefs: 00E4D12A
ht6, xrefs: 00E49BE9
h$, xrefs: 00E49E6F
hU&, xrefs: 00E4B59B
hB., xrefs: 00E4DED2
hx+, xrefs: 00E4C45D
hE:, xrefs: 00E4B42B
hp5, xrefs: 00E4D55A
h-, xrefs: 00E4CA96
wfQN, xrefs: 00E4C765, 00E4E429
h^., xrefs: 00E4B1C9
jhF , xrefs: 00E4CBF2
hW:, xrefs: 00E4CC62
hk, xrefs: 00E4E187
x, xrefs: 00E4E843
jhE4, xrefs: 00E49F4D
hg5, xrefs: 00E4C238
hb&, xrefs: 00E49C89

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: AddressProc
String ID: 8+q$A-1$C:\Users\user$CB!$f}?$h*6$h2.$h7:$hB.$hE:$hL+$hT4$hU&$hU.$hW:$h^.$h_+$hb&$hg5$hk$hk4$hp5$ht6$hx+$h{4$h$$h-$jh&.$jhH6$jh5$jhE4$jhF $jhe6$jhn.$v":$wfQN$O$x
API String ID: 190572456-2761529995
Opcode ID: 66a04100fc49d7779a5903b1c2459290e5af45b99120c14179a88c2b517f335c
Instruction ID: 085d7757ed29f214281839cfe555dbeecb5d638973500294747057822751a23e
Opcode Fuzzy Hash: 66a04100fc49d7779a5903b1c2459290e5af45b99120c14179a88c2b517f335c
Instruction Fuzzy Hash: 19B38A78901608EFEB049F63FD495AB7BB4FB98390B118459E481B63F5EBF00968DB41

Function 00E57B00 Relevance: 8.0, APIs: 5, Instructions: 501
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000003E8,?,00000001), ref: 00E57CC0
FindFirstFileA.KERNELBASE(?,?,?,?,?,?,?,00000001), ref: 00E57E95

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: FileFindFirstSleep
String ID:
API String ID: 4158786080-0
Opcode ID: 0716708a7e444aae6f4c3d51bf6e4e55543da1036e5b41962caf6ddbc327fb4c
Instruction ID: a7e2a668a3091c24da9ce4a84521d53a9747ccfac9204901a06d2ac0df67274f
Opcode Fuzzy Hash: 0716708a7e444aae6f4c3d51bf6e4e55543da1036e5b41962caf6ddbc327fb4c
Instruction Fuzzy Hash: A322CB78900605DFDB049F62FD582AB3BB5FB99391B118959D882B23F0FBB1096DCB40

Function 00E60C20 Relevance: 4.6, APIs: 3, Instructions: 146
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000001,?,?,?,00E40ECB), ref: 00E60CE0
CheckTokenMembership.KERNELBASE(00000000,?,?,?,?,?,00E40ECB), ref: 00E60D3F
FreeSid.ADVAPI32(?,?,?,?,00E40ECB), ref: 00E60E03

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: fcdb61c6e724db869997d547ad0f40a34853f2da974f1a216f00460f00ad97cc
Instruction ID: 0820039372f7f71204df25266c9aed5789c8d801637ebf4afde18c0862f4cdaa
Opcode Fuzzy Hash: fcdb61c6e724db869997d547ad0f40a34853f2da974f1a216f00460f00ad97cc
Instruction Fuzzy Hash: CF51A638904229DFC7048FABFD985BB7BB8FB54398B01855AE491B23E1EBB0051CCB51

Function 00E5C960 Relevance: 3.0, APIs: 2, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00E40494,?,00E40494,?), ref: 00E5C97F
RtlAllocateHeap.NTDLL(00000000,?,00E40494,?), ref: 00E5C986

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 03160f791197e891dddb5d8e2229db7e7c5c18eff2873bd770660738bf789cb0
Instruction ID: 78152330048aa6d94df6ab8030bc5904e016a2b750aa5dba8cafdb6c85f0dd81
Opcode Fuzzy Hash: 03160f791197e891dddb5d8e2229db7e7c5c18eff2873bd770660738bf789cb0
Instruction Fuzzy Hash: 2AD09271180208EFD6409BA6BC4DB977B69A708795F500805F20DA22A0D7B051688B92

Function 00E4A25E Relevance: 217.9, APIs: 89, Strings: 33, Instructions: 4394
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75550000,?), ref: 00E4A2B5
GetProcAddress.KERNEL32(75550000,?), ref: 00E4A332
GetProcAddress.KERNEL32(75550000,?), ref: 00E4A406
GetProcAddress.KERNEL32(75550000,?), ref: 00E4A4E1
GetProcAddress.KERNEL32(75550000,?), ref: 00E4A5D9

Strings

jh&., xrefs: 00E4A56A
hk4, xrefs: 00E4D81C
h*6, xrefs: 00E4D111
f}?, xrefs: 00E4D295
h_+, xrefs: 00E4DAA7
hL+, xrefs: 00E4A836
h7:, xrefs: 00E4C338
8+q, xrefs: 00E4E374
jhe6, xrefs: 00E4CD51
A-1, xrefs: 00E4DF9A, 00E4DFCA
O, xrefs: 00E4E96C
jh5, xrefs: 00E4C6B1
C:\Users\user, xrefs: 00E4E1A3
CB!, xrefs: 00E4C4BB
hU., xrefs: 00E4C760
jhn., xrefs: 00E4AA92
h2., xrefs: 00E4A348
hT4, xrefs: 00E4BAD2
jhH6, xrefs: 00E4A26F
v":, xrefs: 00E4D12A
hU&, xrefs: 00E4B59B
hB., xrefs: 00E4DED2
hx+, xrefs: 00E4C45D
hE:, xrefs: 00E4B42B
hp5, xrefs: 00E4D55A
h-, xrefs: 00E4CA96
wfQN, xrefs: 00E4C765, 00E4E429
h^., xrefs: 00E4B1C9
jhF , xrefs: 00E4CBF2
hW:, xrefs: 00E4CC62
hk, xrefs: 00E4E187
x, xrefs: 00E4E843
hg5, xrefs: 00E4C238

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: AddressProc
String ID: 8+q$A-1$C:\Users\user$CB!$f}?$h*6$h2.$h7:$hB.$hE:$hL+$hT4$hU&$hU.$hW:$h^.$h_+$hg5$hk$hk4$hp5$hx+$h-$jh&.$jhH6$jh5$jhF $jhe6$jhn.$v":$wfQN$O$x
API String ID: 190572456-4026228606
Opcode ID: 2f09c6d7a994df0cd9edec3a0aca4e8bf6d0c07a78be5ef9b0deb52c4eaca48f
Instruction ID: 1741b0986077d6c22aa064d6cd8a03f9932e786573bf682e771977bb6d27b3a8
Opcode Fuzzy Hash: 2f09c6d7a994df0cd9edec3a0aca4e8bf6d0c07a78be5ef9b0deb52c4eaca48f
Instruction Fuzzy Hash: 19938A78901608EFEB049F62FD495AB7BB4FB98390B118459D481B63F5EBF009ACDB41

Function 00E4BE53 Relevance: 132.3, APIs: 50, Strings: 24, Instructions: 2769
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00000000), ref: 00E4BF33
GetProcAddress.KERNEL32(75340000,?), ref: 00E4C0E8
GetProcAddress.KERNEL32(75340000,?), ref: 00E4C15F

Strings

hk4, xrefs: 00E4D81C
hB., xrefs: 00E4DED2
hx+, xrefs: 00E4C45D
h*6, xrefs: 00E4D111
f}?, xrefs: 00E4D295
h_+, xrefs: 00E4DAA7
h7:, xrefs: 00E4C338
8+q, xrefs: 00E4E374
hp5, xrefs: 00E4D55A
jhe6, xrefs: 00E4CD51
A-1, xrefs: 00E4DF9A, 00E4DFCA
h-, xrefs: 00E4CA96
O, xrefs: 00E4E96C
wfQN, xrefs: 00E4C765, 00E4E429
jh5, xrefs: 00E4C6B1
C:\Users\user, xrefs: 00E4E1A3
hU., xrefs: 00E4C760
jhF , xrefs: 00E4CBF2
CB!, xrefs: 00E4C4BB
hW:, xrefs: 00E4CC62
hk, xrefs: 00E4E187
x, xrefs: 00E4E843
v":, xrefs: 00E4D12A
hg5, xrefs: 00E4C238

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: 8+q$A-1$C:\Users\user$CB!$f}?$h*6$h7:$hB.$hU.$hW:$h_+$hg5$hk$hk4$hp5$hx+$h-$jh5$jhF $jhe6$v":$wfQN$O$x
API String ID: 2238633743-2260768066
Opcode ID: ff2c03c1d5053d65ccbe551476772d065a6bdc61456e694b34708091d1725151
Instruction ID: 919717091eb358a43f979a547833c133620c541524f6b7395b81f0813c784e2e
Opcode Fuzzy Hash: ff2c03c1d5053d65ccbe551476772d065a6bdc61456e694b34708091d1725151
Instruction Fuzzy Hash: 7A438B78901608EFDB049FA2FD495AB7BB4FB98394B118459D481B63F4EBF009ACDB41

Function 00E4BEEE Relevance: 132.2, APIs: 50, Strings: 24, Instructions: 2745
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00000000), ref: 00E4BF33
GetProcAddress.KERNEL32(75340000,?), ref: 00E4C0E8
GetProcAddress.KERNEL32(75340000,?), ref: 00E4C15F

Strings

hk4, xrefs: 00E4D81C
hB., xrefs: 00E4DED2
hx+, xrefs: 00E4C45D
h*6, xrefs: 00E4D111
f}?, xrefs: 00E4D295
h_+, xrefs: 00E4DAA7
h7:, xrefs: 00E4C338
8+q, xrefs: 00E4E374
hp5, xrefs: 00E4D55A
jhe6, xrefs: 00E4CD51
A-1, xrefs: 00E4DF9A, 00E4DFCA
h-, xrefs: 00E4CA96
O, xrefs: 00E4E96C
wfQN, xrefs: 00E4C765, 00E4E429
jh5, xrefs: 00E4C6B1
C:\Users\user, xrefs: 00E4E1A3
hU., xrefs: 00E4C760
jhF , xrefs: 00E4CBF2
CB!, xrefs: 00E4C4BB
hW:, xrefs: 00E4CC62
hk, xrefs: 00E4E187
x, xrefs: 00E4E843
v":, xrefs: 00E4D12A
hg5, xrefs: 00E4C238

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: 8+q$A-1$C:\Users\user$CB!$f}?$h*6$h7:$hB.$hU.$hW:$h_+$hg5$hk$hk4$hp5$hx+$h-$jh5$jhF $jhe6$v":$wfQN$O$x
API String ID: 2238633743-2260768066
Opcode ID: a2daa3eaa1c4bb42d12ea5dba26725a296918f3e9e700350425e9d935148cd2b
Instruction ID: 7a1810bf9de0041d4d6aa9eee9e01a9f99735efd7203f378c83318570f38edaf
Opcode Fuzzy Hash: a2daa3eaa1c4bb42d12ea5dba26725a296918f3e9e700350425e9d935148cd2b
Instruction Fuzzy Hash: 6F437B78901608EFDB049FA2FD495AB7BB4FB98394B118459D481B63F4EBF009ACDB41

Function 00E4C587 Relevance: 109.1, APIs: 41, Strings: 20, Instructions: 2379
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75340000,?), ref: 00E4C632
GetProcAddress.KERNEL32(75340000,?), ref: 00E4C69E
GetProcAddress.KERNEL32(75340000,?), ref: 00E4C74B
GetProcAddress.KERNEL32(75340000,?), ref: 00E4C7DE
GetProcAddress.KERNEL32(75340000,?), ref: 00E4C891
GetProcAddress.KERNEL32(75340000,?), ref: 00E4C97C

Strings

hk4, xrefs: 00E4D81C
hB., xrefs: 00E4DED2
h*6, xrefs: 00E4D111
f}?, xrefs: 00E4D295
h_+, xrefs: 00E4DAA7
8+q, xrefs: 00E4E374
hp5, xrefs: 00E4D55A
jhe6, xrefs: 00E4CD51
A-1, xrefs: 00E4DF9A, 00E4DFCA
h-, xrefs: 00E4CA96
O, xrefs: 00E4E96C
wfQN, xrefs: 00E4C765, 00E4E429
jh5, xrefs: 00E4C6B1
C:\Users\user, xrefs: 00E4E1A3
hU., xrefs: 00E4C760
jhF , xrefs: 00E4CBF2
hW:, xrefs: 00E4CC62
hk, xrefs: 00E4E187
x, xrefs: 00E4E843
v":, xrefs: 00E4D12A

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: AddressProc
String ID: 8+q$A-1$C:\Users\user$f}?$h*6$hB.$hU.$hW:$h_+$hk$hk4$hp5$h-$jh5$jhF $jhe6$v":$wfQN$O$x
API String ID: 190572456-4245673211
Opcode ID: 69aaa37e2d06f892c511557083bbc2479952b512e22849ea38e49db97981e9fa
Instruction ID: 26d0ab6fe2c3b0230e780a770c0d8b50f8ae22b6bd4937340938a77488f4ffd7
Opcode Fuzzy Hash: 69aaa37e2d06f892c511557083bbc2479952b512e22849ea38e49db97981e9fa
Instruction Fuzzy Hash: DF338B78901608EFDB049FA2FD495AB7BB4FB98394B118459D481B73E4EBF00A6CDB41

Function 00E40D80 Relevance: 26.2, APIs: 11, Strings: 3, Instructions: 1701fileCOMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00E41070
DeleteFileA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00E41337
RemoveDirectoryA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00E41444
CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000), ref: 00E415BA
CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00E417C7
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E41DD6
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E41E83
GetTempPathA.KERNEL32(00000104,00000000,?,?,?,?,?,00000000), ref: 00E4222B
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00E4247F
GetTempPathA.KERNEL32(00000104,00000000,?,?,?,?,?,00000000), ref: 00E4270C
SetFileAttributesA.KERNELBASE(00000000,00000002,?,?,?,?,?,?,00000000), ref: 00E428B9

Strings

\, xrefs: 00E42314
A-1, xrefs: 00E4115F, 00E41165
C:\Users\user, xrefs: 00E41AE8, 00E41C31

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemove
String ID: A-1$C:\Users\user$\
API String ID: 2326410248-1631190078
Opcode ID: eb7e4a5dc98b49cd29b78bab068b38ab9c3448695890632d2c1fe34be4281270
Instruction ID: 5df2304155af247f3571bcbf3aef6ee7bbaf80b0714dbd4e327d503d012e835d
Opcode Fuzzy Hash: eb7e4a5dc98b49cd29b78bab068b38ab9c3448695890632d2c1fe34be4281270
Instruction Fuzzy Hash: F9F2DC78901605DFDB049F62FE582AB3BB5FB98390B214499D481B23F5EBF109ACDB41

Function 00E5DFE0 Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 443
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,000000FF), ref: 00E5E0FE
ReadFile.KERNELBASE(00000000,00000000,?,?,00000000,?,?,?,?,000000FF), ref: 00E5E219
CloseHandle.KERNELBASE(00000000,?,?,?,?,000000FF), ref: 00E5E252
GetTickCount.KERNEL32 ref: 00E5E2E3
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00E5E592
WriteFile.KERNELBASE(00000000,000000FF,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00E5E62B
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00E5E644

Strings

*?|r, xrefs: 00E5E53E
{foQ, xrefs: 00E5E5B0
}*@o, xrefs: 00E5E56F

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID: *?|r${foQ$}*@o
API String ID: 3478262135-1153267046
Opcode ID: bf4f1c0a0069aac418a4364b16edc3e91786e047ff87f1c3b2e1bd383541f3a1
Instruction ID: fc55181d6b13c673e356095e821beb18108e9229b3b48a7f17c8af0ed2a0e4fe
Opcode Fuzzy Hash: bf4f1c0a0069aac418a4364b16edc3e91786e047ff87f1c3b2e1bd383541f3a1
Instruction Fuzzy Hash: 9B02CB78900605DFDB049F22FD982AB3BB5FB98385F118955E881B63E4EBF1099DCB41

Function 00E2CEB0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 200
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(00002E0F,0071D8D8,00000000,00000000,00000000,00000008,00000000,00000000,00000044,00000000,?,?,?,?,?,00000000), ref: 00E2D02A
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 00E2D04E
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00E2D0C9

Strings

D, xrefs: 00E2CF2E

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: 9b973b882bc501ba9e93ae7975ab3ae2e0a14e43ad18c5c31c03e57afea0a659
Instruction ID: 841a73b9d9723bc79c778730a9e79f0141bc3f43f5dc609125eb8e18bf00f13e
Opcode Fuzzy Hash: 9b973b882bc501ba9e93ae7975ab3ae2e0a14e43ad18c5c31c03e57afea0a659
Instruction Fuzzy Hash: CF819978901619DFE7009F62FD582AB3B71FB54384B118449E582B63F8EBF1046DCB86

Function 00E43C00 Relevance: 4.8, APIs: 3, Instructions: 323
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000000,00000000,?,FFFFFFFF,00000000,?,?,?,?,00000000,?), ref: 00E43D9D
WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000), ref: 00E43FC3
CloseHandle.KERNEL32(00000000), ref: 00E4410F

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 97bf45ee1e04d77410bb310da5f219716cbc9d0db2a71c1093ad8238984469ee
Instruction ID: 4f4baf9ca183f661373ad6687211e50b328dbdb574e73ea376314d7f0c6def13
Opcode Fuzzy Hash: 97bf45ee1e04d77410bb310da5f219716cbc9d0db2a71c1093ad8238984469ee
Instruction Fuzzy Hash: DBD1A778901609DFE7049F62FD992AB3BB4FB98790B114995D881B23F4FBF04968CB41

Function 00E47B30 Relevance: 3.1, APIs: 2, Instructions: 62
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00E2650A,00E2650A,[C), ref: 00E47BF9
RtlFreeHeap.NTDLL(00000000), ref: 00E47C00

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: c085865eea09e0ff16ec800d8e53dc3348304b772e19f6fcc081804977439267
Instruction ID: 82944407052c947c579527d159c1c567fe8e9129640fc8a33a9fbd869a111583
Opcode Fuzzy Hash: c085865eea09e0ff16ec800d8e53dc3348304b772e19f6fcc081804977439267
Instruction Fuzzy Hash: BF21B879805204EFC7109F72FA481DA3BB5F7643A5B214156C8A4B73E0EBF00A5CDB90

Function 00E2ACD0 Relevance: 3.0, APIs: 2, Instructions: 28
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(00E5EC02,00000000,00E5EC02,?), ref: 00E2AD0C
CharLowerBuffA.USER32(00E5EC02,00000000), ref: 00E2AD14

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID:
API String ID: 794975171-0
Opcode ID: 6812bba7ba6b7b41f616f2428a78b708c6365f2a1f50e0150a99100ef9d2ed8e
Instruction ID: b52bf64346e9883fce96c34340f1057c3e5c71e4adb120bbf4d942c71ac9397e
Opcode Fuzzy Hash: 6812bba7ba6b7b41f616f2428a78b708c6365f2a1f50e0150a99100ef9d2ed8e
Instruction Fuzzy Hash: 27F03A78916218EF8B00DF66F94849A7B78FB0A250B004185DC4063350D7B15A09EB91

Function 00E5CAC0 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00E5CB26

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: b3603fdf2045514f3c77a3a0d71955e91e3ff7eb70e153e5e3c46d58e42c6a93
Instruction ID: 62c3a75c47c33899b7ee329dd3537524d972c48dec519bf3aaead588b6b23a93
Opcode Fuzzy Hash: b3603fdf2045514f3c77a3a0d71955e91e3ff7eb70e153e5e3c46d58e42c6a93
Instruction Fuzzy Hash: 17F01738100606CFC708AF37FD0C0AB7B79FB84785B018525D4A1A63B0EBB0856DCB81

Function 00E3435B Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00E34387

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 06b1e12983193e84b20046e6ce9204b1bae6730738eb4e5582990bdebf828818
Instruction ID: 8b7366eebeb0ea42f14aab72404bf0f0add287b1282803a0c19d4a9455dfb32f
Opcode Fuzzy Hash: 06b1e12983193e84b20046e6ce9204b1bae6730738eb4e5582990bdebf828818
Instruction Fuzzy Hash: 29D0CA29400622DEC6802F7BBE180277AB5BB407A23015142E499B53F8DEF1889CD7AA

Non-executed Functions

Function 00E27DA0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 222serviceCOMMON

Download Yara Rule

APIs

CreateServiceA.ADVAPI32(00000000,00714448,00714448,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00E27E74
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00E27EF3
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00E27F2A
CloseServiceHandle.ADVAPI32(00000000), ref: 00E27F4E
OpenServiceA.ADVAPI32(00000000,00714448,00000010), ref: 00E27FB2
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00E2804A
CloseServiceHandle.ADVAPI32(00000000), ref: 00E28063
CloseServiceHandle.ADVAPI32(00000000), ref: 00E28098

Strings

HDq, xrefs: 00E27E52, 00E27F9C

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: Service$CloseHandle$Start$ChangeConfig2CreateOpen
String ID: HDq
API String ID: 229943926-853528257
Opcode ID: dd298402333fd9efaf2b6c8617609be7397268dd7bc1343ea4fc68b1385c7882
Instruction ID: ba0ca22e6a5f4c8e57c0775ea6b71a57c5909c4f01a2fe2c22c3a02aaee1f1e5
Opcode Fuzzy Hash: dd298402333fd9efaf2b6c8617609be7397268dd7bc1343ea4fc68b1385c7882
Instruction Fuzzy Hash: 12A1673C805619EFE7049F62FC886AB7B70FB99795F118446E891763F0EBB105A8CB40

Function 00E2BC00 Relevance: 12.8, APIs: 6, Strings: 1, Instructions: 558processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E2BD75

Strings

GI`, xrefs: 00E2C2B9

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: CreateSnapshotToolhelp32
String ID: GI`
API String ID: 3332741929-3984944610
Opcode ID: 16f5aecd696f43d8ce50c29ca81e814159a33609b3ddc8c5e19dfd86021d82c9
Instruction ID: 968a377b7279c73e4c92235f4d259f4232350c66edc61c784f887516daf1c1ed
Opcode Fuzzy Hash: 16f5aecd696f43d8ce50c29ca81e814159a33609b3ddc8c5e19dfd86021d82c9
Instruction Fuzzy Hash: 9A328778901209DFDB049F63FE982AB3B75FB98394B118459D891763F4EBB009A8CF41

Function 00E3D280 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 509serviceCOMMON

Download Yara Rule

APIs

EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000), ref: 00E3D5BC
GetLastError.KERNEL32 ref: 00E3D5E5
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 00E3D6F7

Strings

wfQN, xrefs: 00E3D8C1

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: EnumServicesStatus$ErrorLast
String ID: wfQN
API String ID: 1500475886-2838687785
Opcode ID: f930af687a1a73030da2cb47aa1cb6ef969f5ef610bea4b4b9cd5b0d02edd091
Instruction ID: cb1b819ce4de47b6e27d57c82da52abd77a6b7502c807e5d08ddd9ea58343cf9
Opcode Fuzzy Hash: f930af687a1a73030da2cb47aa1cb6ef969f5ef610bea4b4b9cd5b0d02edd091
Instruction Fuzzy Hash: AD329978905204EFDB009F62FE582AB7BB5FB99390B218456D481723F4EBB10A6CDF45

Function 00E48230 Relevance: 4.6, APIs: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,00E56CE7,?,?,?,?,00E2F288), ref: 00E482F2
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,00E56CE7,?,?,?,?,00E2F288), ref: 00E48312
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E48390

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: Time$System$FileUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 1858273683-0
Opcode ID: 376b7ced660df1530e03cedca3388d7bb3f8b2afc5b975f65d30f1295aa4bf51
Instruction ID: f8d948c4acb3394df453e9903efcc25ad5ef59fcd70ba215d992cca7250b817c
Opcode Fuzzy Hash: 376b7ced660df1530e03cedca3388d7bb3f8b2afc5b975f65d30f1295aa4bf51
Instruction Fuzzy Hash: 1B517878905609DFCB04CF62FE885AF7BB4FB84384B214546D891723B4EBB00969CB45

Function 00E37DE0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 00E37E71

Strings

HDq, xrefs: 00E37E55

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID: HDq
API String ID: 3789849863-853528257
Opcode ID: 944f99a96af5dbead4981d33352b437592676e924bf7bae6be74862478ccba1e
Instruction ID: ebc40be1a772cf9b816704dfa6d887c4f94b4d6d19ab10e731b5d6fee9fcdee9
Opcode Fuzzy Hash: 944f99a96af5dbead4981d33352b437592676e924bf7bae6be74862478ccba1e
Instruction Fuzzy Hash: DC115138844609DFD7009F66FE481AF7FB0FB54760B114559C895B33A4E7B10559CB81

Function 00E3F079 Relevance: 1.8, APIs: 1, Instructions: 304networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000009,?,00000400,00000000), ref: 00E3F0A4
closesocket.WS2_32(00000009), ref: 00E3F642

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: closesocketrecv
String ID:
API String ID: 485150354-0
Opcode ID: e191710a3e62369a3f121f7b284a4d93d771849df09f94009dca47304c11237d
Instruction ID: 883631f4f7cd78e6582adeb44aff7a65d42658fef46dda1d5d60f2c70e2a76ad
Opcode Fuzzy Hash: e191710a3e62369a3f121f7b284a4d93d771849df09f94009dca47304c11237d
Instruction Fuzzy Hash: 3DD19C78A01608DFDB049F62FC982AB3BB5FB99790F114465D481723F4EBB049ADDB42

Function 00E39AC0 Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b26014a5131d89d4b80a6d6331c1741e6aff57aa43de6a587c2059dc4667fa9b
Instruction ID: 7fe436bed2d90d48cf0fbae9b93ba4668f893eda75081556f2c769503135f7b1
Opcode Fuzzy Hash: b26014a5131d89d4b80a6d6331c1741e6aff57aa43de6a587c2059dc4667fa9b
Instruction Fuzzy Hash: 8822BF78A01209DFD7048F26FD981AB7BB1FB883D4B118555D482B63F4FBB14869DB84

Function 00E3A300 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 360registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(00714448,Function_000114E0), ref: 00E3A47B
SetServiceStatus.ADVAPI32(00000000,00E6E9BC), ref: 00E3A590
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E3A5A6
SetServiceStatus.ADVAPI32(00000000,00E6E9BC), ref: 00E3A636
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00E3A6CB
SetServiceStatus.ADVAPI32(00000000,00E6E9BC), ref: 00E3A7A6
CloseHandle.KERNEL32(00000000), ref: 00E3A7D3
SetServiceStatus.ADVAPI32(00000000,00E6E9BC), ref: 00E3A8E5

Strings

HDq, xrefs: 00E3A46E

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID: HDq
API String ID: 3399922960-853528257
Opcode ID: a5c8718e85839362c532452705cb1304f77322bd54ce85e0e620a68cd3390b3c
Instruction ID: d6c0054eb1abb4776fc4df0f0e4140c91aa95519914eaea17204b359ff74ffb2
Opcode Fuzzy Hash: a5c8718e85839362c532452705cb1304f77322bd54ce85e0e620a68cd3390b3c
Instruction Fuzzy Hash: B6F12578902604DFD7049F63FE990AB3BB4FB98790B11859AD881B23F4EBB0095DDB45

Function 00E5E950 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 341processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000,00000001), ref: 00E5EAE8
OpenProcess.KERNEL32(00000002,00000000,?), ref: 00E5ECC0
CloseHandle.KERNEL32(00000000), ref: 00E5ED5F
Process32Next.KERNEL32(00000000,00000128), ref: 00E5EE38
CloseHandle.KERNEL32(00000000), ref: 00E5EE7C

Strings

wfQN, xrefs: 00E5ECF4

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: CloseHandle$CreateNextOpenProcessProcess32SnapshotToolhelp32
String ID: wfQN
API String ID: 1219847958-2838687785
Opcode ID: 4f5d8ce5042988f343c320db5b5f76b4c6fa446fc3d7d798d8c3ec5ee61f29f0
Instruction ID: 6a1f19743178312a41051282a35763ba7b4f878284352042e59a85cec8bd47f3
Opcode Fuzzy Hash: 4f5d8ce5042988f343c320db5b5f76b4c6fa446fc3d7d798d8c3ec5ee61f29f0
Instruction Fuzzy Hash: 82E1BB78901615DFDB049F22FD982AB3BB0FB953D5B114895C881B23F4EBB10AADDB41

Function 00E5A650 Relevance: 9.2, APIs: 6, Instructions: 244filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00E5A728
GetFileTime.KERNEL32(00000000,?,?,?), ref: 00E5A7F1
CloseHandle.KERNEL32(00000000), ref: 00E5A810
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E5A8FB
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00E5A94E
CloseHandle.KERNEL32(00000000), ref: 00E5A990

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3236713533-0
Opcode ID: d0ae505c430810f19eec6c3c0231fe08b0f9083f7d0a4f0b5caf9b6cc7a8b69e
Instruction ID: 338cb636b3bb7517e22dadbb13f8227304591ce66cb7408f05ce8f3d6ad149ab
Opcode Fuzzy Hash: d0ae505c430810f19eec6c3c0231fe08b0f9083f7d0a4f0b5caf9b6cc7a8b69e
Instruction Fuzzy Hash: C2A1AA78901215DFD7049F67FD886AB7BB4FB987A4B10856AD880B23F4EBB0495CCB40

Function 00E2AFE0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 304fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E2B0FE
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00E2B1A5
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00E2B2BD
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00E2B30B

Strings

wfQN, xrefs: 00E2B0C7

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: CloseFileHandle$CreateRead
String ID: wfQN
API String ID: 2564258376-2838687785
Opcode ID: de5434efdd83b5dd47bda71922b9d5bc3411761d824e9162e184525e20e16410
Instruction ID: 0e13c21bdc2527537601fdaae5c23d29a271944c38fc667adb03b151ad64a168
Opcode Fuzzy Hash: de5434efdd83b5dd47bda71922b9d5bc3411761d824e9162e184525e20e16410
Instruction Fuzzy Hash: CFD1B978A00214DFDB049F66FD986AB3B75FB88790B118099E481B63E5EBF0096DDB41

Function 00E395B0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 166registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,00000000,?), ref: 00E39700
RegSetValueExA.ADVAPI32(?,00713E60,00000000,00000001,?,00000000), ref: 00E397AE
RegCloseKey.ADVAPI32(?), ref: 00E39832

Strings

ue[, xrefs: 00E39618
`>q, xrefs: 00E3979B

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: CloseOpenValue
String ID: `>q$ue[
API String ID: 779948276-307827626
Opcode ID: 78d343aeed0721ae0af848d871a82d481275ee33308d273b2b087d3a706af483
Instruction ID: a97df89c222ad57e0cfd5aef56d8bbf5248597750a8671c41bd44520906ca4ba
Opcode Fuzzy Hash: 78d343aeed0721ae0af848d871a82d481275ee33308d273b2b087d3a706af483
Instruction Fuzzy Hash: BC61A938801514EFE7009F66FD881AB3B74FBA8798B104446D886B23F5EBF104ADC791

Function 00E2BF59 Relevance: 7.8, APIs: 5, Instructions: 259processCOMMON

Download Yara Rule

APIs

Part of subcall function 00E58340: lstrlenA.KERNEL32(?,?,?,00E27D41,?,?), ref: 00E583A7

CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00E2C157
Module32First.KERNEL32(00000000,00000224), ref: 00E2C1FE

Part of subcall function 00E3ADE0: wvsprintfA.USER32(00002E0F,?,?), ref: 00E3AF24

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32lstrlenwvsprintf
String ID:
API String ID: 3143976151-0
Opcode ID: 43efe8ba06c50791660579bfa4f4734701874c90d61f96b288e04f3df1bcc940
Instruction ID: a2c641363b82bb8c1b9168534843512beff8f426b3f2f94bc0fa189f8c3b18e8
Opcode Fuzzy Hash: 43efe8ba06c50791660579bfa4f4734701874c90d61f96b288e04f3df1bcc940
Instruction Fuzzy Hash: 2AB1BD78901214DFDB049F66FE982AB3BB0FB98384B118459D855B63F0EBF00A6DDB41

Function 00E37A60 Relevance: 7.6, APIs: 5, Instructions: 127synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000001,00000001,00E5C80C), ref: 00E37B1E
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00E37B87
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E37BA0
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00E37BDF
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E37BFA

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: 31ada507f33f68e915503847145a119eb4ccc9500f9e510fb2102b8e86176903
Instruction ID: dd38d99853c2589c580794d00efd4608605c36f5b368b72e94b15d39d25e3af4
Opcode Fuzzy Hash: 31ada507f33f68e915503847145a119eb4ccc9500f9e510fb2102b8e86176903
Instruction Fuzzy Hash: DC51A978101214EFD7408F27FD492AB3BB4FB95BA1F00841AE899A63E4F7F44469CB41

Function 00E3AC30 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,?,?,00E34300), ref: 00E3AC7F
GetStdHandle.KERNEL32(000000F5,00000000,?,?,00E34300), ref: 00E3ACFD
GetStdHandle.KERNEL32(000000F4,00000000,?,?,00E34300), ref: 00E3AD6D

Strings

P, xrefs: 00E3AD70
0, xrefs: 00E3AD00

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: Handle
String ID: 0$P
API String ID: 2519475695-3929037830
Opcode ID: 4a3f7545a65fde9e0b36904019de5bb7924e8a1a8b52fe3b6745faea2c389822
Instruction ID: 7688035ec1b0cf59c3b9c42fd1bdb4765b7295c6af5dfa01e354b33a6637d200
Opcode Fuzzy Hash: 4a3f7545a65fde9e0b36904019de5bb7924e8a1a8b52fe3b6745faea2c389822
Instruction Fuzzy Hash: B2414378809618DFD7449F52FE481AA7B70FB993A0B114196D485723F0EBB00AACCB90

Function 00E28350 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 469sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00E287E0
Sleep.KERNEL32(00015F90), ref: 00E28A0F

Strings

$y0, xrefs: 00E289AC
wfQN, xrefs: 00E28878

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: FileModuleNameSleep
String ID: wfQN$$y0
API String ID: 4084727719-2136385076
Opcode ID: 7237fd46225535f83a515b0edf0aeea8ebee6f9e9beb4bf207d7f6584654b4fc
Instruction ID: baa2b06f4470c4dfa44bf8cb7a50426848d0797a90bd6eb6b1c20a9e12bdcd6d
Opcode Fuzzy Hash: 7237fd46225535f83a515b0edf0aeea8ebee6f9e9beb4bf207d7f6584654b4fc
Instruction Fuzzy Hash: C212D178901614DFDB049F62FE481AB3BB4FB98390B114556D486B23F5EBF00A6DDB81

Function 00E5A060 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 128fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00005000,?,00000000,00000001,?,00000001,?,00E34D55,?,?), ref: 00E5A17E
ReadFile.KERNEL32(?,?,00005000,00000000,00000000,?,00000000,?,00000001,?,00E34D55), ref: 00E5A22D

Strings

UM, xrefs: 00E5A0F8

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: FileRead
String ID: UM
API String ID: 2738559852-731700637
Opcode ID: 1040005f3b31c41fd97c4ac81343144c21e1498262852a8272fb2ed42da7b96d
Instruction ID: eb1c01fdb1c5efe186ad144562625086bf9807ff8b3c875febf27a2393f1d487
Opcode Fuzzy Hash: 1040005f3b31c41fd97c4ac81343144c21e1498262852a8272fb2ed42da7b96d
Instruction Fuzzy Hash: 53518878A01609DFDB048F66FD985AB3B39FB89384B008949D405B63F5EBB0492CDF41

Function 00E29C20 Relevance: 5.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?), ref: 00E29CBF
HeapReAlloc.KERNEL32(00000000), ref: 00E29CC6
GetProcessHeap.KERNEL32(00000000,?), ref: 00E29CF0
HeapAlloc.KERNEL32(00000000), ref: 00E29CF7

Memory Dump Source

Source File: 00000000.00000002.1457413530.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.1457400112.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457448359.0000000000E63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457467011.0000000000E6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457483389.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_Z4KBs1USsJ.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 9a4e8f934deaedb5147eeade340b91c74eb7d0c1e45a7877f80475fd1ea473fe
Instruction ID: b971ec1e68069dfffcd0651d27fb8940dd56f30d6ac966b8015095cffefe460c
Opcode Fuzzy Hash: 9a4e8f934deaedb5147eeade340b91c74eb7d0c1e45a7877f80475fd1ea473fe
Instruction Fuzzy Hash: 9921F378904609EFDB00AF62FD191AB3B74FB48395F104484E889723F0EBB205ACCB91

Analysis Process: nflzf40di8bxnz25kz2r.exePID: 6836, Parent PID: 4520COMMON

Execution Graph

Execution Coverage:	35%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	15

Executed Functions

Function 00B1CBD0 Relevance: 19.2, APIs: 12, Instructions: 1228
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000,?,?,?,?,?,00000001), ref: 00B1CF42
GetProcAddress.KERNEL32(00000000,00000000), ref: 00B1D041
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B1D0E9
HeapAlloc.KERNEL32(?,00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B1D17C
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B1D1D7
GetAdaptersInfo.IPHLPAPI(00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B1D2BD
HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B1D33C
HeapAlloc.KERNEL32(?,00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B1D404
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B1D441
GetAdaptersInfo.IPHLPAPI(00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B1D4C8
HeapFree.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B1DEB5
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B1DF43

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: Free$Library$Heap$AdaptersAllocInfo$AddressLoadProc
String ID:
API String ID: 2823868357-0
Opcode ID: 0e728b2f90c424e15b689b13f8ff2e4e41e23a882b4a8a94f432bd80abdc1e36
Instruction ID: cb1ee35ff2d7ab525ff948018227b817dd739397eb6d7be7d3ab1df9bccee68d
Opcode Fuzzy Hash: 0e728b2f90c424e15b689b13f8ff2e4e41e23a882b4a8a94f432bd80abdc1e36
Instruction Fuzzy Hash: E7C2E070901605CBD735DF62FD892E93BB0FB98311B11459AD8A1632B8EF35C8A7CB85

Function 00AE7DA0 Relevance: 13.7, APIs: 9, Instructions: 222
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00AE7E23
CreateServiceA.ADVAPI32(00000000,009C69E0,009C69E0,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00AE7E74
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00AE7EF3
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00AE7F2A
CloseServiceHandle.ADVAPI32(00000000), ref: 00AE7F4E
OpenServiceA.ADVAPI32(00000000,009C69E0,00000010), ref: 00AE7FB2
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00AE804A
CloseServiceHandle.ADVAPI32(00000000), ref: 00AE8063
CloseServiceHandle.ADVAPI32(00000000), ref: 00AE8098

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: 8369910461834add001835abac825ddedec870cc597168e4c79c91fb50fe93b7
Instruction ID: 90dbcfe822164fb63c3c7e8c0d1d8a7b9b8dd93b853a742a5244394fb1643ad0
Opcode Fuzzy Hash: 8369910461834add001835abac825ddedec870cc597168e4c79c91fb50fe93b7
Instruction Fuzzy Hash: 8AA19C34804618EBD7309F62FC896AD7B70FB58712F11845AE8A1633B4DF3185A3CB44

Function 00B0915F Relevance: 266.1, APIs: 113, Strings: 36, Instructions: 5361libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(75550000,?), ref: 00B091B1
GetProcAddress.KERNEL32(75550000,?), ref: 00B0927C
GetProcAddress.KERNEL32(75550000,?), ref: 00B09341

Strings

jhn., xrefs: 00B0AA92
h_+, xrefs: 00B0DAA7
h^., xrefs: 00B0B1C9
hx+, xrefs: 00B0C45D
hU., xrefs: 00B0C760
hU&, xrefs: 00B0B59B
ht6, xrefs: 00B09BE9
h*6, xrefs: 00B0D111
h{4, xrefs: 00B0A131
hk, xrefs: 00B0E187
v":, xrefs: 00B0D12A
h$, xrefs: 00B09E6F
hW:, xrefs: 00B0CC62
hL+, xrefs: 00B0A836
jhH6, xrefs: 00B0A26F
hb&, xrefs: 00B09C89
h7:, xrefs: 00B0C338
O, xrefs: 00B0E96C
x, xrefs: 00B0E843
hk4, xrefs: 00B0D81C
jh5, xrefs: 00B0C6B1
hT4, xrefs: 00B0BAD2
jhE4, xrefs: 00B09F4D
hg5, xrefs: 00B0C238
H)p, xrefs: 00B0915F, 00B0CFA7, 00B0CFAD, 00B0DE3C, 00B0DE50
hp5, xrefs: 00B0D55A
hB., xrefs: 00B0DED2
h2., xrefs: 00B0A348
f}?, xrefs: 00B0D295
hE:, xrefs: 00B0B42B
jh&., xrefs: 00B0A56A
CB!, xrefs: 00B0C4BB
h-, xrefs: 00B0CA96
jhe6, xrefs: 00B0CD51
C:\Users\user, xrefs: 00B0E1A3
jhF , xrefs: 00B0CBF2

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: AddressProc
String ID: C:\Users\user$CB!$H)p$f}?$h*6$h2.$h7:$hB.$hE:$hL+$hT4$hU&$hU.$hW:$h^.$h_+$hb&$hg5$hk$hk4$hp5$ht6$hx+$h{4$h$$h-$jh&.$jhH6$jh5$jhE4$jhF $jhe6$jhn.$v":$O$x
API String ID: 190572456-1030686920
Opcode ID: 8a5879f96aed862b7d7ea3a3766357c9c7e9d77a6a31a0d9ce57c3553f013f07
Instruction ID: 36a911f41b5670d2e6962dce89d431f6c9ca761845cf5daaeb677308178354b0
Opcode Fuzzy Hash: 8a5879f96aed862b7d7ea3a3766357c9c7e9d77a6a31a0d9ce57c3553f013f07
Instruction Fuzzy Hash: 63B3D270900608DBE720EF62FD896AD3BB0FB98311B118959E5A1633B4EF34D963DB45

Function 00B0A25E Relevance: 214.4, APIs: 89, Strings: 31, Instructions: 4394
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75550000,?), ref: 00B0A2B5
GetProcAddress.KERNEL32(75550000,?), ref: 00B0A332
GetProcAddress.KERNEL32(75550000,?), ref: 00B0A406
GetProcAddress.KERNEL32(75550000,?), ref: 00B0A4E1
GetProcAddress.KERNEL32(75550000,?), ref: 00B0A5D9

Strings

jhn., xrefs: 00B0AA92
h_+, xrefs: 00B0DAA7
h^., xrefs: 00B0B1C9
hx+, xrefs: 00B0C45D
hU., xrefs: 00B0C760
hU&, xrefs: 00B0B59B
h*6, xrefs: 00B0D111
hk, xrefs: 00B0E187
v":, xrefs: 00B0D12A
hW:, xrefs: 00B0CC62
hL+, xrefs: 00B0A836
jhH6, xrefs: 00B0A26F
h7:, xrefs: 00B0C338
O, xrefs: 00B0E96C
x, xrefs: 00B0E843
hk4, xrefs: 00B0D81C
jh5, xrefs: 00B0C6B1
hT4, xrefs: 00B0BAD2
hg5, xrefs: 00B0C238
H)p, xrefs: 00B0CFA7, 00B0CFAD, 00B0DE3C, 00B0DE50
hp5, xrefs: 00B0D55A
hB., xrefs: 00B0DED2
h2., xrefs: 00B0A348
f}?, xrefs: 00B0D295
hE:, xrefs: 00B0B42B
jh&., xrefs: 00B0A56A
CB!, xrefs: 00B0C4BB
h-, xrefs: 00B0CA96
jhe6, xrefs: 00B0CD51
C:\Users\user, xrefs: 00B0E1A3
jhF , xrefs: 00B0CBF2

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: AddressProc
String ID: C:\Users\user$CB!$H)p$f}?$h*6$h2.$h7:$hB.$hE:$hL+$hT4$hU&$hU.$hW:$h^.$h_+$hg5$hk$hk4$hp5$hx+$h-$jh&.$jhH6$jh5$jhF $jhe6$jhn.$v":$O$x
API String ID: 190572456-3718656039
Opcode ID: 91d9cfbdd2131904d35869b531a73976a69ad03677c5f851ed3a200af495764c
Instruction ID: 2c841b2eeefecb93e9a21e99ccdd642741b15fa8b2cdefb07d042f728b3df24b
Opcode Fuzzy Hash: 91d9cfbdd2131904d35869b531a73976a69ad03677c5f851ed3a200af495764c
Instruction Fuzzy Hash: 7D93D170900608EBE720EF62FD896AD3BB0FB98311B118559E5A1673B4EF30D963DB45

Function 00B0A547 Relevance: 203.7, APIs: 85, Strings: 29, Instructions: 4234
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75550000,?), ref: 00B0A5D9
GetProcAddress.KERNEL32(75550000,?), ref: 00B0A651
GetProcAddress.KERNEL32(75550000,?), ref: 00B0A6E0
GetProcAddress.KERNEL32(75550000,?), ref: 00B0A7CF
GetProcAddress.KERNEL32(75550000,?), ref: 00B0A895
GetProcAddress.KERNEL32(75550000,?), ref: 00B0A9D1
GetProcAddress.KERNEL32(75550000,?), ref: 00B0AA6B
GetProcAddress.KERNEL32(75550000,?), ref: 00B0AB67
GetProcAddress.KERNEL32(75550000,?), ref: 00B0AC47

Strings

jhn., xrefs: 00B0AA92
h_+, xrefs: 00B0DAA7
h^., xrefs: 00B0B1C9
hx+, xrefs: 00B0C45D
hU., xrefs: 00B0C760
hU&, xrefs: 00B0B59B
h*6, xrefs: 00B0D111
hk, xrefs: 00B0E187
v":, xrefs: 00B0D12A
hW:, xrefs: 00B0CC62
hL+, xrefs: 00B0A836
h7:, xrefs: 00B0C338
O, xrefs: 00B0E96C
x, xrefs: 00B0E843
hk4, xrefs: 00B0D81C
jh5, xrefs: 00B0C6B1
hT4, xrefs: 00B0BAD2
hg5, xrefs: 00B0C238
H)p, xrefs: 00B0CFA7, 00B0CFAD, 00B0DE3C, 00B0DE50
hp5, xrefs: 00B0D55A
hB., xrefs: 00B0DED2
f}?, xrefs: 00B0D295
hE:, xrefs: 00B0B42B
jh&., xrefs: 00B0A56A
CB!, xrefs: 00B0C4BB
h-, xrefs: 00B0CA96
jhe6, xrefs: 00B0CD51
C:\Users\user, xrefs: 00B0E1A3
jhF , xrefs: 00B0CBF2

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: AddressProc
String ID: C:\Users\user$CB!$H)p$f}?$h*6$h7:$hB.$hE:$hL+$hT4$hU&$hU.$hW:$h^.$h_+$hg5$hk$hk4$hp5$hx+$h-$jh&.$jh5$jhF $jhe6$jhn.$v":$O$x
API String ID: 190572456-2019635314
Opcode ID: 3dcc0f3642c7be9324e3066da7041899bd753c0964574e62f51c199dba8e104a
Instruction ID: 3822b5801e8d6a9648e28558c84c105d46a02f487d9bddbb8c6dd5f7ce589b70
Opcode Fuzzy Hash: 3dcc0f3642c7be9324e3066da7041899bd753c0964574e62f51c199dba8e104a
Instruction Fuzzy Hash: 3093D170900608EBE724EF62FD896AD3BB0FB98311B118459E5A1673B4EF30D963DB45

Function 00B0BE53 Relevance: 128.8, APIs: 50, Strings: 22, Instructions: 2769
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00000000), ref: 00B0BF33
GetProcAddress.KERNEL32(75340000,?), ref: 00B0C0E8
GetProcAddress.KERNEL32(75340000,?), ref: 00B0C15F

Strings

hg5, xrefs: 00B0C238
H)p, xrefs: 00B0CFA7, 00B0CFAD, 00B0DE3C, 00B0DE50
h_+, xrefs: 00B0DAA7
hp5, xrefs: 00B0D55A
hx+, xrefs: 00B0C45D
hB., xrefs: 00B0DED2
f}?, xrefs: 00B0D295
hU., xrefs: 00B0C760
CB!, xrefs: 00B0C4BB
h-, xrefs: 00B0CA96
h*6, xrefs: 00B0D111
jhe6, xrefs: 00B0CD51
v":, xrefs: 00B0D12A
hk, xrefs: 00B0E187
C:\Users\user, xrefs: 00B0E1A3
hW:, xrefs: 00B0CC62
jhF , xrefs: 00B0CBF2
h7:, xrefs: 00B0C338
O, xrefs: 00B0E96C
x, xrefs: 00B0E843
hk4, xrefs: 00B0D81C
jh5, xrefs: 00B0C6B1

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: C:\Users\user$CB!$H)p$f}?$h*6$h7:$hB.$hU.$hW:$h_+$hg5$hk$hk4$hp5$hx+$h-$jh5$jhF $jhe6$v":$O$x
API String ID: 2238633743-3773531125
Opcode ID: 6419d0f2c3bc33a70f37316ef2181e14c82bc820c8c0c3eaaec1da032b2329f6
Instruction ID: e560ea8bb46ade529bb4716935ac4ac1a4dd813d44f66ef0a6e0069d7f6244d5
Opcode Fuzzy Hash: 6419d0f2c3bc33a70f37316ef2181e14c82bc820c8c0c3eaaec1da032b2329f6
Instruction Fuzzy Hash: DC43C070D00608EBEB20DF62FD896AD7BB0FB98311B118559E5A1633A4DF30DA63DB45

Function 00B0BEEE Relevance: 128.7, APIs: 50, Strings: 22, Instructions: 2745
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00000000), ref: 00B0BF33
GetProcAddress.KERNEL32(75340000,?), ref: 00B0C0E8
GetProcAddress.KERNEL32(75340000,?), ref: 00B0C15F

Strings

hg5, xrefs: 00B0C238
H)p, xrefs: 00B0CFA7, 00B0CFAD, 00B0DE3C, 00B0DE50
h_+, xrefs: 00B0DAA7
hp5, xrefs: 00B0D55A
hx+, xrefs: 00B0C45D
hB., xrefs: 00B0DED2
f}?, xrefs: 00B0D295
hU., xrefs: 00B0C760
CB!, xrefs: 00B0C4BB
h-, xrefs: 00B0CA96
h*6, xrefs: 00B0D111
jhe6, xrefs: 00B0CD51
v":, xrefs: 00B0D12A
hk, xrefs: 00B0E187
C:\Users\user, xrefs: 00B0E1A3
hW:, xrefs: 00B0CC62
jhF , xrefs: 00B0CBF2
h7:, xrefs: 00B0C338
O, xrefs: 00B0E96C
x, xrefs: 00B0E843
hk4, xrefs: 00B0D81C
jh5, xrefs: 00B0C6B1

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: C:\Users\user$CB!$H)p$f}?$h*6$h7:$hB.$hU.$hW:$h_+$hg5$hk$hk4$hp5$hx+$h-$jh5$jhF $jhe6$v":$O$x
API String ID: 2238633743-3773531125
Opcode ID: 1b1056075ca4cfa9d26e21f3c69df4c16591bef4e807a4eb3ba47b2652163701
Instruction ID: 24334bbd8c6714a11f5e0e4e97099c239fc536a91f35eb1fbd5761790006cad7
Opcode Fuzzy Hash: 1b1056075ca4cfa9d26e21f3c69df4c16591bef4e807a4eb3ba47b2652163701
Instruction Fuzzy Hash: 7E43C070D00608EBEB20DF62FD896AD7BB0FB98311B118559E5A1633A4DF30DA63DB45

Function 00B0C587 Relevance: 105.6, APIs: 41, Strings: 18, Instructions: 2379
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75340000,?), ref: 00B0C632
GetProcAddress.KERNEL32(75340000,?), ref: 00B0C69E
GetProcAddress.KERNEL32(75340000,?), ref: 00B0C74B
GetProcAddress.KERNEL32(75340000,?), ref: 00B0C7DE
GetProcAddress.KERNEL32(75340000,?), ref: 00B0C891
GetProcAddress.KERNEL32(75340000,?), ref: 00B0C97C

Strings

H)p, xrefs: 00B0CFA7, 00B0CFAD, 00B0DE3C, 00B0DE50
h_+, xrefs: 00B0DAA7
hp5, xrefs: 00B0D55A
hB., xrefs: 00B0DED2
f}?, xrefs: 00B0D295
hU., xrefs: 00B0C760
h-, xrefs: 00B0CA96
h*6, xrefs: 00B0D111
jhe6, xrefs: 00B0CD51
v":, xrefs: 00B0D12A
hk, xrefs: 00B0E187
C:\Users\user, xrefs: 00B0E1A3
hW:, xrefs: 00B0CC62
jhF , xrefs: 00B0CBF2
O, xrefs: 00B0E96C
x, xrefs: 00B0E843
hk4, xrefs: 00B0D81C
jh5, xrefs: 00B0C6B1

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: AddressProc
String ID: C:\Users\user$H)p$f}?$h*6$hB.$hU.$hW:$h_+$hk$hk4$hp5$h-$jh5$jhF $jhe6$v":$O$x
API String ID: 190572456-72004656
Opcode ID: 986d623ccbff271900f0ed3a1dd9965ac3a2d8552634f2affc7acec5b600dbcb
Instruction ID: 7751e3d4337417c47f55f5ca74057d243a49327af04f1f38f21a8644a4e23cc6
Opcode Fuzzy Hash: 986d623ccbff271900f0ed3a1dd9965ac3a2d8552634f2affc7acec5b600dbcb
Instruction Fuzzy Hash: 0933C170D00608EBEB20DF62FE496AD7BB0FB98311B118559E5A1633A4DF30DA63DB45

Function 00B00D80 Relevance: 24.5, APIs: 11, Strings: 2, Instructions: 1701fileCOMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00B01070
DeleteFileA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00B01337
RemoveDirectoryA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00B01444
CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000), ref: 00B015BA
CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00B017C7
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B01DD6
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B01E83
GetTempPathA.KERNEL32(00000104,00000000,?,?,?,?,?,00000000), ref: 00B0222B
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00B0247F
GetTempPathA.KERNEL32(00000104,00000000,?,?,?,?,?,00000000), ref: 00B0270C
SetFileAttributesA.KERNELBASE(00000000,00000002,?,?,?,?,?,?,00000000), ref: 00B028B9

Strings

C:\Users\user, xrefs: 00B01AE8, 00B01C31
\, xrefs: 00B02314

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemove
String ID: C:\Users\user$\
API String ID: 2326410248-2593059505
Opcode ID: 90c30b3cdb9eae9344db3deadb11703e49c753dda4bf2b902441463c0c443968
Instruction ID: 6d28d2a7dae7a696d7e6b00785ad216fe8f339a21525b3d93f8254a7e2013592
Opcode Fuzzy Hash: 90c30b3cdb9eae9344db3deadb11703e49c753dda4bf2b902441463c0c443968
Instruction Fuzzy Hash: 94F2F470900609DBE724EF62FE492E93BB0FB98311F214999D4A5633B4EF318967CB45

Function 00B101C6 Relevance: 23.6, APIs: 12, Strings: 1, Instructions: 884
sleepfilethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 00B101FE
CloseHandle.KERNEL32(00000104), ref: 00B10568
SetFileAttributesA.KERNELBASE(?,00000080), ref: 00B105A5
CopyFileA.KERNEL32(?,?,00000000), ref: 00B10679
SetFileAttributesA.KERNELBASE(?,00000002), ref: 00B106A8
Sleep.KERNELBASE(000003E8), ref: 00B10850

Part of subcall function 00B1E950: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000,00000001), ref: 00B1EAE8

Sleep.KERNEL32(000007D0), ref: 00B10A11
SetFileAttributesA.KERNEL32(C:\trshmfqlcbpta\yrykdhhlfqp.exe,00000080), ref: 00B10A76
CopyFileA.KERNEL32(?,C:\trshmfqlcbpta\yrykdhhlfqp.exe,00000000), ref: 00B10A96
SetFileAttributesA.KERNEL32(C:\trshmfqlcbpta\yrykdhhlfqp.exe,00000002), ref: 00B10ACF

Part of subcall function 00AF68C0: CreateFileA.KERNEL32(00001D9F,80000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,00001D9F,00000003), ref: 00AF6AA4

CreateThread.KERNEL32(00000000,00000000,Function_0000EF70,00000000,00000000,00000000), ref: 00B10ECE
Sleep.KERNEL32(0000C350), ref: 00B110F4

Strings

C:\trshmfqlcbpta\yrykdhhlfqp.exe, xrefs: 00B10A71, 00B10A8A, 00B10AB0, 00B10E0A

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: File$Attributes$CreateSleep$Copy$CloseHandleSnapshotStartupThreadToolhelp32
String ID: C:\trshmfqlcbpta\yrykdhhlfqp.exe
API String ID: 753865460-4155721312
Opcode ID: bde24c2a1d327ba68c9dddd6ec786d0e35b4a61e4d09bd4f42a0342103890ebd
Instruction ID: c9c4236305b9733ab24d1fb637964f93c72401a71645206ab60e4cbae06c6aca
Opcode Fuzzy Hash: bde24c2a1d327ba68c9dddd6ec786d0e35b4a61e4d09bd4f42a0342103890ebd
Instruction Fuzzy Hash: 5382C270901619DBEB30EF63FE996A93BB0FB98301B114559D4A1632B4EF34C9A3CB45

Function 00AECEB0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 200
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(00002E0F,009CD210,00000000,00000000,00000000,00000008,00000000,00000000,00000044,00000000,?,?,?,?,?,00000000), ref: 00AED02A
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 00AED04E
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00AED0C9

Strings

D, xrefs: 00AECF2E

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: baeaf58804bf924295ab8ac17f3f7f2d4292597dc2601fc388494ecb28fe2094
Instruction ID: f8bb6297286c792a778bd18f7a5cbdeb11e8d0171a1fd52c4fbf2eafca7835d3
Opcode Fuzzy Hash: baeaf58804bf924295ab8ac17f3f7f2d4292597dc2601fc388494ecb28fe2094
Instruction Fuzzy Hash: F981BD70900609DBE730AF62FD496A93B70FB68301F118959E5A1672B8EF35C563CB89

Function 00B20C20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 146
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000001,?,?,?,00B00ECB), ref: 00B20CE0
CheckTokenMembership.KERNELBASE(00000000,?,?,?,?,?,00B00ECB), ref: 00B20D3F
FreeSid.ADVAPI32(?,?,?,?,00B00ECB), ref: 00B20E03

Strings

H)p, xrefs: 00B20DD0, 00B20DE7

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID: H)p
API String ID: 3429775523-1687790836
Opcode ID: ee97358e9ee07165a5db0b0bf9eaf681be58bd63edf0baedda9e8f509cf7bbe5
Instruction ID: 85c5decb6ad11a49a5593713ce53847320aa01596c5c6eb4d9e7f99ab71026c2
Opcode Fuzzy Hash: ee97358e9ee07165a5db0b0bf9eaf681be58bd63edf0baedda9e8f509cf7bbe5
Instruction Fuzzy Hash: 9251CC30910219DBC724DF97FC886BA7BB8FB58311B15849AE8B1632A1DF34C55BCB19

Function 00AEAFE0 Relevance: 6.3, APIs: 4, Instructions: 304
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AEB0FE
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00AEB1A5
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00AEB2BD
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00AEB30B

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: CloseFileHandle$CreateRead
String ID:
API String ID: 2564258376-0
Opcode ID: 081428d4ba2934ae66e3aba1a3ec1438567baf669aaf52e1eaa008bde37a1fe6
Instruction ID: e57123dcd27c2ea33ff30042cff63b66a9b483f3fc55e6d2379af773e2fe15b3
Opcode Fuzzy Hash: 081428d4ba2934ae66e3aba1a3ec1438567baf669aaf52e1eaa008bde37a1fe6
Instruction Fuzzy Hash: A1D1F130910604DBD720DF67FE896AE3B74FB98310F118559E5A1A32A4DF30DAA3DB15

Function 00B03C00 Relevance: 4.8, APIs: 3, Instructions: 323
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000000,00000000,?,FFFFFFFF,00000000,?,?,?,?,00000000,?), ref: 00B03D9D
WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000), ref: 00B03FC3
CloseHandle.KERNELBASE(00000000), ref: 00B0410F

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 8d55432fe274dfe7a518561bf39285b3c82c4984155953f7b486f2fd5bf85fb3
Instruction ID: 12c6ea329093660007f775cc60e6e3166ecc465fc05036c26a4f602f19e773e5
Opcode Fuzzy Hash: 8d55432fe274dfe7a518561bf39285b3c82c4984155953f7b486f2fd5bf85fb3
Instruction Fuzzy Hash: 42D1C070911609DBE730AF63FD892A93BB4FB68711B114995E8A1A32B4EF31C573CB44

Function 00B041E0 Relevance: 3.4, APIs: 2, Instructions: 422
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75670000,00000000), ref: 00B0453F
GetProcAddress.KERNEL32(75670000,00000000), ref: 00B045B2

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 59c64dcca7b0dbd3e3fc4f799f296299716a5eebfa11fe30fe27abdb7e2e22f1
Instruction ID: c6bb63d20a024d82eb1fbecd45fcec83f03b16042862bc30a056322c2b77e61a
Opcode Fuzzy Hash: 59c64dcca7b0dbd3e3fc4f799f296299716a5eebfa11fe30fe27abdb7e2e22f1
Instruction Fuzzy Hash: E202BD70900605EBE730AF62FC892A93FB4FB88712B514995D4B1632B4EF31C4A3CB59

Function 00B07B30 Relevance: 3.1, APIs: 2, Instructions: 62
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00AE650A,00AE650A,00AF435B), ref: 00B07BF9
RtlFreeHeap.NTDLL(00000000), ref: 00B07C00

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 80f6fd90c27256b19d59426ad9a5ddb3b502bc6cea82e13538967a6c36ef3d20
Instruction ID: bbdee34d7fa21a87875821672547a2a6d53677dd56e2667d64f2739b217f8bfd
Opcode Fuzzy Hash: 80f6fd90c27256b19d59426ad9a5ddb3b502bc6cea82e13538967a6c36ef3d20
Instruction Fuzzy Hash: CC21BA71C05204DBC330EF22EA492D97BB4FB58722B214256D874633A0EF309A53CB95

Function 00AEACD0 Relevance: 3.0, APIs: 2, Instructions: 28
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(00B1EC02,00000000,00B1EC02,?), ref: 00AEAD0C
CharLowerBuffA.USER32(00B1EC02,00000000), ref: 00AEAD14

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID:
API String ID: 794975171-0
Opcode ID: 6b985420741f335de808902eeac92ed4ae2684e4b996bea59b516e22e49d8ef6
Instruction ID: f4414ed62ccf3387093555f9d8ba49ca17b44bbec1ec9820128fe80a230599dc
Opcode Fuzzy Hash: 6b985420741f335de808902eeac92ed4ae2684e4b996bea59b516e22e49d8ef6
Instruction Fuzzy Hash: E0F05E78D01218EBC720DF65E9454D97BB8FF0D712B0041A5DC4063310CF349A12CB91

Function 00B1C960 Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00B00494,?,00B00494,?), ref: 00B1C97F
RtlAllocateHeap.NTDLL(00000000,?,00B00494,?), ref: 00B1C986

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: e75bac5812286f99e4535ff52bb825536e802388c7a44fe23997d6fc00a7619d
Instruction ID: e9f1933cef4b31af678ee7e44f2e3f57df0171aa16f129c68f6ec31a3bffd7b4
Opcode Fuzzy Hash: e75bac5812286f99e4535ff52bb825536e802388c7a44fe23997d6fc00a7619d
Instruction Fuzzy Hash: 0BD0C971150208EBD7209FE5FC4DB567BACF708B02F500804F21C87260CF789152CB65

Function 00B02B20 Relevance: 2.4, APIs: 1, Instructions: 864COMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32(?,?), ref: 00B02D1F

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 56918219e0fc15d6e26532c1bc93139f1de8561c3270dad094363e005b1f2767
Instruction ID: 84a960ec6c3517e73d9a9f5888a5c1733739d221d8cd20ede52c7fab84411723
Opcode Fuzzy Hash: 56918219e0fc15d6e26532c1bc93139f1de8561c3270dad094363e005b1f2767
Instruction Fuzzy Hash: FA822470810608DBDB24EF62FD892ED7BB4FBA8301F114499D4A1632B4EF348A67CB45

Function 00AF7430 Relevance: 1.7, APIs: 1, Instructions: 203fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00AF75B2

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c6f5906a8fc5a40c79f3c337fd942c6c298ee0e7b51d62e09c7a276f00b7df04
Instruction ID: d641fd7cbf66ba46fb315f694106513c80cb6c96b570bc204cacf4a29218255e
Opcode Fuzzy Hash: c6f5906a8fc5a40c79f3c337fd942c6c298ee0e7b51d62e09c7a276f00b7df04
Instruction Fuzzy Hash: F281D270900608DBEB24DF52FD496AD7B70FB58711F2145A9D9A1673A4EF308A63DF40

Function 00B1CAC0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 00B1CB26

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: ae479ff4821579c619799c8fd63dfc2f35ff5a5ec6e5a12f961a8d075db079ae
Instruction ID: 79317f964bf43ba8fb53104486c9572176312a91593bbf952afd26685de5911c
Opcode Fuzzy Hash: ae479ff4821579c619799c8fd63dfc2f35ff5a5ec6e5a12f961a8d075db079ae
Instruction Fuzzy Hash: 80F03A34500609CBC724BF26FD094697B79FB847007118515E4B18B334EF30C557CB51

Function 00AF435B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 00AF4387

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: a3d94fae940dcaf431e55f11e1ed78ad46e2a7bef5ffc43a349cce533107ada8
Instruction ID: b306d9ec75f70a90eb525c74ac5f373913a26e24741d9b1d6a5add5f00ef54d1
Opcode Fuzzy Hash: a3d94fae940dcaf431e55f11e1ed78ad46e2a7bef5ffc43a349cce533107ada8
Instruction Fuzzy Hash: 6BD0C925400515CA82603F77FE090AA3AA6BA40B213014146F4A8833B5DE74855BD7AA

Non-executed Functions

Function 00B1DFE0 Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 443fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,000000FF), ref: 00B1E0FE
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,?,000000FF), ref: 00B1E219
CloseHandle.KERNEL32(00000000,?,?,?,?,000000FF), ref: 00B1E252
GetTickCount.KERNEL32 ref: 00B1E2E3
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00B1E592
WriteFile.KERNEL32(00000000,000000FF,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00B1E62B
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00B1E644

Strings

*?|r, xrefs: 00B1E53E
{foQ, xrefs: 00B1E5B0
}*@o, xrefs: 00B1E56F

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID: *?|r${foQ$}*@o
API String ID: 3478262135-1153267046
Opcode ID: 655ef96b9a1add03b808adbbf2e7d6612420046e2cd491c8cbe0b6d3894c7f8d
Instruction ID: 117158a0571c54df374097128c7ed714119776e44ef7365a0aec12b6b805b9b9
Opcode Fuzzy Hash: 655ef96b9a1add03b808adbbf2e7d6612420046e2cd491c8cbe0b6d3894c7f8d
Instruction Fuzzy Hash: B7021270900604DBD7249F22FD896A97BB5FBA8301F158459E8B1A33A8EF34C5A3CB55

Function 00AFA300 Relevance: 12.4, APIs: 8, Instructions: 360registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(009C69E0,Function_000114E0), ref: 00AFA47B
SetServiceStatus.ADVAPI32(00000000,00B2E9BC), ref: 00AFA590
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00AFA5A6
SetServiceStatus.ADVAPI32(00000000,00B2E9BC), ref: 00AFA636
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00AFA6CB
SetServiceStatus.ADVAPI32(00000000,00B2E9BC), ref: 00AFA7A6
CloseHandle.KERNEL32(00000000), ref: 00AFA7D3
SetServiceStatus.ADVAPI32(00000000,00B2E9BC), ref: 00AFA8E5

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID:
API String ID: 3399922960-0
Opcode ID: 984c234cd684b554e156a8a8d1e26f6c96c97fa85c72464db8f38962525c33ca
Instruction ID: d8a97c6ab0e24a22be3ebc95438899287d45ea2dc38a595577848790ff33a2c7
Opcode Fuzzy Hash: 984c234cd684b554e156a8a8d1e26f6c96c97fa85c72464db8f38962525c33ca
Instruction Fuzzy Hash: 1EF19F70911604DBD734DF63FE891A83BB0FBA8311B21855AD9A1A3274EF34C9A7CB45

Function 00B1A650 Relevance: 9.2, APIs: 6, Instructions: 244filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00B1A728
GetFileTime.KERNEL32(00000000,?,?,?), ref: 00B1A7F1
CloseHandle.KERNEL32(00000000), ref: 00B1A810
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B1A8FB
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00B1A94E
CloseHandle.KERNEL32(00000000), ref: 00B1A990

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3236713533-0
Opcode ID: 937ad0c3ea1a3f895f74907b8d44ef20dba310daf70ea4966268da9d23f58611
Instruction ID: f65014b878c492bc36817bc9039db0f6e29bab76dea19be4c83f2eaba4ca2133
Opcode Fuzzy Hash: 937ad0c3ea1a3f895f74907b8d44ef20dba310daf70ea4966268da9d23f58611
Instruction Fuzzy Hash: 4FA1EF70901205DBD724DF57FD886A97BB4FB88321B10856AE860A33A4DF30D963CB59

Function 00B1E950 Relevance: 7.8, APIs: 5, Instructions: 341processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000,00000001), ref: 00B1EAE8
OpenProcess.KERNEL32(00000002,00000000,?), ref: 00B1ECC0
CloseHandle.KERNEL32(00000000), ref: 00B1ED5F
Process32Next.KERNEL32(00000000,00000128), ref: 00B1EE38
CloseHandle.KERNEL32(00000000), ref: 00B1EE7C

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: CloseHandle$CreateNextOpenProcessProcess32SnapshotToolhelp32
String ID:
API String ID: 1219847958-0
Opcode ID: a2b29d6f408558732188891e5ad8ecadf9c8cd514b5494cfd71a799915cc6c68
Instruction ID: e51391c8b1da77fd60d4d43655c10ae0dd01e75da311e28bcb824f39c930987a
Opcode Fuzzy Hash: a2b29d6f408558732188891e5ad8ecadf9c8cd514b5494cfd71a799915cc6c68
Instruction Fuzzy Hash: F4E1D270900615DBD730DF22FD896A93BB0FB98312B2149A5D8B1A32B4EF34D5A7CB45

Function 00AEBF59 Relevance: 7.8, APIs: 5, Instructions: 259processCOMMON

Download Yara Rule

APIs

Part of subcall function 00B18340: lstrlenA.KERNEL32(?,?,?,00AE7D41,?,?), ref: 00B183A7

CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00AEC157
Module32First.KERNEL32(00000000,00000224), ref: 00AEC1FE

Part of subcall function 00AFADE0: wvsprintfA.USER32(00002E0F,?,?), ref: 00AFAF24

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32lstrlenwvsprintf
String ID:
API String ID: 3143976151-0
Opcode ID: a9df73d7093cbd6163375acf86c15a09c7e458a8003ab2281155f5c0c41e0ffe
Instruction ID: 4d713c7c0546176364a4cff615c583a4fa4e75cb2bf63ce138a6892a6ceae6ca
Opcode Fuzzy Hash: a9df73d7093cbd6163375acf86c15a09c7e458a8003ab2281155f5c0c41e0ffe
Instruction Fuzzy Hash: 24B1BC70901204DBD734DF62EE892E93BB0FBA8311B118459D875A73A4EF34CAA3CB55

Function 00AF7A60 Relevance: 7.6, APIs: 5, Instructions: 127synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000001,00000001,00B1C80C), ref: 00AF7B1E
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00AF7B87
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00AF7BA0
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00AF7BDF
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00AF7BFA

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: 01be9b96b4e688716d06f53eb770994e7ca2859eb0a0538ced79cb66673ef0b5
Instruction ID: 77b43037820ffcc239acbd2b82e0e250ad1369957bca96ff062c3cc61f83a262
Opcode Fuzzy Hash: 01be9b96b4e688716d06f53eb770994e7ca2859eb0a0538ced79cb66673ef0b5
Instruction Fuzzy Hash: 5B51AD70500214EBD730DF27FD5A6AA3BB4FBA4722F00851AE8A5972A4EF74C063CB55

Function 00AF95B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 166registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,00000000,?), ref: 00AF9700
RegSetValueExA.ADVAPI32(?,009C0378,00000000,00000001,?,00000000), ref: 00AF97AE
RegCloseKey.ADVAPI32(?), ref: 00AF9832

Strings

ue[, xrefs: 00AF9618

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: CloseOpenValue
String ID: ue[
API String ID: 779948276-739068366
Opcode ID: 40a502cd0a9b9f16413fb0bdcf972a572cd020b27c2c421b9a70a31dbaf31072
Instruction ID: e6f89e15e1234fe7332015211b2e352e75067981b75f227bbee24a1e00be2170
Opcode Fuzzy Hash: 40a502cd0a9b9f16413fb0bdcf972a572cd020b27c2c421b9a70a31dbaf31072
Instruction Fuzzy Hash: B461D030910518EBE730AF62FD886EA3B74FBA8715B104456E8A5933B4EF31C4A3C756

Function 00AE8350 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 469sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00AE87E0
Sleep.KERNEL32(00015F90), ref: 00AE8A0F

Strings

$y0, xrefs: 00AE89AC

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: FileModuleNameSleep
String ID: $y0
API String ID: 4084727719-3426688345
Opcode ID: fc962087956137f59b922e063c03faef2c5614b71d471a03348a9cbfcbb007ee
Instruction ID: 3c5e7bbfa648f686770fd50cadb9e942d4e3213cb17dd888f2c776b1e127b269
Opcode Fuzzy Hash: fc962087956137f59b922e063c03faef2c5614b71d471a03348a9cbfcbb007ee
Instruction Fuzzy Hash: D912E170900604DBD734EF62FE852AD7BB4FB98311F214599E4A6632B4EF348A63CB45

Function 00AE9C20 Relevance: 5.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?), ref: 00AE9CBF
HeapReAlloc.KERNEL32(00000000), ref: 00AE9CC6
GetProcessHeap.KERNEL32(00000000,?), ref: 00AE9CF0
HeapAlloc.KERNEL32(00000000), ref: 00AE9CF7

Memory Dump Source

Source File: 00000002.00000002.1481642903.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000002.00000002.1481632210.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481667482.0000000000B23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481679765.0000000000B2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1481690861.0000000000B30000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ae0000_nflzf40di8bxnz25kz2r.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 75ef49d165faf903490ac85a290f4f997a3e731e941ca4bb0a4fcb535dbecaa5
Instruction ID: 229cb3b2e04fef9447ac258361b15722a7e85c3ae735a07e301fb43872ee4b76
Opcode Fuzzy Hash: 75ef49d165faf903490ac85a290f4f997a3e731e941ca4bb0a4fcb535dbecaa5
Instruction Fuzzy Hash: 1321EB74904709E7DB20AF62FD192AA3B74FF58711F204544E89953364EF3289A3CB99

Analysis Process: eqyozfmcsgls.exePID: 6720, Parent PID: 624COMMON

Execution Graph

Execution Coverage:	38.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	2000
Total number of Limit Nodes:	23

Executed Functions

Function 0012915F Relevance: 264.4, APIs: 113, Strings: 35, Instructions: 5361libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(75550000,?), ref: 001291B1
GetProcAddress.KERNEL32(75550000,?), ref: 0012927C
GetProcAddress.KERNEL32(75550000,?), ref: 00129341

Strings

hg5, xrefs: 0012C238
hT4, xrefs: 0012BAD2
jhE4, xrefs: 00129F4D
jh5, xrefs: 0012C6B1
jhF , xrefs: 0012CBF2
h{4, xrefs: 0012A131
hE:, xrefs: 0012B42B
f}?, xrefs: 0012D295
v":, xrefs: 0012D12A
h*6, xrefs: 0012D111
hp5, xrefs: 0012D55A
hx+, xrefs: 0012C45D
h2., xrefs: 0012A348
O, xrefs: 0012E96C
h7:, xrefs: 0012C338
hk4, xrefs: 0012D81C
h-, xrefs: 0012CA96
CB!, xrefs: 0012C4BB
hU&, xrefs: 0012B59B
hU., xrefs: 0012C760
x, xrefs: 0012E843
h$, xrefs: 00129E6F
h_+, xrefs: 0012DAA7
h^., xrefs: 0012B1C9
C:\Windows\system32\config\systemprofile, xrefs: 0012E1A3
ht6, xrefs: 00129BE9
jhe6, xrefs: 0012CD51
hW:, xrefs: 0012CC62
jhn., xrefs: 0012AA92
jh&., xrefs: 0012A56A
hk, xrefs: 0012E187
jhH6, xrefs: 0012A26F
hL+, xrefs: 0012A836
hB., xrefs: 0012DED2
hb&, xrefs: 00129C89

Memory Dump Source

Source File: 00000003.00000002.2244676716.0000000000101000.00000020.00000001.01000000.00000005.sdmp, Offset: 00100000, based on PE: true

Associated: 00000003.00000002.2244646748.0000000000100000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244710404.0000000000143000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244731858.000000000014E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244747753.0000000000150000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_100000_eqyozfmcsgls.jbxd

Similarity

API ID: AddressProc
String ID: C:\Windows\system32\config\systemprofile$CB!$f}?$h*6$h2.$h7:$hB.$hE:$hL+$hT4$hU&$hU.$hW:$h^.$h_+$hb&$hg5$hk$hk4$hp5$ht6$hx+$h{4$h$$h-$jh&.$jhH6$jh5$jhE4$jhF $jhe6$jhn.$v":$O$x
API String ID: 190572456-2470745747
Opcode ID: 034fe8d32a1230396d5c87ea918f197bd3d12ea64fef00c46a26db928a686dbd
Instruction ID: c01a02a478d2b8e0726888b31f6759f8a0a5f1ba040ebed4a53da276d6b021df
Opcode Fuzzy Hash: 034fe8d32a1230396d5c87ea918f197bd3d12ea64fef00c46a26db928a686dbd
Instruction Fuzzy Hash: E4B3BF7CA00619EBEB04DF60FD895A97BF4FB9A710F118459E98093AB4EB7149E0CF41

Function 00123C00 Relevance: 4.8, APIs: 3, Instructions: 323
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000000,00000000,?,FFFFFFFF,00000000,?,?,?,?,00000000,?), ref: 00123D9D
WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000), ref: 00123FC3
CloseHandle.KERNELBASE(00000000), ref: 0012410F

Memory Dump Source

Source File: 00000003.00000002.2244676716.0000000000101000.00000020.00000001.01000000.00000005.sdmp, Offset: 00100000, based on PE: true

Associated: 00000003.00000002.2244646748.0000000000100000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244710404.0000000000143000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244731858.000000000014E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244747753.0000000000150000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_100000_eqyozfmcsgls.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: bbf819db42261df5512d4792bb596f60fd80c50b73386d15fb39605ec03118b5
Instruction ID: 674b7844e9828b94e53ab4daa1dcdf3ab031d18cbc8baf3d5cef8516ca342001
Opcode Fuzzy Hash: bbf819db42261df5512d4792bb596f60fd80c50b73386d15fb39605ec03118b5
Instruction Fuzzy Hash: 65D1BD7C900609DBE704AF60FD886A97BF4FB9B710F124895E88593AB4EB7549F0CB44

Function 00140C20 Relevance: 4.6, APIs: 3, Instructions: 146memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000001,?,?,?,00120ECB), ref: 00140CE0
CheckTokenMembership.KERNELBASE(00000000,?,?,?,?,?,00120ECB), ref: 00140D3F
FreeSid.ADVAPI32(?,?,?,?,00120ECB), ref: 00140E03

Memory Dump Source

Source File: 00000003.00000002.2244676716.0000000000101000.00000020.00000001.01000000.00000005.sdmp, Offset: 00100000, based on PE: true

Associated: 00000003.00000002.2244646748.0000000000100000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244710404.0000000000143000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244731858.000000000014E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244747753.0000000000150000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_100000_eqyozfmcsgls.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 9b7392f7aade2202af5441233052701f71a89d01c3aeb5e9e20288306f981851
Instruction ID: 673f9a10094c370cf71c9c3d19225d97f9b23d04b99308a4f0b212d25cddab93
Opcode Fuzzy Hash: 9b7392f7aade2202af5441233052701f71a89d01c3aeb5e9e20288306f981851
Instruction Fuzzy Hash: E351BA7CA05215DBC704CFA9FC889B97BF8FB5B325B06859AE480A3AB0D33445D8CB11

Function 00118C07 Relevance: 3.2, APIs: 2, Instructions: 153COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32(00000000,00000128), ref: 00118D97
CloseHandle.KERNELBASE(00000000), ref: 00118DF2

Memory Dump Source

Source File: 00000003.00000002.2244676716.0000000000101000.00000020.00000001.01000000.00000005.sdmp, Offset: 00100000, based on PE: true

Associated: 00000003.00000002.2244646748.0000000000100000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244710404.0000000000143000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244731858.000000000014E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244747753.0000000000150000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_100000_eqyozfmcsgls.jbxd

Similarity

API ID: CloseHandleNextProcess32
String ID:
API String ID: 4007157957-0
Opcode ID: c277ed393e0b3e0efb8fa7b80e185583e41e1b16abeb34c861d5e28d17a3b051
Instruction ID: 1c9cc911f990659f98bc8c4f0be830c87ac9033cf7f35f3bb4d2074d70951e80
Opcode Fuzzy Hash: c277ed393e0b3e0efb8fa7b80e185583e41e1b16abeb34c861d5e28d17a3b051
Instruction Fuzzy Hash: 0D616F7C905609DBDB04CF60FE982E97BB1FB97314F268895C88467AB4DB310AE4CB51

Function 0010ACD0 Relevance: 3.0, APIs: 2, Instructions: 28stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,00000000,?,00000001), ref: 0010AD0C
CharLowerBuffA.USER32(?,00000000), ref: 0010AD14

Memory Dump Source

Source File: 00000003.00000002.2244676716.0000000000101000.00000020.00000001.01000000.00000005.sdmp, Offset: 00100000, based on PE: true

Associated: 00000003.00000002.2244646748.0000000000100000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244710404.0000000000143000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244731858.000000000014E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244747753.0000000000150000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_100000_eqyozfmcsgls.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID:
API String ID: 794975171-0
Opcode ID: 1dd333945f8488d2e4f48eed029269936e2f9cc405e04c28336727ea3f880fa8
Instruction ID: e6e9aee3c25a68634a3e8200dc5d021e39435f8b1364638f2cd50f9290f01dcd
Opcode Fuzzy Hash: 1dd333945f8488d2e4f48eed029269936e2f9cc405e04c28336727ea3f880fa8
Instruction Fuzzy Hash: 81F0FE7D955218EBCB00DFA4E9454997BB8FF0FB10B104195EC4553B30D7315A80DF91

Function 0011F079 Relevance: 1.8, APIs: 1, Instructions: 304networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000009,?,00000400,00000000), ref: 0011F0A4
closesocket.WS2_32(00000009), ref: 0011F642

Memory Dump Source

Source File: 00000003.00000002.2244676716.0000000000101000.00000020.00000001.01000000.00000005.sdmp, Offset: 00100000, based on PE: true

Associated: 00000003.00000002.2244646748.0000000000100000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244710404.0000000000143000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244731858.000000000014E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244747753.0000000000150000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_100000_eqyozfmcsgls.jbxd

Similarity

API ID: closesocketrecv
String ID:
API String ID: 485150354-0
Opcode ID: 8f25283c48c13f8fffc67feacecfea8c2a924bb380af87da419752a49dbd383c
Instruction ID: 0557847b07a9c63eace3ddc3331810b14b681bc9ed9fbb5209462b665356e4c8
Opcode Fuzzy Hash: 8f25283c48c13f8fffc67feacecfea8c2a924bb380af87da419752a49dbd383c
Instruction Fuzzy Hash: 9DD1E47CA40619DBE7089F60FC986AC7BF4FB9B710F124469D481A3AB4EB3045E5CB46

Function 001168C0 Relevance: 1.8, APIs: 1, Instructions: 252fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000001,00000000,00000000,00000000,?,00000708), ref: 00116AA4

Memory Dump Source

Source File: 00000003.00000002.2244676716.0000000000101000.00000020.00000001.01000000.00000005.sdmp, Offset: 00100000, based on PE: true

Associated: 00000003.00000002.2244646748.0000000000100000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244710404.0000000000143000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244731858.000000000014E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244747753.0000000000150000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_100000_eqyozfmcsgls.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 050d51241a4e1323baeca40a956c4815292f9737d728ce2beaefdf135a1b0dd3
Instruction ID: 3d336bbb177cd5e2233fe6549874a428415b16702e42c950d27f222ce6052efd
Opcode Fuzzy Hash: 050d51241a4e1323baeca40a956c4815292f9737d728ce2beaefdf135a1b0dd3
Instruction Fuzzy Hash: 6EB1017CA01604DBE7089F60FD486A53BF4F79B714F2245A9E88493EB4EB3109E5CB84

Function 00117430 Relevance: 1.7, APIs: 1, Instructions: 203fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 001175B2

Memory Dump Source

Source File: 00000003.00000002.2244676716.0000000000101000.00000020.00000001.01000000.00000005.sdmp, Offset: 00100000, based on PE: true

Associated: 00000003.00000002.2244646748.0000000000100000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244710404.0000000000143000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244731858.000000000014E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244747753.0000000000150000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_100000_eqyozfmcsgls.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a6fb289b0d677208a0cb432e657c4edad82d220b84c14e76c3ab5e07c32fb88e
Instruction ID: 0a2dea6cb02e099dffa130bf59572415ecaaf46a28ff68215d0944ff26962657
Opcode Fuzzy Hash: a6fb289b0d677208a0cb432e657c4edad82d220b84c14e76c3ab5e07c32fb88e
Instruction Fuzzy Hash: C281BC7CA00604DBEB04DF64FD486A87BF0FB9A724F1145A9D884A7AB4E7710AE0DF40

Function 001170F0 Relevance: 1.4, APIs: 1, Instructions: 188sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000003E8,?,?,?,00000001,00000000,00000000,?,00000708), ref: 0011727B

Memory Dump Source

Source File: 00000003.00000002.2244676716.0000000000101000.00000020.00000001.01000000.00000005.sdmp, Offset: 00100000, based on PE: true

Associated: 00000003.00000002.2244646748.0000000000100000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244710404.0000000000143000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244731858.000000000014E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2244747753.0000000000150000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_100000_eqyozfmcsgls.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 12a00d8a9ef565ddf30322d0e4fab271e2df1fcf22bf122b6c5aa0e304342f97
Instruction ID: f81826cfe4563eb82ee1b05f3f9d6a708cc0504a29e049b67f7f084e1f02ea6d
Opcode Fuzzy Hash: 12a00d8a9ef565ddf30322d0e4fab271e2df1fcf22bf122b6c5aa0e304342f97
Instruction Fuzzy Hash: F571017C900615DBEB10AF20FD599A93BF4FB9BB20F0644A5E58493EB4EB7104E4CB51

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Z4KBs1USsJ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\trshmfqlcbpta\no2uvy

C:\trshmfqlcbpta\eqyozfmcsgls.exe

C:\trshmfqlcbpta\nflzf40di8bxnz25kz2r.exe

C:\trshmfqlcbpta\no2uvy

C:\trshmfqlcbpta\yrykdhhlfqp.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
Z4KBs1USsJ.exe

Function 00E57B00 Relevance: 8.0, APIs: 5, Instructions: 501
sleepfileCOMMON

Function 00E60C20 Relevance: 4.6, APIs: 3, Instructions: 146
memoryCOMMON

Function 00E5C960 Relevance: 3.0, APIs: 2, Instructions: 13
memoryCOMMON

Function 00E4A25E Relevance: 217.9, APIs: 89, Strings: 33, Instructions: 4394
libraryloaderCOMMON

Function 00E4BE53 Relevance: 132.3, APIs: 50, Strings: 24, Instructions: 2769
libraryloaderCOMMON

Function 00E4BEEE Relevance: 132.2, APIs: 50, Strings: 24, Instructions: 2745
libraryloaderCOMMON

Function 00E4C587 Relevance: 109.1, APIs: 41, Strings: 20, Instructions: 2379
libraryloaderCOMMON

Function 00E5DFE0 Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 443
fileCOMMON

Function 00E2CEB0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 200
processCOMMON

Function 00E43C00 Relevance: 4.8, APIs: 3, Instructions: 323
fileCOMMON

Function 00E47B30 Relevance: 3.1, APIs: 2, Instructions: 62
memoryCOMMON

Function 00E2ACD0 Relevance: 3.0, APIs: 2, Instructions: 28
stringCOMMON

Function 00E5CAC0 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Function 00E3435B Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre