Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1522724
MD5:	5027e6b49ab2616a8f08f4c868b90dba
SHA1:	f7bbc4c784fb2a30d8a018b65f2632507335590d
SHA256:	509c5bf724b0d3bc60cdc93c1b0f1e6710cf23edb2293d670cb8bdeaa5ac7e6f
Tags:	exeGandCrabuser-jstrosch
Infos:

Detection

Gandcrab, ReflectiveLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (creates a PE file in dynamic memory)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Gandcrab

Yara detected ReflectiveLoader

AI detected suspicious sample

Contains functionality to determine the online IP of the system

Found Tor onion address

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses nslookup.exe to query domains

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found evaded block containing many API calls

Found potential string decryption / allocating functions

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Too many similar processes found

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 3408 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 5027E6B49AB2616A8F08F4C868B90DBA)

dllhost.exe (PID: 3592 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

nslookup.exe (PID: 5728 cmdline: nslookup zonealarm.bit ns1.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 3520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 5988 cmdline: nslookup ransomware.bit ns2.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 2812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 6952 cmdline: nslookup zonealarm.bit ns2.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 4084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 3960 cmdline: nslookup ransomware.bit ns1.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 2272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 1636 cmdline: nslookup zonealarm.bit ns1.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 3080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 6880 cmdline: nslookup ransomware.bit ns2.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 4612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dwqocx.exe (PID: 2524 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe" MD5: 792DCCE2F5F5C326C8A2A36E993BB215)

nslookup.exe (PID: 4152 cmdline: nslookup zonealarm.bit ns2.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 3640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 7068 cmdline: nslookup ransomware.bit ns1.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 6164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 2456 cmdline: nslookup zonealarm.bit ns1.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 1708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 5848 cmdline: nslookup ransomware.bit ns2.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 5864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 5960 cmdline: nslookup zonealarm.bit ns2.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 4008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 4128 cmdline: nslookup ransomware.bit ns1.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 6136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 6480 cmdline: nslookup zonealarm.bit ns1.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 6168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 4716 cmdline: nslookup ransomware.bit ns2.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 700 cmdline: nslookup zonealarm.bit ns2.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 4028 cmdline: nslookup ransomware.bit ns1.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 5220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 2524 cmdline: nslookup zonealarm.bit ns1.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 924 cmdline: nslookup ransomware.bit ns2.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 7000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 4676 cmdline: nslookup zonealarm.bit ns2.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 4536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 2228 cmdline: nslookup ransomware.bit ns1.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 5544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 2780 cmdline: nslookup zonealarm.bit ns1.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 4372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 2624 cmdline: nslookup ransomware.bit ns2.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 5732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 2668 cmdline: nslookup zonealarm.bit ns2.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 1104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 5176 cmdline: nslookup ransomware.bit ns1.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 2012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 6052 cmdline: nslookup zonealarm.bit ns1.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 4008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MpCmdRun.exe (PID: 6304 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 1708 cmdline: nslookup ransomware.bit ns2.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 4844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 6084 cmdline: nslookup zonealarm.bit ns2.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 2256 cmdline: nslookup ransomware.bit ns1.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 3280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 2536 cmdline: nslookup zonealarm.bit ns1.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 2700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 6372 cmdline: nslookup ransomware.bit ns2.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 3520 cmdline: nslookup zonealarm.bit ns2.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 2012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nslookup.exe (PID: 3640 cmdline: nslookup ransomware.bit ns1.cloud-name.ru MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)

conhost.exe (PID: 2636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dwqocx.exe (PID: 3536 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe" MD5: 792DCCE2F5F5C326C8A2A36E993BB215)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Gandcrab	GandCrab was a Ransomware-as-a-Service (RaaS) emerged in January 28, 2018, managed by a criminal organization known to be confident and vocal, while running a rapidly evolving ransomware campaign. Through their aggressive, albeit unusual, marketing strategies and constant recruitment of affiliates, they were able to globally distribute a high volume of their malware.In a surprising announcement on May 31, 2019, the GandCrabs operators posted on a dark web forum, announced the end of a little more than a year of ransomware operations, citing staggering profit figures. However, If theres one thing that sets these threat actors apart from other groups, it is that they are unpredictable; so there is always the possibility that they might re-surface in one form or another.	Pinchy Spider	http://asec.ahnlab.com/1145 http://www.secureworks.com/research/threat-profiles/gold-garden http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/ https://asec.ahnlab.com/en/41450/ https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/	https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000001D.00000002.1752023672.0000000000FE1000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xfbd8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x10681:$s1: _ReflectiveLoader@ 0x10682:$s2: ReflectiveLoader@
0000000F.00000002.1671067110.0000000000FE1000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xfbd8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x10681:$s1: _ReflectiveLoader@ 0x10682:$s2: ReflectiveLoader@
0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xfbd8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x10681:$s1: _ReflectiveLoader@ 0x10682:$s2: ReflectiveLoader@
00000000.00000002.2791359211.0000000000E11000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000003.1583581493.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: file.exe PID: 3408	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: file.exe PID: 3408	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: dwqocx.exe PID: 2524	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: dwqocx.exe PID: 2524	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: dwqocx.exe PID: 3536	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: dwqocx.exe PID: 3536	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
29.2.dwqocx.exe.fe20c0.2.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
29.2.dwqocx.exe.fe20c0.2.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xd7d8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
29.2.dwqocx.exe.fe20c0.2.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xe281:$s1: _ReflectiveLoader@ 0xe282:$s2: ReflectiveLoader@
29.2.dwqocx.exe.430000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
29.2.dwqocx.exe.430000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe9d8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
29.2.dwqocx.exe.430000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xf481:$s1: _ReflectiveLoader@ 0xf482:$s2: ReflectiveLoader@
29.2.dwqocx.exe.fe20c0.2.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
29.2.dwqocx.exe.fe20c0.2.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe9d8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
29.2.dwqocx.exe.fe20c0.2.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xf481:$s1: _ReflectiveLoader@ 0xf482:$s2: ReflectiveLoader@
15.2.dwqocx.exe.f90000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
15.2.dwqocx.exe.f90000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xfbd8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
15.2.dwqocx.exe.f90000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x10681:$s1: _ReflectiveLoader@ 0x10682:$s2: ReflectiveLoader@
0.2.file.exe.bb0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.2.file.exe.bb0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe9d8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.2.file.exe.bb0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xf481:$s1: _ReflectiveLoader@ 0xf482:$s2: ReflectiveLoader@
29.2.dwqocx.exe.430000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
29.2.dwqocx.exe.430000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xfbd8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
29.2.dwqocx.exe.430000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x10681:$s1: _ReflectiveLoader@ 0x10682:$s2: ReflectiveLoader@
15.2.dwqocx.exe.f90000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
15.2.dwqocx.exe.f90000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe9d8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
15.2.dwqocx.exe.f90000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xf481:$s1: _ReflectiveLoader@ 0xf482:$s2: ReflectiveLoader@
15.2.dwqocx.exe.fe20c0.2.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
15.2.dwqocx.exe.fe20c0.2.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xd7d8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
15.2.dwqocx.exe.fe20c0.2.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xe281:$s1: _ReflectiveLoader@ 0xe282:$s2: ReflectiveLoader@
0.2.file.exe.e120c0.2.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.2.file.exe.e120c0.2.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe9d8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.2.file.exe.e120c0.2.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xf481:$s1: _ReflectiveLoader@ 0xf482:$s2: ReflectiveLoader@
15.2.dwqocx.exe.fe20c0.2.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
15.2.dwqocx.exe.fe20c0.2.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe9d8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
15.2.dwqocx.exe.fe20c0.2.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xf481:$s1: _ReflectiveLoader@ 0xf482:$s2: ReflectiveLoader@
0.2.file.exe.bb0000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.2.file.exe.bb0000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xfbd8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.2.file.exe.bb0000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x10681:$s1: _ReflectiveLoader@ 0x10682:$s2: ReflectiveLoader@
0.2.file.exe.e120c0.2.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.2.file.exe.e120c0.2.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xd7d8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.2.file.exe.e120c0.2.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xe281:$s1: _ReflectiveLoader@ 0xe282:$s2: ReflectiveLoader@
29.2.dwqocx.exe.fd0000.1.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
29.2.dwqocx.exe.fd0000.1.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0x1fe98:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
29.2.dwqocx.exe.fd0000.1.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x20941:$s1: _ReflectiveLoader@ 0x20942:$s2: ReflectiveLoader@
15.2.dwqocx.exe.fd0000.1.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
15.2.dwqocx.exe.fd0000.1.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0x1fe98:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
15.2.dwqocx.exe.fd0000.1.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x20941:$s1: _ReflectiveLoader@ 0x20942:$s2: ReflectiveLoader@
0.2.file.exe.e00000.1.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.2.file.exe.e00000.1.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0x1fe98:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.2.file.exe.e00000.1.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x20941:$s1: _ReflectiveLoader@ 0x20942:$s2: ReflectiveLoader@
Click to see the 40 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 3408, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bgummckzlfn

Suricata Signatures

ET MALWARE Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T16:03:49.107021+0200	2025452	1	A Network Trojan was detected	192.168.2.11	50821	1.1.1.1	53	UDP

ET MALWARE Observed GandCrab Ransomware Domain (zonealarm .bit in DNS Lookup)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T16:03:50.683722+0200	2025453	1	A Network Trojan was detected	192.168.2.11	50826	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 92%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB8880 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_00BB8880
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB64F0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	0_2_00BB64F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB58D0 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrlenW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	0_2_00BB58D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB4B30 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	0_2_00BB4B30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB8730 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_00BB8730
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB56A0 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	0_2_00BB56A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB34F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	0_2_00BB34F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB5400 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	0_2_00BB5400
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB6770 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,LeaveCriticalSection,LeaveCriticalSection,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_00BB6770
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F94B30 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	15_2_00F94B30
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F964F0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	15_2_00F964F0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F934F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	15_2_00F934F0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F958D0 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrlenW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	15_2_00F958D0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F956A0 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	15_2_00F956A0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F98880 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	15_2_00F98880
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F96770 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,LeaveCriticalSection,LeaveCriticalSection,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	15_2_00F96770
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F98730 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	15_2_00F98730
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F95400 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	15_2_00F95400
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00434B30 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	29_2_00434B30
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00436770 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,LeaveCriticalSection,LeaveCriticalSection,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	29_2_00436770
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00435400 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	29_2_00435400
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00438730 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	29_2_00438730
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_004358D0 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrlenW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	29_2_004358D0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_004364F0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	29_2_004364F0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_004334F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	29_2_004334F0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00438880 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	29_2_00438880
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_004356A0 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	29_2_004356A0

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe

Unpacked PE file: 29.2.dwqocx.exe.430000.0.unpack

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\file.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB6CB0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_00BB6CB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB6F00 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_00BB6F00
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F96CB0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	15_2_00F96CB0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F96F00 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	15_2_00F96F00
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00436F00 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	29_2_00436F00
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00436CB0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	29_2_00436CB0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2025452 - Severity 1 - ET MALWARE Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup) : 192.168.2.11:50821 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2025453 - Severity 1 - ET MALWARE Observed GandCrab Ransomware Domain (zonealarm .bit in DNS Lookup) : 192.168.2.11:50826 -> 1.1.1.1:53

Contains functionality to determine the online IP of the system

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB7160 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_00BB7160
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB7160 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_00BB7160
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F97160 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	15_2_00F97160
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F97160 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	15_2_00F97160
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00437160 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	29_2_00437160
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00437160 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	29_2_00437160

Found Tor onion address

Source: file.exe	String found in binary or memory: rab2pie73et.onion.guide/da3fe3083522c987 1. https://gandcrab2pie73et.onion.rip/da3fe3083522c987
Source: file.exe	String found in binary or memory: 2. https://gandcrab2pie73et.onion.plus/da3fe3083522c987 3. https://gandcrab2pie73et.onion.
Source: file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/da3fe3083522c987
Source: file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 0. https://gandcrab2pie73et.onion.guide/da3fe3083522c987
Source: file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 1. https://gandcrab2pie73et.onion.rip/da3fe3083522c987
Source: file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 2. https://gandcrab2pie73et.onion.plus/da3fe3083522c987
Source: file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 3. https://gandcrab2pie73et.onion.to/da3fe3083522c987
Source: file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/da3fe3083522c987
Source: file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 0. https://gandcrab2pie73et.onion.guide/da3fe3083522c987
Source: file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 1. https://gandcrab2pie73et.onion.rip/da3fe3083522c987
Source: file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 2. https://gandcrab2pie73et.onion.plus/da3fe3083522c987
Source: file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 3. https://gandcrab2pie73et.onion.to/da3fe3083522c987

Uses nslookup.exe to query domains

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.11:49716 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.11:49715 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.11:49722 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.11:49721 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.11:49720 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.11:49719 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.11:49718 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.11:49717 -> 1.1.1.1:53

Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB84D0 lstrcatW,InternetCloseHandle,InternetConnectW,VirtualAlloc,wsprintfW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpSendRequestW,InternetReadFile,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,VirtualFree,

0_2_00BB84D0

Source: global traffic	DNS traffic detected: DNS query: ipv4bot.whatismyipaddress.com
Source: global traffic	DNS traffic detected: DNS query: ns1.cloud-name.ru
Source: global traffic	DNS traffic detected: DNS query: 1.1.1.1.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: zonealarm.bit
Source: global traffic	DNS traffic detected: DNS query: ns2.cloud-name.ru
Source: global traffic	DNS traffic detected: DNS query: ransomware.bit

Source: file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://gandcrab2pie73et.onion/da3fe3083522c987
Source: file.exe, 00000000.00000002.2791556153.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791556153.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/
Source: file.exe, 00000000.00000002.2791556153.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/(
Source: file.exe, 00000000.00000002.2791556153.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/;
Source: file.exe, 00000000.00000002.2791556153.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/G
Source: file.exe, file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sj.ms/register.php
Source: file.exe, file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf
Source: file.exe	String found in binary or memory: https://gandcrab2pie73et.onion.
Source: file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gandcrab2pie73et.onion.guide/da3fe3083522c987
Source: file.exe, file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gandcrab2pie73et.onion.plus/da3fe3083522c987
Source: file.exe, file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gandcrab2pie73et.onion.rip/da3fe3083522c987
Source: file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gandcrab2pie73et.onion.to/da3fe3083522c987
Source: file.exe, file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://psi-im.org/download/
Source: file.exe, file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.torproject.org/

Spam, unwanted Advertisements and Ransom Demands

Yara detected Gandcrab

Source: Yara match	File source: Process Memory Space: file.exe PID: 3408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dwqocx.exe PID: 2524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dwqocx.exe PID: 3536, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB6770 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,LeaveCriticalSection,LeaveCriticalSection,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_00BB6770
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F96770 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,LeaveCriticalSection,LeaveCriticalSection,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	15_2_00F96770
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00436770 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,LeaveCriticalSection,LeaveCriticalSection,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	29_2_00436770

Source: conhost.exe	Process created: 48
Source: nslookup.exe	Process created: 60

System Summary

Malicious sample detected (through community Yara rule)

Source: 29.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 29.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 29.2.dwqocx.exe.430000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 29.2.dwqocx.exe.430000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 29.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 29.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.dwqocx.exe.f90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.dwqocx.exe.f90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.file.exe.bb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.file.exe.bb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 29.2.dwqocx.exe.430000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 29.2.dwqocx.exe.430000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.dwqocx.exe.f90000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.dwqocx.exe.f90000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.file.exe.e120c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.file.exe.e120c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.file.exe.bb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.file.exe.bb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.file.exe.e120c0.2.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.file.exe.e120c0.2.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 29.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 29.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.file.exe.e00000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.file.exe.e00000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB89A0	0_2_00BB89A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB1C20	0_2_00BB1C20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB1020	0_2_00BB1020
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E124E0	0_2_00E124E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E130E0	0_2_00E130E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E08424	0_2_00E08424
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0A5FD	0_2_00E0A5FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E07940	0_2_00E07940
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E07EB2	0_2_00E07EB2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E09691	0_2_00E09691
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E19E60	0_2_00E19E60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E01BFB	0_2_00E01BFB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0679C	0_2_00E0679C
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F989A0	15_2_00F989A0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F91C20	15_2_00F91C20
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F91020	15_2_00F91020
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FE24E0	15_2_00FE24E0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FE30E0	15_2_00FE30E0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD8424	15_2_00FD8424
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FDA5FD	15_2_00FDA5FD
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD7940	15_2_00FD7940
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD7EB2	15_2_00FD7EB2
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD9691	15_2_00FD9691
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FE9E60	15_2_00FE9E60
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD1BFB	15_2_00FD1BFB
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD679C	15_2_00FD679C
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00431C20	29_2_00431C20
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00431020	29_2_00431020
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_004389A0	29_2_004389A0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FE24E0	29_2_00FE24E0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FE30E0	29_2_00FE30E0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD8424	29_2_00FD8424
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FDA5FD	29_2_00FDA5FD
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD7940	29_2_00FD7940
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD7EB2	29_2_00FD7EB2
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD9691	29_2_00FD9691
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FE9E60	29_2_00FE9E60
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD1BFB	29_2_00FD1BFB
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD679C	29_2_00FD679C

Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: String function: 00FD2790 appears 42 times
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: String function: 00FD32DA appears 32 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 29.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 29.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 29.2.dwqocx.exe.430000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 29.2.dwqocx.exe.430000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 29.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 29.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.dwqocx.exe.f90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.dwqocx.exe.f90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.file.exe.bb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.file.exe.bb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 29.2.dwqocx.exe.430000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 29.2.dwqocx.exe.430000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.dwqocx.exe.f90000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.dwqocx.exe.f90000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.file.exe.e120c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.file.exe.e120c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.file.exe.bb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.file.exe.bb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.file.exe.e120c0.2.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.file.exe.e120c0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 29.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 29.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.file.exe.e00000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.file.exe.e00000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@398/2@1702/0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB7600 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree,

0_2_00BB7600

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB7CE0 wsprintfW,VirtualAlloc,VirtualAlloc,VirtualAlloc,VirtualAlloc,CreateToolhelp32Snapshot,VirtualFree,Process32FirstW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,Process32NextW,GetLastError,lstrlenW,VirtualFree,VirtualFree,CloseHandle,VirtualFree,

0_2_00BB7CE0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4084:120:WilError_03
Source: C:\Users\user\Desktop\file.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=da3fe3083522c987
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2700:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4372:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5220:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1708:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2636:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5544:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2012:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7100:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4844:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4612:120:WilError_03

Source: C:\Program Files\Windows Defender\MpCmdRun.exe

File created: C:\Windows\SERVIC~1\LOCALS~1\AppData\Local\Temp\MpCmdRun.log

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 92%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe "C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe "C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe "C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe

Unpacked PE file: 29.2.dwqocx.exe.430000.0.unpack

Yara detected ReflectiveLoader

Source: Yara match	File source: 29.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.dwqocx.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dwqocx.exe.f90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.dwqocx.exe.430000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dwqocx.exe.f90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.e120c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.bb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.e120c0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.e00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001D.00000002.1752023672.0000000000FE1000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1671067110.0000000000FE1000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2791359211.0000000000E11000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1583581493.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dwqocx.exe PID: 2524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dwqocx.exe PID: 3536, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB8880 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_00BB8880

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E11069 push esp; iretd	0_2_00E11191
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E111A4 push 6C00E0CFh; iretd	0_2_00E111A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1119C pushad ; iretd	0_2_00E1119D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E027D5 push ecx; ret	0_2_00E027E8
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FE1069 push esp; iretd	15_2_00FE1191
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD27D5 push ecx; ret	15_2_00FD27E8
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FE1069 push esp; iretd	29_2_00FE1191
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD27D5 push ecx; ret	29_2_00FD27E8

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce bgummckzlfn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce bgummckzlfn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce bgummckzlfn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce bgummckzlfn	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E01BFB EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00E01BFB

Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess			graph_15-10760
Source: C:\Users\user\Desktop\file.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess			graph_0-10777

Source: C:\Users\user\Desktop\file.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	0_2_00BB2F50
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: EnumDeviceDrivers,EnumDeviceDrivers,VirtualAlloc,EnumDeviceDrivers,GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	15_2_00F92F50
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: EnumDeviceDrivers,EnumDeviceDrivers,VirtualAlloc,EnumDeviceDrivers,GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	29_2_00432F50

Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Evaded block: after key decision			graph_15-11024
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Evaded block: after key decision			graph_29-11028

Source: C:\Users\user\Desktop\file.exe TID: 4616	Thread sleep count: 329 > 30			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4616	Thread sleep time: -329000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB6CB0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_00BB6CB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB6F00 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_00BB6F00
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F96CB0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	15_2_00F96CB0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F96F00 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	15_2_00F96F00
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00436F00 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	29_2_00436F00
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00436CB0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	29_2_00436CB0

Source: nslookup.exe, 00000043.00000002.1995462764.0000000002968000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
Source: nslookup.exe, 00000009.00000002.1628596929.0000000002B19000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 0000000D.00000002.1657036223.0000000002E09000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
Source: nslookup.exe, 0000002C.00000002.1860308992.0000000002677000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
Source: nslookup.exe, 00000007.00000002.1616929297.0000000002B79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
Source: nslookup.exe, 0000003C.00000002.1957470394.0000000002EE9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\\p
Source: nslookup.exe, 0000003E.00000002.1970270373.00000000032F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^4I
Source: file.exe, 00000000.00000002.2791556153.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
Source: nslookup.exe, 00000003.00000002.1589200684.0000000002F09000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000005.00000002.1601748756.00000000035A9000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 0000000B.00000002.1644784030.0000000002C89000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000010.00000002.1678588129.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 0000001B.00000002.1742251945.0000000002FB9000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000020.00000002.1780589150.0000000002E49000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000022.00000002.1793471404.0000000003348000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000024.00000002.1807509867.00000000031D9000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000026.00000002.1820162340.0000000002A79000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000028.00000002.1833392605.0000000002DA9000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 0000002A.00000002.1845682656.0000000002F79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: nslookup.exe, 00000012.00000002.1690269558.00000000028D9000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000017.00000002.1716417022.0000000003319000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 0000001E.00000002.1764334421.0000000002AE9000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000034.00000002.1913990128.0000000002D89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZZ
Source: nslookup.exe, 00000015.00000002.1703679027.0000000002918000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@@
Source: nslookup.exe, 00000019.00000002.1728893613.0000000003409000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]]
Source: nslookup.exe, 00000032.00000002.1900139978.0000000000469000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-10946
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-10725
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-10740
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	API call chain: ExitProcess graph end node	graph_15-10932
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	API call chain: ExitProcess graph end node	graph_15-9859
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	API call chain: ExitProcess graph end node	graph_29-10934
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	API call chain: ExitProcess graph end node	graph_29-9863

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E02984 IsDebuggerPresent,

0_2_00E02984

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E04BCA EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00E04BCA

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB8880 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_00BB8880

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB6100 mov eax, dword ptr fs:[00000030h]	0_2_00BB6100
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E175C0 mov eax, dword ptr fs:[00000030h]	0_2_00E175C0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F96100 mov eax, dword ptr fs:[00000030h]	15_2_00F96100
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FE75C0 mov eax, dword ptr fs:[00000030h]	15_2_00FE75C0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00436100 mov eax, dword ptr fs:[00000030h]	29_2_00436100
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FE75C0 mov eax, dword ptr fs:[00000030h]	29_2_00FE75C0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB33E0 lstrlenA,GetProcessHeap,HeapAlloc,lstrcpyA,ExitProcess,

0_2_00BB33E0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0315A SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E0315A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E03129 SetUnhandledExceptionFilter,	0_2_00E03129
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD315A SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00FD315A
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD3129 SetUnhandledExceptionFilter,	15_2_00FD3129
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD315A SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_00FD315A
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD3129 SetUnhandledExceptionFilter,	29_2_00FD3129

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe "C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB3C80 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid,

0_2_00BB3C80

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB9680 cpuid

0_2_00BB9680

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E02620 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00E02620

Source: C:\Users\user\Desktop\file.exe

0_2_00BB7600

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: dwqocx.exe	Binary or memory string: cmdagent.exe
Source: dwqocx.exe	Binary or memory string: cfp.exe
Source: dwqocx.exe	Binary or memory string: avengine.exe
Source: dwqocx.exe	Binary or memory string: msmpeng.exe
Source: dwqocx.exe	Binary or memory string: AVP.EXE
Source: dwqocx.exe	Binary or memory string: ashDisp.exe
Source: dwqocx.exe	Binary or memory string: avgnt.exe
Source: dwqocx.exe	Binary or memory string: Mcshield.exe

Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	12 Native API	1 Registry Run Keys / Startup Folder	11 Process Injection	2 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Software Packing	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 System Network Connections Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	1 Proxy	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	45 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	51 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Process Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	11 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
file.exe	92%	ReversingLabs	Win32.Ransomware.GandCrab
file.exe	100%	Avira	TR/Dropper.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ipv4bot.whatismyipaddress.com	unknown	unknown	true	unknown
ransomware.bit	unknown	unknown	true	unknown
1.1.1.1.in-addr.arpa	unknown	unknown	false	unknown
zonealarm.bit	unknown	unknown	true	unknown
ns1.cloud-name.ru	unknown	unknown	true	unknown
ns2.cloud-name.ru	unknown	unknown	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://gandcrab2pie73et.onion.rip/da3fe3083522c987	file.exe, file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	true	unknown
https://psi-im.org/download/	file.exe, file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	false	unknown
http://gandcrab2pie73et.onion/da3fe3083522c987	file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	true	unknown
http://ipv4bot.whatismyipaddress.com/(	file.exe, 00000000.00000002.2791556153.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ipv4bot.whatismyipaddress.com/G	file.exe, 00000000.00000002.2791556153.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://gandcrab2pie73et.onion.	file.exe	true	unknown
https://gandcrab2pie73et.onion.to/da3fe3083522c987	file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	true	unknown
http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf	file.exe, file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	false	unknown
https://gandcrab2pie73et.onion.guide/da3fe3083522c987	file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	true	unknown
https://www.torproject.org/	file.exe, file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	false	unknown
http://ipv4bot.whatismyipaddress.com/	file.exe, 00000000.00000002.2791556153.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791556153.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://sj.ms/register.php	file.exe, file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	false	unknown
http://ipv4bot.whatismyipaddress.com/;	file.exe, 00000000.00000002.2791556153.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://gandcrab2pie73et.onion.plus/da3fe3083522c987	file.exe, file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	true	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522724
Start date and time:	2024-09-30 16:02:23 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	73
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@398/2@1702/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 63 Number of non-executed functions: 157
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
10:03:42	API Interceptor	1x Sleep call for process: dllhost.exe modified
10:04:22	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified
10:04:31	API Interceptor	298x Sleep call for process: file.exe modified
16:03:45	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce bgummckzlfn "C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe"
16:03:53	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce bgummckzlfn "C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe"

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	749568
Entropy (8bit):	3.9341253465399197
Encrypted:	false
SSDEEP:	6144:WBb/GhISjsUpwWx7ko0dvmfMaZaocS427zkXQj3805rSj15jBvp9HxawFH4yeK1a:WBLGO0oWp6ZmEOazhsyQt5r
MD5:	792DCCE2F5F5C326C8A2A36E993BB215
SHA1:	376EA88188D9D611B5985C9F8F7A96FCF79E6FF3
SHA-256:	BB3662E2CF1E6B1925C65B1304E824E04FF3C337CEA73E671AD76B8A9C79FDA0
SHA-512:	54CD582DE482BEDE5A0C7D9F230E09A799D20C1523F11EF5A597B206546E0A29C30EA6E0C8CA901C456D20FF48EBF756BE9A4E303F8031D8C6DAAB61D3031793
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This .b\.P.m cannot be run in DOS mode....$.......*p^.n.0.n.0.n.0.(@.w.0.(@.\|.0.(@...0.gi..k.0.n.1.6.0.cC.l.0.cC.o.0.Richn.0.................PE..L....^.Z..........................................@.......................................@.................................$...(............................p..........................................@............................................text............................... ..`.rdata...E.......P..................@..@.data...$S.......`..................@....reloc.......p.......p..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	2464
Entropy (8bit):	3.2417968494615015
Encrypted:	false
SSDEEP:	24:QOaqdmuF3r8wl+kWReHgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIPVs:FaqdF78wl+AAHdKoqKFxcxkFyw/
MD5:	5C326700C8688F1A46A3FD1C88188DDB
SHA1:	C9CBFE61821A3D32A31A7044DBBD17E815A23F02
SHA-256:	AA4BF9370306578C43EEAC963241942B8821589FE6F1502D8FFA53F1669ACC2F
SHA-512:	01F2A813152C2D14C0F513BED48721F12D63F7DDBAD851277C0C3D84672143A761F1B63CFA9034DFD6C556625E102017B416C5526D5B8E135502FBB990AF9A04
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. M.o.n. .. S.e.p. .. 3.0. .. 2.0.2.4. .1.0.:.0.4.:.2.2.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	3.934123532199371
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	749'568 bytes
MD5:	5027e6b49ab2616a8f08f4c868b90dba
SHA1:	f7bbc4c784fb2a30d8a018b65f2632507335590d
SHA256:	509c5bf724b0d3bc60cdc93c1b0f1e6710cf23edb2293d670cb8bdeaa5ac7e6f
SHA512:	35430b07d0ccc4e587a1cc416872a47ccfc90dd0f0fdf504f37d21725390c97c547ef73495adc1d79175cd3d3341e8ba9ff6ba7d9ee515b62d51ac3c00859956
SSDEEP:	6144:dBb/GhISjsUpwWx7ko0dvmfMaZaocS427zkXQj3805rSj15jBvp9HxawFH4yeK1a:dBLGO0oWp6ZmEOazhsyQt5r
TLSH:	84F4AD0222D04E75DEE3B4799575F6700FB9391C2BB03E0BA6D291EB367DE604A31687
File Content Preview:	MZ......................@...............................................!..L.!This hn{6..m cannot be run in DOS mode....$.......*p^.n.0.n.0.n.0.(@..w.0.(@..\|.0.(@....0.gi..k.0.n.1.6.0.cC..l.0.cC..o.0.Richn.0.................PE..L....^.Z...................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4013b6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5AC65ECC [Thu Apr 5 17:37:16 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	7b6dd4245c054681d7b6b1f9b76fe984

Entrypoint Preview

Instruction
call 00007FF53D07C34Ah
jmp 00007FF53D07AF60h
cmp ecx, dword ptr [00411050h]
jne 00007FF53D07B0E4h
rep ret
jmp 00007FF53D07C6D7h
int3
mov ecx, dword ptr [esp+08h]
mov eax, dword ptr [esp+04h]
push edi
push ebx
push esi
cmp dword ptr [00425060h], 01h
jc 00007FF53D07B2B4h
ja 00007FF53D07B1E3h
movzx edx, byte ptr [ecx]
mov ebx, edx
shl edx, 08h
or edx, ebx
je 00007FF53D07B1CFh
movd xmm3, edx
pshuflw xmm3, xmm3, 00h
movlhps xmm3, xmm3
pxor xmm0, xmm0
mov esi, ecx
or edi, FFFFFFFFh
movzx ebx, byte ptr [ecx]
add ecx, 01h
test ebx, ebx
je 00007FF53D07B0FFh
test ecx, 0000000Fh
jne 00007FF53D07B0D0h
movdqa xmm2, dqword ptr [ecx]
pcmpeqb xmm2, xmm0
pmovmskb ebx, xmm2
test ebx, ebx
jne 00007FF53D07B0E7h
mov edi, 0000000Fh
movd edx, xmm3
mov ebx, 00000FFFh
and ebx, eax
cmp ebx, 00000FF0h
jnbe 00007FF53D07B109h
movdqu xmm1, dqword ptr [eax]
pxor xmm2, xmm2
pcmpeqb xmm2, xmm1
pcmpeqb xmm1, xmm3
por xmm1, xmm2
pmovmskb ebx, xmm1
add eax, 10h
test ebx, ebx
je 00007FF53D07B0B4h
bsf ebx, ebx
sub eax, 10h
add eax, ebx
movzx ebx, byte ptr [eax]
test ebx, ebx
je 00007FF53D07B14Ch
add eax, 01h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[LNK] VS2013 build 21005

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10024	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x27000	0xcbc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xfcc8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc000	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa4f7	0xb000	2535bd00e9d839d72ef1b255cf48181a	False	0.5609241832386364	data	6.490742379297465	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0x45dc	0x5000	6ff5dc876b59837be9710ec2e6e12603	False	0.34423828125	data	4.176988594228439	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x11000	0x15324	0x16000	f580f48abfe4f99a0c7d40434a30c899	False	0.6173428622159091	DOS executable (block device driver \377\377\200)	6.817672467319551	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x27000	0xcbc	0x1000	40d1b92133b27bf4d9cf9e2b9ac1efe0	False	0.660400390625	data	5.7873346574246	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

KERNEL32.dll

VirtualProtect, ExitProcess, OpenProcess, Sleep, ExitThread, GetLastError, CloseHandle, WriteConsoleW, SetFilePointerEx, SetStdHandle, GetCommandLineA, SetLastError, GetCurrentThreadId, EncodePointer, DecodePointer, GetModuleHandleExW, GetProcAddress, MultiByteToWideChar, WideCharToMultiByte, GetProcessHeap, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameA, WriteFile, GetModuleFileNameW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, IsDebuggerPresent, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, EnterCriticalSection, LeaveCriticalSection, HeapFree, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, LoadLibraryExW, RtlUnwind, OutputDebugStringW, HeapAlloc, HeapReAlloc, GetStringTypeW, HeapSize, LCMapStringW, FlushFileBuffers, GetConsoleCP, GetConsoleMode, CreateFileW

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-30T16:03:49.107021+0200	2025452	ET MALWARE Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)	1	192.168.2.11	50821	1.1.1.1	53	UDP
2024-09-30T16:03:50.683722+0200	2025453	ET MALWARE Observed GandCrab Ransomware Domain (zonealarm .bit in DNS Lookup)	1	192.168.2.11	50826	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 16:04:47.465859890 CEST	49715	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:47.470731974 CEST	53	49715	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:47.470874071 CEST	49715	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:47.470874071 CEST	49715	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:47.475739002 CEST	53	49715	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:47.475819111 CEST	49715	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:47.480587006 CEST	53	49715	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:47.934752941 CEST	53	49715	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:47.934928894 CEST	49715	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:47.940258026 CEST	53	49715	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:47.940331936 CEST	49715	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:05.386889935 CEST	49716	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:05.391810894 CEST	53	49716	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:05.391911030 CEST	49716	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:05.392049074 CEST	49716	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:05.396806955 CEST	53	49716	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:05.396883011 CEST	49716	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:05.401705027 CEST	53	49716	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:05.929912090 CEST	53	49716	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:05.930023909 CEST	49716	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:05.935144901 CEST	53	49716	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:05.935235977 CEST	49716	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:12.160769939 CEST	49717	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:12.165715933 CEST	53	49717	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:12.165816069 CEST	49717	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:12.165816069 CEST	49717	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:12.170859098 CEST	53	49717	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:12.170914888 CEST	49717	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:12.175817966 CEST	53	49717	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:12.682041883 CEST	53	49717	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:12.682176113 CEST	49717	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:12.687602997 CEST	53	49717	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:12.687652111 CEST	49717	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.839179993 CEST	49718	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.844540119 CEST	53	49718	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.847563028 CEST	49718	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.847604036 CEST	49718	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.855381012 CEST	53	49718	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.855546951 CEST	49718	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.863993883 CEST	53	49718	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:40.315733910 CEST	53	49718	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:40.316267014 CEST	49718	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:40.321922064 CEST	53	49718	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:40.321988106 CEST	49718	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.452917099 CEST	49719	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.457834959 CEST	53	49719	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.457967043 CEST	49719	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.457967997 CEST	49719	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.463665962 CEST	53	49719	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.463726044 CEST	49719	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.468493938 CEST	53	49719	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.906358957 CEST	53	49719	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.907645941 CEST	49719	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.912785053 CEST	53	49719	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.914402008 CEST	49719	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.632913113 CEST	49720	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.637768984 CEST	53	49720	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.637866974 CEST	49720	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.637902975 CEST	49720	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.642632961 CEST	53	49720	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.642688036 CEST	49720	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.647464037 CEST	53	49720	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:43.154913902 CEST	53	49720	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:43.155303955 CEST	49720	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:43.161262989 CEST	53	49720	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:43.161302090 CEST	49720	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.226733923 CEST	49721	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.231842041 CEST	53	49721	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.231906891 CEST	49721	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.231929064 CEST	49721	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.236733913 CEST	53	49721	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.236793995 CEST	49721	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.241642952 CEST	53	49721	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.791217089 CEST	53	49721	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.792623043 CEST	49721	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.797863007 CEST	53	49721	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.797960043 CEST	49721	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.096319914 CEST	49722	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.101274967 CEST	53	49722	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.101363897 CEST	49722	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.101402998 CEST	49722	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.106236935 CEST	53	49722	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.106348038 CEST	49722	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.111191034 CEST	53	49722	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.550004005 CEST	53	49722	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.550132990 CEST	49722	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.555893898 CEST	53	49722	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.556233883 CEST	49722	53	192.168.2.11	1.1.1.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 16:03:47.397953987 CEST	59322	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:47.409701109 CEST	53	59322	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:47.632883072 CEST	55056	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:47.680965900 CEST	53	55056	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:47.798232079 CEST	55057	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:47.805489063 CEST	53	55057	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:47.842344999 CEST	55058	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:47.871238947 CEST	53	55058	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:47.873744965 CEST	55059	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:47.889507055 CEST	53	55059	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:47.892214060 CEST	55060	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:47.926399946 CEST	53	55060	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:47.926783085 CEST	55061	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:47.935403109 CEST	53	55061	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:49.029576063 CEST	50819	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:49.088488102 CEST	53	50819	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:49.099518061 CEST	50820	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:49.106600046 CEST	53	50820	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:49.107021093 CEST	50821	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:49.117207050 CEST	53	50821	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:49.117605925 CEST	50822	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:49.131844997 CEST	53	50822	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:49.132158041 CEST	50823	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:49.149068117 CEST	53	50823	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:49.149420977 CEST	50824	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:49.158987045 CEST	53	50824	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:50.676156044 CEST	50825	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:50.683156013 CEST	53	50825	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:50.683722019 CEST	50826	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:50.692665100 CEST	53	50826	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:50.693043947 CEST	50827	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:50.707458973 CEST	53	50827	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:50.707788944 CEST	50828	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:50.717467070 CEST	53	50828	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:50.717767954 CEST	50829	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:50.737943888 CEST	53	50829	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:51.828855038 CEST	50830	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:51.836666107 CEST	53	50830	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:51.837125063 CEST	50831	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:51.857816935 CEST	53	50831	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:51.858403921 CEST	50832	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:51.867506981 CEST	53	50832	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:51.867768049 CEST	50833	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:51.887192965 CEST	53	50833	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:51.887562990 CEST	50834	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:51.896087885 CEST	53	50834	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:53.349147081 CEST	55518	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:53.435378075 CEST	53	55518	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:53.454124928 CEST	55519	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:53.461950064 CEST	53	55519	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:53.462374926 CEST	55520	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:53.478097916 CEST	53	55520	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:53.478559017 CEST	55521	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:53.490907907 CEST	53	55521	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:53.491250992 CEST	55522	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:53.506895065 CEST	53	55522	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:53.507256985 CEST	55523	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:53.516374111 CEST	53	55523	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:54.606419086 CEST	50590	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:54.657802105 CEST	53	50590	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:54.671022892 CEST	50591	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:54.678339005 CEST	53	50591	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:54.678781033 CEST	50592	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:54.687315941 CEST	53	50592	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:54.687797070 CEST	50593	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:54.698839903 CEST	53	50593	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:54.699287891 CEST	50594	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:54.707211018 CEST	53	50594	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:54.711653948 CEST	50595	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:54.727705956 CEST	53	50595	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:56.074201107 CEST	50596	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:56.836749077 CEST	53	50596	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:56.837495089 CEST	50597	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:56.847038984 CEST	53	50597	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:56.847398043 CEST	50598	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:56.861613989 CEST	53	50598	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:56.862097979 CEST	50599	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:56.877643108 CEST	53	50599	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:56.878218889 CEST	50600	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:56.891129971 CEST	53	50600	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:57.992733002 CEST	50601	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:57.999921083 CEST	53	50601	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:58.000353098 CEST	50602	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:58.009596109 CEST	53	50602	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:58.009941101 CEST	50603	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:58.032846928 CEST	53	50603	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:58.033251047 CEST	50604	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:58.042644978 CEST	53	50604	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:58.042978048 CEST	50605	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:58.057732105 CEST	53	50605	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:59.237570047 CEST	56711	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:59.285491943 CEST	53	56711	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:59.296691895 CEST	56712	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:59.303621054 CEST	53	56712	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:59.304019928 CEST	56713	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:59.319468021 CEST	53	56713	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:59.319787979 CEST	56714	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:59.330456972 CEST	53	56714	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:59.330770016 CEST	56715	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:59.350780964 CEST	53	56715	1.1.1.1	192.168.2.11
Sep 30, 2024 16:03:59.351471901 CEST	56716	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:03:59.366853952 CEST	53	56716	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:00.454020023 CEST	53888	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:00.610440969 CEST	53	53888	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:00.623466015 CEST	53889	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:00.630398989 CEST	53	53889	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:00.630812883 CEST	53890	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:00.649519920 CEST	53	53890	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:00.650238037 CEST	53891	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:00.659753084 CEST	53	53891	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:00.660161018 CEST	53892	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:00.670264006 CEST	53	53892	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:00.670676947 CEST	53893	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:00.686781883 CEST	53	53893	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:01.855673075 CEST	62132	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:01.863192081 CEST	53	62132	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:01.863650084 CEST	62133	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:01.873826027 CEST	53	62133	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:01.874269009 CEST	62134	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:01.883842945 CEST	53	62134	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:01.884248972 CEST	62135	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:01.908102989 CEST	53	62135	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:01.908628941 CEST	62136	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:01.928551912 CEST	53	62136	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:03.091366053 CEST	62137	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:03.098648071 CEST	53	62137	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:03.099628925 CEST	62138	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:03.116215944 CEST	53	62138	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:03.116621017 CEST	62139	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:03.124727964 CEST	53	62139	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:03.125299931 CEST	62140	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:03.135585070 CEST	53	62140	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:03.137382984 CEST	62141	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:03.150015116 CEST	53	62141	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:04.287630081 CEST	61226	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:04.336779118 CEST	53	61226	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:04.348058939 CEST	61227	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:05.393795013 CEST	53	61227	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:05.394287109 CEST	61228	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:05.404474974 CEST	53	61228	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:05.404962063 CEST	61229	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:05.420907021 CEST	53	61229	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:05.421288013 CEST	61230	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:05.437273026 CEST	53	61230	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:05.437685013 CEST	61231	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:05.453911066 CEST	53	61231	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:06.981375933 CEST	61305	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:07.031116009 CEST	53	61305	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:07.042352915 CEST	61306	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:07.049798012 CEST	53	61306	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:07.050723076 CEST	61307	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:07.068737984 CEST	53	61307	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:07.069257975 CEST	61308	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:07.081748009 CEST	53	61308	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:07.082108021 CEST	61309	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:07.092657089 CEST	53	61309	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:07.092994928 CEST	61310	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:07.109291077 CEST	53	61310	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:08.296057940 CEST	61311	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:08.304173946 CEST	53	61311	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:08.304882050 CEST	61312	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:08.320239067 CEST	53	61312	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:08.320780039 CEST	61313	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:08.336157084 CEST	53	61313	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:08.336591005 CEST	61314	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:08.361104012 CEST	53	61314	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:08.361706018 CEST	61315	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:08.377526045 CEST	53	61315	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:09.534271002 CEST	58170	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:09.697345018 CEST	53	58170	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:09.713671923 CEST	58171	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:09.721174002 CEST	53	58171	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:09.721735954 CEST	58172	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:09.741790056 CEST	53	58172	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:09.742266893 CEST	58173	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:09.749995947 CEST	53	58173	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:09.750449896 CEST	58174	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:09.766967058 CEST	53	58174	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:09.767393112 CEST	58175	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:09.779350996 CEST	53	58175	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:10.999357939 CEST	58176	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:11.006304979 CEST	53	58176	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:11.006737947 CEST	58177	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:11.022349119 CEST	53	58177	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:11.022906065 CEST	58178	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:11.030344963 CEST	53	58178	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:11.030731916 CEST	58179	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:11.038984060 CEST	53	58179	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:11.039280891 CEST	58180	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:11.047502995 CEST	53	58180	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:12.208085060 CEST	53710	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:12.257260084 CEST	53	53710	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:12.267612934 CEST	53711	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:12.274775028 CEST	53	53711	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:12.275348902 CEST	53712	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:12.290659904 CEST	53	53712	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:12.291404009 CEST	53713	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:12.307190895 CEST	53	53713	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:12.307531118 CEST	53714	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:12.324875116 CEST	53	53714	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:12.325329065 CEST	53715	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:12.341464043 CEST	53	53715	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:13.546014071 CEST	53716	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:13.553267956 CEST	53	53716	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:13.553754091 CEST	53717	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:13.570120096 CEST	53	53717	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:13.570485115 CEST	53718	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:13.578596115 CEST	53	53718	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:13.578900099 CEST	53719	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:13.592706919 CEST	53	53719	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:13.593044043 CEST	53720	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:13.603951931 CEST	53	53720	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:14.746707916 CEST	63345	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:15.008519888 CEST	53	63345	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:15.019551039 CEST	63346	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:15.027267933 CEST	53	63346	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:15.027896881 CEST	63347	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:15.037590981 CEST	53	63347	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:15.038031101 CEST	63348	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:15.045941114 CEST	53	63348	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:15.046416044 CEST	63349	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:15.054208040 CEST	53	63349	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:15.054730892 CEST	63350	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:15.062285900 CEST	53	63350	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:16.308128119 CEST	63351	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:16.315550089 CEST	53	63351	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:16.315968990 CEST	63352	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:16.326114893 CEST	53	63352	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:16.326462030 CEST	63353	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:16.336224079 CEST	53	63353	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:16.336654902 CEST	63354	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:16.345469952 CEST	53	63354	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:16.345911026 CEST	63355	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:16.354556084 CEST	53	63355	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:17.529544115 CEST	61969	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:17.578751087 CEST	53	61969	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:17.589742899 CEST	61970	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:17.596712112 CEST	53	61970	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:17.597275972 CEST	61971	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:17.605592012 CEST	53	61971	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:17.605940104 CEST	61972	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:17.615161896 CEST	53	61972	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:17.615679979 CEST	61973	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:17.630722046 CEST	53	61973	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:17.631155014 CEST	61974	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:17.640847921 CEST	53	61974	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:18.811594963 CEST	61975	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:18.993335009 CEST	53	61975	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:18.994154930 CEST	61976	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:19.014178038 CEST	53	61976	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:19.014723063 CEST	61977	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:19.025468111 CEST	53	61977	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:19.025816917 CEST	61978	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:19.042473078 CEST	53	61978	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:19.042843103 CEST	61979	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:19.053687096 CEST	53	61979	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:20.211648941 CEST	59445	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:20.368280888 CEST	53	59445	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:20.378281116 CEST	59446	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:20.385109901 CEST	53	59446	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:20.385562897 CEST	59447	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:20.400547028 CEST	53	59447	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:20.401206970 CEST	59448	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:20.408437967 CEST	53	59448	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:20.408689022 CEST	59449	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:20.423118114 CEST	53	59449	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:20.423410892 CEST	59450	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:20.433808088 CEST	53	59450	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:21.941957951 CEST	59451	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:21.949076891 CEST	53	59451	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:21.950232983 CEST	59452	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:21.966165066 CEST	53	59452	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:21.966963053 CEST	59453	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:21.981168985 CEST	53	59453	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:21.995604992 CEST	59454	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:22.002841949 CEST	53	59454	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:22.012712955 CEST	59455	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:22.022468090 CEST	53	59455	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:23.400167942 CEST	56494	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:23.448793888 CEST	53	56494	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:23.458935976 CEST	56495	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:23.467268944 CEST	53	56495	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:23.467716932 CEST	56496	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:23.484067917 CEST	53	56496	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:23.484426975 CEST	56497	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:23.499228954 CEST	53	56497	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:23.499535084 CEST	56498	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:23.509365082 CEST	53	56498	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:23.509670019 CEST	56499	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:23.530438900 CEST	53	56499	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:24.737256050 CEST	56500	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:24.745419979 CEST	53	56500	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:24.745918989 CEST	56501	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:24.753271103 CEST	53	56501	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:24.753571987 CEST	56502	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:24.768012047 CEST	53	56502	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:24.768297911 CEST	56503	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:24.775418997 CEST	53	56503	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:24.775731087 CEST	56504	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:24.784169912 CEST	53	56504	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:25.880845070 CEST	60347	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:25.966466904 CEST	53	60347	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:25.976509094 CEST	60348	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:25.983437061 CEST	53	60348	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:25.984149933 CEST	60349	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:25.991871119 CEST	53	60349	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:25.992275000 CEST	60350	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:26.039942026 CEST	53	60350	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:26.040543079 CEST	60351	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:26.056350946 CEST	53	60351	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:26.056608915 CEST	60352	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:26.064404964 CEST	53	60352	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:27.236747026 CEST	60353	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:27.243802071 CEST	53	60353	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:27.244339943 CEST	60354	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:27.259430885 CEST	53	60354	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:27.259820938 CEST	60355	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:27.276513100 CEST	53	60355	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:27.276892900 CEST	60356	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:27.287839890 CEST	53	60356	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:27.288222075 CEST	60357	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:27.302649975 CEST	53	60357	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:28.479434013 CEST	50480	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:28.527673960 CEST	53	50480	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:28.537770987 CEST	50481	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:28.546701908 CEST	53	50481	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:28.547226906 CEST	50482	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:28.555650949 CEST	53	50482	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:28.556001902 CEST	50483	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:28.568897963 CEST	53	50483	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:28.569228888 CEST	50484	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:28.579083920 CEST	53	50484	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:28.579566956 CEST	50485	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:28.589957952 CEST	53	50485	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:29.710371017 CEST	50486	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:29.719471931 CEST	53	50486	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:29.721838951 CEST	50487	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:29.729110956 CEST	53	50487	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:29.730612040 CEST	50488	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:29.738178968 CEST	53	50488	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:29.739330053 CEST	50489	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:29.754086971 CEST	53	50489	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:29.754452944 CEST	50490	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:29.764384031 CEST	53	50490	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:30.850526094 CEST	61682	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:30.937041998 CEST	53	61682	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:30.947144032 CEST	61683	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:30.955058098 CEST	53	61683	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:30.955631018 CEST	61684	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:30.969449997 CEST	53	61684	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:30.969863892 CEST	61685	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:30.979613066 CEST	53	61685	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:30.980148077 CEST	61686	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:31.000426054 CEST	53	61686	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:31.000895977 CEST	61687	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:31.020565033 CEST	53	61687	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:32.091449976 CEST	61688	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:32.098752975 CEST	53	61688	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:32.099128962 CEST	61689	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:32.114301920 CEST	53	61689	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:32.114670992 CEST	61690	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:32.124341011 CEST	53	61690	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:32.124763966 CEST	61691	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:32.132179976 CEST	53	61691	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:32.132370949 CEST	61692	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:32.140723944 CEST	53	61692	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:33.422940016 CEST	59607	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:33.510096073 CEST	53	59607	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:33.519455910 CEST	59608	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:33.530755997 CEST	53	59608	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:33.531264067 CEST	59609	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:33.538676023 CEST	53	59609	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:33.538969994 CEST	59610	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:33.548229933 CEST	53	59610	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:33.548487902 CEST	59611	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:33.556344986 CEST	53	59611	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:33.556602955 CEST	59612	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:33.564141035 CEST	53	59612	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:34.563090086 CEST	59613	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:34.570430994 CEST	53	59613	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:34.570920944 CEST	59614	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:34.586143017 CEST	53	59614	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:34.586529970 CEST	59615	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:34.594559908 CEST	53	59615	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:34.594779015 CEST	59616	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:34.603159904 CEST	53	59616	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:34.603363037 CEST	59617	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:34.611448050 CEST	53	59617	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:35.571561098 CEST	57447	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:35.620667934 CEST	53	57447	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:35.630676031 CEST	57448	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:35.639117002 CEST	53	57448	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:35.639755011 CEST	57449	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:35.656002998 CEST	53	57449	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:35.659584045 CEST	57450	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:35.675667048 CEST	53	57450	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:35.679867029 CEST	57451	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:35.687429905 CEST	53	57451	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:35.691569090 CEST	57452	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:35.700293064 CEST	53	57452	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:36.642393112 CEST	57453	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:36.650800943 CEST	53	57453	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:36.651139021 CEST	57454	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:36.659907103 CEST	53	57454	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:36.660154104 CEST	57455	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:36.677251101 CEST	53	57455	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:36.677498102 CEST	57456	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:36.685513973 CEST	53	57456	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:36.685770988 CEST	57457	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:36.694166899 CEST	53	57457	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:37.595499039 CEST	57458	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:37.602462053 CEST	53	57458	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:37.602919102 CEST	57459	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:37.614917040 CEST	53	57459	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:37.616792917 CEST	57460	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:37.634232044 CEST	53	57460	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:37.634646893 CEST	57461	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:37.648922920 CEST	53	57461	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:37.649279118 CEST	57462	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:37.656883001 CEST	53	57462	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:38.526057959 CEST	56041	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:38.782001019 CEST	53	56041	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:38.789582968 CEST	56042	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:38.798826933 CEST	53	56042	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:38.799359083 CEST	56043	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:38.821994066 CEST	53	56043	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:38.822572947 CEST	56044	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:38.838181019 CEST	53	56044	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:38.838584900 CEST	56045	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:38.846627951 CEST	53	56045	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:38.846837044 CEST	56046	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:38.866648912 CEST	53	56046	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:39.731370926 CEST	56047	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:39.738771915 CEST	53	56047	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:39.739177942 CEST	56048	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:39.746893883 CEST	53	56048	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:39.747205019 CEST	56049	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:39.763490915 CEST	53	56049	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:39.763863087 CEST	56050	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:39.770860910 CEST	53	56050	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:39.771177053 CEST	56051	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:39.779083967 CEST	53	56051	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:40.597038984 CEST	63222	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:40.682077885 CEST	53	63222	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:40.690278053 CEST	63223	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:40.698074102 CEST	53	63223	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:40.699153900 CEST	63224	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:40.714271069 CEST	53	63224	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:40.717782974 CEST	63225	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:40.737967014 CEST	53	63225	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:40.742422104 CEST	63226	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:40.749912024 CEST	53	63226	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:40.750323057 CEST	63227	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:40.758110046 CEST	53	63227	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:41.567104101 CEST	63228	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:42.381412029 CEST	53	63228	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:42.382127047 CEST	63229	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:42.399029016 CEST	53	63229	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:42.399621964 CEST	63230	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:42.413646936 CEST	53	63230	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:42.414079905 CEST	63231	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:42.421993017 CEST	53	63231	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:42.422332048 CEST	63232	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:42.432146072 CEST	53	63232	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:43.204268932 CEST	63233	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:43.352175951 CEST	53	63233	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:43.352864027 CEST	63234	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:43.361932039 CEST	53	63234	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:43.362364054 CEST	63235	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:43.379834890 CEST	53	63235	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:43.380310059 CEST	63236	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:43.389545918 CEST	53	63236	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:43.390188932 CEST	63237	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:43.398680925 CEST	53	63237	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:44.150959015 CEST	63238	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:44.304833889 CEST	53	63238	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:44.305594921 CEST	63239	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:44.312887907 CEST	53	63239	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:44.313292980 CEST	63240	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:44.327604055 CEST	53	63240	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:44.327964067 CEST	63241	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:44.336777925 CEST	53	63241	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:44.336977959 CEST	63242	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:44.353435040 CEST	53	63242	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:45.080777884 CEST	63243	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:45.088253975 CEST	53	63243	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:45.088836908 CEST	63244	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:45.096915007 CEST	53	63244	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:45.097557068 CEST	63245	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:45.112756014 CEST	53	63245	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:45.113097906 CEST	63246	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:45.120394945 CEST	53	63246	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:45.120738029 CEST	63247	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:45.128200054 CEST	53	63247	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:45.831598997 CEST	64723	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:45.916619062 CEST	53	64723	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:45.926100016 CEST	64724	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:45.933974028 CEST	53	64724	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:45.934477091 CEST	64725	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:45.945554972 CEST	53	64725	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:45.946060896 CEST	64726	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:45.955214024 CEST	53	64726	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:45.955578089 CEST	64727	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:45.963253021 CEST	53	64727	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:45.963529110 CEST	64728	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:45.971112013 CEST	53	64728	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:46.664391041 CEST	64729	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:46.671577930 CEST	53	64729	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:46.672059059 CEST	64730	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:46.692682028 CEST	53	64730	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:46.693116903 CEST	64731	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:46.709444046 CEST	53	64731	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:46.709949970 CEST	64732	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:46.730784893 CEST	53	64732	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:46.731321096 CEST	64733	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:46.740237951 CEST	53	64733	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:47.400863886 CEST	51128	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:47.450015068 CEST	53	51128	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:47.457556009 CEST	51129	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:47.465507984 CEST	53	51129	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:47.935235023 CEST	51130	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:47.943288088 CEST	53	51130	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:47.943519115 CEST	51131	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:47.958163023 CEST	53	51131	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:47.958353996 CEST	51132	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:47.966937065 CEST	53	51132	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:47.967104912 CEST	51133	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:47.975147009 CEST	53	51133	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:48.620944977 CEST	51134	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:48.629255056 CEST	53	51134	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:48.629703999 CEST	51135	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:48.645946026 CEST	53	51135	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:48.646342993 CEST	51136	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:48.655735970 CEST	53	51136	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:48.656088114 CEST	51137	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:48.669296980 CEST	53	51137	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:48.669651985 CEST	51138	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:48.683312893 CEST	53	51138	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:49.320671082 CEST	51139	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:50.036127090 CEST	53	51139	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:50.036577940 CEST	51140	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:50.044127941 CEST	53	51140	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:50.044437885 CEST	51141	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:50.052251101 CEST	53	51141	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:50.052485943 CEST	51142	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:50.073954105 CEST	53	51142	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:50.074291945 CEST	51143	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:50.092200994 CEST	53	51143	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:50.734767914 CEST	54267	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:50.743048906 CEST	53	54267	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:50.778858900 CEST	54268	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:50.788976908 CEST	53	54268	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:50.789374113 CEST	54269	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:50.796871901 CEST	53	54269	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:50.797152042 CEST	54270	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:50.807179928 CEST	53	54270	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:50.807449102 CEST	54271	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:50.814907074 CEST	53	54271	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:50.815179110 CEST	54272	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:50.822787046 CEST	53	54272	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:51.416765928 CEST	54273	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:51.423712969 CEST	53	54273	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:51.424163103 CEST	54274	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:51.431791067 CEST	53	54274	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:51.432133913 CEST	54275	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:51.441293001 CEST	53	54275	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:51.441513062 CEST	54276	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:51.448802948 CEST	53	54276	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:51.449004889 CEST	54277	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:51.464116096 CEST	53	54277	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:52.032001019 CEST	54278	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:52.040864944 CEST	53	54278	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:52.041357994 CEST	54279	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:52.052123070 CEST	53	54279	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:52.052541971 CEST	54280	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:52.060431004 CEST	53	54280	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:52.060659885 CEST	54281	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:52.068263054 CEST	53	54281	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:52.068502903 CEST	54282	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:52.079049110 CEST	53	54282	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:52.623692036 CEST	54283	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:52.630850077 CEST	53	54283	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:52.631211042 CEST	54284	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:52.650851011 CEST	53	54284	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:52.651117086 CEST	54285	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:52.659377098 CEST	53	54285	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:52.659678936 CEST	54286	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:52.667408943 CEST	53	54286	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:52.667649031 CEST	54287	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:52.682557106 CEST	53	54287	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:53.228163004 CEST	54288	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:53.235227108 CEST	53	54288	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:53.235608101 CEST	54289	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:53.249922991 CEST	53	54289	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:53.250307083 CEST	54290	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:53.258213997 CEST	53	54290	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:53.258421898 CEST	54291	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:53.267873049 CEST	53	54291	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:53.268120050 CEST	54292	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:53.275789976 CEST	53	54292	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:53.963267088 CEST	62980	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:54.055732012 CEST	53	62980	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:54.063302994 CEST	62981	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:54.070451975 CEST	53	62981	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:54.070832968 CEST	62982	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:54.078763008 CEST	53	62982	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:54.079173088 CEST	62983	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:54.087455034 CEST	53	62983	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:54.087711096 CEST	62984	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:54.095500946 CEST	53	62984	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:54.095751047 CEST	62985	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:54.111157894 CEST	53	62985	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:54.616667032 CEST	62986	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:54.623800993 CEST	53	62986	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:54.624180079 CEST	62987	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:54.630956888 CEST	53	62987	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:54.631176949 CEST	62988	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:54.646595955 CEST	53	62988	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:54.646893978 CEST	62989	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:54.661380053 CEST	53	62989	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:54.661662102 CEST	62990	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:54.677218914 CEST	53	62990	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:55.171997070 CEST	62991	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:55.179794073 CEST	53	62991	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:55.180171967 CEST	62992	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:55.188234091 CEST	53	62992	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:55.188555002 CEST	62993	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:55.197125912 CEST	53	62993	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:55.197343111 CEST	62994	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:55.206298113 CEST	53	62994	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:55.206559896 CEST	62995	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:55.216953993 CEST	53	62995	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:55.691967010 CEST	54375	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:55.742280960 CEST	53	54375	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:55.749983072 CEST	54376	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:55.757857084 CEST	53	54376	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:55.758219957 CEST	54377	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:55.765604019 CEST	53	54377	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:55.765881062 CEST	54378	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:55.782012939 CEST	53	54378	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:55.782300949 CEST	54379	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:55.789581060 CEST	53	54379	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:55.789788961 CEST	54380	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:55.799020052 CEST	53	54380	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:56.294055939 CEST	54381	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:56.301989079 CEST	53	54381	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:56.306112051 CEST	54382	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:56.314131975 CEST	53	54382	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:56.314475060 CEST	54383	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:56.323225021 CEST	53	54383	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:56.323988914 CEST	54384	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:56.347783089 CEST	53	54384	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:56.348160028 CEST	54385	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:56.355468988 CEST	53	54385	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:56.795636892 CEST	54386	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:56.806607962 CEST	53	54386	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:56.807188988 CEST	54387	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:56.822257042 CEST	53	54387	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:56.822695017 CEST	54388	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:56.831594944 CEST	53	54388	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:56.831836939 CEST	54389	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:56.842083931 CEST	53	54389	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:56.842327118 CEST	54390	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:56.851170063 CEST	53	54390	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:57.294154882 CEST	54391	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:57.302054882 CEST	53	54391	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:57.302613974 CEST	54392	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:57.310596943 CEST	53	54392	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:57.310905933 CEST	54393	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:57.320215940 CEST	53	54393	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:57.320804119 CEST	54394	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:57.328283072 CEST	53	54394	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:57.328644991 CEST	54395	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:57.336616039 CEST	53	54395	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:57.778863907 CEST	54396	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:57.785934925 CEST	53	54396	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:57.786391973 CEST	54397	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:57.794851065 CEST	53	54397	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:57.795207024 CEST	54398	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:57.802653074 CEST	53	54398	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:57.802901983 CEST	54399	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:57.810511112 CEST	53	54399	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:57.810761929 CEST	54400	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:57.818612099 CEST	53	54400	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:58.227099895 CEST	51826	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:58.315054893 CEST	53	51826	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:58.322304964 CEST	51827	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:58.329849005 CEST	53	51827	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:58.330256939 CEST	51828	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:58.337655067 CEST	53	51828	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:58.338046074 CEST	51829	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:58.347700119 CEST	53	51829	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:58.347958088 CEST	51830	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:58.355885983 CEST	53	51830	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:58.356167078 CEST	51831	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:58.365712881 CEST	53	51831	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:58.770442009 CEST	51832	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:58.869823933 CEST	53	51832	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:58.870629072 CEST	51833	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:58.878515005 CEST	53	51833	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:58.878861904 CEST	51834	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:58.886473894 CEST	53	51834	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:58.886713982 CEST	51835	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:58.896030903 CEST	53	51835	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:58.896403074 CEST	51836	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:58.904687881 CEST	53	51836	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:59.297887087 CEST	51837	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:59.304934978 CEST	53	51837	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:59.305377007 CEST	51838	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:59.312912941 CEST	53	51838	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:59.313180923 CEST	51839	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:59.329603910 CEST	53	51839	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:59.329834938 CEST	51840	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:59.345633030 CEST	53	51840	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:59.345920086 CEST	51841	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:59.354187012 CEST	53	51841	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:59.782042980 CEST	51842	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:59.789711952 CEST	53	51842	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:59.790081024 CEST	51843	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:59.797369957 CEST	53	51843	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:59.797652006 CEST	51844	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:59.805442095 CEST	53	51844	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:59.805763006 CEST	51845	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:59.814049006 CEST	53	51845	1.1.1.1	192.168.2.11
Sep 30, 2024 16:04:59.814344883 CEST	51846	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:04:59.822900057 CEST	53	51846	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:00.187239885 CEST	51847	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:00.194535971 CEST	53	51847	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:00.194963932 CEST	51848	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:00.210370064 CEST	53	51848	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:00.210783958 CEST	51849	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:00.218848944 CEST	53	51849	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:00.219058037 CEST	51850	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:00.226843119 CEST	53	51850	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:00.227055073 CEST	51851	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:00.235249996 CEST	53	51851	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:00.594161987 CEST	51852	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:00.601340055 CEST	53	51852	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:00.601950884 CEST	51853	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:00.609399080 CEST	53	51853	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:00.609694958 CEST	51854	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:00.617897034 CEST	53	51854	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:00.618174076 CEST	51855	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:00.628146887 CEST	53	51855	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:00.628402948 CEST	51856	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:00.637717962 CEST	53	51856	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:00.977452993 CEST	63980	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:00.988385916 CEST	53	63980	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:00.995570898 CEST	63981	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:01.002465010 CEST	53	63981	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:01.002882957 CEST	63982	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:01.010458946 CEST	53	63982	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:01.010726929 CEST	63983	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:01.021387100 CEST	53	63983	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:01.021749973 CEST	63984	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:01.029055119 CEST	53	63984	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:01.029306889 CEST	63985	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:01.282668114 CEST	53	63985	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:01.625197887 CEST	63986	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:01.632359028 CEST	53	63986	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:01.632983923 CEST	63987	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:01.641716003 CEST	53	63987	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:01.642026901 CEST	63988	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:01.649665117 CEST	53	63988	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:01.649926901 CEST	63989	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:01.665033102 CEST	53	63989	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:01.665478945 CEST	63990	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:01.672703981 CEST	53	63990	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:02.001776934 CEST	63991	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:02.009691000 CEST	53	63991	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:02.010278940 CEST	63992	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:02.026263952 CEST	53	63992	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:02.026597977 CEST	63993	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:02.039841890 CEST	53	63993	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:02.040154934 CEST	63994	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:02.057096004 CEST	53	63994	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:02.057336092 CEST	63995	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:02.066117048 CEST	53	63995	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:02.463725090 CEST	63996	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:02.471477032 CEST	53	63996	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:02.483169079 CEST	63997	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:02.491008043 CEST	53	63997	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:02.505887985 CEST	63998	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:02.521517992 CEST	53	63998	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:02.522099972 CEST	63999	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:02.536942005 CEST	53	63999	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:02.538053989 CEST	64000	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:02.545844078 CEST	53	64000	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:02.870035887 CEST	64001	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:02.876892090 CEST	53	64001	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:02.877336025 CEST	64002	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:02.886986017 CEST	53	64002	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:02.887300968 CEST	64003	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:02.897954941 CEST	53	64003	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:02.898163080 CEST	64004	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:02.906904936 CEST	53	64004	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:02.907049894 CEST	64005	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:02.915596008 CEST	53	64005	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:03.232323885 CEST	64006	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:03.239275932 CEST	53	64006	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:03.239761114 CEST	64007	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:03.249654055 CEST	53	64007	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:03.250021935 CEST	64008	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:03.256980896 CEST	53	64008	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:03.257164001 CEST	64009	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:03.267438889 CEST	53	64009	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:03.267663956 CEST	64010	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:03.276134014 CEST	53	64010	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:03.563322067 CEST	49730	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:04.119267941 CEST	53	49730	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:04.127182007 CEST	49731	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:04.134474039 CEST	53	49731	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:04.134912014 CEST	49732	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:04.151204109 CEST	53	49732	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:04.151686907 CEST	49733	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:04.164022923 CEST	53	49733	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:04.164367914 CEST	49734	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:04.176042080 CEST	53	49734	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:04.176400900 CEST	49735	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:04.184489965 CEST	53	49735	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:04.476335049 CEST	49736	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:04.484221935 CEST	53	49736	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:04.484649897 CEST	49737	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:04.494529963 CEST	53	49737	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:04.494865894 CEST	49738	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:04.503040075 CEST	53	49738	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:04.503375053 CEST	49739	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:04.520575047 CEST	53	49739	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:04.520944118 CEST	49740	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:04.531461000 CEST	53	49740	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:04.817255020 CEST	49741	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:04.824585915 CEST	53	49741	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:04.825731039 CEST	49742	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:04.834780931 CEST	53	49742	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:04.835103035 CEST	49743	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:04.842367887 CEST	53	49743	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:04.842567921 CEST	49744	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:04.854196072 CEST	53	49744	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:04.854708910 CEST	49745	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:04.863455057 CEST	53	49745	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:05.148825884 CEST	49746	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:05.345813990 CEST	53	49746	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:05.346319914 CEST	49747	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:05.355393887 CEST	53	49747	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:05.355796099 CEST	49748	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:05.371164083 CEST	53	49748	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:05.371625900 CEST	49749	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:05.379452944 CEST	53	49749	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:05.379630089 CEST	49750	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:05.386586905 CEST	53	49750	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:06.198451042 CEST	49751	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:06.205008030 CEST	53	49751	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:06.207973957 CEST	49752	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:06.216595888 CEST	53	49752	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:06.219769955 CEST	49753	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:06.228921890 CEST	53	49753	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:06.231741905 CEST	49754	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:06.247901917 CEST	53	49754	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:06.250169039 CEST	49755	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:06.258550882 CEST	53	49755	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:06.516191006 CEST	49756	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:06.523674965 CEST	53	49756	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:06.524120092 CEST	49757	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:06.532346964 CEST	53	49757	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:06.532672882 CEST	49758	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:06.541296959 CEST	53	49758	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:06.541507006 CEST	49759	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:06.549505949 CEST	53	49759	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:06.549751997 CEST	49760	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:06.557760954 CEST	53	49760	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:06.809099913 CEST	64079	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:06.967264891 CEST	53	64079	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:06.974435091 CEST	64080	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:06.981817007 CEST	53	64080	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:06.982145071 CEST	64081	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:06.990622997 CEST	53	64081	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:06.990880966 CEST	64082	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:06.998410940 CEST	53	64082	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:06.998585939 CEST	64083	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:07.008851051 CEST	53	64083	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:07.009056091 CEST	64084	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:07.018627882 CEST	53	64084	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:07.265808105 CEST	64085	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:07.274144888 CEST	53	64085	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:07.274472952 CEST	64086	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:07.282157898 CEST	53	64086	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:07.282340050 CEST	64087	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:07.291516066 CEST	53	64087	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:07.291766882 CEST	64088	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:07.299352884 CEST	53	64088	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:07.299602985 CEST	64089	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:07.308556080 CEST	53	64089	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:07.556988955 CEST	64090	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:07.564784050 CEST	53	64090	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:07.565130949 CEST	64091	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:07.573903084 CEST	53	64091	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:07.574476004 CEST	64092	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:07.583506107 CEST	53	64092	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:07.583678961 CEST	64093	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:07.593651056 CEST	53	64093	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:07.593848944 CEST	64094	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:07.603869915 CEST	53	64094	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:07.833379030 CEST	64095	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:07.844738007 CEST	53	64095	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:07.845211983 CEST	64096	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:07.853120089 CEST	53	64096	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:07.853341103 CEST	64097	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:07.863070011 CEST	53	64097	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:07.863279104 CEST	64098	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:07.873229980 CEST	53	64098	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:07.873486042 CEST	64099	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:07.881139040 CEST	53	64099	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:08.112533092 CEST	64100	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:08.119924068 CEST	53	64100	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:08.120253086 CEST	64101	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:08.130013943 CEST	53	64101	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:08.130223989 CEST	64102	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:08.138586044 CEST	53	64102	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:08.138797998 CEST	64103	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:08.147253036 CEST	53	64103	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:08.147433043 CEST	64104	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:08.156975031 CEST	53	64104	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:08.382703066 CEST	64105	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:08.390141964 CEST	53	64105	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:08.390641928 CEST	64106	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:08.405989885 CEST	53	64106	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:08.406416893 CEST	64107	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:08.414294958 CEST	53	64107	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:08.414465904 CEST	64108	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:08.422420025 CEST	53	64108	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:08.422611952 CEST	64109	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:08.446954966 CEST	53	64109	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:08.654752970 CEST	60565	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:08.910636902 CEST	53	60565	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:08.917826891 CEST	60566	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:08.925929070 CEST	53	60566	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:08.926342964 CEST	60567	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:08.945589066 CEST	53	60567	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:08.945954084 CEST	60568	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:08.962122917 CEST	53	60568	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:08.962340117 CEST	60569	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:08.969650030 CEST	53	60569	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:08.969961882 CEST	60570	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:08.977685928 CEST	53	60570	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:09.186676979 CEST	60571	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:09.195703983 CEST	53	60571	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:09.196044922 CEST	60572	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:09.204880953 CEST	53	60572	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:09.205218077 CEST	60573	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:09.213116884 CEST	53	60573	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:09.213449001 CEST	60574	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:09.221060038 CEST	53	60574	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:09.221374035 CEST	60575	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:09.229831934 CEST	53	60575	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:09.435925961 CEST	60576	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:09.443181992 CEST	53	60576	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:09.443619967 CEST	60577	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:09.450952053 CEST	53	60577	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:09.451251030 CEST	60578	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:09.460340023 CEST	53	60578	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:09.460565090 CEST	60579	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:09.469206095 CEST	53	60579	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:09.469485998 CEST	60580	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:09.477446079 CEST	53	60580	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:09.671861887 CEST	60581	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:09.679717064 CEST	53	60581	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:09.680241108 CEST	60582	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:09.690781116 CEST	53	60582	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:09.691123962 CEST	60583	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:09.701442957 CEST	53	60583	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:09.701756001 CEST	60584	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:09.709672928 CEST	53	60584	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:09.709912062 CEST	60585	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:09.717926979 CEST	53	60585	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:09.919224024 CEST	60586	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:09.926336050 CEST	53	60586	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:09.926750898 CEST	60587	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:09.934312105 CEST	53	60587	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:09.934613943 CEST	60588	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:09.942301035 CEST	53	60588	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:09.942585945 CEST	60589	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:09.952641964 CEST	53	60589	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:09.952899933 CEST	60590	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:09.961074114 CEST	53	60590	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:10.154891968 CEST	60591	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:10.163033962 CEST	53	60591	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:10.163395882 CEST	60592	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:10.171156883 CEST	53	60592	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:10.171519041 CEST	60593	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:10.179213047 CEST	53	60593	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:10.179441929 CEST	60594	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:10.189198017 CEST	53	60594	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:10.189551115 CEST	60595	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:10.198618889 CEST	53	60595	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:10.402628899 CEST	60596	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:10.409861088 CEST	53	60596	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:10.410218954 CEST	60597	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:10.420655966 CEST	53	60597	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:10.420922041 CEST	60598	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:10.430295944 CEST	53	60598	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:10.430561066 CEST	60599	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:10.437906027 CEST	53	60599	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:10.438219070 CEST	60600	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:10.446307898 CEST	53	60600	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:10.626502991 CEST	60601	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:10.634164095 CEST	53	60601	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:10.634661913 CEST	60602	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:10.642579079 CEST	53	60602	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:10.642930031 CEST	60603	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:10.652357101 CEST	53	60603	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:10.652580976 CEST	60604	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:10.660384893 CEST	53	60604	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:10.660594940 CEST	60605	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:10.676611900 CEST	53	60605	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:10.867623091 CEST	60606	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:10.874588966 CEST	53	60606	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:10.874978065 CEST	60607	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:10.882987022 CEST	53	60607	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:10.883220911 CEST	60608	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:10.891994953 CEST	53	60608	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:10.892235994 CEST	60609	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:10.903520107 CEST	53	60609	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:10.903763056 CEST	60610	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:10.914664984 CEST	53	60610	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:11.099293947 CEST	60611	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:11.223617077 CEST	53	60611	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:11.224222898 CEST	60612	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:11.232260942 CEST	53	60612	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:11.232685089 CEST	60613	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:11.241544962 CEST	53	60613	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:11.241822004 CEST	60614	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:11.249990940 CEST	53	60614	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:11.250231028 CEST	60615	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:11.257467031 CEST	53	60615	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:11.419128895 CEST	52281	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:11.467832088 CEST	53	52281	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:11.475337982 CEST	52282	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:11.483004093 CEST	53	52282	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:11.483520031 CEST	52283	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:11.491023064 CEST	53	52283	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:11.491400957 CEST	52284	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:11.498867989 CEST	53	52284	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:11.499129057 CEST	52285	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:11.514673948 CEST	53	52285	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:11.515140057 CEST	52286	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:11.524724007 CEST	53	52286	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:11.687274933 CEST	52287	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:11.694679022 CEST	53	52287	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:11.695091963 CEST	52288	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:11.703074932 CEST	53	52288	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:11.703392982 CEST	52289	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:11.719177008 CEST	53	52289	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:11.719543934 CEST	52290	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:11.730251074 CEST	53	52290	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:11.730551958 CEST	52291	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:11.740802050 CEST	53	52291	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:11.912574053 CEST	52292	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:11.920253038 CEST	53	52292	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:11.920615911 CEST	52293	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:11.928301096 CEST	53	52293	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:11.928564072 CEST	52294	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:11.936547041 CEST	53	52294	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:11.936774015 CEST	52295	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:11.943924904 CEST	53	52295	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:11.944196939 CEST	52296	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:11.952310085 CEST	53	52296	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:12.129961014 CEST	52297	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:12.137418985 CEST	53	52297	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:12.137737989 CEST	52298	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:12.145252943 CEST	53	52298	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:12.145495892 CEST	52299	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:12.153043985 CEST	53	52299	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:12.153306961 CEST	52300	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:12.160501003 CEST	53	52300	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:12.682356119 CEST	52301	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:12.690615892 CEST	53	52301	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:12.865430117 CEST	52302	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:12.872667074 CEST	53	52302	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:12.873213053 CEST	52303	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:12.881536961 CEST	53	52303	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:12.881843090 CEST	52304	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:12.889833927 CEST	53	52304	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:12.890100956 CEST	52305	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:12.900830030 CEST	53	52305	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:12.901102066 CEST	52306	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:12.908994913 CEST	53	52306	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.063249111 CEST	52307	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.071286917 CEST	53	52307	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.071645021 CEST	52308	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.082920074 CEST	53	52308	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.083259106 CEST	52309	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.091080904 CEST	53	52309	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.091377974 CEST	52310	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.101130962 CEST	53	52310	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.101521969 CEST	52311	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.110130072 CEST	53	52311	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.260442972 CEST	49624	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.346955061 CEST	53	49624	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.354974985 CEST	49625	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.362365961 CEST	53	49625	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.362831116 CEST	49626	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.370825052 CEST	53	49626	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.371212959 CEST	49627	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.378753901 CEST	53	49627	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.379045010 CEST	49628	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.388580084 CEST	53	49628	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.388904095 CEST	49629	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.405129910 CEST	53	49629	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.556787968 CEST	49630	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.567395926 CEST	53	49630	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.567807913 CEST	49631	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.575340033 CEST	53	49631	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.575567007 CEST	49632	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.585155010 CEST	53	49632	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.585355043 CEST	49633	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.595474005 CEST	53	49633	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.595663071 CEST	49634	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.603451967 CEST	53	49634	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.749999046 CEST	49635	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.757106066 CEST	53	49635	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.757519960 CEST	49636	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.766925097 CEST	53	49636	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.767311096 CEST	49637	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.776031017 CEST	53	49637	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.776366949 CEST	49638	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.784972906 CEST	53	49638	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.785315990 CEST	49639	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.793528080 CEST	53	49639	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.957495928 CEST	49640	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.965051889 CEST	53	49640	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.965471983 CEST	49641	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.976349115 CEST	53	49641	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.976629972 CEST	49642	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.984446049 CEST	53	49642	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.984741926 CEST	49643	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:13.992924929 CEST	53	49643	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:13.993149996 CEST	49644	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.001133919 CEST	53	49644	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.141689062 CEST	49645	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.148869991 CEST	53	49645	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.149460077 CEST	49646	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.164772034 CEST	53	49646	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.166657925 CEST	49647	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.176157951 CEST	53	49647	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.176902056 CEST	49648	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.184405088 CEST	53	49648	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.184989929 CEST	49649	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.192173004 CEST	53	49649	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.328758001 CEST	49650	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.335659027 CEST	53	49650	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.336143017 CEST	49651	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.344050884 CEST	53	49651	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.344405890 CEST	49652	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.352216959 CEST	53	49652	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.352453947 CEST	49653	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.360641956 CEST	53	49653	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.360893965 CEST	49654	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.369548082 CEST	53	49654	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.514327049 CEST	49655	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.523714066 CEST	53	49655	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.524396896 CEST	49656	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.532888889 CEST	53	49656	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.533463955 CEST	49657	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.542349100 CEST	53	49657	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.542707920 CEST	49658	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.550981998 CEST	53	49658	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.551309109 CEST	49659	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.560986996 CEST	53	49659	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.687737942 CEST	49660	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.696178913 CEST	53	49660	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.696623087 CEST	49661	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.705538034 CEST	53	49661	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.705985069 CEST	49662	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.714451075 CEST	53	49662	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.714747906 CEST	49663	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.723473072 CEST	53	49663	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.723707914 CEST	49664	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.732516050 CEST	53	49664	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.863768101 CEST	49665	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.872438908 CEST	53	49665	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.872967958 CEST	49666	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.881489992 CEST	53	49666	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.881984949 CEST	49667	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.891948938 CEST	53	49667	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.892237902 CEST	49668	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.902328014 CEST	53	49668	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:14.902596951 CEST	49669	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:14.911604881 CEST	53	49669	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.036210060 CEST	49670	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.044116974 CEST	53	49670	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.044456959 CEST	49671	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.062622070 CEST	53	49671	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.062978029 CEST	49672	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.070594072 CEST	53	49672	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.070831060 CEST	49673	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.080388069 CEST	53	49673	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.080668926 CEST	49674	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.089385033 CEST	53	49674	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.223469973 CEST	49675	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.231134892 CEST	53	49675	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.231631994 CEST	49676	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.238966942 CEST	53	49676	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.239331007 CEST	49677	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.247267008 CEST	53	49677	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.247443914 CEST	49678	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.255589008 CEST	53	49678	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.255748987 CEST	49679	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.267139912 CEST	53	49679	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.388710022 CEST	49680	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.397620916 CEST	53	49680	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.397950888 CEST	49681	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.405746937 CEST	53	49681	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.406003952 CEST	49682	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.414021969 CEST	53	49682	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.414227009 CEST	49683	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.423716068 CEST	53	49683	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.423976898 CEST	49684	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.433161974 CEST	53	49684	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.569109917 CEST	49685	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.577647924 CEST	53	49685	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.578000069 CEST	49686	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.586170912 CEST	53	49686	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.586422920 CEST	49687	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.595730066 CEST	53	49687	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.595954895 CEST	49688	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.604044914 CEST	53	49688	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.604288101 CEST	49689	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.613384962 CEST	53	49689	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.750823021 CEST	49690	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.758441925 CEST	53	49690	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.758796930 CEST	49691	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.766711950 CEST	53	49691	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.766993046 CEST	49692	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.774918079 CEST	53	49692	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.775161982 CEST	49693	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.783857107 CEST	53	49693	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.784104109 CEST	49694	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.791768074 CEST	53	49694	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.935420990 CEST	49695	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.942548037 CEST	53	49695	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.942866087 CEST	49696	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.952008009 CEST	53	49696	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.952229977 CEST	49697	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.960643053 CEST	53	49697	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.960858107 CEST	49698	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.968811989 CEST	53	49698	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:15.969028950 CEST	49699	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:15.979340076 CEST	53	49699	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.098658085 CEST	49700	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.108411074 CEST	53	49700	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.108781099 CEST	49701	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.118721962 CEST	53	49701	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.118938923 CEST	49702	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.138514042 CEST	53	49702	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.138724089 CEST	49703	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.147506952 CEST	53	49703	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.147691965 CEST	49704	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.155951023 CEST	53	49704	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.295953035 CEST	49705	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.305548906 CEST	53	49705	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.305901051 CEST	49706	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.315732002 CEST	53	49706	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.316052914 CEST	49707	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.326005936 CEST	53	49707	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.326231956 CEST	49708	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.335525036 CEST	53	49708	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.335726976 CEST	49709	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.346502066 CEST	53	49709	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.456187963 CEST	49710	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.465732098 CEST	53	49710	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.466247082 CEST	49711	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.475931883 CEST	53	49711	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.476130962 CEST	49712	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.486651897 CEST	53	49712	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.486846924 CEST	49713	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.495739937 CEST	53	49713	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.495990038 CEST	49714	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.506211996 CEST	53	49714	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.608340979 CEST	64804	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.657994032 CEST	53	64804	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.665155888 CEST	64805	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.672173977 CEST	53	64805	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.672499895 CEST	64806	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.680825949 CEST	53	64806	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.681005955 CEST	64807	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.689639091 CEST	53	64807	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.689809084 CEST	64808	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.697593927 CEST	53	64808	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.697774887 CEST	64809	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.706274986 CEST	53	64809	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.814450026 CEST	64810	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.821348906 CEST	53	64810	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.821850061 CEST	64811	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.830755949 CEST	53	64811	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.832273960 CEST	64812	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.840527058 CEST	53	64812	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.840889931 CEST	64813	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.847985983 CEST	53	64813	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.848282099 CEST	64814	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.856379986 CEST	53	64814	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.990309000 CEST	64815	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:16.997385979 CEST	53	64815	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:16.997769117 CEST	64816	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.006081104 CEST	53	64816	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.006331921 CEST	64817	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.013842106 CEST	53	64817	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.014069080 CEST	64818	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.022838116 CEST	53	64818	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.023123026 CEST	64819	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.032011032 CEST	53	64819	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.140441895 CEST	64820	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.147530079 CEST	53	64820	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.147876024 CEST	64821	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.157478094 CEST	53	64821	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.157860041 CEST	64822	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.165889978 CEST	53	64822	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.166168928 CEST	64823	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.173815966 CEST	53	64823	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.174010992 CEST	64824	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.185079098 CEST	53	64824	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.289791107 CEST	64825	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.297225952 CEST	53	64825	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.297771931 CEST	64826	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.305598021 CEST	53	64826	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.305821896 CEST	64827	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.315438032 CEST	53	64827	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.315722942 CEST	64828	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.323348999 CEST	53	64828	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.323590994 CEST	64829	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.331494093 CEST	53	64829	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.442117929 CEST	64830	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.450798988 CEST	53	64830	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.451819897 CEST	64831	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.459429979 CEST	53	64831	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.459676981 CEST	64832	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.469007015 CEST	53	64832	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.471803904 CEST	64833	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.481389046 CEST	53	64833	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.483716965 CEST	64834	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.492947102 CEST	53	64834	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.599618912 CEST	64835	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.607110023 CEST	53	64835	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.607816935 CEST	64836	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.617027044 CEST	53	64836	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.619856119 CEST	64837	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.628341913 CEST	53	64837	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.630287886 CEST	64838	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.638206005 CEST	53	64838	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.642152071 CEST	64839	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.652472973 CEST	53	64839	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.750847101 CEST	64840	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.757889032 CEST	53	64840	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.759752035 CEST	64841	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.766988993 CEST	53	64841	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.767832994 CEST	64842	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.775901079 CEST	53	64842	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.779715061 CEST	64843	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.787255049 CEST	53	64843	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.787638903 CEST	64844	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.796238899 CEST	53	64844	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.896836042 CEST	64845	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.906738997 CEST	53	64845	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.907124996 CEST	64846	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.918931007 CEST	53	64846	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.919296980 CEST	64847	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.926841974 CEST	53	64847	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.927098989 CEST	64848	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.934638023 CEST	53	64848	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:17.934849024 CEST	64849	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:17.943346977 CEST	53	64849	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.061173916 CEST	64850	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.071921110 CEST	53	64850	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.075815916 CEST	64851	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.086064100 CEST	53	64851	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.086318970 CEST	64852	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.098849058 CEST	53	64852	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.099080086 CEST	64853	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.107156038 CEST	53	64853	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.107393980 CEST	64854	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.117928982 CEST	53	64854	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.219819069 CEST	64855	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.229660034 CEST	53	64855	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.230377913 CEST	64856	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.239845991 CEST	53	64856	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.240053892 CEST	64857	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.249584913 CEST	53	64857	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.249803066 CEST	64858	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.260401964 CEST	53	64858	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.261305094 CEST	64859	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.269575119 CEST	53	64859	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.352790117 CEST	51468	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.360522985 CEST	53	51468	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.367508888 CEST	51469	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.375947952 CEST	53	51469	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.376389027 CEST	51470	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.384716988 CEST	53	51470	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.384967089 CEST	51471	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.393047094 CEST	53	51471	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.393248081 CEST	51472	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.405092001 CEST	53	51472	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.405304909 CEST	51473	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.413289070 CEST	53	51473	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.499649048 CEST	51474	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.507323027 CEST	53	51474	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.507788897 CEST	51475	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.515693903 CEST	53	51475	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.519735098 CEST	51476	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.527097940 CEST	53	51476	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.527645111 CEST	51477	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.536106110 CEST	53	51477	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.539716959 CEST	51478	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.549726963 CEST	53	51478	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.665218115 CEST	51479	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.673032999 CEST	53	51479	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.673825026 CEST	51480	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.681556940 CEST	53	51480	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.682952881 CEST	51481	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.690542936 CEST	53	51481	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.693751097 CEST	51482	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.702301025 CEST	53	51482	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.705862999 CEST	51483	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.713385105 CEST	53	51483	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.803215981 CEST	51484	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.811127901 CEST	53	51484	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.814410925 CEST	51485	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.822592020 CEST	53	51485	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.825855970 CEST	51486	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.833914995 CEST	53	51486	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.834167004 CEST	51487	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.842125893 CEST	53	51487	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.845849037 CEST	51488	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.853877068 CEST	53	51488	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.938508987 CEST	51489	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.946283102 CEST	53	51489	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.946727991 CEST	51490	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.955601931 CEST	53	51490	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.955889940 CEST	51491	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.962677002 CEST	53	51491	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.962933064 CEST	51492	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.970623970 CEST	53	51492	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:18.970844984 CEST	51493	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:18.977720022 CEST	53	51493	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.069094896 CEST	51494	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.076970100 CEST	53	51494	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.077276945 CEST	51495	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.085342884 CEST	53	51495	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.085544109 CEST	51496	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.092950106 CEST	53	51496	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.093147039 CEST	51497	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.100321054 CEST	53	51497	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.100512028 CEST	51498	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.107572079 CEST	53	51498	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.256824970 CEST	51499	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.266485929 CEST	53	51499	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.266815901 CEST	51500	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.275909901 CEST	53	51500	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.276176929 CEST	51501	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.286777973 CEST	53	51501	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.287026882 CEST	51502	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.295888901 CEST	53	51502	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.296194077 CEST	51503	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.304775953 CEST	53	51503	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.389691114 CEST	51504	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.396684885 CEST	53	51504	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.396959066 CEST	51505	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.404866934 CEST	53	51505	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.405106068 CEST	51506	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.412969112 CEST	53	51506	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.413130999 CEST	51507	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.425950050 CEST	53	51507	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.426212072 CEST	51508	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.442455053 CEST	53	51508	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.529942036 CEST	51509	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.539674044 CEST	53	51509	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.540137053 CEST	51510	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.548657894 CEST	53	51510	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.548958063 CEST	51511	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.566015005 CEST	53	51511	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.566267014 CEST	51512	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.575136900 CEST	53	51512	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.575340986 CEST	51513	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.583798885 CEST	53	51513	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.685106039 CEST	51514	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.692284107 CEST	53	51514	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.693232059 CEST	51515	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.699870110 CEST	53	51515	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.700159073 CEST	51516	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.708576918 CEST	53	51516	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.708789110 CEST	51517	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.715810061 CEST	53	51517	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.716077089 CEST	51518	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.724035978 CEST	53	51518	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.810848951 CEST	51519	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.818192959 CEST	53	51519	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.818497896 CEST	51520	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.827080011 CEST	53	51520	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.827306986 CEST	51521	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.839658022 CEST	53	51521	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.839890957 CEST	51522	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.848869085 CEST	53	51522	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.849103928 CEST	51523	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.856901884 CEST	53	51523	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.944806099 CEST	51524	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.952115059 CEST	53	51524	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.952461004 CEST	51525	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.960709095 CEST	53	51525	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.960944891 CEST	51526	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.968795061 CEST	53	51526	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.969017982 CEST	51527	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.977653980 CEST	53	51527	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:19.977878094 CEST	51528	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:19.985336065 CEST	53	51528	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.076530933 CEST	51529	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.083803892 CEST	53	51529	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.084148884 CEST	51530	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.092164040 CEST	53	51530	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.092400074 CEST	51531	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.100063086 CEST	53	51531	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.100281000 CEST	51532	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.108757973 CEST	53	51532	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.108975887 CEST	51533	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.116709948 CEST	53	51533	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.201978922 CEST	51534	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.209804058 CEST	53	51534	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.210215092 CEST	51535	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.218614101 CEST	53	51535	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.218910933 CEST	51536	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.227822065 CEST	53	51536	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.228087902 CEST	51537	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.235903978 CEST	53	51537	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.236124992 CEST	51538	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.243860960 CEST	53	51538	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.326822042 CEST	51539	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.336643934 CEST	53	51539	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.337146044 CEST	51540	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.347410917 CEST	53	51540	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.347827911 CEST	51541	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.359872103 CEST	53	51541	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.362550020 CEST	51542	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.371260881 CEST	53	51542	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.373788118 CEST	51543	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.381227970 CEST	53	51543	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.474386930 CEST	51544	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.484292030 CEST	53	51544	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.484627962 CEST	51545	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.493016005 CEST	53	51545	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.493191004 CEST	51546	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.501631975 CEST	53	51546	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.501936913 CEST	51547	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.511221886 CEST	53	51547	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.511478901 CEST	51548	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.520860910 CEST	53	51548	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.593770027 CEST	51549	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.608961105 CEST	53	51549	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.609349012 CEST	51550	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.618153095 CEST	53	51550	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.618334055 CEST	51551	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.627038002 CEST	53	51551	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.627223015 CEST	51552	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.636878967 CEST	53	51552	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.637089014 CEST	51553	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.646514893 CEST	53	51553	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.723854065 CEST	51554	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.731904984 CEST	53	51554	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.732225895 CEST	51555	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.742326975 CEST	53	51555	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.742635012 CEST	51556	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.753098965 CEST	53	51556	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.753329992 CEST	51557	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.766549110 CEST	53	51557	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.766792059 CEST	51558	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.775505066 CEST	53	51558	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.858139038 CEST	51559	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.867520094 CEST	53	51559	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.868092060 CEST	51560	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.879122019 CEST	53	51560	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.879621029 CEST	51561	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.888818026 CEST	53	51561	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.889116049 CEST	51562	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.898636103 CEST	53	51562	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.898900986 CEST	51563	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:20.908092976 CEST	53	51563	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:20.990763903 CEST	51564	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.000571966 CEST	53	51564	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.000905991 CEST	51565	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.011467934 CEST	53	51565	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.011919975 CEST	51566	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.020350933 CEST	53	51566	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.020648956 CEST	51567	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.032634020 CEST	53	51567	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.033066034 CEST	51568	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.042469025 CEST	53	51568	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.132006884 CEST	51569	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.139127016 CEST	53	51569	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.139494896 CEST	51570	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.148214102 CEST	53	51570	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.148456097 CEST	51571	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.155934095 CEST	53	51571	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.156131983 CEST	51572	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.165126085 CEST	53	51572	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.165307045 CEST	51573	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.173832893 CEST	53	51573	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.242960930 CEST	61073	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.408685923 CEST	53	61073	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.415829897 CEST	61074	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.423535109 CEST	53	61074	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.423974037 CEST	61075	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.432442904 CEST	53	61075	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.432764053 CEST	61076	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.441478968 CEST	53	61076	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.441778898 CEST	61077	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.451785088 CEST	53	61077	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.451987982 CEST	61078	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.461518049 CEST	53	61078	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.528142929 CEST	61079	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.535753965 CEST	53	61079	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.536118984 CEST	61080	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.545193911 CEST	53	61080	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.545629978 CEST	61081	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.554769993 CEST	53	61081	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.554975033 CEST	61082	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.562508106 CEST	53	61082	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.562781096 CEST	61083	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.570096970 CEST	53	61083	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.644725084 CEST	61084	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.651762009 CEST	53	61084	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.652089119 CEST	61085	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.660533905 CEST	53	61085	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.660788059 CEST	61086	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.668131113 CEST	53	61086	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.668342113 CEST	61087	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.676233053 CEST	53	61087	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.676415920 CEST	61088	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.687393904 CEST	53	61088	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.774460077 CEST	61089	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.782520056 CEST	53	61089	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.782922983 CEST	61090	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.793200016 CEST	53	61090	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.793493986 CEST	61091	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.802947044 CEST	53	61091	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.803335905 CEST	61092	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.811206102 CEST	53	61092	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.811518908 CEST	61093	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.819394112 CEST	53	61093	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.889404058 CEST	61094	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.896935940 CEST	53	61094	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.897496939 CEST	61095	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.906059027 CEST	53	61095	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.906317949 CEST	61096	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.915522099 CEST	53	61096	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.915739059 CEST	61097	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.925770044 CEST	53	61097	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:21.926088095 CEST	61098	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:21.936922073 CEST	53	61098	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.019726992 CEST	61099	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.030699968 CEST	53	61099	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.031089067 CEST	61100	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.042943001 CEST	53	61100	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.043354034 CEST	61101	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.052095890 CEST	53	61101	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.052349091 CEST	61102	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.062891960 CEST	53	61102	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.063146114 CEST	61103	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.075294018 CEST	53	61103	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.165985107 CEST	61104	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.173202991 CEST	53	61104	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.173746109 CEST	61105	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.180855989 CEST	53	61105	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.181129932 CEST	61106	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.189038992 CEST	53	61106	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.189280987 CEST	61107	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.197493076 CEST	53	61107	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.199469090 CEST	61108	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.208173990 CEST	53	61108	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.281749010 CEST	61109	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.289108992 CEST	53	61109	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.289494038 CEST	61110	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.300419092 CEST	53	61110	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.300738096 CEST	61111	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.310370922 CEST	53	61111	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.310612917 CEST	61112	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.320038080 CEST	53	61112	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.320255041 CEST	61113	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.329185963 CEST	53	61113	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.405572891 CEST	61114	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.414979935 CEST	53	61114	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.418006897 CEST	61115	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.426980019 CEST	53	61115	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.427309990 CEST	61116	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.435194969 CEST	53	61116	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.435516119 CEST	61117	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.443221092 CEST	53	61117	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.443414927 CEST	61118	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.451905012 CEST	53	61118	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.530405045 CEST	61119	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.542753935 CEST	53	61119	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.543128967 CEST	61120	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.551475048 CEST	53	61120	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.551671982 CEST	61121	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.562202930 CEST	53	61121	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.562386990 CEST	61122	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.572424889 CEST	53	61122	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.572613001 CEST	61123	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.580672979 CEST	53	61123	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.655781984 CEST	61124	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.662733078 CEST	53	61124	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.663220882 CEST	61125	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.672349930 CEST	53	61125	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.672732115 CEST	61126	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.680294991 CEST	53	61126	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.680521965 CEST	61127	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.687558889 CEST	53	61127	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.687757969 CEST	61128	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.697953939 CEST	53	61128	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.773387909 CEST	61129	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.780927896 CEST	53	61129	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.781311989 CEST	61130	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.797408104 CEST	53	61130	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.799719095 CEST	61131	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.808677912 CEST	53	61131	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.808940887 CEST	61132	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.817226887 CEST	53	61132	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.819071054 CEST	61133	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.826427937 CEST	53	61133	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.891402006 CEST	61134	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.899137020 CEST	53	61134	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.899593115 CEST	61135	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.907460928 CEST	53	61135	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.907787085 CEST	61136	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.915644884 CEST	53	61136	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.915863991 CEST	61137	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.923176050 CEST	53	61137	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:22.923485041 CEST	61138	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:22.932420015 CEST	53	61138	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.004084110 CEST	61139	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.013648987 CEST	53	61139	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.014113903 CEST	61140	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.023557901 CEST	53	61140	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.023828983 CEST	61141	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.033741951 CEST	53	61141	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.034073114 CEST	61142	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.045028925 CEST	53	61142	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.045300007 CEST	61143	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.054693937 CEST	53	61143	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.142092943 CEST	61144	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.150324106 CEST	53	61144	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.150682926 CEST	61145	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.159877062 CEST	53	61145	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.160115957 CEST	61146	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.175225019 CEST	53	61146	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.175493956 CEST	61147	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.186479092 CEST	53	61147	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.186741114 CEST	61148	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.196043015 CEST	53	61148	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.259159088 CEST	51362	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.306926966 CEST	53	51362	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.316736937 CEST	51363	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.323904991 CEST	53	51363	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.324340105 CEST	51364	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.331924915 CEST	53	51364	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.334311962 CEST	51365	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.342660904 CEST	53	51365	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.346081972 CEST	51366	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.353099108 CEST	53	51366	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.353877068 CEST	51367	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.362307072 CEST	53	51367	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.447690964 CEST	51368	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.454993010 CEST	53	51368	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.456783056 CEST	51369	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.466114044 CEST	53	51369	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.474833012 CEST	51370	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.482865095 CEST	53	51370	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.486680984 CEST	51371	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.493825912 CEST	53	51371	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.495486975 CEST	51372	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.503556013 CEST	53	51372	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.577445030 CEST	51373	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.584703922 CEST	53	51373	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.587462902 CEST	51374	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.595645905 CEST	53	51374	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.598654985 CEST	51375	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.606197119 CEST	53	51375	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.611747980 CEST	51376	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.619887114 CEST	53	51376	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.623745918 CEST	51377	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.630852938 CEST	53	51377	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.708271980 CEST	51378	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.715823889 CEST	53	51378	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.716255903 CEST	51379	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.724251032 CEST	53	51379	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.726113081 CEST	51380	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.733787060 CEST	53	51380	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.738092899 CEST	51381	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.745542049 CEST	53	51381	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.749955893 CEST	51382	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.759488106 CEST	53	51382	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.838881016 CEST	51383	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.846009016 CEST	53	51383	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.847830057 CEST	51384	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.856679916 CEST	53	51384	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.859638929 CEST	51385	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.869051933 CEST	53	51385	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.869292974 CEST	51386	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.877156973 CEST	53	51386	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.877362013 CEST	51387	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.887227058 CEST	53	51387	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.955902100 CEST	51388	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.962954998 CEST	53	51388	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.963295937 CEST	51389	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.971584082 CEST	53	51389	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.971828938 CEST	51390	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.979357004 CEST	53	51390	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.979665995 CEST	51391	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.989790916 CEST	53	51391	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:23.990128994 CEST	51392	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:23.997736931 CEST	53	51392	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.074960947 CEST	51393	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.082483053 CEST	53	51393	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.082885981 CEST	51394	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.090959072 CEST	53	51394	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.091265917 CEST	51395	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.098752975 CEST	53	51395	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.098993063 CEST	51396	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.106452942 CEST	53	51396	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.106744051 CEST	51397	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.114494085 CEST	53	51397	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.198837996 CEST	51398	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.205651045 CEST	53	51398	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.206098080 CEST	51399	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.213736057 CEST	53	51399	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.214124918 CEST	51400	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.221571922 CEST	53	51400	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.221869946 CEST	51401	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.229867935 CEST	53	51401	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.230109930 CEST	51402	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.239270926 CEST	53	51402	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.318211079 CEST	51403	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.325120926 CEST	53	51403	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.325473070 CEST	51404	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.333014965 CEST	53	51404	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.333246946 CEST	51405	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.340692043 CEST	53	51405	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.340939999 CEST	51406	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.348875046 CEST	53	51406	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.349193096 CEST	51407	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.356261015 CEST	53	51407	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.420697927 CEST	51408	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.429052114 CEST	53	51408	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.432029009 CEST	51409	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.440329075 CEST	53	51409	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.443820000 CEST	51410	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.451561928 CEST	53	51410	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.454529047 CEST	51411	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.462796926 CEST	53	51411	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.463157892 CEST	51412	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.472714901 CEST	53	51412	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.545547962 CEST	51413	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.553900957 CEST	53	51413	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.554274082 CEST	51414	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.561463118 CEST	53	51414	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.561692953 CEST	51415	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.573175907 CEST	53	51415	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.573565006 CEST	51416	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.580466986 CEST	53	51416	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.580724955 CEST	51417	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.590636015 CEST	53	51417	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.664541960 CEST	51418	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.671652079 CEST	53	51418	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.673892975 CEST	51419	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.682769060 CEST	53	51419	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.685786963 CEST	51420	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.693958998 CEST	53	51420	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.694658995 CEST	51421	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.703079939 CEST	53	51421	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.707817078 CEST	51422	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.717847109 CEST	53	51422	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.784770012 CEST	51423	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.793633938 CEST	53	51423	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.798372984 CEST	51424	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.807173967 CEST	53	51424	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.807940006 CEST	51425	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.816781044 CEST	53	51425	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.819817066 CEST	51426	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.829797983 CEST	53	51426	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.831866026 CEST	51427	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.840212107 CEST	53	51427	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.905538082 CEST	51428	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.912286043 CEST	53	51428	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.915663958 CEST	51429	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.923187017 CEST	53	51429	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.923408031 CEST	51430	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.931143999 CEST	53	51430	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.931377888 CEST	51431	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.940905094 CEST	53	51431	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:24.941139936 CEST	51432	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:24.949662924 CEST	53	51432	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.019591093 CEST	51433	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.028683901 CEST	53	51433	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.029047966 CEST	51434	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.038009882 CEST	53	51434	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.038347960 CEST	51435	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.046366930 CEST	53	51435	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.046734095 CEST	51436	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.054646015 CEST	53	51436	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.055272102 CEST	51437	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.064013004 CEST	53	51437	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.153480053 CEST	51438	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.166217089 CEST	53	51438	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.166920900 CEST	51439	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.179598093 CEST	53	51439	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.181390047 CEST	51440	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.193520069 CEST	53	51440	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.193900108 CEST	51441	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.202208996 CEST	53	51441	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.202522039 CEST	51442	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.211699009 CEST	53	51442	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.295999050 CEST	51443	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.305960894 CEST	53	51443	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.306334019 CEST	51444	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.315910101 CEST	53	51444	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.316245079 CEST	51445	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.326961994 CEST	53	51445	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.327341080 CEST	51446	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.338021994 CEST	53	51446	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.338327885 CEST	51447	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.348546982 CEST	53	51447	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.428642988 CEST	51448	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.437052011 CEST	53	51448	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.437979937 CEST	51449	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.448698997 CEST	53	51449	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.449702024 CEST	51450	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.458723068 CEST	53	51450	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.461749077 CEST	51451	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.470807076 CEST	53	51451	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.473854065 CEST	51452	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.486057043 CEST	53	51452	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.895756006 CEST	51453	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.903223038 CEST	53	51453	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.907969952 CEST	51454	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.916834116 CEST	53	51454	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.918548107 CEST	51455	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.926867962 CEST	53	51455	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.927293062 CEST	51456	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.936692953 CEST	53	51456	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:25.939313889 CEST	51457	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:25.947643995 CEST	53	51457	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.066992998 CEST	51458	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.074664116 CEST	53	51458	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.075054884 CEST	51459	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.082412004 CEST	53	51459	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.083028078 CEST	51460	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.093909025 CEST	53	51460	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.094221115 CEST	51461	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.102248907 CEST	53	51461	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.102596045 CEST	51462	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.111548901 CEST	53	51462	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.189273119 CEST	51463	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.198554039 CEST	53	51463	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.199438095 CEST	51464	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.207195044 CEST	53	51464	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.208554983 CEST	51465	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.216051102 CEST	53	51465	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.216814041 CEST	51466	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.224267960 CEST	53	51466	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.227747917 CEST	51467	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.237102032 CEST	53	51467	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.295500994 CEST	56487	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.551830053 CEST	53	56487	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.560513020 CEST	56488	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.569169044 CEST	53	56488	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.569796085 CEST	56489	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.577341080 CEST	53	56489	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.577836037 CEST	56490	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.586193085 CEST	53	56490	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.586421013 CEST	56491	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.595104933 CEST	53	56491	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.595462084 CEST	56492	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.602533102 CEST	53	56492	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.678802967 CEST	56493	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.686065912 CEST	53	56493	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.686451912 CEST	56494	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.693726063 CEST	53	56494	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.694022894 CEST	56495	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.702332020 CEST	53	56495	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.702610970 CEST	56496	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.710714102 CEST	53	56496	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.710947037 CEST	56497	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.718909979 CEST	53	56497	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.782349110 CEST	56498	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.789563894 CEST	53	56498	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.790056944 CEST	56499	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.797430038 CEST	53	56499	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.797714949 CEST	56500	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.805255890 CEST	53	56500	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.805569887 CEST	56501	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.812865973 CEST	53	56501	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.813155890 CEST	56502	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.821238995 CEST	53	56502	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.896861076 CEST	56503	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.904174089 CEST	53	56503	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.904794931 CEST	56504	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.914350033 CEST	53	56504	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.914958954 CEST	56505	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.925060034 CEST	53	56505	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.925398111 CEST	56506	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.933144093 CEST	53	56506	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:26.933362007 CEST	56507	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:26.943727016 CEST	53	56507	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.005386114 CEST	56508	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.012243986 CEST	53	56508	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.012712955 CEST	56509	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.020347118 CEST	53	56509	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.020703077 CEST	56510	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.028836966 CEST	53	56510	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.029191971 CEST	56511	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.037302017 CEST	53	56511	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.037587881 CEST	56512	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.044933081 CEST	53	56512	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.115876913 CEST	56513	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.125072002 CEST	53	56513	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.125483990 CEST	56514	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.134028912 CEST	53	56514	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.134308100 CEST	56515	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.148889065 CEST	53	56515	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.149194002 CEST	56516	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.159545898 CEST	53	56516	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.159982920 CEST	56517	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.169934034 CEST	53	56517	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.266616106 CEST	56518	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.275336027 CEST	53	56518	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.275876999 CEST	56519	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.285757065 CEST	53	56519	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.286081076 CEST	56520	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.296511889 CEST	53	56520	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.298571110 CEST	56521	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.310112000 CEST	53	56521	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.310497999 CEST	56522	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.322292089 CEST	53	56522	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.394856930 CEST	56523	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.404603004 CEST	53	56523	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.406682014 CEST	56524	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.417272091 CEST	53	56524	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.419925928 CEST	56525	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.433387041 CEST	53	56525	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.435849905 CEST	56526	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.446165085 CEST	53	56526	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.447860003 CEST	56527	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.460994005 CEST	53	56527	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.536215067 CEST	56528	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.545825958 CEST	53	56528	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.546941042 CEST	56529	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.554878950 CEST	53	56529	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.557959080 CEST	56530	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.567177057 CEST	53	56530	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.569905043 CEST	56531	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.577491999 CEST	53	56531	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.581995010 CEST	56532	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.589917898 CEST	53	56532	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.654259920 CEST	56533	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.663047075 CEST	53	56533	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.666032076 CEST	56534	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.673283100 CEST	53	56534	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.673835039 CEST	56535	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.682198048 CEST	53	56535	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.685908079 CEST	56536	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.694736004 CEST	53	56536	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.697813034 CEST	56537	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.706492901 CEST	53	56537	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.767122984 CEST	56538	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.774179935 CEST	53	56538	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.774606943 CEST	56539	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.782682896 CEST	53	56539	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.783044100 CEST	56540	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.791491032 CEST	53	56540	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.791786909 CEST	56541	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.800935030 CEST	53	56541	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.801209927 CEST	56542	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.809792042 CEST	53	56542	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.882160902 CEST	56543	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.890777111 CEST	53	56543	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.891182899 CEST	56544	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.901025057 CEST	53	56544	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.901417017 CEST	56545	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.910283089 CEST	53	56545	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.911789894 CEST	56546	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.919501066 CEST	53	56546	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:27.926637888 CEST	56547	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:27.938184977 CEST	53	56547	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:28.006213903 CEST	56548	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:28.014054060 CEST	53	56548	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:28.014487982 CEST	56549	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:28.022352934 CEST	53	56549	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:28.022802114 CEST	56550	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:28.030643940 CEST	53	56550	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:28.030967951 CEST	56551	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:28.038995028 CEST	53	56551	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:28.039505005 CEST	56552	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:28.049151897 CEST	53	56552	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:28.148926020 CEST	56553	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:28.157773972 CEST	53	56553	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:28.158294916 CEST	56554	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:28.166850090 CEST	53	56554	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:28.167464018 CEST	56555	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:28.176384926 CEST	53	56555	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:28.176856041 CEST	56556	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:28.185295105 CEST	53	56556	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:28.185575008 CEST	56557	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:28.193043947 CEST	53	56557	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:28.692295074 CEST	64636	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:28.778930902 CEST	53	64636	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:28.786263943 CEST	64637	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:28.796533108 CEST	53	64637	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:28.796952963 CEST	64638	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:28.804868937 CEST	53	64638	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:28.805105925 CEST	64639	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:28.812464952 CEST	53	64639	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:28.812726021 CEST	64640	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:28.820385933 CEST	53	64640	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:28.820663929 CEST	64641	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:28.828438997 CEST	53	64641	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:28.892810106 CEST	64642	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:28.900619030 CEST	53	64642	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:28.901189089 CEST	64643	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:28.911845922 CEST	53	64643	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:28.912183046 CEST	64644	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:28.920063972 CEST	53	64644	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:28.920444012 CEST	64645	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:28.929557085 CEST	53	64645	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:28.929804087 CEST	64646	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:28.938888073 CEST	53	64646	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.015511990 CEST	64647	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.023122072 CEST	53	64647	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.023504019 CEST	64648	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.037544012 CEST	53	64648	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.037847996 CEST	64649	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.050307989 CEST	53	64649	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.050595999 CEST	64650	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.063668966 CEST	53	64650	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.063945055 CEST	64651	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.077683926 CEST	53	64651	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.148065090 CEST	64652	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.160187006 CEST	53	64652	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.160959005 CEST	64653	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.174285889 CEST	53	64653	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.174638033 CEST	64654	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.187670946 CEST	53	64654	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.188055038 CEST	64655	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.202558041 CEST	53	64655	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.202888012 CEST	64656	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.214927912 CEST	53	64656	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.286180019 CEST	64657	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.297205925 CEST	53	64657	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.297715902 CEST	64658	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.308290958 CEST	53	64658	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.308706045 CEST	64659	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.320486069 CEST	53	64659	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.320909023 CEST	64660	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.330476046 CEST	53	64660	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.330872059 CEST	64661	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.338264942 CEST	53	64661	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.406259060 CEST	64662	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.413707018 CEST	53	64662	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.414114952 CEST	64663	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.422823906 CEST	53	64663	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.423193932 CEST	64664	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.430613995 CEST	53	64664	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.430857897 CEST	64665	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.442034006 CEST	53	64665	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.442291975 CEST	64666	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.450009108 CEST	53	64666	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.517519951 CEST	64667	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.527586937 CEST	53	64667	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.527976990 CEST	64668	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.536094904 CEST	53	64668	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.536317110 CEST	64669	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.546920061 CEST	53	64669	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.547143936 CEST	64670	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.557996035 CEST	53	64670	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.558195114 CEST	64671	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.568145037 CEST	53	64671	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.626286983 CEST	64672	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.635688066 CEST	53	64672	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.636643887 CEST	64673	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.646612883 CEST	53	64673	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.646991968 CEST	64674	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.656786919 CEST	53	64674	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.661781073 CEST	64675	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.672234058 CEST	53	64675	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.672530890 CEST	64676	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.683408976 CEST	53	64676	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.749768019 CEST	64677	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.757189035 CEST	53	64677	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.757608891 CEST	64678	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.765692949 CEST	53	64678	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.766024113 CEST	64679	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.774312973 CEST	53	64679	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.774542093 CEST	64680	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.782407045 CEST	53	64680	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.782668114 CEST	64681	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.791635036 CEST	53	64681	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.864635944 CEST	64682	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.871783972 CEST	53	64682	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.872108936 CEST	64683	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.880956888 CEST	53	64683	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.881211996 CEST	64684	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.890135050 CEST	53	64684	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.890376091 CEST	64685	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.898454905 CEST	53	64685	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.898714066 CEST	64686	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.906219959 CEST	53	64686	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.966485023 CEST	64687	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.973234892 CEST	53	64687	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.973573923 CEST	64688	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.981494904 CEST	53	64688	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.981811047 CEST	64689	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:29.991095066 CEST	53	64689	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:29.991472006 CEST	64690	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.000538111 CEST	53	64690	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.000817060 CEST	64691	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.010402918 CEST	53	64691	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.080625057 CEST	64692	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.090164900 CEST	53	64692	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.090534925 CEST	64693	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.099196911 CEST	53	64693	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.099473000 CEST	64694	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.107981920 CEST	53	64694	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.108210087 CEST	64695	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.117938042 CEST	53	64695	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.118153095 CEST	64696	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.126991987 CEST	53	64696	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.190740108 CEST	64697	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.201138973 CEST	53	64697	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.201576948 CEST	64698	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.211292982 CEST	53	64698	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.211524963 CEST	64699	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.221343040 CEST	53	64699	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.221663952 CEST	64700	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.229899883 CEST	53	64700	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.230245113 CEST	64701	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.237246037 CEST	53	64701	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.300880909 CEST	64702	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.308012962 CEST	53	64702	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.308732033 CEST	64703	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.317678928 CEST	53	64703	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.317985058 CEST	64704	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.325211048 CEST	53	64704	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.325630903 CEST	64705	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.333520889 CEST	53	64705	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.333988905 CEST	64706	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.342778921 CEST	53	64706	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.406985044 CEST	64707	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.414135933 CEST	53	64707	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.415807009 CEST	64708	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.423485994 CEST	53	64708	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.423983097 CEST	64709	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.432743073 CEST	53	64709	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.432986975 CEST	64710	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.441582918 CEST	53	64710	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.441986084 CEST	64711	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.449856043 CEST	53	64711	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.516066074 CEST	64712	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.523122072 CEST	53	64712	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.523572922 CEST	64713	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.531500101 CEST	53	64713	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.531747103 CEST	64714	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.539347887 CEST	53	64714	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.539632082 CEST	64715	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.547771931 CEST	53	64715	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.548034906 CEST	64716	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.556744099 CEST	53	64716	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.624397993 CEST	64717	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.631613016 CEST	53	64717	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.632239103 CEST	64718	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.639353037 CEST	53	64718	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.639625072 CEST	64719	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.647301912 CEST	53	64719	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.647492886 CEST	64720	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.654995918 CEST	53	64720	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.655730963 CEST	64721	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.662990093 CEST	53	64721	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.732279062 CEST	64722	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.739875078 CEST	53	64722	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.743774891 CEST	64723	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.751331091 CEST	53	64723	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.751717091 CEST	64724	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.763676882 CEST	53	64724	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.767932892 CEST	64725	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.778188944 CEST	53	64725	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.779710054 CEST	64726	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.787709951 CEST	53	64726	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.856839895 CEST	64727	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.866767883 CEST	53	64727	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.870269060 CEST	64728	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.878844976 CEST	53	64728	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.882030964 CEST	64729	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.892421961 CEST	53	64729	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.893951893 CEST	64730	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.905775070 CEST	53	64730	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.906267881 CEST	64731	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:30.918101072 CEST	53	64731	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:30.989451885 CEST	64732	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.001034021 CEST	53	64732	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.001528978 CEST	64733	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.010885954 CEST	53	64733	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.011406898 CEST	64734	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.021042109 CEST	53	64734	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.021615982 CEST	64735	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.030828953 CEST	53	64735	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.031152010 CEST	64736	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.040769100 CEST	53	64736	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.116897106 CEST	64737	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.126297951 CEST	53	64737	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.126677990 CEST	64738	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.134754896 CEST	53	64738	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.135077000 CEST	64739	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.150654078 CEST	53	64739	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.150976896 CEST	64740	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.163921118 CEST	53	64740	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.164237022 CEST	64741	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.177027941 CEST	53	64741	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.240391016 CEST	64742	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.252540112 CEST	53	64742	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.252990007 CEST	64743	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.264750957 CEST	53	64743	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.265094995 CEST	64744	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.277678013 CEST	53	64744	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.278028011 CEST	64745	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.291789055 CEST	53	64745	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.292263985 CEST	64746	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.300276041 CEST	53	64746	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.374367952 CEST	50795	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.529920101 CEST	53	50795	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.541033983 CEST	50796	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.547977924 CEST	53	50796	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.548439980 CEST	50797	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.556984901 CEST	53	50797	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.557205915 CEST	50798	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.566562891 CEST	53	50798	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.566998959 CEST	50799	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.576179981 CEST	53	50799	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.576548100 CEST	50800	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.584379911 CEST	53	50800	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.658420086 CEST	50801	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.669508934 CEST	53	50801	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.670011997 CEST	50802	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.678162098 CEST	53	50802	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.678498030 CEST	50803	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.687035084 CEST	53	50803	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.689857960 CEST	50804	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.696943045 CEST	53	50804	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.697746038 CEST	50805	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.706300974 CEST	53	50805	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.767637014 CEST	50806	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.774578094 CEST	53	50806	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.774971962 CEST	50807	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.786483049 CEST	53	50807	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.786910057 CEST	50808	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.794728994 CEST	53	50808	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.795018911 CEST	50809	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.805104971 CEST	53	50809	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.805403948 CEST	50810	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.813803911 CEST	53	50810	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.875859022 CEST	50811	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.883413076 CEST	53	50811	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.883951902 CEST	50812	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.893064022 CEST	53	50812	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.894254923 CEST	50813	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.904542923 CEST	53	50813	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.907433987 CEST	50814	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.916198015 CEST	53	50814	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.916532040 CEST	50815	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.924680948 CEST	53	50815	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.988775969 CEST	50816	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:31.996522903 CEST	53	50816	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:31.997036934 CEST	50817	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.006738901 CEST	53	50817	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.006978035 CEST	50818	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.014565945 CEST	53	50818	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.014852047 CEST	50819	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.021883965 CEST	53	50819	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.022099972 CEST	50820	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.033220053 CEST	53	50820	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.107752085 CEST	50821	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.115063906 CEST	53	50821	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.115392923 CEST	50822	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.124058962 CEST	53	50822	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.124295950 CEST	50823	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.131721020 CEST	53	50823	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.131941080 CEST	50824	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.139031887 CEST	53	50824	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.139220953 CEST	50825	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.146259069 CEST	53	50825	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.208894968 CEST	50826	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.216195107 CEST	53	50826	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.216552019 CEST	50827	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.224592924 CEST	53	50827	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.224858999 CEST	50828	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.236722946 CEST	53	50828	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.237024069 CEST	50829	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.245832920 CEST	53	50829	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.246507883 CEST	50830	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.255624056 CEST	53	50830	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.317812920 CEST	50831	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.326643944 CEST	53	50831	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.327003956 CEST	50832	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.338900089 CEST	53	50832	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.339376926 CEST	50833	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.348618031 CEST	53	50833	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.348929882 CEST	50834	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.358535051 CEST	53	50834	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.358830929 CEST	50835	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.368628025 CEST	53	50835	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.430489063 CEST	50836	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.437671900 CEST	53	50836	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.438200951 CEST	50837	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.445197105 CEST	53	50837	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.445425034 CEST	50838	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.452842951 CEST	53	50838	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.453082085 CEST	50839	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.460465908 CEST	53	50839	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.460690022 CEST	50840	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.469785929 CEST	53	50840	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.532469034 CEST	50841	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.539745092 CEST	53	50841	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.540190935 CEST	50842	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.547583103 CEST	53	50842	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.547976971 CEST	50843	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.555670977 CEST	53	50843	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.556123972 CEST	50844	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.564285040 CEST	53	50844	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.564542055 CEST	50845	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.571994066 CEST	53	50845	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.645390034 CEST	50846	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.652791977 CEST	53	50846	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.653964043 CEST	50847	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.662101030 CEST	53	50847	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.664514065 CEST	50848	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.672750950 CEST	53	50848	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.672960997 CEST	50849	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.681598902 CEST	53	50849	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.681762934 CEST	50850	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.690849066 CEST	53	50850	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.769604921 CEST	50851	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.777612925 CEST	53	50851	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.778487921 CEST	50852	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.785912991 CEST	53	50852	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.789556026 CEST	50853	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.797439098 CEST	53	50853	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.797719955 CEST	50854	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.806994915 CEST	53	50854	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.809066057 CEST	50855	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.817009926 CEST	53	50855	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.889908075 CEST	50856	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.899808884 CEST	53	50856	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.900340080 CEST	50857	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.908869028 CEST	53	50857	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.909122944 CEST	50858	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.919466019 CEST	53	50858	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.919969082 CEST	50859	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.929222107 CEST	53	50859	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:32.929639101 CEST	50860	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:32.939675093 CEST	53	50860	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.001614094 CEST	50861	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.010929108 CEST	53	50861	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.011523008 CEST	50862	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.018740892 CEST	53	50862	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.019113064 CEST	50863	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.027683973 CEST	53	50863	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.028060913 CEST	50864	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.036915064 CEST	53	50864	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.037377119 CEST	50865	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.045066118 CEST	53	50865	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.140476942 CEST	50866	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.148422003 CEST	53	50866	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.148883104 CEST	50867	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.156493902 CEST	53	50867	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.157022953 CEST	50868	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.164593935 CEST	53	50868	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.164856911 CEST	50869	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.172529936 CEST	53	50869	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.172780991 CEST	50870	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.180901051 CEST	53	50870	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.244983912 CEST	50812	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.252309084 CEST	53	50812	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.260756016 CEST	50813	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.268488884 CEST	53	50813	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.269011021 CEST	50814	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.275973082 CEST	53	50814	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.276320934 CEST	50815	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.284245014 CEST	53	50815	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.284584045 CEST	50816	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.291821003 CEST	53	50816	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.292124987 CEST	50817	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.300251007 CEST	53	50817	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.372477055 CEST	50818	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.379554987 CEST	53	50818	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.379991055 CEST	50819	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.387135983 CEST	53	50819	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.387749910 CEST	50820	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.395814896 CEST	53	50820	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.396116018 CEST	50821	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.403362989 CEST	53	50821	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.405880928 CEST	50822	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.413696051 CEST	53	50822	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.484760046 CEST	50823	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.492125034 CEST	53	50823	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.493773937 CEST	50824	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.501007080 CEST	53	50824	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.501765013 CEST	50825	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.509536028 CEST	53	50825	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.510162115 CEST	50826	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.518354893 CEST	53	50826	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.519747019 CEST	50827	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.528088093 CEST	53	50827	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.617610931 CEST	50828	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.625416994 CEST	53	50828	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.627911091 CEST	50829	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.638463974 CEST	53	50829	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.639884949 CEST	50830	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.647515059 CEST	53	50830	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.651992083 CEST	50831	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.659394026 CEST	53	50831	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.663758993 CEST	50832	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.671494007 CEST	53	50832	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.739226103 CEST	50833	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.746339083 CEST	53	50833	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.746695995 CEST	50834	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.754432917 CEST	53	50834	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.759952068 CEST	50835	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.768201113 CEST	53	50835	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.771955967 CEST	50836	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.780502081 CEST	53	50836	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.783854961 CEST	50837	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.794429064 CEST	53	50837	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.867315054 CEST	50838	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.874183893 CEST	53	50838	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.879903078 CEST	50839	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.887774944 CEST	53	50839	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.891794920 CEST	50840	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.899051905 CEST	53	50840	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.903793097 CEST	50841	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.917238951 CEST	53	50841	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.918879986 CEST	50842	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.926573038 CEST	53	50842	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.983694077 CEST	50843	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:33.990896940 CEST	53	50843	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:33.994014978 CEST	50844	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.000785112 CEST	53	50844	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.001765966 CEST	50845	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.008784056 CEST	53	50845	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.009080887 CEST	50846	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.016338110 CEST	53	50846	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.016702890 CEST	50847	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.023734093 CEST	53	50847	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.094351053 CEST	50848	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.104237080 CEST	53	50848	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.104944944 CEST	50849	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.114860058 CEST	53	50849	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.115241051 CEST	50850	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.123827934 CEST	53	50850	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.124181032 CEST	50851	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.132324934 CEST	53	50851	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.132667065 CEST	50852	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.144345045 CEST	53	50852	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.207499027 CEST	50853	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.214339018 CEST	53	50853	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.214683056 CEST	50854	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.221375942 CEST	53	50854	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.221617937 CEST	50855	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.229036093 CEST	53	50855	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.229281902 CEST	50856	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.239546061 CEST	53	50856	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.239806890 CEST	50857	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.248090982 CEST	53	50857	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.317219019 CEST	50858	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.325203896 CEST	53	50858	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.325699091 CEST	50859	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.333142042 CEST	53	50859	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.333477020 CEST	50860	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.340424061 CEST	53	50860	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.340709925 CEST	50861	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.349143982 CEST	53	50861	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.349421978 CEST	50862	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.358011007 CEST	53	50862	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.426831007 CEST	50863	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.434053898 CEST	53	50863	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.434967995 CEST	50864	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.443187952 CEST	53	50864	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.443851948 CEST	50865	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.452737093 CEST	53	50865	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.457859993 CEST	50866	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.467582941 CEST	53	50866	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.467988968 CEST	50867	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.476982117 CEST	53	50867	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.531224012 CEST	50868	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.541491985 CEST	53	50868	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.541873932 CEST	50869	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.552112103 CEST	53	50869	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.552462101 CEST	50870	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.562926054 CEST	53	50870	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.563177109 CEST	50871	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.573788881 CEST	53	50871	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.574004889 CEST	50872	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.581140041 CEST	53	50872	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.633146048 CEST	50873	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.640430927 CEST	53	50873	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.641904116 CEST	50874	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.649382114 CEST	53	50874	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.650842905 CEST	50875	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.659104109 CEST	53	50875	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.659531116 CEST	50876	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.666316032 CEST	53	50876	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.666691065 CEST	50877	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.674671888 CEST	53	50877	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.739327908 CEST	50878	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.746860027 CEST	53	50878	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.747817039 CEST	50879	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.756526947 CEST	53	50879	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.756802082 CEST	50880	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.764918089 CEST	53	50880	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.765276909 CEST	50881	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.773303032 CEST	53	50881	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.773509979 CEST	50882	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.781006098 CEST	53	50882	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.862598896 CEST	50883	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.869678974 CEST	53	50883	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.872503042 CEST	50884	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.881424904 CEST	53	50884	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.881774902 CEST	50885	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.889520884 CEST	53	50885	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.889779091 CEST	50886	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.897368908 CEST	53	50886	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.899746895 CEST	50887	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.907139063 CEST	53	50887	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.966516972 CEST	50888	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.973567963 CEST	53	50888	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.975003004 CEST	50889	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.982652903 CEST	53	50889	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.983732939 CEST	50890	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:34.991461039 CEST	53	50890	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:34.995826006 CEST	50891	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.004189968 CEST	53	50891	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.007850885 CEST	50892	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.016786098 CEST	53	50892	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.289503098 CEST	50893	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.298579931 CEST	53	50893	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.301520109 CEST	50894	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.310157061 CEST	53	50894	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.313462019 CEST	50895	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.321177006 CEST	53	50895	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.329171896 CEST	50896	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.336376905 CEST	53	50896	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.336956024 CEST	50897	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.344886065 CEST	53	50897	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.610960007 CEST	50898	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.618331909 CEST	53	50898	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.618705988 CEST	50899	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.626156092 CEST	53	50899	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.626434088 CEST	50900	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.633904934 CEST	53	50900	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.634171963 CEST	50901	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.644077063 CEST	53	50901	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.644336939 CEST	50902	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.652584076 CEST	53	50902	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.712290049 CEST	50903	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.719420910 CEST	53	50903	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.719974995 CEST	50904	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.727174044 CEST	53	50904	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.727477074 CEST	50905	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.735375881 CEST	53	50905	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.735657930 CEST	50906	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.743869066 CEST	53	50906	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.744167089 CEST	50907	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.752341032 CEST	53	50907	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.811341047 CEST	50908	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.818923950 CEST	53	50908	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.819832087 CEST	50909	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.827558994 CEST	53	50909	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.828300953 CEST	50910	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.836960077 CEST	53	50910	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.837377071 CEST	50911	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.845675945 CEST	53	50911	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.849930048 CEST	50912	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.857367039 CEST	53	50912	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.919939041 CEST	50913	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.927573919 CEST	53	50913	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.930026054 CEST	50914	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.937342882 CEST	53	50914	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.937822104 CEST	50915	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.945893049 CEST	53	50915	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.948544025 CEST	50916	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.956505060 CEST	53	50916	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:35.958108902 CEST	50917	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:35.965960026 CEST	53	50917	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.021636963 CEST	50918	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.028527975 CEST	53	50918	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.028947115 CEST	50919	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.036135912 CEST	53	50919	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.036412954 CEST	50920	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.046184063 CEST	53	50920	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.046508074 CEST	50921	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.055299997 CEST	53	50921	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.055635929 CEST	50922	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.064059973 CEST	53	50922	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.120145082 CEST	50923	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.127022028 CEST	53	50923	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.127389908 CEST	50924	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.134825945 CEST	53	50924	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.135117054 CEST	50925	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.144399881 CEST	53	50925	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.144685030 CEST	50926	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.152657032 CEST	53	50926	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.152935028 CEST	50927	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.161041975 CEST	53	50927	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.249458075 CEST	50928	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.257117987 CEST	53	50928	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.257582903 CEST	50929	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.267427921 CEST	53	50929	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.267801046 CEST	50930	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.280574083 CEST	53	50930	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.280915022 CEST	50931	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.289102077 CEST	53	50931	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.289426088 CEST	50932	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.297250032 CEST	53	50932	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.352251053 CEST	50933	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.359870911 CEST	53	50933	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.360285044 CEST	50934	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.368628025 CEST	53	50934	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.368896008 CEST	50935	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.376075983 CEST	53	50935	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.376559019 CEST	50936	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.384187937 CEST	53	50936	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.384808064 CEST	50937	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.393696070 CEST	53	50937	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.443574905 CEST	65000	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.493020058 CEST	53	65000	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.503370047 CEST	65001	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.510965109 CEST	53	65001	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.512054920 CEST	65002	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.519740105 CEST	53	65002	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.521706104 CEST	65003	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.529664993 CEST	53	65003	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.530081987 CEST	65004	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.538480997 CEST	53	65004	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.538794994 CEST	65005	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.547342062 CEST	53	65005	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.612266064 CEST	65006	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.619395018 CEST	53	65006	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.619996071 CEST	65007	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.627775908 CEST	53	65007	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.631938934 CEST	65008	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.639558077 CEST	53	65008	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.643929005 CEST	65009	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.651439905 CEST	53	65009	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.651680946 CEST	65010	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.658690929 CEST	53	65010	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.770008087 CEST	65011	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.778047085 CEST	53	65011	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.778417110 CEST	65012	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.786442041 CEST	53	65012	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.786699057 CEST	65013	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.793981075 CEST	53	65013	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.795650959 CEST	65014	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.804603100 CEST	53	65014	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.804826021 CEST	65015	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.815947056 CEST	53	65015	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.889008999 CEST	65016	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.899485111 CEST	53	65016	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.903985977 CEST	65017	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.914329052 CEST	53	65017	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.915860891 CEST	65018	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.927432060 CEST	53	65018	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.927839041 CEST	65019	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.938215971 CEST	53	65019	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:36.939795017 CEST	65020	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:36.947544098 CEST	53	65020	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.094719887 CEST	65021	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.102273941 CEST	53	65021	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.102739096 CEST	65022	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.120718956 CEST	53	65022	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.121079922 CEST	65023	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.130929947 CEST	53	65023	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.131223917 CEST	65024	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.142420053 CEST	53	65024	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.142765999 CEST	65025	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.152851105 CEST	53	65025	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.226541996 CEST	65026	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.233356953 CEST	53	65026	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.233735085 CEST	65027	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.242264986 CEST	53	65027	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.242511034 CEST	65028	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.250452042 CEST	53	65028	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.250731945 CEST	65029	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.262334108 CEST	53	65029	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.262590885 CEST	65030	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.270845890 CEST	53	65030	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.328119993 CEST	65031	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.336226940 CEST	53	65031	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.336659908 CEST	65032	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.347068071 CEST	53	65032	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.347397089 CEST	65033	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.356894970 CEST	53	65033	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.357218027 CEST	65034	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.366101027 CEST	53	65034	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.366413116 CEST	65035	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.375960112 CEST	53	65035	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.448156118 CEST	65036	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.455513000 CEST	53	65036	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.455998898 CEST	65037	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.464576960 CEST	53	65037	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.464931011 CEST	65038	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.473834038 CEST	53	65038	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.474160910 CEST	65039	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.482430935 CEST	53	65039	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.482711077 CEST	65040	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.490669012 CEST	53	65040	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.587011099 CEST	65041	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.594309092 CEST	53	65041	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.595347881 CEST	65042	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.602560997 CEST	53	65042	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.602840900 CEST	65043	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.610816002 CEST	53	65043	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.611085892 CEST	65044	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.619050980 CEST	53	65044	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.619306087 CEST	65045	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.626619101 CEST	53	65045	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.691015005 CEST	65046	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.700525999 CEST	53	65046	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.700903893 CEST	65047	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.708259106 CEST	53	65047	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.709939003 CEST	65048	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.717261076 CEST	53	65048	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.718286037 CEST	65049	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.725191116 CEST	53	65049	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:37.727700949 CEST	65050	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:37.735472918 CEST	53	65050	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.019638062 CEST	65051	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.028161049 CEST	53	65051	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.035415888 CEST	65052	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.044097900 CEST	53	65052	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.067673922 CEST	65053	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.074851036 CEST	53	65053	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.078989983 CEST	65054	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.087518930 CEST	53	65054	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.090496063 CEST	65055	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.102320910 CEST	53	65055	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.294035912 CEST	63904	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.342597961 CEST	53	63904	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.351795912 CEST	63905	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.358863115 CEST	53	63905	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.359240055 CEST	63906	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.367168903 CEST	53	63906	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.367424011 CEST	63907	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.377104998 CEST	53	63907	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.377346992 CEST	63908	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.385668993 CEST	53	63908	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.385987043 CEST	63909	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.394864082 CEST	53	63909	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.449421883 CEST	63910	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.458996058 CEST	53	63910	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.459700108 CEST	63911	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.467773914 CEST	53	63911	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.468061924 CEST	63912	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.475712061 CEST	53	63912	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.475928068 CEST	63913	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.483166933 CEST	53	63913	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.483433962 CEST	63914	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.492114067 CEST	53	63914	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.545593977 CEST	63915	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.557188034 CEST	53	63915	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.557660103 CEST	63916	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.572439909 CEST	53	63916	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.572865009 CEST	63917	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.584130049 CEST	53	63917	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.584379911 CEST	63918	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.594028950 CEST	53	63918	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.594394922 CEST	63919	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.604366064 CEST	53	63919	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.665467978 CEST	63920	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.672673941 CEST	53	63920	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.673259020 CEST	63921	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.681364059 CEST	53	63921	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.681701899 CEST	63922	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.689435005 CEST	53	63922	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.689755917 CEST	63923	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.696980000 CEST	53	63923	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.697463989 CEST	63924	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.707546949 CEST	53	63924	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.762831926 CEST	63925	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.769582033 CEST	53	63925	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.770051003 CEST	63926	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.779757023 CEST	53	63926	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.780072927 CEST	63927	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.788140059 CEST	53	63927	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.788475990 CEST	63928	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.796987057 CEST	53	63928	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.797250032 CEST	63929	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.804975033 CEST	53	63929	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.858350992 CEST	63930	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.865277052 CEST	53	63930	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.865613937 CEST	63931	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.873930931 CEST	53	63931	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.874171019 CEST	63932	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.882273912 CEST	53	63932	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.882507086 CEST	63933	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.890245914 CEST	53	63933	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.890474081 CEST	63934	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.898742914 CEST	53	63934	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.964732885 CEST	63935	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.972843885 CEST	53	63935	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.973328114 CEST	63936	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.980909109 CEST	53	63936	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.981237888 CEST	63937	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.990108967 CEST	53	63937	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.990329027 CEST	63938	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:38.998780966 CEST	53	63938	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:38.998986959 CEST	63939	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.008569956 CEST	53	63939	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.065936089 CEST	63940	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.073302031 CEST	53	63940	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.074135065 CEST	63941	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.082510948 CEST	53	63941	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.082721949 CEST	63942	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.090025902 CEST	53	63942	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.090315104 CEST	63943	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.099092960 CEST	53	63943	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.099304914 CEST	63944	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.106934071 CEST	53	63944	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.165482998 CEST	63945	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.174242973 CEST	53	63945	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.174678087 CEST	63946	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.184715986 CEST	53	63946	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.185062885 CEST	63947	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.192775965 CEST	53	63947	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.193039894 CEST	63948	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.201867104 CEST	53	63948	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.202291965 CEST	63949	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.211051941 CEST	53	63949	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.273901939 CEST	63950	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.283036947 CEST	53	63950	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.288126945 CEST	63951	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.305676937 CEST	53	63951	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.306035042 CEST	63952	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.315874100 CEST	53	63952	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.316179991 CEST	63953	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.328111887 CEST	53	63953	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.328464031 CEST	63954	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.342255116 CEST	53	63954	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.399626970 CEST	63955	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.407737970 CEST	53	63955	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.408128977 CEST	63956	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.416706085 CEST	53	63956	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.417030096 CEST	63957	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.425957918 CEST	53	63957	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.427853107 CEST	63958	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.435482025 CEST	53	63958	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.435771942 CEST	63959	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.444327116 CEST	53	63959	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.503860950 CEST	63960	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.512113094 CEST	53	63960	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.512522936 CEST	63961	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.522696018 CEST	53	63961	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.523201942 CEST	63962	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.531423092 CEST	53	63962	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.531805038 CEST	63963	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.540843010 CEST	53	63963	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.543822050 CEST	63964	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.551621914 CEST	53	63964	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.607870102 CEST	63965	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.614871979 CEST	53	63965	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.615906954 CEST	63966	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.624439955 CEST	53	63966	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.630139112 CEST	63967	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.640789986 CEST	53	63967	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.643769026 CEST	63968	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.653794050 CEST	53	63968	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.655769110 CEST	63969	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.666222095 CEST	53	63969	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.720071077 CEST	63970	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.729990005 CEST	53	63970	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.730488062 CEST	63971	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.741302967 CEST	53	63971	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.743824959 CEST	63972	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.753851891 CEST	53	63972	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.755928993 CEST	63973	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.765093088 CEST	53	63973	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.767703056 CEST	63974	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.776458025 CEST	53	63974	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:39.830952883 CEST	63975	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:39.838232040 CEST	53	63975	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:40.316637993 CEST	63976	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:40.324966908 CEST	53	63976	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:40.325531006 CEST	63977	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:40.332421064 CEST	53	63977	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:40.332880020 CEST	63978	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:40.339813948 CEST	53	63978	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:40.340241909 CEST	63979	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:40.348418951 CEST	53	63979	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:40.421116114 CEST	63980	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:40.669446945 CEST	53	63980	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:40.802315950 CEST	63981	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:40.811211109 CEST	53	63981	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:40.812006950 CEST	63982	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:40.819525003 CEST	53	63982	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:40.819869041 CEST	63983	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:40.827029943 CEST	53	63983	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:40.832395077 CEST	63984	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:40.840261936 CEST	53	63984	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.072300911 CEST	63985	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.079864979 CEST	53	63985	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.080303907 CEST	63986	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.088861942 CEST	53	63986	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.089176893 CEST	63987	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.097920895 CEST	53	63987	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.098264933 CEST	63988	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.107368946 CEST	53	63988	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.107635021 CEST	63989	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.116014004 CEST	53	63989	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.175733089 CEST	63990	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.183480978 CEST	53	63990	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.185648918 CEST	63991	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.193437099 CEST	53	63991	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.194034100 CEST	63992	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.203224897 CEST	53	63992	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.203525066 CEST	63993	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.212152004 CEST	53	63993	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.212374926 CEST	63994	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.220495939 CEST	53	63994	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.270873070 CEST	57930	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.321294069 CEST	53	57930	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.328668118 CEST	57931	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.335880041 CEST	53	57931	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.337939978 CEST	57932	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.347074032 CEST	53	57932	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.350821018 CEST	57933	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.358582973 CEST	53	57933	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.358875036 CEST	57934	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.366365910 CEST	53	57934	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.366609097 CEST	57935	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.374758959 CEST	53	57935	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.428894043 CEST	57936	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.436563969 CEST	53	57936	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.436965942 CEST	57937	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.445226908 CEST	53	57937	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.445429087 CEST	57938	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.452634096 CEST	53	57938	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.907828093 CEST	57939	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.915431023 CEST	53	57939	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.917973042 CEST	57940	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.925782919 CEST	53	57940	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.986239910 CEST	57941	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:41.993940115 CEST	53	57941	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:41.995536089 CEST	57942	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.002737999 CEST	53	57942	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.003735065 CEST	57943	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.012836933 CEST	53	57943	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.015825033 CEST	57944	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.024343014 CEST	53	57944	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.027895927 CEST	57945	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.036051035 CEST	53	57945	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.102188110 CEST	57946	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.109010935 CEST	53	57946	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.109388113 CEST	57947	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.116529942 CEST	53	57947	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.116754055 CEST	57948	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.124409914 CEST	53	57948	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.124682903 CEST	57949	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.132740021 CEST	53	57949	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.132982969 CEST	57950	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.140968084 CEST	53	57950	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.205518961 CEST	57951	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.214406013 CEST	53	57951	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.214720011 CEST	57952	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.223905087 CEST	53	57952	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.224128962 CEST	57953	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.233815908 CEST	53	57953	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.234081030 CEST	57954	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.241185904 CEST	53	57954	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.241405964 CEST	57955	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.249574900 CEST	53	57955	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.308511972 CEST	57956	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.315216064 CEST	53	57956	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.315563917 CEST	57957	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.323031902 CEST	53	57957	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.323435068 CEST	57958	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.334364891 CEST	53	57958	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.334604979 CEST	57959	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.343674898 CEST	53	57959	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.343903065 CEST	57960	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.352111101 CEST	53	57960	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.418396950 CEST	57961	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.427419901 CEST	53	57961	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.427753925 CEST	57962	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.436772108 CEST	53	57962	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.437041044 CEST	57963	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.446510077 CEST	53	57963	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.446877956 CEST	57964	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.454224110 CEST	53	57964	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.454437971 CEST	57965	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.462158918 CEST	53	57965	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.516848087 CEST	57966	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.525028944 CEST	53	57966	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.525610924 CEST	57967	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.532813072 CEST	53	57967	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.533006907 CEST	57968	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.540445089 CEST	53	57968	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.540602922 CEST	57969	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.548484087 CEST	53	57969	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.548738003 CEST	57970	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.558912039 CEST	53	57970	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.611505985 CEST	57971	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.618493080 CEST	53	57971	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.618915081 CEST	57972	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.625942945 CEST	53	57972	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:42.626200914 CEST	57973	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:42.632695913 CEST	53	57973	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:43.155492067 CEST	57974	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:43.163103104 CEST	53	57974	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:43.163595915 CEST	57975	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:43.170996904 CEST	53	57975	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:43.448020935 CEST	61856	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:43.704454899 CEST	53	61856	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:43.742279053 CEST	61857	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:43.750194073 CEST	53	61857	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:43.753675938 CEST	61858	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:43.761049032 CEST	53	61858	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:43.761781931 CEST	61859	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:43.769450903 CEST	53	61859	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:43.769809961 CEST	61860	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:43.779269934 CEST	53	61860	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:43.781764984 CEST	61861	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:43.791733027 CEST	53	61861	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:43.852368116 CEST	61862	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:43.859437943 CEST	53	61862	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:43.861887932 CEST	61863	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:43.869139910 CEST	53	61863	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:43.870799065 CEST	61864	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:43.878443956 CEST	53	61864	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:43.879883051 CEST	61865	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:43.889503956 CEST	53	61865	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:43.890008926 CEST	61866	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:43.899183989 CEST	53	61866	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:43.952317953 CEST	61867	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:43.959661961 CEST	53	61867	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:43.963002920 CEST	61868	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:43.970663071 CEST	53	61868	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:43.971008062 CEST	61869	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:43.978821993 CEST	53	61869	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:43.979026079 CEST	61870	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:43.986799955 CEST	53	61870	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:43.986974955 CEST	61871	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:43.997045040 CEST	53	61871	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.049462080 CEST	61872	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.056602955 CEST	53	61872	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.057019949 CEST	61873	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.065587044 CEST	53	61873	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.065861940 CEST	61874	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.074507952 CEST	53	61874	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.074733019 CEST	61875	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.081794024 CEST	53	61875	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.081981897 CEST	61876	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.090126991 CEST	53	61876	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.193773985 CEST	61877	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.200907946 CEST	53	61877	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.201432943 CEST	61878	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.211451054 CEST	53	61878	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.211663008 CEST	61879	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.219280005 CEST	53	61879	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.219516039 CEST	61880	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.226494074 CEST	53	61880	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.792917013 CEST	61881	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.800676107 CEST	53	61881	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.857172966 CEST	61882	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.864502907 CEST	53	61882	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.864959002 CEST	61883	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.871848106 CEST	53	61883	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.872128010 CEST	61884	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.879987955 CEST	53	61884	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.880314112 CEST	61885	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.888447046 CEST	53	61885	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.888858080 CEST	61886	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.896538973 CEST	53	61886	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.962213039 CEST	61887	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.969548941 CEST	53	61887	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.969904900 CEST	61888	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.977340937 CEST	53	61888	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.977623940 CEST	61889	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.985163927 CEST	53	61889	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.985438108 CEST	61890	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:44.993352890 CEST	53	61890	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:44.993746996 CEST	61891	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.002145052 CEST	53	61891	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.055677891 CEST	61892	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.063226938 CEST	53	61892	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.063586950 CEST	61893	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.071436882 CEST	53	61893	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.071621895 CEST	61894	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.079051971 CEST	53	61894	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.079261065 CEST	61895	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.088665009 CEST	53	61895	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.088849068 CEST	61896	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.095810890 CEST	53	61896	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.612005949 CEST	61897	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.619756937 CEST	53	61897	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.622064114 CEST	61898	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.629997015 CEST	53	61898	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.632642031 CEST	61899	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.643153906 CEST	53	61899	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.646090031 CEST	61900	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.653934002 CEST	53	61900	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.657785892 CEST	61901	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.665822983 CEST	53	61901	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.722105026 CEST	61902	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.730781078 CEST	53	61902	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.736002922 CEST	61903	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.745346069 CEST	53	61903	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.748699903 CEST	61904	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.756841898 CEST	53	61904	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.757797003 CEST	61905	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.765330076 CEST	53	61905	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.784774065 CEST	61906	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.792695045 CEST	53	61906	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.894398928 CEST	61907	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.901797056 CEST	53	61907	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.906487942 CEST	61908	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.913922071 CEST	53	61908	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.918154001 CEST	61909	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.925575018 CEST	53	61909	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.925785065 CEST	61910	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.933631897 CEST	53	61910	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:45.933940887 CEST	61911	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:45.942125082 CEST	53	61911	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.027364016 CEST	61912	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.034873962 CEST	53	61912	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.038367987 CEST	61913	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.046500921 CEST	53	61913	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.049810886 CEST	61914	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.057192087 CEST	53	61914	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.058168888 CEST	61915	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.065860987 CEST	53	61915	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.069896936 CEST	61916	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.078810930 CEST	53	61916	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.182290077 CEST	61917	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.189218998 CEST	53	61917	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.189733028 CEST	61918	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.197362900 CEST	53	61918	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.197695971 CEST	61919	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.205233097 CEST	53	61919	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.205450058 CEST	61920	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.213145971 CEST	53	61920	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.213596106 CEST	61921	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.222666979 CEST	53	61921	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.347500086 CEST	61922	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.354829073 CEST	53	61922	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.357868910 CEST	61923	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.365964890 CEST	53	61923	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.370696068 CEST	61924	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.379282951 CEST	53	61924	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.382320881 CEST	61925	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.392138958 CEST	53	61925	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.395740032 CEST	61926	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.404526949 CEST	53	61926	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.458518028 CEST	53607	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.509542942 CEST	53	53607	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.518785954 CEST	53608	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.525888920 CEST	53	53608	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.527837038 CEST	53609	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.535367012 CEST	53	53609	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.537853956 CEST	53610	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.549725056 CEST	53	53610	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.550043106 CEST	53611	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.557800055 CEST	53	53611	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.557995081 CEST	53612	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.568562031 CEST	53	53612	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.629947901 CEST	53613	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.636769056 CEST	53	53613	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.637298107 CEST	53614	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.645565033 CEST	53	53614	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.645925045 CEST	53615	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.653628111 CEST	53	53615	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.655821085 CEST	53616	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.663289070 CEST	53	53616	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.663568974 CEST	53617	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.671173096 CEST	53	53617	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.730370998 CEST	53618	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.737744093 CEST	53	53618	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.739985943 CEST	53619	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.971584082 CEST	53	53619	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.976125002 CEST	53620	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.983907938 CEST	53	53620	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.985980988 CEST	53621	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:46.994968891 CEST	53	53621	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:46.995475054 CEST	53622	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.003762960 CEST	53	53622	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.093381882 CEST	53623	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.101119995 CEST	53	53623	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.102169991 CEST	53624	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.110997915 CEST	53	53624	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.114039898 CEST	53625	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.121874094 CEST	53	53625	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.122137070 CEST	53626	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.129791021 CEST	53	53626	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.130054951 CEST	53627	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.137806892 CEST	53	53627	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.210268021 CEST	53628	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.218256950 CEST	53	53628	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.218703985 CEST	53629	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.226377964 CEST	53	53629	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.226634026 CEST	53630	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.234525919 CEST	53	53630	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.234793901 CEST	53631	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.242902994 CEST	53	53631	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.243248940 CEST	53632	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.251497984 CEST	53	53632	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.309693098 CEST	53633	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.318265915 CEST	53	53633	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.318742990 CEST	53634	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.326443911 CEST	53	53634	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.326749086 CEST	53635	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.336560011 CEST	53	53635	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.336905003 CEST	53636	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.344891071 CEST	53	53636	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.345199108 CEST	53637	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.352839947 CEST	53	53637	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.408494949 CEST	53638	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.416878939 CEST	53	53638	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.417557955 CEST	53639	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.427408934 CEST	53	53639	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.427747965 CEST	53640	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.437975883 CEST	53	53640	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.438242912 CEST	53641	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.445274115 CEST	53	53641	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.447753906 CEST	53642	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.455271959 CEST	53	53642	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.514508963 CEST	53643	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.521843910 CEST	53	53643	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.524008989 CEST	53644	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.532052994 CEST	53	53644	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.536195993 CEST	53645	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.543822050 CEST	53	53645	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.544321060 CEST	53646	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.551609039 CEST	53	53646	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.551958084 CEST	53647	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.558552980 CEST	53	53647	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.612134933 CEST	53648	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.621035099 CEST	53	53648	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.621412039 CEST	53649	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.631426096 CEST	53	53649	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.631702900 CEST	53650	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.642121077 CEST	53	53650	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.642450094 CEST	53651	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.651984930 CEST	53	53651	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.652220964 CEST	53652	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.660059929 CEST	53	53652	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.713586092 CEST	53653	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.721082926 CEST	53	53653	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.721476078 CEST	53654	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.733426094 CEST	53	53654	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.733757973 CEST	53655	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.741605043 CEST	53	53655	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.741822004 CEST	53656	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.749207973 CEST	53	53656	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.749433994 CEST	53657	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.757148027 CEST	53	53657	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.810439110 CEST	53658	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.817482948 CEST	53	53658	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.817873001 CEST	53659	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.825464010 CEST	53	53659	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.826571941 CEST	53660	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.835263968 CEST	53	53660	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.835591078 CEST	53661	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.843508005 CEST	53	53661	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.843705893 CEST	53662	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.850975990 CEST	53	53662	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.906975985 CEST	53663	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.914623022 CEST	53	53663	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.917561054 CEST	53664	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.924786091 CEST	53	53664	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.926285028 CEST	53665	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.935065031 CEST	53	53665	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.937799931 CEST	53666	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.946746111 CEST	53	53666	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:47.947087049 CEST	53667	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:47.957619905 CEST	53	53667	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:48.016510963 CEST	53668	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:48.023612022 CEST	53	53668	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:48.025903940 CEST	53669	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:48.033915997 CEST	53	53669	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:48.034226894 CEST	53670	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:48.042006969 CEST	53	53670	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:48.044377089 CEST	53671	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:48.052212954 CEST	53	53671	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:48.052509069 CEST	53672	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:48.060190916 CEST	53	53672	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:48.121074915 CEST	53673	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:48.128180027 CEST	53	53673	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:48.128585100 CEST	53674	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:48.136729956 CEST	53	53674	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:48.137007952 CEST	53675	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:48.145279884 CEST	53	53675	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:48.145597935 CEST	53676	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:48.153398037 CEST	53	53676	1.1.1.1	192.168.2.11
Sep 30, 2024 16:05:48.153660059 CEST	53677	53	192.168.2.11	1.1.1.1
Sep 30, 2024 16:05:48.161362886 CEST	53	53677	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 16:03:47.397953987 CEST	192.168.2.11	1.1.1.1	0x4554	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:47.632883072 CEST	192.168.2.11	1.1.1.1	0xe1ff	Standard query (0)	ns1.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:47.798232079 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:03:47.842344999 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:47.873744965 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:03:47.892214060 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:47.926783085 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:03:49.029576063 CEST	192.168.2.11	1.1.1.1	0x289	Standard query (0)	ns2.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:49.099518061 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:03:49.107021093 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:49.117605925 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:03:49.132158041 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:49.149420977 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:03:50.676156044 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:03:50.683722019 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:50.693043947 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:03:50.707788944 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:50.717767954 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:03:51.828855038 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:03:51.837125063 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:51.858403921 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:03:51.867768049 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:51.887562990 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:03:53.349147081 CEST	192.168.2.11	1.1.1.1	0x1f6d	Standard query (0)	ns1.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:53.454124928 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:03:53.462374926 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:53.478559017 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:03:53.491250992 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:53.507256985 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:03:54.606419086 CEST	192.168.2.11	1.1.1.1	0xdfc4	Standard query (0)	ns2.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:54.671022892 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:03:54.678781033 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:54.687797070 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:03:54.699287891 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:54.711653948 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:03:56.074201107 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:03:56.837495089 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:56.847398043 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:03:56.862097979 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:56.878218889 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:03:57.992733002 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:03:58.000353098 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:58.009941101 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:03:58.033251047 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:58.042978048 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:03:59.237570047 CEST	192.168.2.11	1.1.1.1	0xf476	Standard query (0)	ns1.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:59.296691895 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:03:59.304019928 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:59.319787979 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:03:59.330770016 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:59.351471901 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:00.454020023 CEST	192.168.2.11	1.1.1.1	0x28bd	Standard query (0)	ns2.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:00.623466015 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:00.630812883 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:00.650238037 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:00.660161018 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:00.670676947 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:01.855673075 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:01.863650084 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:01.874269009 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:01.884248972 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:01.908628941 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:03.091366053 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:03.099628925 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:03.116621017 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:03.125299931 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:03.137382984 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:04.287630081 CEST	192.168.2.11	1.1.1.1	0xed9	Standard query (0)	ns1.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:04.348058939 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:05.394287109 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:05.404962063 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:05.421288013 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:05.437685013 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:06.981375933 CEST	192.168.2.11	1.1.1.1	0xd7a7	Standard query (0)	ns2.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:07.042352915 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:07.050723076 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:07.069257975 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:07.082108021 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:07.092994928 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:08.296057940 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:08.304882050 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:08.320780039 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:08.336591005 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:08.361706018 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:09.534271002 CEST	192.168.2.11	1.1.1.1	0xdfd2	Standard query (0)	ns1.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:09.713671923 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:09.721735954 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:09.742266893 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:09.750449896 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:09.767393112 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:10.999357939 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:11.006737947 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:11.022906065 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:11.030731916 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:11.039280891 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:12.208085060 CEST	192.168.2.11	1.1.1.1	0x7439	Standard query (0)	ns2.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:12.267612934 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:12.275348902 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:12.291404009 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:12.307531118 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:12.325329065 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:13.546014071 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:13.553754091 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:13.570485115 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:13.578900099 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:13.593044043 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:14.746707916 CEST	192.168.2.11	1.1.1.1	0x7d3	Standard query (0)	ns1.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:15.019551039 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:15.027896881 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:15.038031101 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:15.046416044 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:15.054730892 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:16.308128119 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:16.315968990 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:16.326462030 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:16.336654902 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:16.345911026 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:17.529544115 CEST	192.168.2.11	1.1.1.1	0xc768	Standard query (0)	ns2.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:17.589742899 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:17.597275972 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:17.605940104 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:17.615679979 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:17.631155014 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:18.811594963 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:18.994154930 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:19.014723063 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:19.025816917 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:19.042843103 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:20.211648941 CEST	192.168.2.11	1.1.1.1	0x4b9d	Standard query (0)	ns1.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:20.378281116 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:20.385562897 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:20.401206970 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:20.408689022 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:20.423410892 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:21.941957951 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:21.950232983 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:21.966963053 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:21.995604992 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:22.012712955 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:23.400167942 CEST	192.168.2.11	1.1.1.1	0x6aab	Standard query (0)	ns2.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:23.458935976 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:23.467716932 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:23.484426975 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:23.499535084 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:23.509670019 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:24.737256050 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:24.745918989 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:24.753571987 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:24.768297911 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:24.775731087 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:25.880845070 CEST	192.168.2.11	1.1.1.1	0xea96	Standard query (0)	ns1.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:25.976509094 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:25.984149933 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:25.992275000 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:26.040543079 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:26.056608915 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:27.236747026 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:27.244339943 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:27.259820938 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:27.276892900 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:27.288222075 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:28.479434013 CEST	192.168.2.11	1.1.1.1	0x2c58	Standard query (0)	ns2.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:28.537770987 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:28.547226906 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:28.556001902 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:28.569228888 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:28.579566956 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:29.710371017 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:29.721838951 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:29.730612040 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:29.739330053 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:29.754452944 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:30.850526094 CEST	192.168.2.11	1.1.1.1	0x6a62	Standard query (0)	ns1.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:30.947144032 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:30.955631018 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:30.969863892 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:30.980148077 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:31.000895977 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:32.091449976 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:32.099128962 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:32.114670992 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:32.124763966 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:32.132370949 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:33.422940016 CEST	192.168.2.11	1.1.1.1	0xc758	Standard query (0)	ns2.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:33.519455910 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:33.531264067 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:33.538969994 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:33.548487902 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:33.556602955 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:34.563090086 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:34.570920944 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:34.586529970 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:34.594779015 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:34.603363037 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:35.571561098 CEST	192.168.2.11	1.1.1.1	0xa29a	Standard query (0)	ns1.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:35.630676031 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:35.639755011 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:35.659584045 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:35.679867029 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:35.691569090 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:36.642393112 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:36.651139021 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:36.660154104 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:36.677498102 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:36.685770988 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:37.595499039 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:37.602919102 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:37.616792917 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:37.634646893 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:37.649279118 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:38.526057959 CEST	192.168.2.11	1.1.1.1	0x3d46	Standard query (0)	ns2.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:38.789582968 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:38.799359083 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:38.822572947 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:38.838584900 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:38.846837044 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:39.731370926 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:39.739177942 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:39.747205019 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:39.763863087 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:39.771177053 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:40.597038984 CEST	192.168.2.11	1.1.1.1	0xc494	Standard query (0)	ns1.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:40.690278053 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:40.699153900 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:40.717782974 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:40.742422104 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:40.750323057 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:41.567104101 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:42.382127047 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:42.399621964 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:42.414079905 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:42.422332048 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:43.204268932 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:43.352864027 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:43.362364054 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:43.380310059 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:43.390188932 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:44.150959015 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:44.305594921 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:44.313292980 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:44.327964067 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:44.336977959 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:45.080777884 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:45.088836908 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:45.097557068 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:45.113097906 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:45.120738029 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:45.831598997 CEST	192.168.2.11	1.1.1.1	0xae59	Standard query (0)	ns2.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:45.926100016 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:45.934477091 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:45.946060896 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:45.955578089 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:45.963529110 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:46.664391041 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:46.672059059 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:46.693116903 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:46.709949970 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:46.731321096 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:47.400863886 CEST	192.168.2.11	1.1.1.1	0x5bdb	Standard query (0)	ns1.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:47.457556009 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:47.935235023 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:47.943519115 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:47.958353996 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:47.967104912 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:48.620944977 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:48.629703999 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:48.646342993 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:48.656088114 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:48.669651985 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:49.320671082 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:50.036577940 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:50.044437885 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:50.052485943 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:50.074291945 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:50.734767914 CEST	192.168.2.11	1.1.1.1	0xd822	Standard query (0)	ns2.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:50.778858900 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:50.789374113 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:50.797152042 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:50.807449102 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:50.815179110 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:51.416765928 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:51.424163103 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:51.432133913 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:51.441513062 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:51.449004889 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:52.032001019 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:52.041357994 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:52.052541971 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:52.060659885 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:52.068502903 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:52.623692036 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:52.631211042 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:52.651117086 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:52.659678936 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:52.667649031 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:53.228163004 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:53.235608101 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:53.250307083 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:53.258421898 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:53.268120050 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:53.963267088 CEST	192.168.2.11	1.1.1.1	0x6a09	Standard query (0)	ns1.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:54.063302994 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:54.070832968 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:54.079173088 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:54.087711096 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:54.095751047 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:54.616667032 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:54.624180079 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:54.631176949 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:54.646893978 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:54.661662102 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:55.171997070 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:55.180171967 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:55.188555002 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:55.197343111 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:55.206559896 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:55.691967010 CEST	192.168.2.11	1.1.1.1	0x26b4	Standard query (0)	ns2.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:55.749983072 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:55.758219957 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:55.765881062 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:55.782300949 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:55.789788961 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:56.294055939 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:56.306112051 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:56.314475060 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:56.323988914 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:56.348160028 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:56.795636892 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:56.807188988 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:56.822695017 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:56.831836939 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:56.842327118 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:57.294154882 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:57.302613974 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:57.310905933 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:57.320804119 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:57.328644991 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:57.778863907 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:57.786391973 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:57.795207024 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:57.802901983 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:57.810761929 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:58.227099895 CEST	192.168.2.11	1.1.1.1	0xb687	Standard query (0)	ns1.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:58.322304964 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:58.330256939 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:58.338046074 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:58.347958088 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:58.356167078 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:58.770442009 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:58.870629072 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:58.878861904 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:58.886713982 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:58.896403074 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:59.297887087 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:59.305377007 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:59.313180923 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:59.329834938 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:59.345920086 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:59.782042980 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:59.790081024 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:59.797652006 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:04:59.805763006 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:59.814344883 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:00.187239885 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:00.194963932 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:00.210783958 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:00.219058037 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:00.227055073 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:00.594161987 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:00.601950884 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:00.609694958 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:00.618174076 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:00.628402948 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:00.977452993 CEST	192.168.2.11	1.1.1.1	0x964d	Standard query (0)	ns2.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:00.995570898 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:01.002882957 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:01.010726929 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:01.021749973 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:01.029306889 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:01.625197887 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:01.632983923 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:01.642026901 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:01.649926901 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:01.665478945 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:02.001776934 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:02.010278940 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:02.026597977 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:02.040154934 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:02.057336092 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:02.463725090 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:02.483169079 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:02.505887985 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:02.522099972 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:02.538053989 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:02.870035887 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:02.877336025 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:02.887300968 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:02.898163080 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:02.907049894 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:03.232323885 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:03.239761114 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:03.250021935 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:03.257164001 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:03.267663956 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:03.563322067 CEST	192.168.2.11	1.1.1.1	0x6ffc	Standard query (0)	ns1.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:04.127182007 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:04.134912014 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:04.151686907 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:04.164367914 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:04.176400900 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:04.476335049 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:04.484649897 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:04.494865894 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:04.503375053 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:04.520944118 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:04.817255020 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:04.825731039 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:04.835103035 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:04.842567921 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:04.854708910 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:05.148825884 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:05.346319914 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:05.355796099 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:05.371625900 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:05.379630089 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:06.198451042 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:06.207973957 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:06.219769955 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:06.231741905 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:06.250169039 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:06.516191006 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:06.524120092 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:06.532672882 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:06.541507006 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:06.549751997 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:06.809099913 CEST	192.168.2.11	1.1.1.1	0x7e09	Standard query (0)	ns2.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:06.974435091 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:06.982145071 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:06.990880966 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:06.998585939 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:07.009056091 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:07.265808105 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:07.274472952 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:07.282340050 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:07.291766882 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:07.299602985 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:07.556988955 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:07.565130949 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:07.574476004 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:07.583678961 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:07.593848944 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:07.833379030 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:07.845211983 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:07.853341103 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:07.863279104 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:07.873486042 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:08.112533092 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:08.120253086 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:08.130223989 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:08.138797998 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:08.147433043 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:08.382703066 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:08.390641928 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:08.406416893 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:08.414465904 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:08.422611952 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:08.654752970 CEST	192.168.2.11	1.1.1.1	0x4b18	Standard query (0)	ns1.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:08.917826891 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:08.926342964 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:08.945954084 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:08.962340117 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:08.969961882 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:09.186676979 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:09.196044922 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:09.205218077 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:09.213449001 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:09.221374035 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:09.435925961 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:09.443619967 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:09.451251030 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:09.460565090 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:09.469485998 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:09.671861887 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:09.680241108 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:09.691123962 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:09.701756001 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:09.709912062 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:09.919224024 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:09.926750898 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:09.934613943 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:09.942585945 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:09.952899933 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:10.154891968 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:10.163395882 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:10.171519041 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:10.179441929 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:10.189551115 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:10.402628899 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:10.410218954 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:10.420922041 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:10.430561066 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:10.438219070 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:10.626502991 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:10.634661913 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:10.642930031 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:10.652580976 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:10.660594940 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:10.867623091 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:10.874978065 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:10.883220911 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:10.892235994 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:10.903763056 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:11.099293947 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:11.224222898 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:11.232685089 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:11.241822004 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:11.250231028 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:11.419128895 CEST	192.168.2.11	1.1.1.1	0xaf2c	Standard query (0)	ns2.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:11.475337982 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:11.483520031 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:11.491400957 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:11.499129057 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:11.515140057 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:11.687274933 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:11.695091963 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:11.703392982 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:11.719543934 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:11.730551958 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:11.912574053 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:11.920615911 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:11.928564072 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:11.936774015 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:11.944196939 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:12.129961014 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:12.137737989 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:12.145495892 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:12.153306961 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:12.682356119 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:12.865430117 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:12.873213053 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:12.881843090 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:12.890100956 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:12.901102066 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:13.063249111 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:13.071645021 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:13.083259106 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:13.091377974 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:13.101521969 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:13.260442972 CEST	192.168.2.11	1.1.1.1	0xa50f	Standard query (0)	ns1.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:13.354974985 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:13.362831116 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:13.371212959 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:13.379045010 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:13.388904095 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:13.556787968 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:13.567807913 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:13.575567007 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:13.585355043 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:13.595663071 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:13.749999046 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:13.757519960 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:13.767311096 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:13.776366949 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:13.785315990 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:13.957495928 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:13.965471983 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:13.976629972 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:13.984741926 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:13.993149996 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:14.141689062 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:14.149460077 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:14.166657925 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:14.176902056 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:14.184989929 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:14.328758001 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:14.336143017 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:14.344405890 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:14.352453947 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:14.360893965 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:14.514327049 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:14.524396896 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:14.533463955 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:14.542707920 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:14.551309109 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:14.687737942 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:14.696623087 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:14.705985069 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:14.714747906 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:14.723707914 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:14.863768101 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:14.872967958 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:14.881984949 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:14.892237902 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:14.902596951 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:15.036210060 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:15.044456959 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:15.062978029 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:15.070831060 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:15.080668926 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:15.223469973 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:15.231631994 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:15.239331007 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:15.247443914 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:15.255748987 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:15.388710022 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:15.397950888 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:15.406003952 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:15.414227009 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:15.423976898 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:15.569109917 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:15.578000069 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:15.586422920 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:15.595954895 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:15.604288101 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:15.750823021 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:15.758796930 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:15.766993046 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:15.775161982 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:15.784104109 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:15.935420990 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:15.942866087 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:15.952229977 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:15.960858107 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:15.969028950 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:16.098658085 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:16.108781099 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:16.118938923 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:16.138724089 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:16.147691965 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:16.295953035 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:16.305901051 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:16.316052914 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:16.326231956 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:16.335726976 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:16.456187963 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:16.466247082 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:16.476130962 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:16.486846924 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:16.495990038 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:16.608340979 CEST	192.168.2.11	1.1.1.1	0x1120	Standard query (0)	ns2.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:16.665155888 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:16.672499895 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:16.681005955 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:16.689809084 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:16.697774887 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:16.814450026 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:16.821850061 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:16.832273960 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:16.840889931 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:16.848282099 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:16.990309000 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:16.997769117 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.006331921 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.014069080 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.023123026 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.140441895 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:17.147876024 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.157860041 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.166168928 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.174010992 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.289791107 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:17.297771931 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.305821896 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.315722942 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.323590994 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.442117929 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:17.451819897 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.459676981 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.471803904 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.483716965 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.599618912 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:17.607816935 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.619856119 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.630287886 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.642152071 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.750847101 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:17.759752035 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.767832994 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.779715061 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.787638903 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.896836042 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:17.907124996 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.919296980 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.927098989 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.934849024 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.061173916 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:18.075815916 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.086318970 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.099080086 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.107393980 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.219819069 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:18.230377913 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.240053892 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.249803066 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.261305094 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.352790117 CEST	192.168.2.11	1.1.1.1	0x7ab1	Standard query (0)	ns1.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.367508888 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:18.376389027 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.384967089 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.393248081 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.405304909 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.499649048 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:18.507788897 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.519735098 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.527645111 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.539716959 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.665218115 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:18.673825026 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.682952881 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.693751097 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.705862999 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.803215981 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:18.814410925 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.825855970 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.834167004 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.845849037 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.938508987 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:18.946727991 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.955889940 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.962933064 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.970844984 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.069094896 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:19.077276945 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.085544109 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.093147039 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.100512028 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.256824970 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:19.266815901 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.276176929 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.287026882 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.296194077 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.389691114 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:19.396959066 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.405106068 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.413130999 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.426212072 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.529942036 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:19.540137053 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.548958063 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.566267014 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.575340986 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.685106039 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:19.693232059 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.700159073 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.708789110 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.716077089 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.810848951 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:19.818497896 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.827306986 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.839890957 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.849103928 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.944806099 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:19.952461004 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.960944891 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.969017982 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.977878094 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.076530933 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:20.084148884 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.092400074 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.100281000 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.108975887 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.201978922 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:20.210215092 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.218910933 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.228087902 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.236124992 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.326822042 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:20.337146044 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.347827911 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.362550020 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.373788118 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.474386930 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:20.484627962 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.493191004 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.501936913 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.511478901 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.593770027 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:20.609349012 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.618334055 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.627223015 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.637089014 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.723854065 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:20.732225895 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.742635012 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.753329992 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.766792059 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.858139038 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:20.868092060 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.879621029 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.889116049 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.898900986 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.990763903 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:21.000905991 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.011919975 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.020648956 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.033066034 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.132006884 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:21.139494896 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.148456097 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.156131983 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.165307045 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.242960930 CEST	192.168.2.11	1.1.1.1	0x6032	Standard query (0)	ns2.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.415829897 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:21.423974037 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.432764053 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.441778898 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.451987982 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.528142929 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:21.536118984 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.545629978 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.554975033 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.562781096 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.644725084 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:21.652089119 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.660788059 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.668342113 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.676415920 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.774460077 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:21.782922983 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.793493986 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.803335905 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.811518908 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.889404058 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:21.897496939 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.906317949 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.915739059 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.926088095 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.019726992 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:22.031089067 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.043354034 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.052349091 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.063146114 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.165985107 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:22.173746109 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.181129932 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.189280987 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.199469090 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.281749010 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:22.289494038 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.300738096 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.310612917 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.320255041 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.405572891 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:22.418006897 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.427309990 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.435516119 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.443414927 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.530405045 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:22.543128967 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.551671982 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.562386990 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.572613001 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.655781984 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:22.663220882 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.672732115 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.680521965 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.687757969 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.773387909 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:22.781311989 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.799719095 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.808940887 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.819071054 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.891402006 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:22.899593115 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.907787085 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.915863991 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.923485041 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.004084110 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:23.014113903 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.023828983 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.034073114 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.045300007 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.142092943 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:23.150682926 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.160115957 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.175493956 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.186741114 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.259159088 CEST	192.168.2.11	1.1.1.1	0xf4e2	Standard query (0)	ns1.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.316736937 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:23.324340105 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.334311962 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.346081972 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.353877068 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.447690964 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:23.456783056 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.474833012 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.486680984 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.495486975 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.577445030 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:23.587462902 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.598654985 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.611747980 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.623745918 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.708271980 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:23.716255903 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.726113081 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.738092899 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.749955893 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.838881016 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:23.847830057 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.859638929 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.869292974 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.877362013 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.955902100 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:23.963295937 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.971828938 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.979665995 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.990128994 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.074960947 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:24.082885981 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.091265917 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.098993063 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.106744051 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.198837996 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:24.206098080 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.214124918 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.221869946 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.230109930 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.318211079 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:24.325473070 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.333246946 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.340939999 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.349193096 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.420697927 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:24.432029009 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.443820000 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.454529047 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.463157892 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.545547962 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:24.554274082 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.561692953 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.573565006 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.580724955 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.664541960 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:24.673892975 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.685786963 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.694658995 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.707817078 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.784770012 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:24.798372984 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.807940006 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.819817066 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.831866026 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.905538082 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:24.915663958 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.923408031 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.931377888 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.941139936 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:25.019591093 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:25.029047966 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:25.038347960 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:25.046734095 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:25.055272102 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:25.153480053 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:25.166920900 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:25.181390047 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:25.193900108 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:25.202522039 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:25.295999050 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:25.306334019 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:25.316245079 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:25.327341080 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:25.338327885 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:25.428642988 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:25.437979937 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:25.449702024 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:25.461749077 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:25.473854065 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:25.895756006 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:25.907969952 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:25.918548107 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:25.927293062 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:25.939313889 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:26.066992998 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:26.075054884 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.083028078 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:26.094221115 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.102596045 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:26.189273119 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:26.199438095 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.208554983 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:26.216814041 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.227747917 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:26.295500994 CEST	192.168.2.11	1.1.1.1	0x777a	Standard query (0)	ns2.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.560513020 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:26.569796085 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.577836037 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:26.586421013 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.595462084 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:26.678802967 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:26.686451912 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.694022894 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:26.702610970 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.710947037 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:26.782349110 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:26.790056944 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.797714949 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:26.805569887 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.813155890 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:26.896861076 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:26.904794931 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.914958954 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:26.925398111 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.933362007 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.005386114 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:27.012712955 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.020703077 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.029191971 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.037587881 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.115876913 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:27.125483990 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.134308100 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.149194002 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.159982920 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.266616106 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:27.275876999 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.286081076 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.298571110 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.310497999 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.394856930 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:27.406682014 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.419925928 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.435849905 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.447860003 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.536215067 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:27.546941042 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.557959080 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.569905043 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.581995010 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.654259920 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:27.666032076 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.673835039 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.685908079 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.697813034 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.767122984 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:27.774606943 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.783044100 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.791786909 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.801209927 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.882160902 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:27.891182899 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.901417017 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.911789894 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.926637888 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:28.006213903 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:28.014487982 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:28.022802114 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:28.030967951 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:28.039505005 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:28.148926020 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:28.158294916 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:28.167464018 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:28.176856041 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:28.185575008 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:28.692295074 CEST	192.168.2.11	1.1.1.1	0x467	Standard query (0)	ns1.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:28.786263943 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:28.796952963 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:28.805105925 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:28.812726021 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:28.820663929 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:28.892810106 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:28.901189089 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:28.912183046 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:28.920444012 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:28.929804087 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.015511990 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:29.023504019 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.037847996 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.050595999 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.063945055 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.148065090 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:29.160959005 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.174638033 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.188055038 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.202888012 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.286180019 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:29.297715902 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.308706045 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.320909023 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.330872059 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.406259060 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:29.414114952 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.423193932 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.430857897 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.442291975 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.517519951 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:29.527976990 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.536317110 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.547143936 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.558195114 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.626286983 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:29.636643887 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.646991968 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.661781073 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.672530890 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.749768019 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:29.757608891 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.766024113 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.774542093 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.782668114 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.864635944 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:29.872108936 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.881211996 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.890376091 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.898714066 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.966485023 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:29.973573923 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.981811047 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.991472006 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.000817060 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.080625057 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:30.090534925 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.099473000 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.108210087 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.118153095 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.190740108 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:30.201576948 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.211524963 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.221663952 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.230245113 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.300880909 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:30.308732033 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.317985058 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.325630903 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.333988905 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.406985044 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:30.415807009 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.423983097 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.432986975 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.441986084 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.516066074 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:30.523572922 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.531747103 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.539632082 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.548034906 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.624397993 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:30.632239103 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.639625072 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.647492886 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.655730963 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.732279062 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:30.743774891 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.751717091 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.767932892 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.779710054 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.856839895 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:30.870269060 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.882030964 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.893951893 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.906267881 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.989451885 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:31.001528978 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.011406898 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.021615982 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.031152010 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.116897106 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:31.126677990 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.135077000 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.150976896 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.164237022 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.240391016 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:31.252990007 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.265094995 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.278028011 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.292263985 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.374367952 CEST	192.168.2.11	1.1.1.1	0xc4e4	Standard query (0)	ns2.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.541033983 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:31.548439980 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.557205915 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.566998959 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.576548100 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.658420086 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:31.670011997 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.678498030 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.689857960 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.697746038 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.767637014 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:31.774971962 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.786910057 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.795018911 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.805403948 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.875859022 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:31.883951902 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.894254923 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.907433987 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.916532040 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.988775969 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:31.997036934 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.006978035 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.014852047 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.022099972 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.107752085 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:32.115392923 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.124295950 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.131941080 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.139220953 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.208894968 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:32.216552019 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.224858999 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.237024069 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.246507883 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.317812920 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:32.327003956 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.339376926 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.348929882 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.358830929 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.430489063 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:32.438200951 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.445425034 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.453082085 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.460690022 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.532469034 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:32.540190935 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.547976971 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.556123972 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.564542055 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.645390034 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:32.653964043 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.664514065 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.672960997 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.681762934 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.769604921 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:32.778487921 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.789556026 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.797719955 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.809066057 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.889908075 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:32.900340080 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.909122944 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.919969082 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.929639101 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.001614094 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:33.011523008 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.019113064 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.028060913 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.037377119 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.140476942 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:33.148883104 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.157022953 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.164856911 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.172780991 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.244983912 CEST	192.168.2.11	1.1.1.1	0x4e68	Standard query (0)	ns1.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.260756016 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:33.269011021 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.276320934 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.284584045 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.292124987 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.372477055 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:33.379991055 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.387749910 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.396116018 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.405880928 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.484760046 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:33.493773937 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.501765013 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.510162115 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.519747019 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.617610931 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:33.627911091 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.639884949 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.651992083 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.663758993 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.739226103 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:33.746695995 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.759952068 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.771955967 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.783854961 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.867315054 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:33.879903078 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.891794920 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.903793097 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.918879986 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.983694077 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:33.994014978 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.001765966 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.009080887 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.016702890 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.094351053 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:34.104944944 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.115241051 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.124181032 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.132667065 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.207499027 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:34.214683056 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.221617937 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.229281902 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.239806890 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.317219019 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:34.325699091 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.333477020 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.340709925 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.349421978 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.426831007 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:34.434967995 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.443851948 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.457859993 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.467988968 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.531224012 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:34.541873932 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.552462101 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.563177109 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.574004889 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.633146048 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:34.641904116 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.650842905 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.659531116 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.666691065 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.739327908 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:34.747817039 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.756802082 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.765276909 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.773509979 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.862598896 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:34.872503042 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.881774902 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.889779091 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.899746895 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.966516972 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:34.975003004 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.983732939 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.995826006 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:35.007850885 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:35.289503098 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:35.301520109 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:35.313462019 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:35.329171896 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:35.336956024 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:35.610960007 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:35.618705988 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:35.626434088 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:35.634171963 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:35.644336939 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:35.712290049 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:35.719974995 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:35.727477074 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:35.735657930 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:35.744167089 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:35.811341047 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:35.819832087 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:35.828300953 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:35.837377071 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:35.849930048 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:35.919939041 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:35.930026054 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:35.937822104 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:35.948544025 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:35.958108902 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.021636963 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:36.028947115 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.036412954 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.046508074 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.055635929 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.120145082 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:36.127389908 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.135117054 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.144685030 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.152935028 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.249458075 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:36.257582903 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.267801046 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.280915022 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.289426088 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.352251053 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:36.360285044 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.368896008 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.376559019 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.384808064 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.443574905 CEST	192.168.2.11	1.1.1.1	0xa1	Standard query (0)	ns2.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.503370047 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:36.512054920 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.521706104 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.530081987 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.538794994 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.612266064 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:36.619996071 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.631938934 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.643929005 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.651680946 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.770008087 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:36.778417110 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.786699057 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.795650959 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.804826021 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.889008999 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:36.903985977 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.915860891 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.927839041 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.939795017 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:37.094719887 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:37.102739096 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:37.121079922 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:37.131223917 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:37.142765999 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:37.226541996 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:37.233735085 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:37.242511034 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:37.250731945 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:37.262590885 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:37.328119993 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:37.336659908 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:37.347397089 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:37.357218027 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:37.366413116 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:37.448156118 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:37.455998898 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:37.464931011 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:37.474160910 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:37.482711077 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:37.587011099 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:37.595347881 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:37.602840900 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:37.611085892 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:37.619306087 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:37.691015005 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:37.700903893 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:37.709939003 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:37.718286037 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:37.727700949 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.019638062 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:38.035415888 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.067673922 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.078989983 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.090496063 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.294035912 CEST	192.168.2.11	1.1.1.1	0xc8ea	Standard query (0)	ns1.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.351795912 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:38.359240055 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.367424011 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.377346992 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.385987043 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.449421883 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:38.459700108 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.468061924 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.475928068 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.483433962 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.545593977 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:38.557660103 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.572865009 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.584379911 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.594394922 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.665467978 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:38.673259020 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.681701899 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.689755917 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.697463989 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.762831926 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:38.770051003 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.780072927 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.788475990 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.797250032 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.858350992 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:38.865613937 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.874171019 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.882507086 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.890474081 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.964732885 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:38.973328114 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.981237888 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.990329027 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.998986959 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.065936089 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:39.074135065 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.082721949 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.090315104 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.099304914 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.165482998 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:39.174678087 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.185062885 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.193039894 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.202291965 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.273901939 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:39.288126945 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.306035042 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.316179991 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.328464031 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.399626970 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:39.408128977 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.417030096 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.427853107 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.435771942 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.503860950 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:39.512522936 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.523201942 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.531805038 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.543822050 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.607870102 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:39.615906954 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.630139112 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.643769026 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.655769110 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.720071077 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:39.730488062 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.743824959 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.755928993 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.767703056 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.830952883 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:40.316637993 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:40.325531006 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:40.332880020 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:40.340241909 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:40.421116114 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:40.802315950 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:40.812006950 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:40.819869041 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:40.832395077 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:41.072300911 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:41.080303907 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:41.089176893 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:41.098264933 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:41.107635021 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:41.175733089 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:41.185648918 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:41.194034100 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:41.203525066 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:41.212374926 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:41.270873070 CEST	192.168.2.11	1.1.1.1	0x5464	Standard query (0)	ns2.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:41.328668118 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:41.337939978 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:41.350821018 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:41.358875036 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:41.366609097 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:41.428894043 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:41.436965942 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:41.445429087 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:41.907828093 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:41.917973042 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:41.986239910 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:41.995536089 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.003735065 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:42.015825033 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.027895927 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:42.102188110 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:42.109388113 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.116754055 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:42.124682903 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.132982969 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:42.205518961 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:42.214720011 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.224128962 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:42.234081030 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.241405964 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:42.308511972 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:42.315563917 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.323435068 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:42.334604979 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.343903065 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:42.418396950 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:42.427753925 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.437041044 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:42.446877956 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.454437971 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:42.516848087 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:42.525610924 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.533006907 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:42.540602922 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.548738003 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:42.611505985 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:42.618915081 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.626200914 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:43.155492067 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:43.163595915 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:43.448020935 CEST	192.168.2.11	1.1.1.1	0x882	Standard query (0)	ns1.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:43.742279053 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:43.753675938 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:43.761781931 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:43.769809961 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:43.781764984 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:43.852368116 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:43.861887932 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:43.870799065 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:43.879883051 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:43.890008926 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:43.952317953 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:43.963002920 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:43.971008062 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:43.979026079 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:43.986974955 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:44.049462080 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:44.057019949 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:44.065861940 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:44.074733019 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:44.081981897 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:44.193773985 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:44.201432943 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:44.211663008 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:44.219516039 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:44.792917013 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:44.857172966 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:44.864959002 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:44.872128010 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:44.880314112 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:44.888858080 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:44.962213039 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:44.969904900 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:44.977623940 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:44.985438108 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:44.993746996 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:45.055677891 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:45.063586950 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:45.071621895 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:45.079261065 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:45.088849068 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:45.612005949 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:45.622064114 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:45.632642031 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:45.646090031 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:45.657785892 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:45.722105026 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:45.736002922 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:45.748699903 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:45.757797003 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:45.784774065 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:45.894398928 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:45.906487942 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:45.918154001 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:45.925785065 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:45.933940887 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:46.027364016 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:46.038367987 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.049810886 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:46.058168888 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.069896936 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:46.182290077 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:46.189733028 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.197695971 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:46.205450058 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.213596106 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:46.347500086 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:46.357868910 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.370696068 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:46.382320881 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.395740032 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:46.458518028 CEST	192.168.2.11	1.1.1.1	0x8b94	Standard query (0)	ns2.cloud-name.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.518785954 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:46.527837038 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.537853956 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:46.550043106 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.557995081 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:46.629947901 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:46.637298107 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.645925045 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:46.655821085 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.663568974 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:46.730370998 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:46.739985943 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.976125002 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:46.985980988 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.995475054 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.093381882 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:47.102169991 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.114039898 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.122137070 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.130054951 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.210268021 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:47.218703985 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.226634026 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.234793901 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.243248940 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.309693098 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:47.318742990 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.326749086 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.336905003 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.345199108 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.408494949 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:47.417557955 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.427747965 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.438242912 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.447753906 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.514508963 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:47.524008989 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.536195993 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.544321060 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.551958084 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.612134933 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:47.621412039 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.631702900 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.642450094 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.652220964 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.713586092 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:47.721476078 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.733757973 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.741822004 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.749433994 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.810439110 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:47.817873001 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.826571941 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.835591078 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.843705893 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.906975985 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:47.917561054 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.926285028 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.937799931 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.947087049 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:48.016510963 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:48.025903940 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:48.034226894 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:48.044377089 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	ransomware.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:48.052509069 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	ransomware.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:48.121074915 CEST	192.168.2.11	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:48.128585100 CEST	192.168.2.11	1.1.1.1	0x2	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:48.137007952 CEST	192.168.2.11	1.1.1.1	0x3	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false
Sep 30, 2024 16:05:48.145597935 CEST	192.168.2.11	1.1.1.1	0x4	Standard query (0)	zonealarm.bit	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:48.153660059 CEST	192.168.2.11	1.1.1.1	0x5	Standard query (0)	zonealarm.bit	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 16:03:47.680965900 CEST	1.1.1.1	192.168.2.11	0xe1ff	Name error (3)	ns1.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:47.805489063 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:03:47.871238947 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:47.889507055 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:03:47.926399946 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:47.935403109 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:03:49.088488102 CEST	1.1.1.1	192.168.2.11	0x289	Name error (3)	ns2.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:49.106600046 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:03:49.117207050 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:49.131844997 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:03:49.149068117 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:49.158987045 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:03:50.683156013 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:03:50.692665100 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:50.707458973 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:03:50.717467070 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:50.737943888 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:03:51.836666107 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:03:51.857816935 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:51.867506981 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:03:51.887192965 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:51.896087885 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:03:53.435378075 CEST	1.1.1.1	192.168.2.11	0x1f6d	Name error (3)	ns1.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:53.461950064 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:03:53.478097916 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:53.490907907 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:03:53.506895065 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:53.516374111 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:03:54.657802105 CEST	1.1.1.1	192.168.2.11	0xdfc4	Name error (3)	ns2.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:54.678339005 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:03:54.687315941 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:54.698839903 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:03:54.707211018 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:54.727705956 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:03:56.836749077 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:03:56.847038984 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:56.861613989 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:03:56.877643108 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:56.891129971 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:03:57.999921083 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:03:58.009596109 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:58.032846928 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:03:58.042644978 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:58.057732105 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:03:59.285491943 CEST	1.1.1.1	192.168.2.11	0xf476	Name error (3)	ns1.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:59.303621054 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:03:59.319468021 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:59.330456972 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:03:59.350780964 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:03:59.366853952 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:00.610440969 CEST	1.1.1.1	192.168.2.11	0x28bd	Name error (3)	ns2.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:00.630398989 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:00.649519920 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:00.659753084 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:00.670264006 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:00.686781883 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:01.863192081 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:01.873826027 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:01.883842945 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:01.908102989 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:01.928551912 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:03.098648071 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:03.116215944 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:03.124727964 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:03.135585070 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:03.150015116 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:04.336779118 CEST	1.1.1.1	192.168.2.11	0xed9	Name error (3)	ns1.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:05.393795013 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:05.404474974 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:05.420907021 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:05.437273026 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:05.453911066 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:07.031116009 CEST	1.1.1.1	192.168.2.11	0xd7a7	Name error (3)	ns2.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:07.049798012 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:07.068737984 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:07.081748009 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:07.092657089 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:07.109291077 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:08.304173946 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:08.320239067 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:08.336157084 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:08.361104012 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:08.377526045 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:09.697345018 CEST	1.1.1.1	192.168.2.11	0xdfd2	Name error (3)	ns1.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:09.721174002 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:09.741790056 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:09.749995947 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:09.766967058 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:09.779350996 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:11.006304979 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:11.022349119 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:11.030344963 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:11.038984060 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:11.047502995 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:12.257260084 CEST	1.1.1.1	192.168.2.11	0x7439	Name error (3)	ns2.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:12.274775028 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:12.290659904 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:12.307190895 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:12.324875116 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:12.341464043 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:13.553267956 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:13.570120096 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:13.578596115 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:13.592706919 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:13.603951931 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:15.008519888 CEST	1.1.1.1	192.168.2.11	0x7d3	Name error (3)	ns1.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:15.027267933 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:15.037590981 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:15.045941114 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:15.054208040 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:15.062285900 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:16.315550089 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:16.326114893 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:16.336224079 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:16.345469952 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:16.354556084 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:17.578751087 CEST	1.1.1.1	192.168.2.11	0xc768	Name error (3)	ns2.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:17.596712112 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:17.605592012 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:17.615161896 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:17.630722046 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:17.640847921 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:18.993335009 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:19.014178038 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:19.025468111 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:19.042473078 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:19.053687096 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:20.368280888 CEST	1.1.1.1	192.168.2.11	0x4b9d	Name error (3)	ns1.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:20.385109901 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:20.400547028 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:20.408437967 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:20.423118114 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:20.433808088 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:21.949076891 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:21.966165066 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:21.981168985 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:22.002841949 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:22.022468090 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:23.448793888 CEST	1.1.1.1	192.168.2.11	0x6aab	Name error (3)	ns2.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:23.467268944 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:23.484067917 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:23.499228954 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:23.509365082 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:23.530438900 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:24.745419979 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:24.753271103 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:24.768012047 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:24.775418997 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:24.784169912 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:25.966466904 CEST	1.1.1.1	192.168.2.11	0xea96	Name error (3)	ns1.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:25.983437061 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:25.991871119 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:26.039942026 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:26.056350946 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:26.064404964 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:27.243802071 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:27.259430885 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:27.276513100 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:27.287839890 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:27.302649975 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:28.527673960 CEST	1.1.1.1	192.168.2.11	0x2c58	Name error (3)	ns2.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:28.546701908 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:28.555650949 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:28.568897963 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:28.579083920 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:28.589957952 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:29.719471931 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:29.729110956 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:29.738178968 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:29.754086971 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:29.764384031 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:30.937041998 CEST	1.1.1.1	192.168.2.11	0x6a62	Name error (3)	ns1.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:30.955058098 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:30.969449997 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:30.979613066 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:31.000426054 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:31.020565033 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:32.098752975 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:32.114301920 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:32.124341011 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:32.132179976 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:32.140723944 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:33.510096073 CEST	1.1.1.1	192.168.2.11	0xc758	Name error (3)	ns2.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:33.530755997 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:33.538676023 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:33.548229933 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:33.556344986 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:33.564141035 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:34.570430994 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:34.586143017 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:34.594559908 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:34.603159904 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:34.611448050 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:35.620667934 CEST	1.1.1.1	192.168.2.11	0xa29a	Name error (3)	ns1.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:35.639117002 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:35.656002998 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:35.675667048 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:35.687429905 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:35.700293064 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:36.650800943 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:36.659907103 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:36.677251101 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:36.685513973 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:36.694166899 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:37.602462053 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:37.614917040 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:37.634232044 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:37.648922920 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:37.656883001 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:38.782001019 CEST	1.1.1.1	192.168.2.11	0x3d46	Name error (3)	ns2.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:38.798826933 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:38.821994066 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:38.838181019 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:38.846627951 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:38.866648912 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:39.738771915 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:39.746893883 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:39.763490915 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:39.770860910 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:39.779083967 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:40.682077885 CEST	1.1.1.1	192.168.2.11	0xc494	Name error (3)	ns1.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:40.698074102 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:40.714271069 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:40.737967014 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:40.749912024 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:40.758110046 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:42.381412029 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:42.399029016 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:42.413646936 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:42.421993017 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:42.432146072 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:43.352175951 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:43.361932039 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:43.379834890 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:43.389545918 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:43.398680925 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:44.304833889 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:44.312887907 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:44.327604055 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:44.336777925 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:44.353435040 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:45.088253975 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:45.096915007 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:45.112756014 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:45.120394945 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:45.128200054 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:45.916619062 CEST	1.1.1.1	192.168.2.11	0xae59	Name error (3)	ns2.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:45.933974028 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:45.945554972 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:45.955214024 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:45.963253021 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:45.971112013 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:46.671577930 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:46.692682028 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:46.709444046 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:46.730784893 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:46.740237951 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:47.450015068 CEST	1.1.1.1	192.168.2.11	0x5bdb	Name error (3)	ns1.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:47.934752941 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:47.943288088 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:47.958163023 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:47.966937065 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:47.975147009 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:48.629255056 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:48.645946026 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:48.655735970 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:48.669296980 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:48.683312893 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:50.036127090 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:50.044127941 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:50.052251101 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:50.073954105 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:50.092200994 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:50.743048906 CEST	1.1.1.1	192.168.2.11	0xd822	Name error (3)	ns2.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:50.788976908 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:50.796871901 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:50.807179928 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:50.814907074 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:50.822787046 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:51.423712969 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:51.431791067 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:51.441293001 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:51.448802948 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:51.464116096 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:52.040864944 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:52.052123070 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:52.060431004 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:52.068263054 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:52.079049110 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:52.630850077 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:52.650851011 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:52.659377098 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:52.667408943 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:52.682557106 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:53.235227108 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:53.249922991 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:53.258213997 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:53.267873049 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:53.275789976 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:54.055732012 CEST	1.1.1.1	192.168.2.11	0x6a09	Name error (3)	ns1.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:54.070451975 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:54.078763008 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:54.087455034 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:54.095500946 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:54.111157894 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:54.623800993 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:54.630956888 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:54.646595955 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:54.661380053 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:54.677218914 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:55.179794073 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:55.188234091 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:55.197125912 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:55.206298113 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:55.216953993 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:55.742280960 CEST	1.1.1.1	192.168.2.11	0x26b4	Name error (3)	ns2.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:55.757857084 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:55.765604019 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:55.782012939 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:55.789581060 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:55.799020052 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:56.301989079 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:56.314131975 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:56.323225021 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:56.347783089 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:56.355468988 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:56.806607962 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:56.822257042 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:56.831594944 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:56.842083931 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:56.851170063 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:57.302054882 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:57.310596943 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:57.320215940 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:57.328283072 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:57.336616039 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:57.785934925 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:57.794851065 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:57.802653074 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:57.810511112 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:57.818612099 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:58.315054893 CEST	1.1.1.1	192.168.2.11	0xb687	Name error (3)	ns1.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:58.329849005 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:58.337655067 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:58.347700119 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:58.355885983 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:58.365712881 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:58.869823933 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:58.878515005 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:58.886473894 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:58.896030903 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:58.904687881 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:59.304934978 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:59.312912941 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:59.329603910 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:59.345633030 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:59.354187012 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:59.789711952 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:04:59.797369957 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:59.805442095 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:04:59.814049006 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:04:59.822900057 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:00.194535971 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:00.210370064 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:00.218848944 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:00.226843119 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:00.235249996 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:00.601340055 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:00.609399080 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:00.617897034 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:00.628146887 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:00.637717962 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:00.988385916 CEST	1.1.1.1	192.168.2.11	0x964d	Name error (3)	ns2.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:01.002465010 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:01.010458946 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:01.021387100 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:01.029055119 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:01.282668114 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:01.632359028 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:01.641716003 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:01.649665117 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:01.665033102 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:01.672703981 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:02.009691000 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:02.026263952 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:02.039841890 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:02.057096004 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:02.066117048 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:02.471477032 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:02.491008043 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:02.521517992 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:02.536942005 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:02.545844078 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:02.876892090 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:02.886986017 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:02.897954941 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:02.906904936 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:02.915596008 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:03.239275932 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:03.249654055 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:03.256980896 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:03.267438889 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:03.276134014 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:04.119267941 CEST	1.1.1.1	192.168.2.11	0x6ffc	Name error (3)	ns1.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:04.134474039 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:04.151204109 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:04.164022923 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:04.176042080 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:04.184489965 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:04.484221935 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:04.494529963 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:04.503040075 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:04.520575047 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:04.531461000 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:04.824585915 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:04.834780931 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:04.842367887 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:04.854196072 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:04.863455057 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:05.345813990 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:05.355393887 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:05.371164083 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:05.379452944 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:05.929912090 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:06.205008030 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:06.216595888 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:06.228921890 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:06.247901917 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:06.258550882 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:06.523674965 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:06.532346964 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:06.541296959 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:06.549505949 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:06.557760954 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:06.967264891 CEST	1.1.1.1	192.168.2.11	0x7e09	Name error (3)	ns2.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:06.981817007 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:06.990622997 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:06.998410940 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:07.008851051 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:07.018627882 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:07.274144888 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:07.282157898 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:07.291516066 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:07.299352884 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:07.308556080 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:07.564784050 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:07.573903084 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:07.583506107 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:07.593651056 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:07.603869915 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:07.844738007 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:07.853120089 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:07.863070011 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:07.873229980 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:07.881139040 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:08.119924068 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:08.130013943 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:08.138586044 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:08.147253036 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:08.156975031 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:08.390141964 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:08.405989885 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:08.414294958 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:08.422420025 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:08.446954966 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:08.910636902 CEST	1.1.1.1	192.168.2.11	0x4b18	Name error (3)	ns1.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:08.925929070 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:08.945589066 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:08.962122917 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:08.969650030 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:08.977685928 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:09.195703983 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:09.204880953 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:09.213116884 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:09.221060038 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:09.229831934 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:09.443181992 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:09.450952053 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:09.460340023 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:09.469206095 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:09.477446079 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:09.679717064 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:09.690781116 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:09.701442957 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:09.709672928 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:09.717926979 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:09.926336050 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:09.934312105 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:09.942301035 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:09.952641964 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:09.961074114 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:10.163033962 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:10.171156883 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:10.179213047 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:10.189198017 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:10.198618889 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:10.409861088 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:10.420655966 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:10.430295944 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:10.437906027 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:10.446307898 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:10.634164095 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:10.642579079 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:10.652357101 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:10.660384893 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:10.676611900 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:10.874588966 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:10.882987022 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:10.891994953 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:10.903520107 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:10.914664984 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:11.223617077 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:11.232260942 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:11.241544962 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:11.249990940 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:11.257467031 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:11.467832088 CEST	1.1.1.1	192.168.2.11	0xaf2c	Name error (3)	ns2.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:11.483004093 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:11.491023064 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:11.498867989 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:11.514673948 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:11.524724007 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:11.694679022 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:11.703074932 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:11.719177008 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:11.730251074 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:11.740802050 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:11.920253038 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:11.928301096 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:11.936547041 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:11.943924904 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:11.952310085 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:12.137418985 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:12.145252943 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:12.153043985 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:12.682041883 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:12.690615892 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:12.872667074 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:12.881536961 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:12.889833927 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:12.900830030 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:12.908994913 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:13.071286917 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:13.082920074 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:13.091080904 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:13.101130962 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:13.110130072 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:13.346955061 CEST	1.1.1.1	192.168.2.11	0xa50f	Name error (3)	ns1.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:13.362365961 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:13.370825052 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:13.378753901 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:13.388580084 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:13.405129910 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:13.567395926 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:13.575340033 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:13.585155010 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:13.595474005 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:13.603451967 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:13.757106066 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:13.766925097 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:13.776031017 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:13.784972906 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:13.793528080 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:13.965051889 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:13.976349115 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:13.984446049 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:13.992924929 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:14.001133919 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:14.148869991 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:14.164772034 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:14.176157951 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:14.184405088 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:14.192173004 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:14.335659027 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:14.344050884 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:14.352216959 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:14.360641956 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:14.369548082 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:14.523714066 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:14.532888889 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:14.542349100 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:14.550981998 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:14.560986996 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:14.696178913 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:14.705538034 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:14.714451075 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:14.723473072 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:14.732516050 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:14.872438908 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:14.881489992 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:14.891948938 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:14.902328014 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:14.911604881 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:15.044116974 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:15.062622070 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:15.070594072 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:15.080388069 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:15.089385033 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:15.231134892 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:15.238966942 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:15.247267008 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:15.255589008 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:15.267139912 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:15.397620916 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:15.405746937 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:15.414021969 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:15.423716068 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:15.433161974 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:15.577647924 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:15.586170912 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:15.595730066 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:15.604044914 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:15.613384962 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:15.758441925 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:15.766711950 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:15.774918079 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:15.783857107 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:15.791768074 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:15.942548037 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:15.952008009 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:15.960643053 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:15.968811989 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:15.979340076 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:16.108411074 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:16.118721962 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:16.138514042 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:16.147506952 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:16.155951023 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:16.305548906 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:16.315732002 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:16.326005936 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:16.335525036 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:16.346502066 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:16.465732098 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:16.475931883 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:16.486651897 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:16.495739937 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:16.506211996 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:16.657994032 CEST	1.1.1.1	192.168.2.11	0x1120	Name error (3)	ns2.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:16.672173977 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:16.680825949 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:16.689639091 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:16.697593927 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:16.706274986 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:16.821348906 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:16.830755949 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:16.840527058 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:16.847985983 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:16.856379986 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:16.997385979 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:17.006081104 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.013842106 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.022838116 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.032011032 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.147530079 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:17.157478094 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.165889978 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.173815966 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.185079098 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.297225952 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:17.305598021 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.315438032 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.323348999 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.331494093 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.450798988 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:17.459429979 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.469007015 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.481389046 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.492947102 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.607110023 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:17.617027044 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.628341913 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.638206005 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.652472973 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.757889032 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:17.766988993 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.775901079 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.787255049 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.796238899 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.906738997 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:17.918931007 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.926841974 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:17.934638023 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:17.943346977 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.071921110 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:18.086064100 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.098849058 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.107156038 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.117928982 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.229660034 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:18.239845991 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.249584913 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.260401964 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.269575119 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.360522985 CEST	1.1.1.1	192.168.2.11	0x7ab1	Name error (3)	ns1.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.375947952 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:18.384716988 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.393047094 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.405092001 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.413289070 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.507323027 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:18.515693903 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.527097940 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.536106110 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.549726963 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.673032999 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:18.681556940 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.690542936 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.702301025 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.713385105 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.811127901 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:18.822592020 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.833914995 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.842125893 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.853877068 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.946283102 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:18.955601931 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.962677002 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:18.970623970 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:18.977720022 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.076970100 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:19.085342884 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.092950106 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.100321054 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.107572079 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.266485929 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:19.275909901 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.286777973 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.295888901 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.304775953 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.396684885 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:19.404866934 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.412969112 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.425950050 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.442455053 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.539674044 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:19.548657894 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.566015005 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.575136900 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.583798885 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.692284107 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:19.699870110 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.708576918 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.715810061 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.724035978 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.818192959 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:19.827080011 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.839658022 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.848869085 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.856901884 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.952115059 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:19.960709095 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.968795061 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:19.977653980 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:19.985336065 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.083803892 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:20.092164040 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.100063086 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.108757973 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.116709948 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.209804058 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:20.218614101 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.227822065 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.235903978 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.243860960 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.336643934 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:20.347410917 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.359872103 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.371260881 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.381227970 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.484292030 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:20.493016005 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.501631975 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.511221886 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.520860910 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.608961105 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:20.618153095 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.627038002 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.636878967 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.646514893 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.731904984 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:20.742326975 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.753098965 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.766549110 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.775505066 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.867520094 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:20.879122019 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.888818026 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:20.898636103 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:20.908092976 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.000571966 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:21.011467934 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.020350933 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.032634020 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.042469025 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.139127016 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:21.148214102 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.155934095 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.165126085 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.173832893 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.408685923 CEST	1.1.1.1	192.168.2.11	0x6032	Name error (3)	ns2.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.423535109 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:21.432442904 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.441478968 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.451785088 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.461518049 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.535753965 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:21.545193911 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.554769993 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.562508106 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.570096970 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.651762009 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:21.660533905 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.668131113 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.676233053 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.687393904 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.782520056 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:21.793200016 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.802947044 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.811206102 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.819394112 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.896935940 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:21.906059027 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.915522099 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:21.925770044 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:21.936922073 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.030699968 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:22.042943001 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.052095890 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.062891960 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.075294018 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.173202991 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:22.180855989 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.189038992 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.197493076 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.208173990 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.289108992 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:22.300419092 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.310370922 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.320038080 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.329185963 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.414979935 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:22.426980019 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.435194969 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.443221092 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.451905012 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.542753935 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:22.551475048 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.562202930 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.572424889 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.580672979 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.662733078 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:22.672349930 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.680294991 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.687558889 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.697953939 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.780927896 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:22.797408104 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.808677912 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.817226887 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.826427937 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.899137020 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:22.907460928 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.915644884 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:22.923176050 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:22.932420015 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.013648987 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:23.023557901 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.033741951 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.045028925 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.054693937 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.150324106 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:23.159877062 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.175225019 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.186479092 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.196043015 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.306926966 CEST	1.1.1.1	192.168.2.11	0xf4e2	Name error (3)	ns1.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.323904991 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:23.331924915 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.342660904 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.353099108 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.362307072 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.454993010 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:23.466114044 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.482865095 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.493825912 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.503556013 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.584703922 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:23.595645905 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.606197119 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.619887114 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.630852938 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.715823889 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:23.724251032 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.733787060 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.745542049 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.759488106 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.846009016 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:23.856679916 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.869051933 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.877156973 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.887227058 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.962954998 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:23.971584082 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.979357004 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:23.989790916 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:23.997736931 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.082483053 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:24.090959072 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.098752975 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.106452942 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.114494085 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.205651045 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:24.213736057 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.221571922 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.229867935 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.239270926 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.325120926 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:24.333014965 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.340692043 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.348875046 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.356261015 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.429052114 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:24.440329075 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.451561928 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.462796926 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.472714901 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.553900957 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:24.561463118 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.573175907 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.580466986 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.590636015 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.671652079 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:24.682769060 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.693958998 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.703079939 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.717847109 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.793633938 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:24.807173967 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.816781044 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.829797983 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.840212107 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.912286043 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:24.923187017 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.931143999 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:24.940905094 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:24.949662924 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:25.028683901 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:25.038009882 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:25.046366930 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:25.054646015 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:25.064013004 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:25.166217089 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:25.179598093 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:25.193520069 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:25.202208996 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:25.211699009 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:25.305960894 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:25.315910101 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:25.326961994 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:25.338021994 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:25.348546982 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:25.437052011 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:25.448698997 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:25.458723068 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:25.470807076 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:25.486057043 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:25.903223038 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:25.916834116 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:25.926867962 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:25.936692953 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:25.947643995 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:26.074664116 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:26.082412004 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.093909025 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:26.102248907 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.111548901 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:26.198554039 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:26.207195044 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.216051102 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:26.224267960 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.237102032 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:26.551830053 CEST	1.1.1.1	192.168.2.11	0x777a	Name error (3)	ns2.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.569169044 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:26.577341080 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.586193085 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:26.595104933 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.602533102 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:26.686065912 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:26.693726063 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.702332020 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:26.710714102 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.718909979 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:26.789563894 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:26.797430038 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.805255890 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:26.812865973 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.821238995 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:26.904174089 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:26.914350033 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.925060034 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:26.933144093 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:26.943727016 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.012243986 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:27.020347118 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.028836966 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.037302017 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.044933081 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.125072002 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:27.134028912 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.148889065 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.159545898 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.169934034 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.275336027 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:27.285757065 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.296511889 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.310112000 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.322292089 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.404603004 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:27.417272091 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.433387041 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.446165085 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.460994005 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.545825958 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:27.554878950 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.567177057 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.577491999 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.589917898 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.663047075 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:27.673283100 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.682198048 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.694736004 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.706492901 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.774179935 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:27.782682896 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.791491032 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.800935030 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.809792042 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.890777111 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:27.901025057 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.910283089 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:27.919501066 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:27.938184977 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:28.014054060 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:28.022352934 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:28.030643940 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:28.038995028 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:28.049151897 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:28.157773972 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:28.166850090 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:28.176384926 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:28.185295105 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:28.193043947 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:28.778930902 CEST	1.1.1.1	192.168.2.11	0x467	Name error (3)	ns1.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:28.796533108 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:28.804868937 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:28.812464952 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:28.820385933 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:28.828438997 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:28.900619030 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:28.911845922 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:28.920063972 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:28.929557085 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:28.938888073 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.023122072 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:29.037544012 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.050307989 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.063668966 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.077683926 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.160187006 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:29.174285889 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.187670946 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.202558041 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.214927912 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.297205925 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:29.308290958 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.320486069 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.330476046 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.338264942 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.413707018 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:29.422823906 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.430613995 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.442034006 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.450009108 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.527586937 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:29.536094904 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.546920061 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.557996035 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.568145037 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.635688066 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:29.646612883 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.656786919 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.672234058 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.683408976 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.757189035 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:29.765692949 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.774312973 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.782407045 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.791635036 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.871783972 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:29.880956888 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.890135050 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.898454905 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.906219959 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:29.973234892 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:29.981494904 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:29.991095066 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.000538111 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.010402918 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.090164900 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:30.099196911 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.107981920 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.117938042 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.126991987 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.201138973 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:30.211292982 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.221343040 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.229899883 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.237246037 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.308012962 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:30.317678928 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.325211048 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.333520889 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.342778921 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.414135933 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:30.423485994 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.432743073 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.441582918 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.449856043 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.523122072 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:30.531500101 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.539347887 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.547771931 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.556744099 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.631613016 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:30.639353037 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.647301912 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.654995918 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.662990093 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.739875078 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:30.751331091 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.763676882 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.778188944 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.787709951 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.866767883 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:30.878844976 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.892421961 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:30.905775070 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:30.918101072 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.001034021 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:31.010885954 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.021042109 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.030828953 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.040769100 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.126297951 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:31.134754896 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.150654078 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.163921118 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.177027941 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.252540112 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:31.264750957 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.277678013 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.291789055 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.300276041 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.529920101 CEST	1.1.1.1	192.168.2.11	0xc4e4	Name error (3)	ns2.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.547977924 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:31.556984901 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.566562891 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.576179981 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.584379911 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.669508934 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:31.678162098 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.687035084 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.696943045 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.706300974 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.774578094 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:31.786483049 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.794728994 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.805104971 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.813803911 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.883413076 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:31.893064022 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.904542923 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.916198015 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:31.924680948 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:31.996522903 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:32.006738901 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.014565945 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.021883965 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.033220053 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.115063906 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:32.124058962 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.131721020 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.139031887 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.146259069 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.216195107 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:32.224592924 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.236722946 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.245832920 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.255624056 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.326643944 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:32.338900089 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.348618031 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.358535051 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.368628025 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.437671900 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:32.445197105 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.452842951 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.460465908 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.469785929 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.539745092 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:32.547583103 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.555670977 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.564285040 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.571994066 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.652791977 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:32.662101030 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.672750950 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.681598902 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.690849066 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.777612925 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:32.785912991 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.797439098 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.806994915 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.817009926 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.899808884 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:32.908869028 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.919466019 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:32.929222107 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:32.939675093 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.010929108 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:33.018740892 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.027683973 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.036915064 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.045066118 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.148422003 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:33.156493902 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.164593935 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.172529936 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.180901051 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.252309084 CEST	1.1.1.1	192.168.2.11	0x4e68	Name error (3)	ns1.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.268488884 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:33.275973082 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.284245014 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.291821003 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.300251007 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.379554987 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:33.387135983 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.395814896 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.403362989 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.413696051 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.492125034 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:33.501007080 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.509536028 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.518354893 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.528088093 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.625416994 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:33.638463974 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.647515059 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.659394026 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.671494007 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.746339083 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:33.754432917 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.768201113 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.780502081 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.794429064 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.874183893 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:33.887774944 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.899051905 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.917238951 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:33.926573038 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:33.990896940 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:34.000785112 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.008784056 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.016338110 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.023734093 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.104237080 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:34.114860058 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.123827934 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.132324934 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.144345045 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.214339018 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:34.221375942 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.229036093 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.239546061 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.248090982 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.325203896 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:34.333142042 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.340424061 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.349143982 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.358011007 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.434053898 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:34.443187952 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.452737093 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.467582941 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.476982117 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.541491985 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:34.552112103 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.562926054 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.573788881 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.581140041 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.640430927 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:34.649382114 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.659104109 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.666316032 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.674671888 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.746860027 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:34.756526947 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.764918089 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.773303032 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.781006098 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.869678974 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:34.881424904 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.889520884 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.897368908 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.907139063 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:34.973567963 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:34.982652903 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:34.991461039 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:35.004189968 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:35.016786098 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:35.298579931 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:35.310157061 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:35.321177006 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:35.336376905 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:35.344886065 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:35.618331909 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:35.626156092 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:35.633904934 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:35.644077063 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:35.652584076 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:35.719420910 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:35.727174044 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:35.735375881 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:35.743869066 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:35.752341032 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:35.818923950 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:35.827558994 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:35.836960077 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:35.845675945 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:35.857367039 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:35.927573919 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:35.937342882 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:35.945893049 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:35.956505060 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:35.965960026 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.028527975 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:36.036135912 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.046184063 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.055299997 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.064059973 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.127022028 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:36.134825945 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.144399881 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.152657032 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.161041975 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.257117987 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:36.267427921 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.280574083 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.289102077 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.297250032 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.359870911 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:36.368628025 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.376075983 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.384187937 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.393696070 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.493020058 CEST	1.1.1.1	192.168.2.11	0xa1	Name error (3)	ns2.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.510965109 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:36.519740105 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.529664993 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.538480997 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.547342062 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.619395018 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:36.627775908 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.639558077 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.651439905 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.658690929 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.778047085 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:36.786442041 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.793981075 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.804603100 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.815947056 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.899485111 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:36.914329052 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.927432060 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:36.938215971 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:36.947544098 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:37.102273941 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:37.120718956 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:37.130929947 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:37.142420053 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:37.152851105 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:37.233356953 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:37.242264986 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:37.250452042 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:37.262334108 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:37.270845890 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:37.336226940 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:37.347068071 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:37.356894970 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:37.366101027 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:37.375960112 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:37.455513000 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:37.464576960 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:37.473834038 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:37.482430935 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:37.490669012 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:37.594309092 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:37.602560997 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:37.610816002 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:37.619050980 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:37.626619101 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:37.700525999 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:37.708259106 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:37.717261076 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:37.725191116 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:37.735472918 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.028161049 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:38.044097900 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.074851036 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.087518930 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.102320910 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.342597961 CEST	1.1.1.1	192.168.2.11	0xc8ea	Name error (3)	ns1.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.358863115 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:38.367168903 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.377104998 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.385668993 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.394864082 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.458996058 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:38.467773914 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.475712061 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.483166933 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.492114067 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.557188034 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:38.572439909 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.584130049 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.594028950 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.604366064 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.672673941 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:38.681364059 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.689435005 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.696980000 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.707546949 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.769582033 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:38.779757023 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.788140059 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.796987057 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.804975033 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.865277052 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:38.873930931 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.882273912 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.890245914 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.898742914 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.972843885 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:38.980909109 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:38.990108967 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:38.998780966 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.008569956 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.073302031 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:39.082510948 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.090025902 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.099092960 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.106934071 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.174242973 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:39.184715986 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.192775965 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.201867104 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.211051941 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.283036947 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:39.305676937 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.315874100 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.328111887 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.342255116 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.407737970 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:39.416706085 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.425957918 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.435482025 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.444327116 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.512113094 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:39.522696018 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.531423092 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.540843010 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.551621914 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.614871979 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:39.624439955 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.640789986 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.653794050 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.666222095 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.729990005 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:39.741302967 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.753851891 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:39.765093088 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:39.776458025 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:40.315733910 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:40.324966908 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:40.332421064 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:40.339813948 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:40.348418951 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:40.669446945 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:40.811211109 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:40.819525003 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:40.827029943 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:40.840261936 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:41.079864979 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:41.088861942 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:41.097920895 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:41.107368946 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:41.116014004 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:41.183480978 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:41.193437099 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:41.203224897 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:41.212152004 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:41.220495939 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:41.321294069 CEST	1.1.1.1	192.168.2.11	0x5464	Name error (3)	ns2.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:41.335880041 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:41.347074032 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:41.358582973 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:41.366365910 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:41.374758959 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:41.436563969 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:41.445226908 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:41.906358957 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:41.915431023 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:41.925782919 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:41.993940115 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:42.002737999 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.012836933 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:42.024343014 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.036051035 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:42.109010935 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:42.116529942 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.124409914 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:42.132740021 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.140968084 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:42.214406013 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:42.223905087 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.233815908 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:42.241185904 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.249574900 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:42.315216064 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:42.323031902 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.334364891 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:42.343674898 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.352111101 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:42.427419901 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:42.436772108 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.446510077 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:42.454224110 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.462158918 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:42.525028944 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:42.532813072 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.540445089 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:42.548484087 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:42.558912039 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:42.618493080 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:42.625942945 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:43.154913902 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:43.163103104 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:43.170996904 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:43.704454899 CEST	1.1.1.1	192.168.2.11	0x882	Name error (3)	ns1.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:43.750194073 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:43.761049032 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:43.769450903 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:43.779269934 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:43.791733027 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:43.859437943 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:43.869139910 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:43.878443956 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:43.889503956 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:43.899183989 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:43.959661961 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:43.970663071 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:43.978821993 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:43.986799955 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:43.997045040 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:44.056602955 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:44.065587044 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:44.074507952 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:44.081794024 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:44.090126991 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:44.200907946 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:44.211451054 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:44.219280005 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:44.791217089 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:44.800676107 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:44.864502907 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:44.871848106 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:44.879987955 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:44.888447046 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:44.896538973 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:44.969548941 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:44.977340937 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:44.985163927 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:44.993352890 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:45.002145052 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:45.063226938 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:45.071436882 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:45.079051971 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:45.088665009 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:45.550004005 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:45.619756937 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:45.629997015 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:45.643153906 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:45.653934002 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:45.665822983 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:45.730781078 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:45.745346069 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:45.756841898 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:45.765330076 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:45.792695045 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:45.901797056 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:45.913922071 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:45.925575018 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:45.933631897 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:45.942125082 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:46.034873962 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:46.046500921 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.057192087 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:46.065860987 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.078810930 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:46.189218998 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:46.197362900 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.205233097 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:46.213145971 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.222666979 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:46.354829073 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:46.365964890 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.379282951 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:46.392138958 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.404526949 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:46.509542942 CEST	1.1.1.1	192.168.2.11	0x8b94	Name error (3)	ns2.cloud-name.ru	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.525888920 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:46.535367012 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.549725056 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:46.557800055 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.568562031 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:46.636769056 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:46.645565033 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.653628111 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:46.663289070 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.671173096 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:46.737744093 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:46.971584082 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:46.983907938 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:46.994968891 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.003762960 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.101119995 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:47.110997915 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.121874094 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.129791021 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.137806892 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.218256950 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:47.226377964 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.234525919 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.242902994 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.251497984 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.318265915 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:47.326443911 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.336560011 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.344891071 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.352839947 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.416878939 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:47.427408934 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.437975883 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.445274115 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.455271959 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.521843910 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:47.532052994 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.543822050 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.551609039 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.558552980 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.621035099 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:47.631426096 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.642121077 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.651984930 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.660059929 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.721082926 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:47.733426094 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.741605043 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.749207973 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.757148027 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.817482948 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:47.825464010 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.835263968 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.843508005 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.850975990 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.914623022 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:47.924786091 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.935065031 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:47.946746111 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:47.957619905 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:48.023612022 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:48.033915997 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:48.042006969 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:48.052212954 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	ransomware.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:48.060190916 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	ransomware.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:48.128180027 CEST	1.1.1.1	192.168.2.11	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 16:05:48.136729956 CEST	1.1.1.1	192.168.2.11	0x2	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:48.145279884 CEST	1.1.1.1	192.168.2.11	0x3	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false
Sep 30, 2024 16:05:48.153398037 CEST	1.1.1.1	192.168.2.11	0x4	Name error (3)	zonealarm.bit	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 16:05:48.161362886 CEST	1.1.1.1	192.168.2.11	0x5	Name error (3)	zonealarm.bit	none	none	28	IN (0x0001)	false

Target ID:	0
Start time:	10:03:42
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xe00000
File size:	749'568 bytes
MD5 hash:	5027E6B49AB2616A8F08F4C868B90DBA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000002.2791359211.0000000000E11000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000003.1583581493.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	10:03:42
Start date:	30/09/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Imagebase:	0x7ff7782e0000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:03:46
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup zonealarm.bit ns1.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:03:46
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:03:47
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup ransomware.bit ns2.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:03:47
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:03:49
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup zonealarm.bit ns2.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:03:49
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:03:50
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup ransomware.bit ns1.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:03:50
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:03:51
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup zonealarm.bit ns1.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:03:52
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:03:53
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup ransomware.bit ns2.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:03:53
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:03:53
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe"
Imagebase:	0xfd0000
File size:	749'568 bytes
MD5 hash:	792DCCE2F5F5C326C8A2A36E993BB215
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000F.00000002.1671067110.0000000000FE1000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Gandcrab, Description: Gandcrab Payload, Source: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:03:54
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup zonealarm.bit ns2.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:03:54
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	10:03:56
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup ransomware.bit ns1.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	10:03:56
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	10:03:58
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup zonealarm.bit ns1.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	10:03:58
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	10:03:59
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup ransomware.bit ns2.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	10:03:59
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	10:04:00
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup zonealarm.bit ns2.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	10:04:00
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	10:04:01
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup ransomware.bit ns1.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	10:04:01
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	10:04:02
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe"
Imagebase:	0xfd0000
File size:	749'568 bytes
MD5 hash:	792DCCE2F5F5C326C8A2A36E993BB215
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001D.00000002.1752023672.0000000000FE1000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Gandcrab, Description: Gandcrab Payload, Source: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	10:04:03
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup zonealarm.bit ns1.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	10:04:03
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	10:04:05
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup ransomware.bit ns2.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	10:04:05
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	10:04:07
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup zonealarm.bit ns2.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	10:04:07
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	10:04:08
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup ransomware.bit ns1.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	10:04:08
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	10:04:09
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup zonealarm.bit ns1.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	10:04:09
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	10:04:11
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup ransomware.bit ns2.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	10:04:11
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	10:04:12
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup zonealarm.bit ns2.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	10:04:12
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	10:04:13
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup ransomware.bit ns1.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	10:04:13
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	10:04:15
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup zonealarm.bit ns1.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	10:04:15
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	10:04:16
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup ransomware.bit ns2.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	10:04:16
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	10:04:17
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup zonealarm.bit ns2.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	10:04:17
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	10:04:19
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup ransomware.bit ns1.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	10:04:19
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	10:04:20
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup zonealarm.bit ns1.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	10:04:20
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	10:04:21
Start date:	30/09/2024
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff7d7750000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	10:04:21
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	10:04:22
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup ransomware.bit ns2.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	10:04:22
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	10:04:23
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup zonealarm.bit ns2.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	10:04:23
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	10:04:24
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup ransomware.bit ns1.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	10:04:24
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	10:04:26
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup zonealarm.bit ns1.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	10:04:26
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	10:04:27
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup ransomware.bit ns2.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	10:04:27
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	10:04:28
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup zonealarm.bit ns2.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	10:04:28
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	10:04:29
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup ransomware.bit ns1.cloud-name.ru
Imagebase:	0x5d0000
File size:	77'824 bytes
MD5 hash:	9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	10:04:29
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	45.7%
Signature Coverage:	23.4%
Total number of Nodes:	1529
Total number of Limit Nodes:	138

Executed Functions

Function 00BB7600 Relevance: 154.5, APIs: 55, Strings: 33, Instructions: 499
memorystringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00BB7627
GetUserNameW.ADVAPI32(00000000,?), ref: 00BB7638
VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00BB7656
GetComputerNameW.KERNEL32(00000000,0000001E), ref: 00BB7660
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00BB7680
wsprintfW.USER32 ref: 00BB76C1
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00BB76DE
RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00BB7702
RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,00BB4820,?), ref: 00BB7726
GetLastError.KERNEL32 ref: 00BB7739
RegCloseKey.KERNEL32(00000000), ref: 00BB7742
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BB775F
VirtualAlloc.KERNEL32(00000000,0000008A,00003000,00000004), ref: 00BB777D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 00BB7793
wsprintfW.USER32 ref: 00BB77AD
RegOpenKeyExW.KERNEL32(80000001,Keyboard Layout\Preload,00000000,00020019,?), ref: 00BB77CF
RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00BB4820,?), ref: 00BB77F1
GetLastError.KERNEL32 ref: 00BB7804
RegCloseKey.KERNEL32(?), ref: 00BB780D
lstrcmpiW.KERNEL32(00BB4820,00000419), ref: 00BB7821
wsprintfW.USER32 ref: 00BB784E
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00BB785D
VirtualAlloc.KERNEL32(00000000,00000082,00003000,00000004), ref: 00BB787D
wsprintfW.USER32 ref: 00BB78C6
GetNativeSystemInfo.KERNEL32(?), ref: 00BB78D5
VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004), ref: 00BB78E6
wsprintfW.USER32 ref: 00BB790A
ExitProcess.KERNEL32 ref: 00BB7911
wsprintfW.USER32 ref: 00BB7939
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00BB7977
VirtualAlloc.KERNEL32(00000000,00000E0C,00003000,00000004), ref: 00BB798A
GetWindowsDirectoryW.KERNEL32(00000000,00000100), ref: 00BB7994
GetVolumeInformationW.KERNEL32(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 00BB79CE
lstrlenW.KERNEL32(0000060C,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 00BB7A00
wsprintfW.USER32 ref: 00BB7A38
lstrcatW.KERNEL32(?,0000060C), ref: 00BB7A4D
GetModuleHandleW.KERNEL32(ntdll.dll,RtlComputeCrc32), ref: 00BB7A59
GetProcAddress.KERNEL32(00000000), ref: 00BB7A60
lstrlenW.KERNEL32(?), ref: 00BB7A70
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00BB7AA1

Part of subcall function 00BB7CE0: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,756EF3C0,?,760773E0), ref: 00BB7CFD
Part of subcall function 00BB7CE0: VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 00BB7D71
Part of subcall function 00BB7CE0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BB7D86
Part of subcall function 00BB7CE0: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00BB7D9C

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00BB7AF8
GetDriveTypeW.KERNEL32(?), ref: 00BB7B3F
lstrcatW.KERNEL32(?,?), ref: 00BB7B66
lstrcatW.KERNEL32(?,00BC0334), ref: 00BB7B78
lstrcatW.KERNEL32(?,00BC03A8), ref: 00BB7B82
GetDiskFreeSpaceW.KERNEL32(?,?,00BB4820,?,00000000), ref: 00BB7B98
lstrlenW.KERNEL32(?,?,00000000,00BB4820,00000000,00000000,00000000,00BB4820,00000000), ref: 00BB7BE0
wsprintfW.USER32 ref: 00BB7BFA
lstrlenW.KERNEL32(?), ref: 00BB7C08
wsprintfW.USER32 ref: 00BB7C1C
lstrcatW.KERNEL32(?,00BC03C8), ref: 00BB7C2F
lstrcatW.KERNEL32(?,00BC03CC), ref: 00BB7C3B
lstrlenW.KERNEL32(?), ref: 00BB7C56
VirtualAlloc.KERNEL32(00000000,00000081,00003000,00000004), ref: 00BB7C79
VirtualFree.KERNELBASE(?,00000000,00008000,00000000), ref: 00BB7CA0

Strings

RtlComputeCrc32, xrefs: 00BB7A4F
SYSTEM\CurrentControlSet\services\Tcpip\Parameters, xrefs: 00BB7695
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 00BB79E6, 00BB7A1B
%I64u, xrefs: 00BB7C13
Unknown, xrefs: 00BB7933
ntdll.dll, xrefs: 00BB7A54
%I64u/, xrefs: 00BB7BF4
REMOVABLE, xrefs: 00BB7AD5
x64, xrefs: 00BB7917
?:\, xrefs: 00BB7B1D
FIXED, xrefs: 00BB7ADC
x86, xrefs: 00BB792C
NO_ROOT_DIR, xrefs: 00BB7ACE
REMOTE, xrefs: 00BB7AE3
WORKGROUP, xrefs: 00BB76B1
undefined, xrefs: 00BB76B9
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion, xrefs: 00BB78AF
00000419, xrefs: 00BB7819
error, xrefs: 00BB78BE
Domain, xrefs: 00BB7690
Identifier, xrefs: 00BB7A16
CDROM, xrefs: 00BB7AEA
UNKNOWN, xrefs: 00BB7AC7
LocaleName, xrefs: 00BB771E
RAMDISK, xrefs: 00BB7AF1
Itanium, xrefs: 00BB7925
Control Panel\International, xrefs: 00BB76F1
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00BB788B
ProcessorNameString, xrefs: 00BB79E1
@, xrefs: 00BB770F
Keyboard Layout\Preload, xrefs: 00BB77C5
ARM, xrefs: 00BB791E
productName, xrefs: 00BB7886, 00BB78AA

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$Freelstrcat$lstrlen$CloseErrorLastNameOpenQueryValue$AddressComputerCreateDirectoryDiskDriveExitHandleInfoInformationModuleNativeProcProcessSnapshotSpaceSystemToolhelp32TypeUserVolumeWindowslstrcmpi
String ID: %I64u$%I64u/$00000419$?:\$@$ARM$CDROM$Control Panel\International$Domain$FIXED$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Identifier$Itanium$Keyboard Layout\Preload$LocaleName$NO_ROOT_DIR$ProcessorNameString$RAMDISK$REMOTE$REMOVABLE$RtlComputeCrc32$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\services\Tcpip\Parameters$UNKNOWN$Unknown$WORKGROUP$error$ntdll.dll$productName$undefined$x64$x86
API String ID: 153366582-3109846240
Opcode ID: d534b7af877341accf3e86b10ec871d2e698a59e67cccfc87aad769e9d49aee1
Instruction ID: 27935ce747341caf4aa181062d26cc16d58936c43269191120a550ac0aa21852
Opcode Fuzzy Hash: d534b7af877341accf3e86b10ec871d2e698a59e67cccfc87aad769e9d49aee1
Instruction Fuzzy Hash: 79126C70A80305FFEB21ABA4CC4AFAABBF9FB44700F100559F645B61A0DBF1A944CB55

Function 00BB58D0 Relevance: 119.5, APIs: 54, Strings: 14, Instructions: 491
stringmemoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BB8130: GetTickCount.KERNEL32 ref: 00BB8139
Part of subcall function 00BB8130: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 00BB818F
Part of subcall function 00BB8130: VirtualAlloc.KERNEL32(00000000,00000000), ref: 00BB81A1
Part of subcall function 00BB8130: lstrcatW.KERNEL32(00000000,00000000), ref: 00BB81B1
Part of subcall function 00BB8130: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00BB81BB
Part of subcall function 00BB8130: lstrcatW.KERNEL32(00000000,00BC0604), ref: 00BB81D1
Part of subcall function 00BB8130: lstrcatW.KERNEL32(00000000,00000000), ref: 00BB822C
Part of subcall function 00BB8130: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00BB823A
Part of subcall function 00BB8130: lstrcatW.KERNEL32(00000000,00BBFFF8), ref: 00BB8280

VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000040,00000001,?,00000001,00000001,?,00000001), ref: 00BB5969
CryptBinaryToStringA.CRYPT32(00000000,00000000,40000001,00000000,?,?,00000001,00000001,?,00000001), ref: 00BB5A1C
CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,00000001,00000001,?,00000001), ref: 00BB5A35
lstrlenA.KERNEL32(00000000,?,00000001,00000001,?,00000001), ref: 00BB5A3E
lstrlenA.KERNEL32(?,?,00000001,00000001,?,00000001), ref: 00BB5A46
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040,?,00000001,00000001,?,00000001), ref: 00BB5A5B
lstrlenA.KERNEL32 ref: 00BB5A77
lstrlenA.KERNEL32(00000000), ref: 00BB5A9E
lstrlenA.KERNEL32(?), ref: 00BB5ABD
lstrlenA.KERNEL32(?), ref: 00BB5AE4
lstrlenA.KERNEL32(00000000), ref: 00BB5AF5
lstrlenA.KERNEL32(00000000), ref: 00BB5B17
lstrcatW.KERNEL32(?,action=call&), ref: 00BB5B2B
lstrlenW.KERNEL32(?), ref: 00BB5B38
lstrcatW.KERNEL32(756EE0B0,&id=,756EE0B0), ref: 00BB5B9A
lstrcatW.KERNEL32(756EE0B0,?), ref: 00BB5BA1
lstrcatW.KERNEL32(756EE0B0,&subid=), ref: 00BB5BA9
lstrcatW.KERNEL32(756EE0B0,?), ref: 00BB5BB0
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00BB5BC3
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00BB5BD0
lstrcatW.KERNEL32(756EE0B0,&pub_key=), ref: 00BB5BD8
lstrlenW.KERNEL32(756EE0B0), ref: 00BB5BE5
lstrlenA.KERNEL32(00000000), ref: 00BB5BEE
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,756EE0B0,00000000), ref: 00BB5BFF
lstrcatW.KERNEL32(?,&priv_key=), ref: 00BB5C0F
lstrlenW.KERNEL32(?), ref: 00BB5C16
lstrlenA.KERNEL32(00000000), ref: 00BB5C1F
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000000), ref: 00BB5C30
lstrcatW.KERNEL32(00BBFCB0,00760026), ref: 00BB5C8D
lstrlenW.KERNEL32(?), ref: 00BB5C98
VirtualAlloc.KERNEL32(00000000,-00000012,00003000,00000040), ref: 00BB5CAE
lstrlenW.KERNEL32(?), ref: 00BB5CB9
lstrlenW.KERNEL32(?), ref: 00BB5CDD
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BB5CF5
lstrlenW.KERNEL32(?,00003000,00000004), ref: 00BB5D06
VirtualAlloc.KERNEL32(00000000,-00000002), ref: 00BB5D0E
wsprintfA.USER32 ref: 00BB5D27

Part of subcall function 00BB6010: VirtualAlloc.KERNEL32(00000000,0000000A,00003000,00000004,00000000,00000000), ref: 00BB6033
Part of subcall function 00BB6010: GetModuleHandleA.KERNEL32(ntdll.dll), ref: 00BB6048
Part of subcall function 00BB6010: GetProcAddress.KERNEL32(00000000,RtlComputeCrc32), ref: 00BB6059
Part of subcall function 00BB6010: lstrlenA.KERNEL32(00000000), ref: 00BB6064
Part of subcall function 00BB6010: wsprintfA.USER32 ref: 00BB607C
Part of subcall function 00BB6010: _memset.LIBCMT ref: 00BB609B
Part of subcall function 00BB6010: lstrlenA.KERNEL32(00000000), ref: 00BB60A4
Part of subcall function 00BB6010: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00BB60D3

CryptBinaryToStringA.CRYPT32(?,756EE0B0,40000001,00000000,?), ref: 00BB5D61
GetLastError.KERNEL32(?,00000001,00000001,?,00000001), ref: 00BB5D6B
lstrlenA.KERNEL32(00000000), ref: 00BB5D72
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 00BB5D81
lstrlenA.KERNEL32(00000000), ref: 00BB5D8C
lstrlenA.KERNEL32(00000000), ref: 00BB5DAC
lstrlenA.KERNEL32(00000000), ref: 00BB5DD4
lstrlenA.KERNEL32(00000000), ref: 00BB5DE3
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 00BB5DF4
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,00000001,?,00000001), ref: 00BB5E2C
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,00000001,?,00000001), ref: 00BB5E3A
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,00000001,?,00000001), ref: 00BB5E47
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,00000001,?,00000001), ref: 00BB5E6C
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,00000001,?,00000001), ref: 00BB5E7A
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,00000001,?,00000001), ref: 00BB5E87
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BB5E9E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BB5EB1

Strings

popkadurak, xrefs: 00BB58FE
action=call&, xrefs: 00BB5B25
&priv_key=, xrefs: 00BB5C09
&subid=, xrefs: 00BB5BA3
o, xrefs: 00BB5C50
., xrefs: 00BB5C68
e, xrefs: 00BB5C40
&id=, xrefs: 00BB5B94
s, xrefs: 00BB5C48
., xrefs: 00BB5C60
&advert=+380668846667, xrefs: 00BB5C75
&, xrefs: 00BB5C38
&pub_key=, xrefs: 00BB5BD2
=, xrefs: 00BB5C58

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Free$lstrcat$Alloc$BinaryByteCharCryptMultiStringWide$wsprintf$AddressCountErrorHandleLastModuleProcTick_memset
String ID: &$&advert=+380668846667$&id=$&priv_key=$&pub_key=$&subid=$.$.$=$action=call&$e$o$popkadurak$s
API String ID: 3331976855-889238998
Opcode ID: d0ca3cd12af2541b8688803f579bab54c5d4c2ada6f2638c9555e4a9ad453d03
Instruction ID: 6877c0eb6252de596230c6ac8cfb07dd21d431d89cd1a3889842607e5e05d78e
Opcode Fuzzy Hash: d0ca3cd12af2541b8688803f579bab54c5d4c2ada6f2638c9555e4a9ad453d03
Instruction Fuzzy Hash: 1E026971608705AFD721DF24CC85BABBBE9FF88704F100A5DF585A7290DBB0E9058B96

Function 00BB7CE0 Relevance: 54.4, APIs: 17, Strings: 14, Instructions: 150
memorystringprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,756EF3C0,?,760773E0), ref: 00BB7CFD
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 00BB7D71
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BB7D86
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00BB7D9C
Process32FirstW.KERNEL32(00000000,00000000), ref: 00BB7DBF
lstrcmpiW.KERNEL32(00BC03D4,-00000024), ref: 00BB7DE5
Process32NextW.KERNEL32(?,?), ref: 00BB7E5E
GetLastError.KERNEL32 ref: 00BB7E68
lstrlenW.KERNEL32(00000000), ref: 00BB7E86
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00BB7EAB
CloseHandle.KERNEL32(?), ref: 00BB7EB0
VirtualFree.KERNEL32(?,?,00008000), ref: 00BB7EC5

Strings

fsguiexe.exe, xrefs: 00BB7D5C
msmpeng.exe, xrefs: 00BB7D6A
cmdagent.exe, xrefs: 00BB7D40
ashDisp.exe, xrefs: 00BB7D24
ekrn.exe, xrefs: 00BB7D16
pccpfw.exe, xrefs: 00BB7D55
Mcshield.exe, xrefs: 00BB7D32
persfw.exe, xrefs: 00BB7D4E
AVP.EXE, xrefs: 00BB7D0F
avgnt.exe, xrefs: 00BB7D1D
smc.exe, xrefs: 00BB7D47
NortonAntiBot.exe, xrefs: 00BB7D2B
cfp.exe, xrefs: 00BB7D63
avengine.exe, xrefs: 00BB7D39

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: Virtual$Free$AllocProcess32$CloseCreateErrorFirstHandleLastNextSnapshotToolhelp32lstrcmpilstrlen
String ID: AVP.EXE$Mcshield.exe$NortonAntiBot.exe$ashDisp.exe$avengine.exe$avgnt.exe$cfp.exe$cmdagent.exe$ekrn.exe$fsguiexe.exe$msmpeng.exe$pccpfw.exe$persfw.exe$smc.exe
API String ID: 2470459410-3383346926
Opcode ID: 4ea1489317bb40e540eb6deee1cd9c420f71e30f46d379434e4832a7756d586f
Instruction ID: 43cc6de8574d4f742b88e20352844030a898f50175b1a15ec1e9627cc8c99df8
Opcode Fuzzy Hash: 4ea1489317bb40e540eb6deee1cd9c420f71e30f46d379434e4832a7756d586f
Instruction Fuzzy Hash: A4516C72E54218EBCB24AF98DC49BAE7BF4FF89710F204199E604BB290CBB05905CF55

Function 00BB84D0 Relevance: 42.1, APIs: 13, Strings: 11, Instructions: 130
networkfilememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCloseHandle.WININET(?), ref: 00BB84E3
InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00BB8502
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000040,?,?,?,?,?,?,?,00BB71B6,ipv4bot.whatismyipaddress.com,00BBFFB8,00000000,00000000), ref: 00BB852F
wsprintfW.USER32 ref: 00BB8543
HttpOpenRequestW.WININET(00000000,?,00000000,HTTP/1.1,00000000,00000000,8404F700,00000000), ref: 00BB8561
HttpAddRequestHeadersW.WININET(00000000,006F0048,000000FF,00000000), ref: 00BB85C5
HttpSendRequestW.WININET(00000000,00610072,0020003A,00000000,00740069), ref: 00BB85DC
InternetReadFile.WININET(00000000,0062002E,00650071,00000000), ref: 00BB85FB
InternetReadFile.WININET(00000000,0062002E,00650071,00000000), ref: 00BB8625
GetLastError.KERNEL32 ref: 00BB8631
InternetCloseHandle.WININET(00000000), ref: 00BB863E
InternetCloseHandle.WININET(00000000), ref: 00BB8643
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,00BB71B6,ipv4bot.whatismyipaddress.com,00BBFFB8), ref: 00BB864F

Strings

n, xrefs: 00BB859B
:, xrefs: 00BB858D
i, xrefs: 00BB85BE
o, xrefs: 00BB85A2
HTTP/1.1, xrefs: 00BB8557
r, xrefs: 00BB8594
s, xrefs: 00BB8586
., xrefs: 00BB85B7
w, xrefs: 00BB85A9
r, xrefs: 00BB85B0
H, xrefs: 00BB8573

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$FileReadVirtual$AllocConnectErrorFreeHeadersLastOpenSendwsprintf
String ID: .$:$H$HTTP/1.1$i$n$o$r$r$s$w
API String ID: 3906118045-693250572
Opcode ID: e7a7024ba2734c74f5d931b2276a8b9119d9b8415450b65a26fcfa34a70be029
Instruction ID: 8739e0cbce05e2e153fd8eff1b9b74529125a71c4b72b4390c592fed5ac1684b
Opcode Fuzzy Hash: e7a7024ba2734c74f5d931b2276a8b9119d9b8415450b65a26fcfa34a70be029
Instruction Fuzzy Hash: BE416C31A40208BBEB209F58DC49FEE7FBCEB05794F104159F904B6290CBF59A50CBA5

Function 00BB4B30 Relevance: 40.4, APIs: 22, Strings: 1, Instructions: 182
threadsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000003E8), ref: 00BB4B3B

Part of subcall function 00BB47E0: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB483C
Part of subcall function 00BB47E0: lstrcpyW.KERNEL32(00000000,Global\,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB485F
Part of subcall function 00BB47E0: lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB4866
Part of subcall function 00BB47E0: CreateMutexW.KERNEL32(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB487E
Part of subcall function 00BB47E0: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB488A
Part of subcall function 00BB47E0: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB4891
Part of subcall function 00BB47E0: VirtualFree.KERNEL32(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB48AB

ExitProcess.KERNEL32 ref: 00BB4B4C
CreateThread.KERNEL32(00000000,00000000,00BB2D30,00000000,00000000,00000000), ref: 00BB4B61
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00BB4B79
TerminateThread.KERNEL32(00000000,00000000), ref: 00BB4B8C
CloseHandle.KERNEL32(00000000), ref: 00BB4B96
VirtualAlloc.KERNEL32(00000000,00000200,00003000,00000004,00000000,00000000,00000000,00000000), ref: 00BB4C0A
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 00BB4C24
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00BB4C3D
ExitProcess.KERNEL32 ref: 00BB4C45

Strings

open, xrefs: 00BB4DA0

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: Virtual$AllocCreateErrorExitFreeLastProcessThread$CloseFileHandleModuleMutexNameObjectSingleSleepTerminateWaitlstrcpylstrlen
String ID: open
API String ID: 1803241880-2758837156
Opcode ID: 1393cd581c3b9695455471936f6ab1efca72602cbc48b833ae9a9e36e0234693
Instruction ID: b298b908ae65543a589ca7535f4e537cb73d9a606f6957a71c921a042c193f83
Opcode Fuzzy Hash: 1393cd581c3b9695455471936f6ab1efca72602cbc48b833ae9a9e36e0234693
Instruction Fuzzy Hash: A771E770E40208ABEB14EBA4DD5AFEEBBB4FB08B01F104558F601BA1D1DBF45A44CB65

Function 00BB5400 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 230
stringmemoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,00BB5643,00000000,?,00000000,00000000,?,00000000), ref: 00BB540F
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040,?,?,?,?,00BB5643,00000000,?,00000000,00000000,?,00000000), ref: 00BB5426
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00BB544B
lstrlenA.KERNEL32(?,00003000,00000004,00000000,?,?,?,?,00BB5643,00000000,?), ref: 00BB54A7
VirtualAlloc.KERNEL32(00000000,00000001,?,?,?,?,00BB5643,00000000,?), ref: 00BB54B1
lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00BB5643,00000000,?), ref: 00BB54C2
HeapFree.KERNEL32(00000000,?,?,?,?,00BB5643,00000000,?), ref: 00BB54DD
HeapFree.KERNEL32(00000000,?,?,?,?,00BB5643,00000000,?), ref: 00BB54EE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,00BB5643,00000000,?,00000000,00000000,?,00000000), ref: 00BB54FD
GetLastError.KERNEL32(?,?,?,?,00BB5643,00000000,?,00000000,00000000,?,00000000), ref: 00BB550C
lstrlenA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BB5542
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00BB5562
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 00BB5574
lstrcatA.KERNEL32(00000000,?), ref: 00BB558E
lstrlenA.KERNEL32(00000000), ref: 00BB55E3
lstrlenW.KERNEL32(?), ref: 00BB55EF
lstrlenA.KERNEL32(00000000,00000000,00031FFF,?,00000000), ref: 00BB560B
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00000000,00000000,?,00000000), ref: 00BB5665
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 00BB5671
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 00BB567B
InternetCloseHandle.WININET(00BB587A), ref: 00BB5685

Strings

POST, xrefs: 00BB55FA

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Heap$BinaryCloseCryptErrorHandleInternetLastStringlstrcatlstrcpy
String ID: POST
API String ID: 1287001821-1814004025
Opcode ID: 2ac341f1b3fea2aa7b7f571f58e3139b45458fb7afcddb2d103a34850ba2a6cc
Instruction ID: 7d1ccb337adf43677a8776857b993425ed0b9bbdf5b5917a6b135f87fc544702
Opcode Fuzzy Hash: 2ac341f1b3fea2aa7b7f571f58e3139b45458fb7afcddb2d103a34850ba2a6cc
Instruction Fuzzy Hash: C1719171E00709ABDB219BA9DC45BFEBBB8EF89701F104255FA05B7240DFB49940CBA1

Function 00BB8730 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 111encryptionlibrarymemoryCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00BB874D
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00BB877B
GetModuleHandleA.KERNEL32(?), ref: 00BB87CF
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00BB87DD
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00BB87EC
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00BB8835
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00BB8843
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00BB8857
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00BB8865

Strings

Advapi32.dll, xrefs: 00BB87D9, 00BB87DC
CryptGenRandomAdvapi32.dll, xrefs: 00BB87E7, 00BB87EA

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: d18b5cae2c0fa20354e9bfed7827928d9d2a74aa2d3484edd4f6c1e36444c751
Instruction ID: e59021d1cae42e2280ccf1c00eec436c89f2dd9122fb6c9e4fe1f72cd01913b6
Opcode Fuzzy Hash: d18b5cae2c0fa20354e9bfed7827928d9d2a74aa2d3484edd4f6c1e36444c751
Instruction Fuzzy Hash: 4D31A575A00209ABDB209FE5DC85BFEBBBCEF05701F504169E501B7150EFB59A01CB65

Function 00BB8880 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 96encryptionlibrarymemoryCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00BB88A0
VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 00BB88C8
GetModuleHandleA.KERNEL32(?), ref: 00BB891D
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00BB892B
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00BB893A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00BB895E
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00BB896C
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00BB292B), ref: 00BB8980
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,00BB292B), ref: 00BB898E

Strings

CryptGenRandomAdvapi32.dll, xrefs: 00BB8935, 00BB8938
Advapi32.dll, xrefs: 00BB8927, 00BB892A

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: 95919b242b9ba1afc44a580f24baf0097e23179041d46b6513cbaf173863038b
Instruction ID: 03038fe9f013be1385d867f57d43afe8e22d0e979eacacdada0d4c2f784ac394
Opcode Fuzzy Hash: 95919b242b9ba1afc44a580f24baf0097e23179041d46b6513cbaf173863038b
Instruction Fuzzy Hash: 50318475E00209AFEF109FA5DC4ABEEBBBCEB45701F104169F605B6190DBB59A00CB66

Function 00BB64F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(00BB4BAE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,00BB4BA6,?,00BB4BAE), ref: 00BB6508
GetLastError.KERNEL32(?,00BB4BAE), ref: 00BB6512
CryptAcquireContextW.ADVAPI32(00BB4BAE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,00BB4BAE), ref: 00BB652E
CryptGenKey.ADVAPI32(00BB4BAE,0000A400,08000001,?,?,00BB4BAE), ref: 00BB655A
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000000), ref: 00BB657E
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?), ref: 00BB6596
CryptDestroyKey.ADVAPI32(?), ref: 00BB65A0
CryptReleaseContext.ADVAPI32(00BB4BAE,00000000), ref: 00BB65AC
CryptAcquireContextW.ADVAPI32(00BB4BAE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000010), ref: 00BB65C1

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00BB64FD, 00BB6523, 00BB65B6

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$Export$DestroyErrorLastRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 137402220-1948191093
Opcode ID: 6bdf9bc27dda57a0f6e7c8322ffa718646d4fcfa6ec12c546cca0ce3619aace5
Instruction ID: 62134179998dfec2546d277a9456d14db271782c9f52c5fb2c8b4092e1f1845d
Opcode Fuzzy Hash: 6bdf9bc27dda57a0f6e7c8322ffa718646d4fcfa6ec12c546cca0ce3619aace5
Instruction Fuzzy Hash: 1D218675B80309BBDB20DFA0DC46FEA3B78A754B00F504554F701A71D4DAF5D9409B61

Function 00BB7160 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56stringmemorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB82C0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00BB84A4
Part of subcall function 00BB82C0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 00BB84BD

VirtualAlloc.KERNEL32(00000000,00002801,00003000,00000040,756EF3C0,?), ref: 00BB717F
lstrlenW.KERNEL32(00BBFFB4), ref: 00BB718C

Part of subcall function 00BB84D0: InternetCloseHandle.WININET(?), ref: 00BB84E3
Part of subcall function 00BB84D0: InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00BB8502

lstrlenA.KERNEL32(00000000,ipv4bot.whatismyipaddress.com,00BBFFB8,00000000,00000000,00000000,000027FF,?,00000000), ref: 00BB71BB
wsprintfW.USER32 ref: 00BB71D3
VirtualFree.KERNELBASE(00000000,00000000,00008000,ipv4bot.whatismyipaddress.com,00BBFFB8,00000000,00000000,00000000,000027FF,?,00000000), ref: 00BB71E9
InternetCloseHandle.WININET(?), ref: 00BB71F7

Strings

ipv4bot.whatismyipaddress.com, xrefs: 00BB71AC
GET, xrefs: 00BB7194

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpenVirtuallstrlen$AllocConnectFreewsprintf
String ID: GET$ipv4bot.whatismyipaddress.com
API String ID: 4289327240-2259699238
Opcode ID: 46af1ea55f38af3d8961608153d3f6caed6a7242f715a04fa5f706b0107e4cbf
Instruction ID: 73237293792a8486d01dde336446b7f63db3a5581df2fbf2ec840fe009ed0199
Opcode Fuzzy Hash: 46af1ea55f38af3d8961608153d3f6caed6a7242f715a04fa5f706b0107e4cbf
Instruction Fuzzy Hash: CE019236B8120477DA206B699C8EFFF3EACEB82B51F000164FA05F21D0DEE48505C6A6

Function 00BB2F50 Relevance: 10.6, APIs: 7, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 00BB2F74
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00BB2F8D

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: AllocDeviceDriversEnumVirtual
String ID:
API String ID: 4140748134-0
Opcode ID: 02e56b0922c66e3d31d1602c5d932d8c9696eacb692921d58fde1a3c2c665fbf
Instruction ID: ba92a6a2be4017cf95e33f441bbf53af622dadb338d31f6b68af0d85090ba320
Opcode Fuzzy Hash: 02e56b0922c66e3d31d1602c5d932d8c9696eacb692921d58fde1a3c2c665fbf
Instruction Fuzzy Hash: 56219832A00119ABEB209B989C45FF977BCEB44711F1042A6FA04F7180DBB199059B91

Function 00E175C0 Relevance: 3.3, APIs: 2, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2791359211.0000000000E11000.00000004.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2791252862.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791285958.0000000000E01000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791318792.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791395923.0000000000E27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 794c13284e084b999102786f7c7132ff237cb24c9401df5e3aaca089a4b1fbef
Instruction ID: 9643a78b3b1bbf8b08af985c7592dde61be512dc3ccdd5d0a345bd07aa5cda75
Opcode Fuzzy Hash: 794c13284e084b999102786f7c7132ff237cb24c9401df5e3aaca089a4b1fbef
Instruction Fuzzy Hash: D8D19075E042168FCB24CF58C880BE9B7B1FF58B18F2955A9D895AB341D335ED81CB90

Function 00BB82C0 Relevance: 98.1, APIs: 2, Strings: 54, Instructions: 88
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00BB84A4
InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 00BB84BD

Strings

T, xrefs: 00BB8353
., xrefs: 00BB8450
G, xrefs: 00BB8418
1, xrefs: 00BB8367
M, xrefs: 00BB82E4
, xrefs: 00BB842D
3, xrefs: 00BB849D
A, xrefs: 00BB8399
5, xrefs: 00BB848F
5, xrefs: 00BB8449
, xrefs: 00BB8473
0, xrefs: 00BB8317
h, xrefs: 00BB8434
L, xrefs: 00BB83FC
, xrefs: 00BB8349
o, xrefs: 00BB8426
., xrefs: 00BB8457
5, xrefs: 00BB83D2
3, xrefs: 00BB83E0
e, xrefs: 00BB83B7
e, xrefs: 00BB8411
i, xrefs: 00BB840A
a, xrefs: 00BB847A
i, xrefs: 00BB832B
6, xrefs: 00BB8385
l, xrefs: 00BB82F9
p, xrefs: 00BB83A3
3, xrefs: 00BB8465
K, xrefs: 00BB83C1
a, xrefs: 00BB8481
6, xrefs: 00BB835D
5, xrefs: 00BB830D
o, xrefs: 00BB843B
e, xrefs: 00BB8442
T, xrefs: 00BB83F5
t, xrefs: 00BB83CB
K, xrefs: 00BB83EE
c, xrefs: 00BB841F
O, xrefs: 00BB837B
7, xrefs: 00BB8496
z, xrefs: 00BB82EF
, xrefs: 00BB8403
i, xrefs: 00BB8488
, xrefs: 00BB8371
d, xrefs: 00BB8335
8, xrefs: 00BB845E
7, xrefs: 00BB83D9
8, xrefs: 00BB846C
w, xrefs: 00BB833F
a, xrefs: 00BB8303
), xrefs: 00BB838F
e, xrefs: 00BB83AD
(, xrefs: 00BB8321
, xrefs: 00BB83E7

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: $ $ $ $ $ $($)$.$.$0$1$3$3$3$5$5$5$5$6$6$7$7$8$8$A$G$K$K$L$M$O$T$T$a$a$a$c$d$e$e$e$e$h$i$i$i$l$o$o$p$t$w$z
API String ID: 2038078732-2805935662
Opcode ID: 9c7515bce8fb11c91b5dcaf89b1e5fd2559b11b2b8bfc63564cba51f9f9712f7
Instruction ID: 23522251ac923da7a4dc3a3e2986072c955d058e254ebbd16b4211c2e513aef9
Opcode Fuzzy Hash: 9c7515bce8fb11c91b5dcaf89b1e5fd2559b11b2b8bfc63564cba51f9f9712f7
Instruction Fuzzy Hash: 0C41B7B4811368DEEB218F91999879EBFF5FB00748F50818EC5086B201C7F60A89CF60

Function 00BB7210 Relevance: 89.4, APIs: 49, Strings: 2, Instructions: 196
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00BB7231
lstrcatW.KERNEL32(?,00BBFFF8,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB7239
lstrcatW.KERNEL32(?,?,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB7242
lstrcatW.KERNEL32(?,00BBFFFC,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB724A
lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00BB7255
lstrcatW.KERNEL32(?,00BBFFF8,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB725D
lstrcatW.KERNEL32(?,?,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB7263
lstrcatW.KERNEL32(?,00BBFFFC,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB726B
lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00BB7277
lstrcatW.KERNEL32(?,00BBFFF8,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB727F
lstrcatW.KERNEL32(?,?,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB7285
lstrcatW.KERNEL32(?,00BBFFFC,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB728D
lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00BB7299
lstrcatW.KERNEL32(?,00BBFFF8,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB72A1
lstrcatW.KERNEL32(?,?,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB72A7
lstrcatW.KERNEL32(?,00BBFFFC,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB72AF
lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00BB72BB
lstrcatW.KERNEL32(?,00BBFFF8,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB72C3
lstrcatW.KERNEL32(?,?,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB72C9
lstrcatW.KERNEL32(?,00BBFFFC,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB72D1
lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00BB72DD
lstrcatW.KERNEL32(?,00BBFFF8,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB72E5
lstrcatW.KERNEL32(?,?,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB72EB
lstrcatW.KERNEL32(?,00BBFFFC,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB72F3
lstrcatW.KERNEL32(?,00BB4B46,00000000,00000000,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00BB72FF
lstrcatW.KERNEL32(?,00BBFFF8,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB7307
lstrcatW.KERNEL32(?,?,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB730D
lstrcatW.KERNEL32(?,00BBFFFC,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB7315
lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00BB7321
lstrcatW.KERNEL32(?,00BBFFF8,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB7329
lstrcatW.KERNEL32(?,?,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB732F
lstrcatW.KERNEL32(?,00BBFFFC,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB7337
lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00BB7343
lstrcatW.KERNEL32(?,00BBFFF8,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB734B
lstrcatW.KERNEL32(?,?,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB7351
lstrcatW.KERNEL32(?,00BBFFFC,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB7359
VirtualAlloc.KERNEL32(00000000,00000042,00003000,00000040,00000000,00000000,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000), ref: 00BB736C
wsprintfW.USER32 ref: 00BB7386
wsprintfW.USER32 ref: 00BB7397
lstrcatW.KERNEL32(?,?,?,00000000,00000000,?,00000000), ref: 00BB73A4
lstrcatW.KERNEL32(?,00BBFFF8,?,00000000,00000000,?,00000000), ref: 00BB73AC
lstrcatW.KERNEL32(?,?,?,00000000,00000000,?,00000000), ref: 00BB73B2
lstrcatW.KERNEL32(?,00BBFFFC,?,00000000,00000000,?,00000000), ref: 00BB73BA
VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 00BB73C6
lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00BB73D6
lstrcatW.KERNEL32(?,00BBFFF8,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB73DE
lstrcatW.KERNEL32(?,?,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB73E4
lstrcatW.KERNEL32(?,00BBFFFC,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB73EC
lstrlenW.KERNEL32(?,00000000,00000000,?,?,00BB4879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB73EF

Strings

%x%x, xrefs: 00BB7380
undefined, xrefs: 00BB7391

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtualwsprintf$AllocFreelstrlen
String ID: %x%x$undefined
API String ID: 3872469520-3801831566
Opcode ID: 1daf4a86037a01dfc52d723ca22865656cdce408d9d05a228ed9a51390d2c5fa
Instruction ID: 1ff593f149aa74c46929e2ed7d3be1cc003ee5756866dd8f0ad6cd5cd5926a4d
Opcode Fuzzy Hash: 1daf4a86037a01dfc52d723ca22865656cdce408d9d05a228ed9a51390d2c5fa
Instruction Fuzzy Hash: 6551FF31147565B7CB273B658C49FFF3E99EFC6701F1500A0F900640A68FA98652DFAA

Function 00BB48D0 Relevance: 84.1, APIs: 10, Strings: 38, Instructions: 114
processmemorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00BB4A42
VirtualAlloc.KERNEL32(00000000,0000022C,00003000,00000004), ref: 00BB4A5C
Process32FirstW.KERNEL32(00000000,00000000), ref: 00BB4A75
lstrcmpiW.KERNEL32(00000002,00000024), ref: 00BB4A95
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BB4AA5
TerminateProcess.KERNEL32(00000000,00000000), ref: 00BB4AB4
CloseHandle.KERNEL32(00000000), ref: 00BB4AC1
Process32NextW.KERNEL32(?,00000000), ref: 00BB4ADA
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00BB4AF3
CloseHandle.KERNEL32(?), ref: 00BB4AFA

Strings

outlook.exe, xrefs: 00BB49D4
sqlservr.exe, xrefs: 00BB48FB, 00BB49F5
synctime.exe, xrefs: 00BB4923
sqlbrowser.exe, xrefs: 00BB48F3
visio.exe, xrefs: 00BB4A21
infopath.exe, xrefs: 00BB49AB
mysqld-opt.exe, xrefs: 00BB498B
agntsvc.exeencsvc.exe, xrefs: 00BB495B
msaccess.exe, xrefs: 00BB49B3
sqbcoreservice.exe, xrefs: 00BB499B
onenote.exe, xrefs: 00BB49C9
mydesktopservice.exe, xrefs: 00BB4943
firefoxconfig.exe, xrefs: 00BB4963
powerpnt.exe, xrefs: 00BB49DF
ocssd.exe, xrefs: 00BB4913
sqlwriter.exe, xrefs: 00BB4903
ocautoupds.exe, xrefs: 00BB494B
msftesql.exe, xrefs: 00BB48E3
thunderbird.exe, xrefs: 00BB4A16
tbirdconfig.exe, xrefs: 00BB496B
steam.exe, xrefs: 00BB49EA
winword.exe, xrefs: 00BB4A2C
excel.exe, xrefs: 00BB49A3
mysqld-nt.exe, xrefs: 00BB4983
dbeng50.exe, xrefs: 00BB4993
oracle.exe, xrefs: 00BB490B
xfssvccon.exe, xrefs: 00BB493B
mysqld.exe, xrefs: 00BB497B
mydesktopqos.exe, xrefs: 00BB492B
dbsnmp.exe, xrefs: 00BB491B
agntsvc.exeisqlplussvc.exe, xrefs: 00BB4933
mspub.exe, xrefs: 00BB49BE
agntsvc.exeagntsvc.exe, xrefs: 00BB4953
wordpad.exe, xrefs: 00BB4A37
sqlagent.exe, xrefs: 00BB48EB
ocomm.exe, xrefs: 00BB4973
thebat64.exe, xrefs: 00BB4A0B
thebat.exe, xrefs: 00BB4A00

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32Virtual$AllocCreateFirstFreeNextOpenSnapshotTerminateToolhelp32lstrcmpi
String ID: agntsvc.exeagntsvc.exe$agntsvc.exeencsvc.exe$agntsvc.exeisqlplussvc.exe$dbeng50.exe$dbsnmp.exe$excel.exe$firefoxconfig.exe$infopath.exe$msaccess.exe$msftesql.exe$mspub.exe$mydesktopqos.exe$mydesktopservice.exe$mysqld-nt.exe$mysqld-opt.exe$mysqld.exe$ocautoupds.exe$ocomm.exe$ocssd.exe$onenote.exe$oracle.exe$outlook.exe$powerpnt.exe$sqbcoreservice.exe$sqlagent.exe$sqlbrowser.exe$sqlservr.exe$sqlwriter.exe$steam.exe$synctime.exe$tbirdconfig.exe$thebat.exe$thebat64.exe$thunderbird.exe$visio.exe$winword.exe$wordpad.exe$xfssvccon.exe
API String ID: 3586910739-2697476765
Opcode ID: cfff25c21cf80ce7e699b4415aa01c89ff5b511d045c8f9026640d4ab49fb870
Instruction ID: 9ce458cdc4ef00f49493c73fe6fb9e8eb7781b89055536b43c61b4f85f860eb2
Opcode Fuzzy Hash: cfff25c21cf80ce7e699b4415aa01c89ff5b511d045c8f9026640d4ab49fb870
Instruction Fuzzy Hash: 495130B25083429FD7208F559C487FBBBE4FB85708F504AACE5996B261DBF08809CF56

Function 00BB5070 Relevance: 68.4, APIs: 8, Strings: 31, Instructions: 119
pipememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNEL32(00BC3080,00BC307C,?,00000000,00000001,00000001,00000000), ref: 00BB518D
SetHandleInformation.KERNEL32(00000001,00000000), ref: 00BB51B1
CreatePipe.KERNEL32(00BC3078,00BC3084,0000000C,00000000), ref: 00BB51CA
SetHandleInformation.KERNEL32(00000001,00000000), ref: 00BB51DA
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000004), ref: 00BB51EE
wsprintfW.USER32 ref: 00BB51FF
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00BB5220

Strings

u, xrefs: 00BB5105
l, xrefs: 00BB5113
o, xrefs: 00BB50E2
l, xrefs: 00BB508F
c, xrefs: 00BB5144
1, xrefs: 00BB50D4
S, xrefs: 00BB50C6
S, xrefs: 00BB512F
., xrefs: 00BB5167
o, xrefs: 00BB514B
n, xrefs: 00BB50F0
d, xrefs: 00BB5152
n, xrefs: 00BB510C
c, xrefs: 00BB50DB
n, xrefs: 00BB5159
fabian wosar <3, xrefs: 00BB522F
n, xrefs: 00BB5136
, xrefs: 00BB5128
u, xrefs: 00BB516E
u, xrefs: 00BB50AD
2, xrefs: 00BB513D
m, xrefs: 00BB50F7
m, xrefs: 00BB5160
o, xrefs: 00BB5099
u, xrefs: 00BB5121
n, xrefs: 00BB5085
o, xrefs: 00BB511A
d, xrefs: 00BB50E9
., xrefs: 00BB50FE
n, xrefs: 00BB50CD
, xrefs: 00BB50BF

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: CreateHandleInformationPipeVirtual$AllocFreewsprintf
String ID: $ $.$.$1$2$S$S$c$c$d$d$fabian wosar <3$l$l$m$m$n$n$n$n$n$n$o$o$o$o$u$u$u$u
API String ID: 1490407255-1922363339
Opcode ID: a2f9e564a52772667de5a725514ad6665ef6923998c078a452f4f229b3a3d9f6
Instruction ID: 4f4550631a5955406035f51f7031ad5f0c64d5e81e18c5a528c54b278c6b27f9
Opcode Fuzzy Hash: a2f9e564a52772667de5a725514ad6665ef6923998c078a452f4f229b3a3d9f6
Instruction Fuzzy Hash: EF412D71E40318ABEB209F94DC49BEDBFF6EB04B05F504159E504AB291CBF645898FA1

Function 00BB42C0 Relevance: 66.7, APIs: 7, Strings: 31, Instructions: 175
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BB3BD0: GetProcessHeap.KERNEL32(?,?,00BB4817,00000000,?,00000000,00000000), ref: 00BB3C6C

Part of subcall function 00BB7600: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00BB7627
Part of subcall function 00BB7600: GetUserNameW.ADVAPI32(00000000,?), ref: 00BB7638
Part of subcall function 00BB7600: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00BB7656
Part of subcall function 00BB7600: GetComputerNameW.KERNEL32(00000000,0000001E), ref: 00BB7660
Part of subcall function 00BB7600: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00BB7680
Part of subcall function 00BB7600: wsprintfW.USER32 ref: 00BB76C1
Part of subcall function 00BB7600: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00BB76DE
Part of subcall function 00BB7600: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00BB7702
Part of subcall function 00BB7600: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,00BB4820,?), ref: 00BB7726
Part of subcall function 00BB7600: RegCloseKey.KERNEL32(00000000), ref: 00BB7742

Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB7462
Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB746D
Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB7483
Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB748E
Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB74A4
Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB74AF
Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB74C5
Part of subcall function 00BB7410: lstrlenW.KERNEL32(00BB4B46,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB74D0
Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB74E6
Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB74F1
Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB7507
Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB7512
Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB7531
Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB753C

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB4331
lstrlenW.KERNEL32(ransom_id=,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB4373
lstrcpyW.KERNEL32(00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB43F2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB43F9

Strings

r, xrefs: 00BB44A5
o, xrefs: 00BB44ED
r, xrefs: 00BB44AD
w, xrefs: 00BB448D
d, xrefs: 00BB44FD
j, xrefs: 00BB44B5
/, xrefs: 00BB44D5
h, xrefs: 00BB4535
o, xrefs: 00BB44DD
w, xrefs: 00BB4505
t, xrefs: 00BB449D
w, xrefs: 00BB4495
{USERID}, xrefs: 00BB43CF, 00BB441D, 00BB4423
s, xrefs: 00BB447D
c, xrefs: 00BB44BD
., xrefs: 00BB4545
n, xrefs: 00BB44E5
., xrefs: 00BB44C5
y, xrefs: 00BB452D
a, xrefs: 00BB4515
t, xrefs: 00BB4475
r, xrefs: 00BB44CD
-, xrefs: 00BB451D
a, xrefs: 00BB4525
d, xrefs: 00BB44F5
ransom_id=, xrefs: 00BB4360, 00BB436C
/, xrefs: 00BB4485
h, xrefs: 00BB446D
n, xrefs: 00BB454D
l, xrefs: 00BB450D
m, xrefs: 00BB453D

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$Name$CloseComputerHeapOpenProcessQueryUserValuelstrcpywsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$ransom_id=$s$t$t$w$w$w$y${USERID}
API String ID: 4100118565-2385900546
Opcode ID: 2b2e06a3861af6c9328ce237a756d111cd9d5d227a0dac42c8bd781e33607ad4
Instruction ID: e317ff50f23f112562df49f5868361cacfd9d5984d50ee585eccdf6a20d67041
Opcode Fuzzy Hash: 2b2e06a3861af6c9328ce237a756d111cd9d5d227a0dac42c8bd781e33607ad4
Instruction Fuzzy Hash: E27113705043409BE7209F14C81ABBBBBE1FB80B48F144A6CF6855B292DFF59948CB96

Function 00BB43B6 Relevance: 61.4, APIs: 5, Strings: 30, Instructions: 104
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyW.KERNEL32(00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB43F2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB43F9
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00BB4565
wsprintfW.USER32 ref: 00BB457F
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BB4596

Strings

r, xrefs: 00BB44A5
o, xrefs: 00BB44ED
r, xrefs: 00BB44AD
w, xrefs: 00BB448D
d, xrefs: 00BB44FD
j, xrefs: 00BB44B5
/, xrefs: 00BB44D5
h, xrefs: 00BB4535
o, xrefs: 00BB44DD
t, xrefs: 00BB449D
w, xrefs: 00BB4505
w, xrefs: 00BB4495
{USERID}, xrefs: 00BB43CF, 00BB441D, 00BB4423
s, xrefs: 00BB447D
c, xrefs: 00BB44BD
., xrefs: 00BB4545
., xrefs: 00BB44C5
n, xrefs: 00BB44E5
y, xrefs: 00BB452D
a, xrefs: 00BB4515
t, xrefs: 00BB4475
r, xrefs: 00BB44CD
-, xrefs: 00BB451D
a, xrefs: 00BB4525
d, xrefs: 00BB44F5
/, xrefs: 00BB4485
h, xrefs: 00BB446D
n, xrefs: 00BB454D
l, xrefs: 00BB450D
m, xrefs: 00BB453D

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcpylstrlenwsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$s$t$t$w$w$w$y${USERID}
API String ID: 4033391921-3341315666
Opcode ID: 64089055a0745a464a411b93d4a4c0b8ff5394c7858d0f61931f47074c62afd1
Instruction ID: aa22306df30a21ba7bea02dbc41b5aebf2ccad73992187733735f539e213d1eb
Opcode Fuzzy Hash: 64089055a0745a464a411b93d4a4c0b8ff5394c7858d0f61931f47074c62afd1
Instruction Fuzzy Hash: 164190B0504341CBD7209F14D8587BBBFE2FB81B48F04895CE6850B262DBFA8589CB52

Function 00BB2960 Relevance: 61.3, APIs: 5, Strings: 30, Instructions: 87
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00520050,00000041,7572F770,00000000), ref: 00BB299D

Part of subcall function 00BB8730: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00BB874D
Part of subcall function 00BB8730: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00BB877B
Part of subcall function 00BB8730: GetModuleHandleA.KERNEL32(?), ref: 00BB87CF
Part of subcall function 00BB8730: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00BB87DD
Part of subcall function 00BB8730: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00BB87EC
Part of subcall function 00BB8730: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00BB8835
Part of subcall function 00BB8730: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00BB8843

RegCreateKeyExW.KERNEL32(80000001,004F0053,00000000,00000000,00000000,000F003F,00000000,00BB2C45,00000000), ref: 00BB2A84
lstrlenW.KERNEL32(00000000), ref: 00BB2A8F
RegSetValueExW.KERNEL32(00BB2C45,00520050,00000000,00000001,00000000,00000000), ref: 00BB2AA4
RegCloseKey.KERNEL32(00BB2C45), ref: 00BB2AB1

Strings

F, xrefs: 00BB29BD
f, xrefs: 00BB2A0D
n, xrefs: 00BB2A45
i, xrefs: 00BB2A5A
d, xrefs: 00BB2A22
i, xrefs: 00BB2A1B
r, xrefs: 00BB2A53
R, xrefs: 00BB29CE
R, xrefs: 00BB2A68
n, xrefs: 00BB2A61
s, xrefs: 00BB2A06
A, xrefs: 00BB298C
r, xrefs: 00BB29FF
r, xrefs: 00BB2A3E
H, xrefs: 00BB2993
U, xrefs: 00BB2984
V, xrefs: 00BB2A4C
w, xrefs: 00BB2A29
I, xrefs: 00BB2979
u, xrefs: 00BB2A37
W, xrefs: 00BB29C7
\, xrefs: 00BB29EB
\, xrefs: 00BB2A30
n, xrefs: 00BB2A76
P, xrefs: 00BB296D
\, xrefs: 00BB2A14
i, xrefs: 00BB29F8
e, xrefs: 00BB2A7D
n, xrefs: 00BB2A6F
S, xrefs: 00BB29B0

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtuallstrlen$AcquireAddressAllocCloseCreateFreeHandleLibraryLoadModuleProcReleaseValue
String ID: A$F$H$I$P$R$R$S$U$V$W$\$\$\$d$e$f$i$i$i$n$n$n$n$r$r$r$s$u$w
API String ID: 553367697-3791882466
Opcode ID: 7b8a0611e079440f0376193382c7a52401465d9f0403cfc7d3389c12d4d58af3
Instruction ID: cce1de1e8b621166b1bb1c735b34dabe639d28e3e0051ceabddf08c623716745
Opcode Fuzzy Hash: 7b8a0611e079440f0376193382c7a52401465d9f0403cfc7d3389c12d4d58af3
Instruction Fuzzy Hash: F331E9B0D0021CDFEB208F91A848BEDBFB9FB01709F508159D5186A291DBFA49488F95

Function 00BB2D30 Relevance: 54.4, APIs: 19, Strings: 12, Instructions: 137
windowthreadregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BB2F50: K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 00BB2F74

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00BB2E19
LoadCursorW.USER32(00000000,00007F00), ref: 00BB2E2E
LoadIconW.USER32 ref: 00BB2E59
RegisterClassExW.USER32(?), ref: 00BB2E68
ExitThread.KERNEL32 ref: 00BB2E75

Part of subcall function 00BB2F50: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00BB2F8D

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 00BB2E7B
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00007F00), ref: 00BB2E81
CreateWindowExW.USER32(00000000,win32app,firefox,00CF0000,80000000,80000000,00000005,00000005,00000000,00000000,00000000), ref: 00BB2EA7
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00BB2EB4
ExitThread.KERNEL32 ref: 00BB2EBF

Part of subcall function 00BB2F50: K32EnumDeviceDrivers.KERNEL32(00000000,00000000,?), ref: 00BB2FA8
Part of subcall function 00BB2F50: K32GetDeviceDriverBaseNameW.KERNEL32(00000000,?,00000400), ref: 00BB2FCF
Part of subcall function 00BB2F50: lstrcmpiW.KERNEL32(?,006C006B), ref: 00BB2FE3
Part of subcall function 00BB2F50: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00BB2FFA

ExitThread.KERNEL32 ref: 00BB2F3F

Part of subcall function 00BB2AD0: VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 00BB2AEA
Part of subcall function 00BB2AD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 00BB2B2C
Part of subcall function 00BB2AD0: GetTempPathW.KERNEL32(00000100,00000000), ref: 00BB2B38
Part of subcall function 00BB2AD0: ExitThread.KERNEL32 ref: 00BB2C47

ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,00007F00), ref: 00BB2EC8
UpdateWindow.USER32(00000000), ref: 00BB2ECF
CreateThread.KERNEL32(00000000,00000000,00BB2D10,00000000,00000000,00000000), ref: 00BB2EE3
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 00BB2EEE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BB2F05
TranslateMessage.USER32(?), ref: 00BB2F1C
DispatchMessageW.USER32(?), ref: 00BB2F23
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BB2F37

Strings

firefox, xrefs: 00BB2E9B
1, xrefs: 00BB2D6F
w, xrefs: 00BB2DB1
k, xrefs: 00BB2D67
0, xrefs: 00BB2DF1
s, xrefs: 00BB2DB9
d, xrefs: 00BB2DA9
win32app, xrefs: 00BB2E51, 00BB2EA0
s, xrefs: 00BB2D77
s, xrefs: 00BB2D7F
s, xrefs: 00BB2DC1
f, xrefs: 00BB2DA1

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: Thread$ExitHandleMessageModuleWindow$DeviceVirtual$AllocCreateDriversEnumLoadName$BaseClassCloseCursorDispatchDriverFileFreeIconLongPathRegisterShowTempTranslateUpdatelstrcmpi
String ID: 0$1$d$f$firefox$k$s$s$s$s$w$win32app
API String ID: 3011903443-520298170
Opcode ID: 509b58e09620f3154e42db347f85ac4d85817910aaee7d676a57964dee9e706e
Instruction ID: d1e99c8fc373816659ba1997f711af32c0e20ff2d367ee36c982baa6458d1f5a
Opcode Fuzzy Hash: 509b58e09620f3154e42db347f85ac4d85817910aaee7d676a57964dee9e706e
Instruction Fuzzy Hash: CC517B70548301AFE3209F61CC09BAB7AE4EF45B44F104918F684AB2D0EBF49509CB96

Function 00BB2AD0 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 114
stringmemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 00BB2AEA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 00BB2B2C
GetTempPathW.KERNEL32(00000100,00000000), ref: 00BB2B38
lstrlenW.KERNEL32(?,?,?,00000052), ref: 00BB2B7D

Part of subcall function 00BB8730: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00BB874D
Part of subcall function 00BB8730: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00BB877B
Part of subcall function 00BB8730: GetModuleHandleA.KERNEL32(?), ref: 00BB87CF
Part of subcall function 00BB8730: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00BB87DD
Part of subcall function 00BB8730: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00BB87EC
Part of subcall function 00BB8730: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00BB8835
Part of subcall function 00BB8730: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00BB8843

GetEnvironmentVariableW.KERNEL32(AppData,00000000,00000100), ref: 00BB2B9C
lstrcatW.KERNEL32(00000000,\Microsoft\), ref: 00BB2BE4
lstrcatW.KERNEL32(00000000,?), ref: 00BB2BEC
lstrcatW.KERNEL32(00000000,.exe), ref: 00BB2BF4
wsprintfW.USER32 ref: 00BB2C35
ExitThread.KERNEL32 ref: 00BB2C47

Strings

.exe, xrefs: 00BB2BEE
\Microsoft\, xrefs: 00BB2BDE
U, xrefs: 00BB2B75
I, xrefs: 00BB2B6C
"%s", xrefs: 00BB2C2F
AppData, xrefs: 00BB2B97
P, xrefs: 00BB2B55

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: Virtuallstrcat$AllocContextCryptModule$AcquireAddressEnvironmentExitFileFreeHandleLibraryLoadNamePathProcReleaseTempThreadVariablelstrlenwsprintf
String ID: "%s"$.exe$AppData$I$P$U$\Microsoft\
API String ID: 139215849-2398311915
Opcode ID: ee973c86c8df754c015e68dd440eeaf490eb5d9ed102101e0250bfd1ff7cd9cf
Instruction ID: 162acd1aea7631906d035cbe4ccb0c482d205902f3abdbf0bf810af579132e51
Opcode Fuzzy Hash: ee973c86c8df754c015e68dd440eeaf490eb5d9ed102101e0250bfd1ff7cd9cf
Instruction Fuzzy Hash: 0D41BE71604300ABE304EF24DC8ABBF7BD9EF84704F040568B955A7292DEF49908CBA7

Function 00BB5250 Relevance: 29.8, APIs: 8, Strings: 9, Instructions: 89memorystringsleepCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,00000000,00000000,00000000), ref: 00BB52AD
Sleep.KERNEL32(000003E8), ref: 00BB52F0
lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 00BB52FE
VirtualAlloc.KERNEL32(00000000,00000000), ref: 00BB530E
lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 00BB532A
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00BB533B
wsprintfW.USER32 ref: 00BB5353
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00BB5364

Strings

t, xrefs: 00BB5285
alar, xrefs: 00BB5277
fabian wosar <3, xrefs: 00BB5324
m.bi, xrefs: 00BB527E
zone, xrefs: 00BB5263
it, xrefs: 00BB52A0
rans, xrefs: 00BB528B
omwa, xrefs: 00BB5292
re.b, xrefs: 00BB5299

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree$Sleeplstrcmpilstrlenwsprintf
String ID: alar$fabian wosar <3$it$m.bi$omwa$rans$re.b$t$zone
API String ID: 2709691373-1552681713
Opcode ID: 0a8cda0e771bd0409fb63209e25d5afb50ff73ab2d0c21a11c19c01a57593e77
Instruction ID: 6d0da09a7d67da35e91ab11df4abecb529b60e97e894694b91fc2867aab42627
Opcode Fuzzy Hash: 0a8cda0e771bd0409fb63209e25d5afb50ff73ab2d0c21a11c19c01a57593e77
Instruction Fuzzy Hash: B431B370E00318ABDB209FA8DD86BEE7BB8FF44714F100255FA16B72D0DAF459048B96

Function 00BB8130 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 121stringmemoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00BB8139

Part of subcall function 00BB7FB0: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,00000003), ref: 00BB809A
Part of subcall function 00BB7FB0: lstrcatW.KERNEL32(00000000,00BC0584), ref: 00BB8115

lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 00BB818F
VirtualAlloc.KERNEL32(00000000,00000000), ref: 00BB81A1
lstrcatW.KERNEL32(00000000,00000000), ref: 00BB81B1
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00BB81BB
lstrcatW.KERNEL32(00000000,00BC0604), ref: 00BB81D1
lstrcatW.KERNEL32(00000000,00000000), ref: 00BB822C
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00BB823A
lstrcatW.KERNEL32(00000000,00BBFFF8), ref: 00BB8280
lstrcatW.KERNEL32(00000000,00000000), ref: 00BB8288
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00BB8296
lstrcatW.KERNEL32(00000000,00BBFFFC), ref: 00BB82A7

Strings

VUUU, xrefs: 00BB81FA
VUUU, xrefs: 00BB824A

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtual$Free$Alloc$CountTicklstrlen
String ID: VUUU$VUUU
API String ID: 2785072370-3149182767
Opcode ID: 4f6cf208b125c3ad44cc61afbf0c8abb32152c225ab548e07a783b21077283b8
Instruction ID: d9f2cdbc1a939e2f2cb9715ac3460d75c3c86c6e9b81fb86ed0f86448e50198a
Opcode Fuzzy Hash: 4f6cf208b125c3ad44cc61afbf0c8abb32152c225ab548e07a783b21077283b8
Instruction Fuzzy Hash: 2031EC72E40100ABD31CAB2CDC4AF7D7AECEB55711F04057DF902EB291DEB4AA00CA65

Function 00BB5520 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 117stringmemorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB82C0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00BB84A4
Part of subcall function 00BB82C0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 00BB84BD

Part of subcall function 00BB5250: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,00000000,00000000,00000000), ref: 00BB52AD
Part of subcall function 00BB5250: Sleep.KERNEL32(000003E8), ref: 00BB52F0
Part of subcall function 00BB5250: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 00BB52FE
Part of subcall function 00BB5250: VirtualAlloc.KERNEL32(00000000,00000000), ref: 00BB530E
Part of subcall function 00BB5250: lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 00BB532A
Part of subcall function 00BB5250: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00BB533B
Part of subcall function 00BB5250: wsprintfW.USER32 ref: 00BB5353
Part of subcall function 00BB5250: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00BB5364

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BB5542
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00BB5562
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 00BB5574
lstrcatA.KERNEL32(00000000,?), ref: 00BB558E
lstrlenA.KERNEL32(00000000), ref: 00BB55E3
lstrlenW.KERNEL32(?), ref: 00BB55EF
lstrlenA.KERNEL32(00000000,00000000,00031FFF,?,00000000), ref: 00BB560B
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00000000,00000000,?,00000000), ref: 00BB5665
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 00BB5671
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 00BB567B
InternetCloseHandle.WININET(00BB587A), ref: 00BB5685

Strings

POST, xrefs: 00BB55FA

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Internet$Open$CloseHandleSleeplstrcatlstrcmpiwsprintf
String ID: POST
API String ID: 2554059081-1814004025
Opcode ID: f38a784b56b3d0283d2765751ef5b806dd6e80b51b6cb4216f756a1f824b8897
Instruction ID: 4e5113ef50ac7e39c50a6c700c66ca878d5bf6e8641495c88cd08f16bb6845dc
Opcode Fuzzy Hash: f38a784b56b3d0283d2765751ef5b806dd6e80b51b6cb4216f756a1f824b8897
Instruction Fuzzy Hash: B3419071D0070AABEB219BA8DC55BFEBBB8EF88740F104255EA44B7240DFF45644CB91

Function 00E0123B Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

_fast_error_exit.LIBCMT ref: 00E012A2
_fast_error_exit.LIBCMT ref: 00E012B3
__RTC_Initialize.LIBCMT ref: 00E012B9
__ioinit.LIBCMT ref: 00E012C2
_fast_error_exit.LIBCMT ref: 00E012CD
GetCommandLineA.KERNEL32(00E0FD50,00000014), ref: 00E012D3
___crtGetEnvironmentStringsA.LIBCMT ref: 00E012DE
__setargv.LIBCMT ref: 00E012E8
__setenvp.LIBCMT ref: 00E012F9
__cinit.LIBCMT ref: 00E0130C

Strings

.$, xrefs: 00E01282

Memory Dump Source

Source File: 00000000.00000002.2791285958.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2791252862.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791318792.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791359211.0000000000E11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791395923.0000000000E27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_file.jbxd

Yara matches

Similarity

API ID: _fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__setargv__setenvp
String ID: .$
API String ID: 3919536372-2223841709
Opcode ID: dbb733a5e10b4fae72fb9b3a4c589561448fcb65a6d9c54a36be18f213393641
Instruction ID: e142a31e64e4df3c1a55f3b50acac9504b33397bac4141d9dcc45f5873fa0522
Opcode Fuzzy Hash: dbb733a5e10b4fae72fb9b3a4c589561448fcb65a6d9c54a36be18f213393641
Instruction Fuzzy Hash: F2219770A003019EDB2477F5AC46B6D32E4AB10719F1175EAF618FE0E2EF7589C89A51

Function 00BB6010 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 66stringmemorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,0000000A,00003000,00000004,00000000,00000000), ref: 00BB6033
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 00BB6048
GetProcAddress.KERNEL32(00000000,RtlComputeCrc32), ref: 00BB6059
lstrlenA.KERNEL32(00000000), ref: 00BB6064
wsprintfA.USER32 ref: 00BB607C
_memset.LIBCMT ref: 00BB609B
lstrlenA.KERNEL32(00000000), ref: 00BB60A4
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00BB60D3

Strings

ntdll.dll, xrefs: 00BB6043
RtlComputeCrc32, xrefs: 00BB6053
%Xeuropol, xrefs: 00BB6076

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: Virtuallstrlen$AddressAllocFreeHandleModuleProc_memsetwsprintf
String ID: %Xeuropol$RtlComputeCrc32$ntdll.dll
API String ID: 218840185-1387466253
Opcode ID: 2b9435e0ca987735441182af9bdc63787cc651079525766c16f534b318369ef3
Instruction ID: d5e1efe7d2ac6c48cecfef4997ed02d78f9a975b4f36c732ab8b7aa2139aab2a
Opcode Fuzzy Hash: 2b9435e0ca987735441182af9bdc63787cc651079525766c16f534b318369ef3
Instruction Fuzzy Hash: 2D119375E40208BBD7216B689C4AFFE7FACEB55B00F1001A4F945F3190DEF459408A52

Function 00BB47E0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83stringmemorysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB3BD0: GetProcessHeap.KERNEL32(?,?,00BB4817,00000000,?,00000000,00000000), ref: 00BB3C6C

Part of subcall function 00BB7600: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00BB7627
Part of subcall function 00BB7600: GetUserNameW.ADVAPI32(00000000,?), ref: 00BB7638
Part of subcall function 00BB7600: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00BB7656
Part of subcall function 00BB7600: GetComputerNameW.KERNEL32(00000000,0000001E), ref: 00BB7660
Part of subcall function 00BB7600: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00BB7680
Part of subcall function 00BB7600: wsprintfW.USER32 ref: 00BB76C1
Part of subcall function 00BB7600: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00BB76DE
Part of subcall function 00BB7600: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00BB7702
Part of subcall function 00BB7600: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,00BB4820,?), ref: 00BB7726
Part of subcall function 00BB7600: RegCloseKey.KERNEL32(00000000), ref: 00BB7742

Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB7462
Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB746D
Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB7483
Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB748E
Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB74A4
Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB74AF
Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB74C5
Part of subcall function 00BB7410: lstrlenW.KERNEL32(00BB4B46,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB74D0
Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB74E6
Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB74F1
Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB7507
Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB7512
Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB7531
Part of subcall function 00BB7410: lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB753C

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB483C
lstrcpyW.KERNEL32(00000000,Global\,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB485F
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB4866
CreateMutexW.KERNEL32(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB487E
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB488A
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB4891
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB48AB

Strings

Global\, xrefs: 00BB4859

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$ErrorLastName$CloseComputerCreateFreeHeapMutexOpenProcessQueryUserValuelstrcpywsprintf
String ID: Global\
API String ID: 3131499543-188423391
Opcode ID: 14c6eb073eb9c7c40c7ec8be1bbc02cb4a7bc681d29ffa71d6f92834d54ddd60
Instruction ID: 7557d2030d13acb1be9ee5189671c3fd798b1c4475acd7d343fc610259ab2e9d
Opcode Fuzzy Hash: 14c6eb073eb9c7c40c7ec8be1bbc02cb4a7bc681d29ffa71d6f92834d54ddd60
Instruction Fuzzy Hash: 8921A171AA43147BE124A724DC8BFBF7A98EB40B40F500668B605670D1AFD46D0486E6

Function 00BB81E6 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 64stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB7FB0: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,00000003), ref: 00BB809A
Part of subcall function 00BB7FB0: lstrcatW.KERNEL32(00000000,00BC0584), ref: 00BB8115

lstrcatW.KERNEL32(00000000,00000000), ref: 00BB822C
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00BB823A
lstrcatW.KERNEL32(00000000,00BBFFF8), ref: 00BB8280
lstrcatW.KERNEL32(00000000,00000000), ref: 00BB8288
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00BB8296
lstrcatW.KERNEL32(00000000,00BBFFFC), ref: 00BB82A7

Strings

VUUU, xrefs: 00BB81FA
VUUU, xrefs: 00BB824A

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtual$Free$Alloc
String ID: VUUU$VUUU
API String ID: 418921519-3149182767
Opcode ID: 97bee9ef7aa90ab3cdea991c69be380785cc49c894778bfd9cfd4bb6c8c00b2b
Instruction ID: ba0118ab2fc1b7e1b3db66940813c98e3ad4d013c26b961fa413736291d29f02
Opcode Fuzzy Hash: 97bee9ef7aa90ab3cdea991c69be380785cc49c894778bfd9cfd4bb6c8c00b2b
Instruction Fuzzy Hash: 2E11B233E04100ABC31CAB2CDC8AF79BBECE795700F04496DF542EB291CEB4A5018B65

Function 00BB35C0 Relevance: 13.6, APIs: 9, Instructions: 94memoryfileCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000A00,00003000,00000004,756EE0B0,?), ref: 00BB35E9
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100,756F0440), ref: 00BB3600
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BB3616
GetFileSize.KERNEL32(00000000,00000000), ref: 00BB3626
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00BB3639
ReadFile.KERNEL32(00000000,00000000,00000001,?,00000000), ref: 00BB364C
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00BB368D
CloseHandle.KERNEL32(00000000), ref: 00BB3694
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00BB36A2

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocFree$CloseCreateHandleModuleNameReadSize
String ID:
API String ID: 2352497600-0
Opcode ID: 2d6ea4edd7d3eef2904868cb10a4df0b0d8fd06a404e3338ae97719ba39ce48d
Instruction ID: 976b9396d256430e073f642e55cdafb50452a7e26a40bcd7dd010264dcf8cab9
Opcode Fuzzy Hash: 2d6ea4edd7d3eef2904868cb10a4df0b0d8fd06a404e3338ae97719ba39ce48d
Instruction Fuzzy Hash: 9021D831B403047BEB255BA89C86FEE7BE8EB49B11F200159FB05B62D0DBF59A018755

Function 00BB2890 Relevance: 12.1, APIs: 8, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,7572F770,00000000,?,?,00BB2C02), ref: 00BB28AB
GetFileSize.KERNEL32(00000000,00000000,?,?,00BB2C02), ref: 00BB28BA
CreateFileMappingW.KERNELBASE(00000000,00000000,-00000008,00000000,00000000,00000000,?,?,00BB2C02), ref: 00BB28E5
CloseHandle.KERNEL32(00000000,?,?,00BB2C02), ref: 00BB28F3
MapViewOfFile.KERNEL32(00000000,7572F771,00000000,00000000,00000000,?,?,00BB2C02), ref: 00BB290A
UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,00BB2C02), ref: 00BB2942
CloseHandle.KERNEL32(?,?,?,00BB2C02), ref: 00BB2951
CloseHandle.KERNEL32(00000000,?,?,00BB2C02), ref: 00BB2954

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateView$MappingSizeUnmap
String ID:
API String ID: 265113797-0
Opcode ID: 2cf95b9974d6997dbfa5303ef1226b49b127844bbe97bf02b6a5b9db907e9fa4
Instruction ID: 041d3738aa7131e5374c1339803d05c51191fa0bced3ec7fded8ece0a1a331d5
Opcode Fuzzy Hash: 2cf95b9974d6997dbfa5303ef1226b49b127844bbe97bf02b6a5b9db907e9fa4
Instruction Fuzzy Hash: E621D471E112197FE7106B789C86FBE7BECDB46665F1002A5FC05B3280EAB49D0145A1

Function 00BB4E20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BB4E39
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00BB4E7F
GetLastError.KERNEL32(?,?,00000000), ref: 00BB4E89
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00BB4E9D
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00BB4EA2

Strings

D, xrefs: 00BB4E68

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastProcess_memset
String ID: D
API String ID: 1393943095-2746444292
Opcode ID: 418e63c98e47f95181f83f90d55b10d466524a518fa583bbcdca6a2ba25ef7e4
Instruction ID: 5f75a430d6a1427a78fcbaf12a7f7fa4d3673cee7454c3d374e189457acd7ade
Opcode Fuzzy Hash: 418e63c98e47f95181f83f90d55b10d466524a518fa583bbcdca6a2ba25ef7e4
Instruction Fuzzy Hash: 3E016171E40318ABDB20DFA8AC42BDE7BB8EF09710F104256FA08B7190EBB055548B95

Function 00E011A8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 47threadCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000000,00000000,00000000), ref: 00E011F2
GetLastError.KERNEL32 ref: 00E011F8
ExitProcess.KERNEL32(00000000), ref: 00E01204
ExitThread.KERNEL32 ref: 00E01234

Strings

1, xrefs: 00E011E8
-, xrefs: 00E011E1

Memory Dump Source

Source File: 00000000.00000002.2791285958.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2791252862.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791318792.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791359211.0000000000E11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791395923.0000000000E27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_file.jbxd

Yara matches

Similarity

API ID: ExitProcess$ErrorLastOpenThread
String ID: -$1
API String ID: 153595879-1877142845
Opcode ID: 955e73982a6bfb51cc31bd11b2bb9f578a65e42054012477822fa454edf00ee4
Instruction ID: e91f1c886941b94453cdcf9325dd80abaa10652b36601afd5942e578e7925ba7
Opcode Fuzzy Hash: 955e73982a6bfb51cc31bd11b2bb9f578a65e42054012477822fa454edf00ee4
Instruction Fuzzy Hash: BF01ADB0D012149FDB189FE588087EEBEF9FF09301F20826AD515FA292D37409C5CBA4

Function 00BB4A88 Relevance: 10.5, APIs: 7, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000002,00000024), ref: 00BB4A95
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BB4AA5
TerminateProcess.KERNEL32(00000000,00000000), ref: 00BB4AB4
CloseHandle.KERNEL32(00000000), ref: 00BB4AC1
Process32NextW.KERNEL32(?,00000000), ref: 00BB4ADA
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00BB4AF3
CloseHandle.KERNEL32(?), ref: 00BB4AFA

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$FreeNextOpenProcess32TerminateVirtuallstrcmpi
String ID:
API String ID: 999196985-0
Opcode ID: e9e0884ff4d4d53e34ff36270e6528bb16919ed2302a5e65a46e7ebfd44fb9f9
Instruction ID: 28813b44d729414f4d3a36343afe9f201a6f0f38414ad337a443c9431bb8ce6b
Opcode Fuzzy Hash: e9e0884ff4d4d53e34ff36270e6528bb16919ed2302a5e65a46e7ebfd44fb9f9
Instruction Fuzzy Hash: F101F932640100BFD7206F54AC85BBA73ACFF85701F254254FD09A7062EFF09C048B66

Function 00BB7FB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 89memorystringCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,00000003), ref: 00BB809A
lstrcatW.KERNEL32(00000000,00BC0584), ref: 00BB8115

Strings

ere, xrefs: 00BB8093
eigh, xrefs: 00BB803F
ore, xrefs: 00BB808C

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtuallstrcat
String ID: eigh$ere$ore
API String ID: 3624338217-3418171569
Opcode ID: 0921b74b2eaa943e34de65a7a3ba9426d9f8c9f82c86c7de4a3476443b6407bd
Instruction ID: 0c061ba8f33baae9ab3416364e847947bbc3ee877302a864f9e9ebb3ca17070f
Opcode Fuzzy Hash: 0921b74b2eaa943e34de65a7a3ba9426d9f8c9f82c86c7de4a3476443b6407bd
Instruction Fuzzy Hash: 8F3115B2D21209CBCB14EF889888BADBEF8EB64708F20469CD5147B240CBB48549CF54

Function 00BB7580 Relevance: 7.5, APIs: 5, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,?,00000000,00020019,?,?,0000060C,?,00BB79F5,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 00BB7596
RegQueryValueExW.KERNEL32(?,?,00000000,00000000,00000080,?,?,00BB79F5,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 00BB75B7
RegCloseKey.KERNEL32(?,?,00BB79F5,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 00BB75C7
GetLastError.KERNEL32(?,00BB79F5,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 00BB75D6
RegCloseKey.ADVAPI32(?,?,00BB79F5,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 00BB75DF

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: Close$ErrorLastOpenQueryValue
String ID:
API String ID: 2437438455-0
Opcode ID: 5a5014d4e6abfa81a7aa8bda26a59a19197e07ac386cb55f05f1559c6289f832
Instruction ID: 5b016eb5f0a2e71289d179a8257ba7adf0e3b19f16c9e56ff152a97bde1d29d3
Opcode Fuzzy Hash: 5a5014d4e6abfa81a7aa8bda26a59a19197e07ac386cb55f05f1559c6289f832
Instruction Fuzzy Hash: 75012132A0411CFFDB20AF94ED05DEA7BA8EB08751F004162FD05D6120DB729A24EBE1

Function 00BB2830 Relevance: 4.5, APIs: 3, Instructions: 40fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00BB2C02,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00000000,00BB2C02,?,00BB293C,?), ref: 00BB284C
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,00BB293C,?,?,?,?,00BB2C02), ref: 00BB2869
CloseHandle.KERNEL32(00000000,?,00BB293C,?,?,?,?,00BB2C02), ref: 00BB2879

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: f4df484e4dbb1067c1e77300625ac3e3ebe78fabca88512d137517cd29466fa1
Instruction ID: c5a00f636c8e9e97e3f70445309c2f6a09aaef4bfbc1d8ee6547eea47390fab6
Opcode Fuzzy Hash: f4df484e4dbb1067c1e77300625ac3e3ebe78fabca88512d137517cd29466fa1
Instruction Fuzzy Hash: 71F0A772B0021477E6300B99AC8AFBBB69CDB86B60F104265FE08F71E0DAE09C0142A5

Function 00BB4FC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00001000,00000000,00000000,00000000,00000000,00000000,?,00BB5218), ref: 00BB4FEE

Strings

Can't find server, xrefs: 00BB5008, 00BB5010

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: Can't find server
API String ID: 2738559852-1141070784
Opcode ID: a53c179413f5b703a67a7a25b7bc535ccce99f48dc1a22ef3645d892ca1cd19a
Instruction ID: 6f4e47851ecc1f897e6f489e4ce6bb140760d56da68eb7143a1b22412c585a48
Opcode Fuzzy Hash: a53c179413f5b703a67a7a25b7bc535ccce99f48dc1a22ef3645d892ca1cd19a
Instruction Fuzzy Hash: 34113A35C046999BEB32DB548D507FABBF8EF4A301F5481E5E88457200E6F06E88C7D2

Function 00E01113 Relevance: 3.0, APIs: 2, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00E120C0,00012400,00000040,00000002,00E0FD30,00000018,00E0122F), ref: 00E0114C
VirtualProtect.KERNEL32(00E120C0,00012400,00000002,?), ref: 00E01180

Memory Dump Source

Source File: 00000000.00000002.2791285958.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2791252862.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791318792.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791359211.0000000000E11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791395923.0000000000E27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_file.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1a25784f5432ec4e6d66403147ebe41fb5819c2b2908947c924fbd11187f0127
Instruction ID: ffbed86ddfa6aa4488dbe9ad3d50018e8e359af524a993504836ff84e5c7e471
Opcode Fuzzy Hash: 1a25784f5432ec4e6d66403147ebe41fb5819c2b2908947c924fbd11187f0127
Instruction Fuzzy Hash: F90171B0940309AADB10DFE18C42FDDB6B5BB0C714F542299E601F61C1DB749690CA34

Function 00E05982 Relevance: 3.0, APIs: 2, Instructions: 30COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringEx.KERNEL32(?,?,?,?,?,5EFC4D8B,00000000,00000000,00000000,?,00E055A0,?,?,00000000,?,00000000), ref: 00E059A9
LCMapStringW.KERNEL32(00000000,?,?,?,?,5EFC4D8B,?,00E055A0,?,?,00000000,?,00000000,00000000), ref: 00E059C6

Memory Dump Source

Source File: 00000000.00000002.2791285958.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2791252862.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791318792.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791359211.0000000000E11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791395923.0000000000E27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_file.jbxd

Yara matches

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: d39e46c3a5830d02ef7c731f15eef126025364efb5db656053f9a5641b6aece8
Instruction ID: 4439011cd06bed74223b6164a7e77caea22579b866f5bced0ed3a26d4b60e864
Opcode Fuzzy Hash: d39e46c3a5830d02ef7c731f15eef126025364efb5db656053f9a5641b6aece8
Instruction Fuzzy Hash: 55F07F7301014EFFDF069F94EC0ACEA3B6AFB48360B408114FA2855070D772A9B1ABA0

Function 00BB4DD0 Relevance: 3.0, APIs: 2, Instructions: 26threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00BB4B30,00000000,00000000,00000000), ref: 00BB4DFC
CloseHandle.KERNEL32(00000000), ref: 00BB4E0F

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleThread
String ID:
API String ID: 3032276028-0
Opcode ID: d59538cb0cc1220faf05d959e7d8b8384b8d1f1095278ede652887371d06077b
Instruction ID: d6cdcf0b610547e4c4b91393698561990f6621e4aa19c5d40f3658ea7f18f11e
Opcode Fuzzy Hash: d59538cb0cc1220faf05d959e7d8b8384b8d1f1095278ede652887371d06077b
Instruction Fuzzy Hash: CDF01C34A80208FBDB24DF94984ABACB7B0FB15705F20819AE901772D1D7F1AA50CB05

Function 00BB6660 Relevance: 2.5, APIs: 2, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000123,00003000,00000004,?,?,00BB4BAE), ref: 00BB6675
VirtualAlloc.KERNEL32(00000000,00000515,00003000,00000004,?,00BB4BAE), ref: 00BB668F

Part of subcall function 00BB64F0: CryptAcquireContextW.ADVAPI32(00BB4BAE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,00BB4BA6,?,00BB4BAE), ref: 00BB6508
Part of subcall function 00BB64F0: GetLastError.KERNEL32(?,00BB4BAE), ref: 00BB6512
Part of subcall function 00BB64F0: CryptAcquireContextW.ADVAPI32(00BB4BAE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,00BB4BAE), ref: 00BB652E

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: AcquireAllocContextCryptVirtual$ErrorLast
String ID:
API String ID: 3824161113-0
Opcode ID: 1cf136f125ab2abe70a1331d0bf40081dbd0e370f5683e943f8059859e43a1db
Instruction ID: d4a0418c709f7d4b4e5ecdf2a2ac8e0ab3f7b4a66f0cf5c4b02a0e64d6718f7d
Opcode Fuzzy Hash: 1cf136f125ab2abe70a1331d0bf40081dbd0e370f5683e943f8059859e43a1db
Instruction Fuzzy Hash: 7211DB74A40208EFD704CF88DA55F99B7F5EF88709F208188E908AB381D7B5AF009F54

Non-executed Functions

Function 00BB56A0 Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 188stringmemoryencryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB8130: GetTickCount.KERNEL32 ref: 00BB8139
Part of subcall function 00BB8130: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 00BB818F
Part of subcall function 00BB8130: VirtualAlloc.KERNEL32(00000000,00000000), ref: 00BB81A1
Part of subcall function 00BB8130: lstrcatW.KERNEL32(00000000,00000000), ref: 00BB81B1
Part of subcall function 00BB8130: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00BB81BB
Part of subcall function 00BB8130: lstrcatW.KERNEL32(00000000,00BC0604), ref: 00BB81D1
Part of subcall function 00BB8130: lstrcatW.KERNEL32(00000000,00000000), ref: 00BB822C
Part of subcall function 00BB8130: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00BB823A
Part of subcall function 00BB8130: lstrcatW.KERNEL32(00000000,00BBFFF8), ref: 00BB8280

VirtualAlloc.KERNEL32(00000000,00004C02,00003000,00000040,?,00000000,?), ref: 00BB56E4
wsprintfW.USER32 ref: 00BB5714
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 00BB575D
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 00BB5779
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 00BB5790
lstrlenW.KERNEL32(00000000,00003000,00000004,?,00000000,00000000,?,00000000), ref: 00BB579E
VirtualAlloc.KERNEL32(00000000,-00000002,?,00000000,00000000,?,00000000), ref: 00BB57A6
wsprintfA.USER32 ref: 00BB57BC
CryptBinaryToStringA.CRYPT32(?,756EE0B0,40000001,00000000,?,?,00000000,00000000,?,00000000), ref: 00BB57F0
GetLastError.KERNEL32(?,00000000,00000000,?,00000000), ref: 00BB57FA
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 00BB5807
VirtualAlloc.KERNEL32(00000000,-00000004,00003000,00000040,?,00000000,00000000,?,00000000), ref: 00BB5819
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 00BB5823
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 00BB5841
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 00BB5860
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,?,00000000), ref: 00BB58A0
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 00BB58AC
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 00BB58C3

Strings

popkadurak, xrefs: 00BB56C7
action=result&e_files=%d&e_size=%I64u&e_time=%d&, xrefs: 00BB570E

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: Virtual$lstrlen$Free$Alloclstrcat$wsprintf$BinaryCountCryptErrorLastStringTick
String ID: action=result&e_files=%d&e_size=%I64u&e_time=%d&$popkadurak
API String ID: 487841380-2102589890
Opcode ID: 0131b8d2707cf480eb64118d8a42182e1cc7f2082ac197a935fcdfacc228d569
Instruction ID: 4fcea715bac4abc45919c2b981bae38d4e961e6ad64fe6a652372aee4b4d0b7a
Opcode Fuzzy Hash: 0131b8d2707cf480eb64118d8a42182e1cc7f2082ac197a935fcdfacc228d569
Instruction Fuzzy Hash: 8E517070E40219BBEB209B64DC46FAE7BB9EB44700F1001A9F605B7190DBF4AE01CB96

Function 00BB6CB0 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 136stringfilememoryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,?,00000000), ref: 00BB6CC2
lstrcatW.KERNEL32(00000000,00BBFF64,?,00000000), ref: 00BB6CD4
FindFirstFileW.KERNEL32(00000000,?,?,00000000), ref: 00BB6CE2
lstrcmpW.KERNEL32(?,00BBFF68,?,00000000), ref: 00BB6D0C
lstrcmpW.KERNEL32(?,00BBFF6C,?,00000000), ref: 00BB6D22
lstrcatW.KERNEL32(00000000,?,?,00000000), ref: 00BB6D34
lstrlenW.KERNEL32(00000000,?,00000000), ref: 00BB6D3B
lstrcmpW.KERNEL32(-00000001,.sql,?,00000000), ref: 00BB6D6A
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 00BB6D81
GetFileSize.KERNEL32(00000000,00000000,?,00000000), ref: 00BB6D8C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,00000000), ref: 00BB6DAA
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000), ref: 00BB6DBF
lstrlenA.KERNEL32(*******************,?,00000000), ref: 00BB6DDE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 00BB6DF9
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00BB6E03
FindNextFileW.KERNEL32(?,?,?,00000000), ref: 00BB6E2C
FindClose.KERNEL32(?,?,00000000), ref: 00BB6E3D

Strings

*******************, xrefs: 00BB6DC9, 00BB6DD9
.sql, xrefs: 00BB6D64

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: File$Findlstrcmplstrlen$CloseVirtuallstrcat$AllocCreateFirstFreeHandleNextReadSize
String ID: *******************$.sql
API String ID: 3616287438-58436570
Opcode ID: f8eebcad8bc811b9b0f3e964c5664a81ca0f5a1aa2b94c49177a16a0b11b1910
Instruction ID: 4c87c9155f2a2738749a6076ae83cfe4863c77ffcb76f4a49d6f4e3ac85adeb0
Opcode Fuzzy Hash: f8eebcad8bc811b9b0f3e964c5664a81ca0f5a1aa2b94c49177a16a0b11b1910
Instruction Fuzzy Hash: 9A411971A01219ABDB20AB64DC89BBA77ACEB05700F5045A5F902E3150EFF89E05CB61

Function 00BB6770 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 93encryptionCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00BC3058,?,00BB38F4,00000000,00000000,00000000,?,00000800), ref: 00BB677B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,?,00BB38F4,00000000,00000000,00000000), ref: 00BB67A1
GetLastError.KERNEL32(?,00BB38F4,00000000,00000000,00000000), ref: 00BB67AB
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,00BB38F4,00000000,00000000,00000000), ref: 00BB67C7
LeaveCriticalSection.KERNEL32(00BC3058,?,00BB38F4,00000000,00000000,00000000), ref: 00BB67D6
LeaveCriticalSection.KERNEL32(00BC3058,?,00BB38F4,00000000,00000000,00000000), ref: 00BB67EA
CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,00BB38F4,00000000,00000000), ref: 00BB6812
CryptGetKeyParam.ADVAPI32(00000000,00000008,00BB38F4,0000000A,00000000,?,00BB38F4,00000000), ref: 00BB6833
CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,00BB38F4,?,00BB38F4,00000000), ref: 00BB685B
GetLastError.KERNEL32(?,00BB38F4,00000000), ref: 00BB6864
CryptReleaseContext.ADVAPI32(00000000,00000000,?,00BB38F4,00000000,00000000), ref: 00BB6881
LeaveCriticalSection.KERNEL32(00BC3058,?,00BB38F4,00000000,00000000), ref: 00BB688C

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00BB6796, 00BB67BC

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: Crypt$CriticalSection$ContextLeave$AcquireErrorLast$EncryptEnterImportParamRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 3173605824-1948191093
Opcode ID: 1425753556e8a1d2de9d22e439ac4a1ee5197224e81b5428220ac8d6acd6e209
Instruction ID: 46d5b8e3a3f3face8d6b6cc18ee27c3f0b80418ddc0c1264e4fcdcb6caa5b646
Opcode Fuzzy Hash: 1425753556e8a1d2de9d22e439ac4a1ee5197224e81b5428220ac8d6acd6e209
Instruction Fuzzy Hash: F2313E75A40209BBDB10DFA0DD89FEE7BF8AB48B00F504158FA01A7190DBF59A049B62

Function 00BB6F00 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 152stringfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 00BB6F60
lstrcatW.KERNEL32(00000000,00BBFF64,?,?), ref: 00BB6F78
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00BB6F82

Part of subcall function 00BB68A0: VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,00000000,?,00BB6F26,00000000,?,?), ref: 00BB68BC
Part of subcall function 00BB68A0: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00000000,?,00BB6F26,00000000,?,?), ref: 00BB6914

lstrcmpW.KERNEL32(?,00BBFF68,?,?), ref: 00BB6FB0
lstrcmpW.KERNEL32(?,00BBFF6C,?,?), ref: 00BB6FCA
lstrcatW.KERNEL32(00000000,?,?,?), ref: 00BB6FE0
lstrcatW.KERNEL32(00000000,00BBFFA4,?,?), ref: 00BB7007
FindNextFileW.KERNEL32(00000000,?,?,?), ref: 00BB708D
FindClose.KERNEL32(00000000,?,?), ref: 00BB709E

Strings

SQL, xrefs: 00BB6FF1

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: Findlstrcat$FileVirtuallstrcmp$AllocCloseFirstFreeNextlstrlen
String ID: SQL
API String ID: 991218351-1299261525
Opcode ID: 6f5150fa4595fdb399ebff7a73f93d377645a19fd1cc67fea985152cfeb50506
Instruction ID: 32ad9adef1ff386ad68ba7ada4323329f919c999c22c753ce6723d770dfcb2ff
Opcode Fuzzy Hash: 6f5150fa4595fdb399ebff7a73f93d377645a19fd1cc67fea985152cfeb50506
Instruction Fuzzy Hash: 95516D31A04209ABDF10AF64EC85AFEB7F9EF85314F4441EAE908E7150DBB59E10DB51

Function 00BB34F0 Relevance: 12.1, APIs: 8, Instructions: 79memorystringencryptionCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00BB3673,?), ref: 00BB3504
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,00BB3673,?), ref: 00BB351C
CryptStringToBinaryA.CRYPT32(00BB3673,00000000,00000001,00000000,?,00000000,00000000), ref: 00BB3535
VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,00BB3673,?), ref: 00BB354C
VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,00BB3673,?), ref: 00BB3561
wsprintfW.USER32 ref: 00BB3587
wsprintfW.USER32 ref: 00BB3597
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00BB3673,?), ref: 00BB35A9

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$BinaryCryptFreeStringlstrlen
String ID:
API String ID: 2885909284-0
Opcode ID: 339b522fa149f62166e950adb27ac84d0a920654c56a1241a558089980a473ca
Instruction ID: 8d66901d27e36e909cba2ae8b17d3b42bf1bcf045caff4058ca0c4d4cca633ce
Opcode Fuzzy Hash: 339b522fa149f62166e950adb27ac84d0a920654c56a1241a558089980a473ca
Instruction Fuzzy Hash: 8A219371A40219BFEB219B688C41FAABFECEF45B50F1000A5F644F7290DAF55E008B95

Function 00BB3C80 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43memorylibraryloaderCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00BB3CB0
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 00BB3CC3
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00BB3CCF
FreeSid.ADVAPI32(?), ref: 00BB3CEA

Strings

CheckTokenMembership, xrefs: 00BB3CC9
advapi32.dll, xrefs: 00BB3CBE

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: AddressAllocateFreeHandleInitializeModuleProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 3309497720-1888249752
Opcode ID: 3eac1e5ae813115c82d88c69d9875605bc20de633ce8dc4961ccc377f0b34066
Instruction ID: a796aafe7ac1c8a1e4d9b5354740d5c6bb2069a8e68749651db6049bf0097043
Opcode Fuzzy Hash: 3eac1e5ae813115c82d88c69d9875605bc20de633ce8dc4961ccc377f0b34066
Instruction Fuzzy Hash: 91F0FF34E4030DBBDB109BE4DC0AFFD77B8EB04705F504694F905A7190EBB456148B55

Function 00BB33E0 Relevance: 7.6, APIs: 5, Instructions: 101memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB32B0: lstrlenA.KERNEL32(?,00000000,?,00BB5474,?,?,00BB33F6,00000000,00000000,?,?,00BB5474,00000000), ref: 00BB32C5
Part of subcall function 00BB32B0: lstrlenA.KERNEL32(?,?,00BB33F6,00000000,00000000,?,?,00BB5474,00000000,?,?,?,?,00BB5643,00000000,?), ref: 00BB32EE

lstrlenA.KERNEL32(00BB5475,00BB5475,00000000,00000000,00000000,?,?,00BB5474,00000000,?,?,?,?,00BB5643,00000000,?), ref: 00BB3484
GetProcessHeap.KERNEL32(00000008,00000001,?,00BB5474,00000000,?,?,?,?,00BB5643,00000000,?,00000000,00000000,?,00000000), ref: 00BB348E
HeapAlloc.KERNEL32(00000000,?,00BB5474,00000000,?,?,?,?,00BB5643,00000000,?,00000000,00000000,?,00000000), ref: 00BB3495
lstrcpyA.KERNEL32(00000000,00BB5475,?,00BB5474,00000000,?,?,?,?,00BB5643,00000000,?,00000000,00000000,?,00000000), ref: 00BB34A7
ExitProcess.KERNEL32 ref: 00BB34DB

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: lstrlen$HeapProcess$AllocExitlstrcpy
String ID:
API String ID: 1867342102-0
Opcode ID: 6532d76ae2262c9f0e79a1ae2ba26e9588dd15f8696a536b179b0f89a3d59fc9
Instruction ID: 3735ebe6879db8ea29d8715b11182ca55d4418899c50ca066e1fdb09035c2ead
Opcode Fuzzy Hash: 6532d76ae2262c9f0e79a1ae2ba26e9588dd15f8696a536b179b0f89a3d59fc9
Instruction Fuzzy Hash: D53106305042455BEB265F2CD8447FA7BD8DB02B10F1841D9E8C597381EAFD8E8787A1

Function 00E0315A Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00E03FD0,?,?,?,00000000), ref: 00E0315F
UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 00E03168

Memory Dump Source

Source File: 00000000.00000002.2791285958.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2791252862.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791318792.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791359211.0000000000E11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791395923.0000000000E27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8ae23a750a4facf96aa6ce76a76f913cdeb702a5d6e0cc0422a596de8f474aeb
Instruction ID: c5a846b77f07ed1a63ae63e16d7d5130576bd400f14c90aa26a5080b8276716f
Opcode Fuzzy Hash: 8ae23a750a4facf96aa6ce76a76f913cdeb702a5d6e0cc0422a596de8f474aeb
Instruction Fuzzy Hash: 4CB09231044208EFDE002BA2EC09B883F28EB04762F50C210F64D950A08BA3549CCAA1

Function 00E03129 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,00E0167E,00E01633), ref: 00E0312F

Memory Dump Source

Source File: 00000000.00000002.2791285958.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2791252862.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791318792.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791359211.0000000000E11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791395923.0000000000E27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: efb30208a39f4882cd1dc7bb840d82f44d041022d98ac1a5d4fad4e6dfc90cd4
Instruction ID: 96b49768d1403871abe0bc4ccf622516346d7bec9ea12460484d4cafc7801fc9
Opcode Fuzzy Hash: efb30208a39f4882cd1dc7bb840d82f44d041022d98ac1a5d4fad4e6dfc90cd4
Instruction Fuzzy Hash: F4A0123000010CEBCE001B52EC044447F2CD7002507008010F40C410218773545485A0

Function 00BB1C20 Relevance: .7, Instructions: 721COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a370402c8f36a930ee149746bf0578ec2ff8896c03207179a6bb8e52cd571a3d
Instruction ID: e9481bd742ed380a984c310cd5df46cb97538498c70d4d7cee5188f0eeeaf462
Opcode Fuzzy Hash: a370402c8f36a930ee149746bf0578ec2ff8896c03207179a6bb8e52cd571a3d
Instruction Fuzzy Hash: 68722431C1026CCFDB84EF6EECA443677E1E744311B47072AAA816B1F5DAB4B624EB54

Function 00E130E0 Relevance: .7, Instructions: 721COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2791359211.0000000000E11000.00000004.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2791252862.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791285958.0000000000E01000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791318792.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791395923.0000000000E27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f9c5fe904c489d02b3b7d9e900f18b990942105089b618e14aa1948d2f8417e
Instruction ID: 864197d3d18e669f7748bb40b7949ac61832fb667389f660c12eb96559cc134d
Opcode Fuzzy Hash: 6f9c5fe904c489d02b3b7d9e900f18b990942105089b618e14aa1948d2f8417e
Instruction Fuzzy Hash: 8A721331D103BC8FEB88EF6ECCE443673A1E745391B47052AEB815B5A9D634B620EB54

Function 00BB1020 Relevance: .7, Instructions: 720COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f8350f0bc9bb7423d88f710df3d79838e50089caad6667fa2a4da052bb2c9a
Instruction ID: 6b34ed3766d3914dc491bf4f20ef00da459443006b0764cb8ca3dd2c25f02866
Opcode Fuzzy Hash: 70f8350f0bc9bb7423d88f710df3d79838e50089caad6667fa2a4da052bb2c9a
Instruction Fuzzy Hash: BF622431C042789FDB80DF6EEC8402673A6E744311B4E4726AB815B2B5DE7CB624EB75

Function 00E124E0 Relevance: .7, Instructions: 720COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2791359211.0000000000E11000.00000004.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2791252862.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791285958.0000000000E01000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791318792.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791395923.0000000000E27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4c5e297ccaa2e6a28d94ac4a99c0bb1d90e8d3fc4d8b6d6121cc56ea4fb8072
Instruction ID: b9178d23fa1d18e34365cb11b232dab6d2c9566671c174b956080957120820ea
Opcode Fuzzy Hash: c4c5e297ccaa2e6a28d94ac4a99c0bb1d90e8d3fc4d8b6d6121cc56ea4fb8072
Instruction Fuzzy Hash: B962C631D046788FEB80DF6ECCC402673A2A74A351B4A4726EB905B2F9D63C7564EB74

Function 00BB89A0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186bebec836a3c904466e695e660aff9312295d36805ce3368992e7941ae0aab
Instruction ID: c9a7e1a6bc1416237383f7dcbf5faa1dd633cb751b38bffc2c28c812b474e3de
Opcode Fuzzy Hash: 186bebec836a3c904466e695e660aff9312295d36805ce3368992e7941ae0aab
Instruction Fuzzy Hash: 7012DA70A101189FCB48CF6DD4919AABBF1FB4D300B4285AEE94ADB391CB71EA51DF50

Function 00E19E60 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2791359211.0000000000E11000.00000004.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2791252862.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791285958.0000000000E01000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791318792.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791395923.0000000000E27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad7c3b91ea077c504f33d54bc5dd0cc1295d74d4335e5fbadce14f44d3c6f4f7
Instruction ID: 21e0bee45f58194022fee992da4ee3bb7d5da45b4afd13a44acffbf8f3a68135
Opcode Fuzzy Hash: ad7c3b91ea077c504f33d54bc5dd0cc1295d74d4335e5fbadce14f44d3c6f4f7
Instruction Fuzzy Hash: DE12D870A105689FDB48CF2DD4D09AABBF1FB4D340B4281AEE90ADB391C735AA51CB50

Function 00BB6100 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 794c13284e084b999102786f7c7132ff237cb24c9401df5e3aaca089a4b1fbef
Instruction ID: 6cc74999f4c2fc34b04ab8ed7a327539a7fc8c56cc85c253eee546c5e78fb965
Opcode Fuzzy Hash: 794c13284e084b999102786f7c7132ff237cb24c9401df5e3aaca089a4b1fbef
Instruction Fuzzy Hash: 09D17971E002168FDB24CF58C880ABAB7F1FF58314F2945A9D855AB342E3B9ED51CB80

Function 00BB45C0 Relevance: 78.8, APIs: 5, Strings: 40, Instructions: 99memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB3D00: _memset.LIBCMT ref: 00BB3D52
Part of subcall function 00BB3D00: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 00BB3D76
Part of subcall function 00BB3D00: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 00BB3D7A
Part of subcall function 00BB3D00: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 00BB3D7E
Part of subcall function 00BB3D00: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00BB3DA5

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000040), ref: 00BB477F
GetSystemDirectoryW.KERNEL32(00000000,00000100), ref: 00BB4795
lstrcatW.KERNEL32(00000000,0063005C), ref: 00BB479D
ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000,00000000), ref: 00BB47B3
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00BB47C7

Strings

x, xrefs: 00BB469C
e, xrefs: 00BB4663
/, xrefs: 00BB46A9
., xrefs: 00BB460E
/, xrefs: 00BB4747
h, xrefs: 00BB4705
b, xrefs: 00BB45E6
o, xrefs: 00BB4633
n, xrefs: 00BB46D1
w, xrefs: 00BB45FE
e, xrefs: 00BB475D
x, xrefs: 00BB4616
, xrefs: 00BB464B
d, xrefs: 00BB4710
s, xrefs: 00BB46B9
m, xrefs: 00BB45F2
p, xrefs: 00BB4643
u, xrefs: 00BB4752
a, xrefs: 00BB462B
s, xrefs: 00BB4623
, xrefs: 00BB46FA
l, xrefs: 00BB473C
w, xrefs: 00BB471B
t, xrefs: 00BB46EF
., xrefs: 00BB4690
, xrefs: 00BB4726
l, xrefs: 00BB46E4
, xrefs: 00BB46B1
i, xrefs: 00BB4606
e, xrefs: 00BB4653
d, xrefs: 00BB46D9
m, xrefs: 00BB46C9
a, xrefs: 00BB46C1
m, xrefs: 00BB467C
open, xrefs: 00BB47AC
\, xrefs: 00BB45DE
c, xrefs: 00BB463B
\, xrefs: 00BB4672
a, xrefs: 00BB4731
e, xrefs: 00BB465B

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocDirectoryExecuteFreeInfoShellSystemVerifyVersion_memsetlstrcat
String ID: $ $ $ $.$.$/$/$\$\$a$a$a$b$c$d$d$e$e$e$e$h$i$l$l$m$m$m$n$o$open$p$s$s$t$u$w$w$x$x
API String ID: 2684037697-4098772853
Opcode ID: 265316e354c6173454986a7b35f45216d74e84e5b97e08764252637b8e617798
Instruction ID: fd47593a6fa750b747cda48b403c55761efeea291362ce1261475eb86300d259
Opcode Fuzzy Hash: 265316e354c6173454986a7b35f45216d74e84e5b97e08764252637b8e617798
Instruction Fuzzy Hash: A94139B0548380DFE3608F119849B9BBFE6BB81B48F10491CF6985A291CBF6854CCF97

Function 00BB3DC0 Relevance: 77.1, APIs: 9, Strings: 35, Instructions: 109memorysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB3D00: _memset.LIBCMT ref: 00BB3D52
Part of subcall function 00BB3D00: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 00BB3D76
Part of subcall function 00BB3D00: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 00BB3D7A
Part of subcall function 00BB3D00: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 00BB3D7E
Part of subcall function 00BB3D00: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00BB3DA5

Part of subcall function 00BB3C80: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00BB3CB0

ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BB3E6D
wsprintfW.USER32 ref: 00BB3F37
VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040), ref: 00BB3F4B
GetForegroundWindow.USER32 ref: 00BB3F60
ShellExecuteExW.SHELL32(00000000), ref: 00BB3FC1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00BB3FD4
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BB3FE6
CloseHandle.KERNEL32(?), ref: 00BB3FEF
ExitProcess.KERNEL32 ref: 00BB3FF7

Strings

t, xrefs: 00BB3F16
\, xrefs: 00BB3E55
w, xrefs: 00BB3E45
s, xrefs: 00BB3F00
r, xrefs: 00BB3F75
m, xrefs: 00BB3EDF
m, xrefs: 00BB3E35
e, xrefs: 00BB3E4D
o, xrefs: 00BB3E88
e, xrefs: 00BB3E91
a, xrefs: 00BB3F0B
t, xrefs: 00BB3E2D
s, xrefs: 00BB3E99
c, xrefs: 00BB3EA1
p, xrefs: 00BB3E78
", xrefs: 00BB3F2C
n, xrefs: 00BB3F7D
r, xrefs: 00BB3EB9
c, xrefs: 00BB3EF5
l, xrefs: 00BB3EA9
d, xrefs: 00BB3E0D
, xrefs: 00BB3EB1
2, xrefs: 00BB3E3D
e, xrefs: 00BB3EC9
a, xrefs: 00BB3EC1
%, xrefs: 00BB3F21
i, xrefs: 00BB3E04
s, xrefs: 00BB3F85
c, xrefs: 00BB3E65
, xrefs: 00BB3EEA
\, xrefs: 00BB3E1D
%, xrefs: 00BB3DF7
", xrefs: 00BB3ED4
r, xrefs: 00BB3E15
y, xrefs: 00BB3E25

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocAllocateCloseEnvironmentExecuteExitExpandForegroundFreeHandleInfoInitializeObjectProcessShellSingleStringsVerifyVersionWaitWindow_memsetwsprintf
String ID: $ $"$"$%$%$2$\$\$a$a$c$c$c$d$e$e$e$i$l$m$m$n$o$p$r$r$r$s$s$s$t$t$w$y
API String ID: 561366689-3790645798
Opcode ID: edb48c950c36929faeffe674dd53d09eba4c7b11819a8004c8082c7c24eaab07
Instruction ID: 10c70df45bbc6f55189fbabec1256cc341473591c0f79b41b60529814b813c54
Opcode Fuzzy Hash: edb48c950c36929faeffe674dd53d09eba4c7b11819a8004c8082c7c24eaab07
Instruction Fuzzy Hash: 4C5149B0508340EFE3208F51D848B9ABFF9FF85748F004A1DE69896251DBFA9558CF96

Function 00BB37B0 Relevance: 66.8, APIs: 32, Strings: 6, Instructions: 320memorystringwindowCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,00000010,00000000,00000000), ref: 00BB37C4
SetFileAttributesW.KERNEL32(00000000,00000000), ref: 00BB37CF
VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040,00000000,00000000,00000000,?), ref: 00BB380A
lstrcpyW.KERNEL32(00000000,00000000), ref: 00BB3828
lstrcatW.KERNEL32(00000000,0043002E), ref: 00BB3833

Part of subcall function 00BB8880: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00BB88A0
Part of subcall function 00BB8880: VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 00BB88C8
Part of subcall function 00BB8880: GetModuleHandleA.KERNEL32(?), ref: 00BB891D
Part of subcall function 00BB8880: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00BB892B
Part of subcall function 00BB8880: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00BB893A
Part of subcall function 00BB8880: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00BB895E
Part of subcall function 00BB8880: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00BB896C

Part of subcall function 00BB8880: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00BB292B), ref: 00BB8980
Part of subcall function 00BB8880: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,00BB292B), ref: 00BB898E

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 00BB3896
VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 00BB38C1

Part of subcall function 00BB6770: EnterCriticalSection.KERNEL32(00BC3058,?,00BB38F4,00000000,00000000,00000000,?,00000800), ref: 00BB677B
Part of subcall function 00BB6770: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,?,00BB38F4,00000000,00000000,00000000), ref: 00BB67A1
Part of subcall function 00BB6770: GetLastError.KERNEL32(?,00BB38F4,00000000,00000000,00000000), ref: 00BB67AB
Part of subcall function 00BB6770: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,00BB38F4,00000000,00000000,00000000), ref: 00BB67C7
Part of subcall function 00BB6770: LeaveCriticalSection.KERNEL32(00BC3058,?,00BB38F4,00000000,00000000,00000000), ref: 00BB67D6

MessageBoxA.USER32(00000000,Fatal error: rsaenh.dll is not initialized as well,Fatal error,00000010), ref: 00BB390F
GetLastError.KERNEL32 ref: 00BB3933
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00BB398D
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BB3999
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BB3BB8

Strings

., xrefs: 00BB380E
B, xrefs: 00BB3821
R, xrefs: 00BB381A
Fatal error: rsaenh.dll is not initialized as well, xrefs: 00BB3908
, xrefs: 00BB38DA
Fatal error, xrefs: 00BB3903

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: Virtual$ContextCryptFree$Alloc$Acquire$AttributesCriticalErrorFileLastReleaseSection$AddressEnterHandleLeaveLibraryLoadMessageModuleProclstrcatlstrcpy
String ID: $.$B$Fatal error$Fatal error: rsaenh.dll is not initialized as well$R
API String ID: 3050744578-4284454829
Opcode ID: 13241cf238e69dd36f3cbce506236c34e981d8ca82122f71f3fcbcb696a123e5
Instruction ID: 628978a97ff212ea6ae2142dd801059b7e53b8dbe6884a681588920ea02f4dc4
Opcode Fuzzy Hash: 13241cf238e69dd36f3cbce506236c34e981d8ca82122f71f3fcbcb696a123e5
Instruction Fuzzy Hash: 5FC11971E40309ABEB219B94DC46FEEBBB8EF48B00F204155F640BA190DBF56A44CF65

Function 00BB6A10 Relevance: 30.1, APIs: 11, Strings: 9, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,00BB6C13), ref: 00BB6A1C
lstrlenW.KERNEL32(00000000), ref: 00BB6A21
lstrcmpiW.KERNEL32(-00000004,desktop.ini), ref: 00BB6A4D
lstrcmpiW.KERNEL32(-00000004,autorun.inf), ref: 00BB6A62
lstrcmpiW.KERNEL32(-00000004,ntuser.dat), ref: 00BB6A6E
lstrcmpiW.KERNEL32(-00000004,iconcache.db), ref: 00BB6A7A
lstrcmpiW.KERNEL32(-00000004,bootsect.bak), ref: 00BB6A86
lstrcmpiW.KERNEL32(-00000004,boot.ini), ref: 00BB6A92
lstrcmpiW.KERNEL32(-00000004,ntuser.dat.log), ref: 00BB6A9E
lstrcmpiW.KERNEL32(-00000004,thumbs.db), ref: 00BB6AAA
lstrcmpiW.KERNEL32(-00000004,CRAB-DECRYPT.txt), ref: 00BB6AB6

Strings

ntuser.dat, xrefs: 00BB6A68
ntuser.dat.log, xrefs: 00BB6A98
thumbs.db, xrefs: 00BB6AA4
bootsect.bak, xrefs: 00BB6A80
boot.ini, xrefs: 00BB6A8C
iconcache.db, xrefs: 00BB6A74
desktop.ini, xrefs: 00BB6A47
CRAB-DECRYPT.txt, xrefs: 00BB6AB0
autorun.inf, xrefs: 00BB6A5C

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: lstrcmpi$lstrlen
String ID: CRAB-DECRYPT.txt$autorun.inf$boot.ini$bootsect.bak$desktop.ini$iconcache.db$ntuser.dat$ntuser.dat.log$thumbs.db
API String ID: 203586893-3936223242
Opcode ID: b3826b32d36f7758543afd84cb364569efcc1a89a98699993fcecc88a4219aed
Instruction ID: ca233b920e6bd98d283120b84f65aed6a8df04262cd37c70e619fc2c7fcea196
Opcode Fuzzy Hash: b3826b32d36f7758543afd84cb364569efcc1a89a98699993fcecc88a4219aed
Instruction Fuzzy Hash: 3A117C62641627675E21B67DDC01DFF63CCDED1B8430582B5EA00F20A5EBD9DE0389B1

Function 00BB68A0 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,00000000,?,00BB6F26,00000000,?,?), ref: 00BB68BC
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00000000,?,00BB6F26,00000000,?,?), ref: 00BB6914
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,00000000,?,00BB6F26,00000000,?,?), ref: 00BB697E
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,00000000,?,00BB6F26,00000000,?,?), ref: 00BB69A6
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,00000000,?,00BB6F26,00000000,?,?), ref: 00BB69C4
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,00000000,?,00BB6F26,00000000,?,?), ref: 00BB69E2

Strings

\Boot\, xrefs: 00BB68E4
\IETldCache\, xrefs: 00BB68D4
\Program Files\, xrefs: 00BB68F4
\Tor Browser\, xrefs: 00BB6923
\Windows\, xrefs: 00BB6963
\All Users\, xrefs: 00BB6943
\Local Settings\, xrefs: 00BB6953
Ransomware, xrefs: 00BB6933
\ProgramData\, xrefs: 00BB68C2

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: FolderPathSpecial$Virtual$AllocFree
String ID: Ransomware$\All Users\$\Boot\$\IETldCache\$\Local Settings\$\Program Files\$\ProgramData\$\Tor Browser\$\Windows\
API String ID: 4167578076-3735464813
Opcode ID: f5640c6f23b41443a9e01523fa677ad25c569d20b9ad43e8a66544662831e2f6
Instruction ID: 104c26111a2ad365ae48a74aac6afa639e893ca63d10117b7fdd0197b4de20df
Opcode Fuzzy Hash: f5640c6f23b41443a9e01523fa677ad25c569d20b9ad43e8a66544662831e2f6
Instruction Fuzzy Hash: 4C317620B0061557EA2426664C56BFF53CECB95B44F1040F4EE86DB2CAEEF8CC0293E6

Function 00BB7410 Relevance: 20.1, APIs: 16, Instructions: 120stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB7462
lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB746D
lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB7483
lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB748E
lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB74A4
lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB74AF
lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB74C5
lstrlenW.KERNEL32(00BB4B46,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB74D0
lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB74E6
lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB74F1
lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB7507
lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB7512
lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB7531
lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB753C
lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB7558
lstrlenW.KERNEL32(?,?,?,?,00BB4829,00000000,?,00000000,00000000,?,00000000), ref: 00BB7566

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 89475b979cd1e58bb29982286d29ea4d01db4ed9c87d55fd5a046d131ca7c689
Instruction ID: 046af7be01c39bbcff5ce1d544ec3f1e97aa0927243614c7c6d0701f6893c509
Opcode Fuzzy Hash: 89475b979cd1e58bb29982286d29ea4d01db4ed9c87d55fd5a046d131ca7c689
Instruction Fuzzy Hash: 7B410C32640651FFC7116FB8DDC8798BBA2FF04316F884674E41683A60DBB5A878DB81

Function 00BB6E50 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 59filememorystringCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,00000000,?,00BB6F5F,00000000,?,?), ref: 00BB6E65
wsprintfW.USER32 ref: 00BB6E73
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 00BB6E8F
GetLastError.KERNEL32(?,?), ref: 00BB6E9C
lstrlenW.KERNEL32(?,?,00000000,?,?), ref: 00BB6EBE
WriteFile.KERNEL32(00000000,00000000,?,?), ref: 00BB6ECE
CloseHandle.KERNEL32(00000000,?,?), ref: 00BB6ED5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 00BB6EE8

Strings

%s\CRAB-DECRYPT.txt, xrefs: 00BB6E6D

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocCloseCreateErrorFreeHandleLastWritelstrlenwsprintf
String ID: %s\CRAB-DECRYPT.txt
API String ID: 2985722263-2724392667
Opcode ID: 9f08795fcb2f0757d2cae3917ae09bb5a3dadbe07c486d570a4518868a7ebec3
Instruction ID: 0f07bf8ad7a73c909e0509661a638a7b78599fbc7577c045dc2dc58453bc978d
Opcode Fuzzy Hash: 9f08795fcb2f0757d2cae3917ae09bb5a3dadbe07c486d570a4518868a7ebec3
Instruction Fuzzy Hash: 16019235740200BBE6601B68AD8AFBA3A9CEB46B15F100210FB05F61D0DEE9AD00866A

Function 00BB5380 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,00000000,00BB5519,00000000,?,?,?,?,00BB5643,00000000,?,00000000), ref: 00BB5396
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,?,?,?,?,00BB5643,00000000,?,00000000,00000000,?,00000000), ref: 00BB53A8
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200,?,?,?,?,00BB5643,00000000,?,00000000,00000000,?,00000000), ref: 00BB53B8
wsprintfW.USER32 ref: 00BB53C9
ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00BB53E3
ExitProcess.KERNEL32 ref: 00BB53EB

Strings

cmd.exe, xrefs: 00BB53D7
open, xrefs: 00BB53DC
/c timeout -c 5 & del "%s" /f /q, xrefs: 00BB53C3

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual$ExecuteExitFileModuleNameProcessShellwsprintf
String ID: /c timeout -c 5 & del "%s" /f /q$cmd.exe$open
API String ID: 4033023619-516011104
Opcode ID: 7b8a6565ef8172cf2801776737ee9b45a5808a7924738a62aff76f401c6df5ec
Instruction ID: 6f8b68f152be4851da9bb05cf911a4adc185bd6b550450c5b493a147922f3b05
Opcode Fuzzy Hash: 7b8a6565ef8172cf2801776737ee9b45a5808a7924738a62aff76f401c6df5ec
Instruction Fuzzy Hash: 82F03031BC171133F17117685C1FF672DA89B46F52F240154F709BF1D18DE054018AAE

Function 00BB3BD0 Relevance: 15.0, APIs: 1, Strings: 9, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00BB4817,00000000,?,00000000,00000000), ref: 00BB3C6C

Strings

pc_keyb, xrefs: 00BB3C32
hdd, xrefs: 00BB3C55
ransom_id, xrefs: 00BB3C4E
pc_lang, xrefs: 00BB3C2B
os_major, xrefs: 00BB3C39
pc_user, xrefs: 00BB3C08
os_bit, xrefs: 00BB3C40
pc_name, xrefs: 00BB3C0F
pc_group, xrefs: 00BB3C1D

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID: hdd$os_bit$os_major$pc_group$pc_keyb$pc_lang$pc_name$pc_user$ransom_id
API String ID: 54951025-631784635
Opcode ID: d58b813c06a3cee2651ccbd422f3f4eab426f88fa8b91d6f8d2bdd484ceed0a3
Instruction ID: a0be1f5273dbfc39c313b929913a3f54654389390e3efb798ca23d29af806b55
Opcode Fuzzy Hash: d58b813c06a3cee2651ccbd422f3f4eab426f88fa8b91d6f8d2bdd484ceed0a3
Instruction Fuzzy Hash: D0115DB5501B458FC7A0CF69C9846AABBF0BB08758B40496DE99AD7B10D3B1F448CF48

Function 00BB7EE0 Relevance: 12.6, APIs: 10, Instructions: 67COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00BB48BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB7EF9
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00BB48BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB7F0B
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00BB48BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB7F1D
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00BB48BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB7F2F
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00BB48BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB7F41
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00BB48BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB7F53
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00BB48BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB7F65
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00BB48BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB7F77
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00BB48BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB7F89
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00BB48BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00BB7FA1

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 8314e05aada40d4ca2ccf08448e2df8d4d282001b4fe326b7a5ea45fbcf421e7
Instruction ID: f81c5e96d3a81dab1604e552560c2d1e9704f02ac655ee92d3b7e97b726172f3
Opcode Fuzzy Hash: 8314e05aada40d4ca2ccf08448e2df8d4d282001b4fe326b7a5ea45fbcf421e7
Instruction Fuzzy Hash: ED219E30284B44ABE7765A15DC06BB576E1FF80B45F254968E2C1348F08BF57899DF48

Function 00BB4000 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136memorythreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004), ref: 00BB4020
GetTickCount.KERNEL32 ref: 00BB4045
GetDriveTypeW.KERNEL32(?), ref: 00BB406A
CreateThread.KERNEL32(00000000,00000000,00BB70B0,?,00000000,00000000), ref: 00BB40A9
WaitForMultipleObjects.KERNEL32(00000000,?), ref: 00BB40EB
GetTickCount.KERNEL32 ref: 00BB40F1

Strings

?:\, xrefs: 00BB4033

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: CountTick$AllocCreateDriveMultipleObjectsThreadTypeVirtualWait
String ID: ?:\
API String ID: 458387131-2533537817
Opcode ID: 872d3e398188838a9c06b6cfd71fbe5e5460f0692ac7ba0c8cc267a9bdb505f3
Instruction ID: d2936a78ed123cf0075d772a46da3b65d24166c216bec197b02d1c719156f9e5
Opcode Fuzzy Hash: 872d3e398188838a9c06b6cfd71fbe5e5460f0692ac7ba0c8cc267a9bdb505f3
Instruction Fuzzy Hash: 3A5134709083009FD310DF18D884BAABBE5FF88314F504A6DFA89A7361D7B5A944CB96

Function 00BB70B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 48memorythreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040), ref: 00BB70C9
wsprintfW.USER32 ref: 00BB70DE
InitializeCriticalSection.KERNEL32(?), ref: 00BB70EC
VirtualAlloc.KERNEL32 ref: 00BB7120
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00009C40,00003000,00000004), ref: 00BB714D
ExitThread.KERNEL32 ref: 00BB7155

Strings

%c:\, xrefs: 00BB70D8

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$CriticalExitFreeInitializeSectionThreadwsprintf
String ID: %c:\
API String ID: 2059066847-3142399695
Opcode ID: 7c370f18c0afd873ba652723727d695012c33ebc457b5338baf310e1fc18d311
Instruction ID: 8c6b74f40aa5b61f89e6707d6b3d42be927e445212a2976d2516e1a354801080
Opcode Fuzzy Hash: 7c370f18c0afd873ba652723727d695012c33ebc457b5338baf310e1fc18d311
Instruction Fuzzy Hash: 3611C4B5544300BFE3509F54CC8AF667BA8AB45B11F004704FB64AA1D1DBF49500CBA6

Function 00BB6AD0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 95stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,?,00BB6BFA), ref: 00BB6AF2

Strings

%s , xrefs: 00BB6B36

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: %s
API String ID: 1659193697-4273690596
Opcode ID: 321b6c67fad7278b766b30ccdd9022a5d04c203e478a0e1dc2b5738795b97618
Instruction ID: 8708b734b89ddccfd2f94483683492f8dfa4697b3668057f4aec4a679f320b84
Opcode Fuzzy Hash: 321b6c67fad7278b766b30ccdd9022a5d04c203e478a0e1dc2b5738795b97618
Instruction Fuzzy Hash: C1212172E012259BDB305B2C9C427F673F8EB95325F4482A6ED05E7180EBF89D41C390

Function 00BB2C50 Relevance: 10.6, APIs: 7, Instructions: 62stringthreadCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00BB2C8A
BeginPaint.USER32(?,?), ref: 00BB2C9F
lstrlenW.KERNEL32(?), ref: 00BB2CAC
TextOutW.GDI32(00000000,00000005,00000005,?,00000000), ref: 00BB2CBD
EndPaint.USER32(?,?), ref: 00BB2CCB
CreateThread.KERNEL32(00000000,00000000,Function_00002AD0,00000000,00000000,00000000), ref: 00BB2CE9
DestroyWindow.USER32(?), ref: 00BB2CF2

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: PaintWindow$BeginCreateDestroyProcTextThreadlstrlen
String ID:
API String ID: 572880375-0
Opcode ID: 0d8181090cdbf3fcc8b4f57cf9c14fedf482740419bad536b71f6cc8939d5e74
Instruction ID: d6a8f56880818505c5dbc9de51386ec7d53ef86447f1b601b1b75ba04904cc6a
Opcode Fuzzy Hash: 0d8181090cdbf3fcc8b4f57cf9c14fedf482740419bad536b71f6cc8939d5e74
Instruction Fuzzy Hash: EE115E32504209BBD711DF68DC0AFBA7BA8FB49711F004616FD45E61A0EBB19910DB92

Function 00E01A4C Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00E01A4C

Part of subcall function 00E01BFB: EncodePointer.KERNEL32(00000000,?,00E01A51,00E012AD,00E0FD50,00000014), ref: 00E01BFE
Part of subcall function 00E01BFB: __initp_misc_winsig.LIBCMT ref: 00E01C19
Part of subcall function 00E01BFB: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00E02EA5
Part of subcall function 00E01BFB: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00E02EB9
Part of subcall function 00E01BFB: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00E02ECC
Part of subcall function 00E01BFB: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00E02EDF
Part of subcall function 00E01BFB: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00E02EF2
Part of subcall function 00E01BFB: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00E02F05
Part of subcall function 00E01BFB: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00E02F18
Part of subcall function 00E01BFB: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00E02F2B
Part of subcall function 00E01BFB: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00E02F3E
Part of subcall function 00E01BFB: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00E02F51
Part of subcall function 00E01BFB: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00E02F64
Part of subcall function 00E01BFB: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00E02F77
Part of subcall function 00E01BFB: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00E02F8A
Part of subcall function 00E01BFB: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00E02F9D
Part of subcall function 00E01BFB: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00E02FB0
Part of subcall function 00E01BFB: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00E02FC3

__mtinitlocks.LIBCMT ref: 00E01A51
__mtterm.LIBCMT ref: 00E01A5A

Part of subcall function 00E01AC2: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00E01A5F,00E012AD,00E0FD50,00000014), ref: 00E031BB
Part of subcall function 00E01AC2: _free.LIBCMT ref: 00E031C2
Part of subcall function 00E01AC2: DeleteCriticalSection.KERNEL32(pP,?,?,00E01A5F,00E012AD,00E0FD50,00000014), ref: 00E031E4

__calloc_crt.LIBCMT ref: 00E01A7F
__initptd.LIBCMT ref: 00E01AA1
GetCurrentThreadId.KERNEL32 ref: 00E01AA8

Memory Dump Source

Source File: 00000000.00000002.2791285958.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2791252862.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791318792.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791359211.0000000000E11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791395923.0000000000E27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_file.jbxd

Yara matches

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 49316563cc1fb7c8b29a21b8a9a445781e38bf96bd8657ec2f93dc38732d4752
Instruction ID: e2f3e748bc4fb253e76e79b39c5d1ad28aa0ca98c4f89bc5c26a8e2fa2ce8e99
Opcode Fuzzy Hash: 49316563cc1fb7c8b29a21b8a9a445781e38bf96bd8657ec2f93dc38732d4752
Instruction Fuzzy Hash: BCF06D3261A7515EE224BBB57C0678B26E8AB017B9B20269EF660BD0D2FF1189C14190

Function 00E14C70 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 320COMMON

Download Yara Rule

Strings

R, xrefs: 00E14CDA
B, xrefs: 00E14CE1
, xrefs: 00E14D9A
., xrefs: 00E14CCE

Memory Dump Source

Source File: 00000000.00000002.2791359211.0000000000E11000.00000004.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2791252862.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791285958.0000000000E01000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791318792.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791395923.0000000000E27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_file.jbxd

Yara matches

Similarity

API ID:
String ID: $.$B$R
API String ID: 0-2564718622
Opcode ID: c4397fe68df17939edc0105940fd75740397e122c90b7a27d9ab24e3aa98428a
Instruction ID: 50346a21238b6942180f2da0544b5da8fee2da0f175e921cd3bcec0196503fc4
Opcode Fuzzy Hash: c4397fe68df17939edc0105940fd75740397e122c90b7a27d9ab24e3aa98428a
Instruction Fuzzy Hash: 37C11DB1E40318ABEB119B94CC46FEEBBB8FF49704F105115F640BA2D0DBB569948FA4

Function 00BB3200 Relevance: 8.8, APIs: 7, Instructions: 73memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00BB5474,00000000,?,00BB5475,?,00BB34BF,00BB5475,00000001,00BB5475,00000000,00000000,00000000,?,?,00BB5474,00000000), ref: 00BB3251
GetProcessHeap.KERNEL32(00000008,00000001,?,00BB34BF,00BB5475,00000001,00BB5475,00000000,00000000,00000000,?,?,00BB5474,00000000), ref: 00BB325B
HeapAlloc.KERNEL32(00000000,?,00BB34BF,00BB5475,00000001,00BB5475,00000000,00000000,00000000,?,?,00BB5474,00000000), ref: 00BB3262
lstrlenA.KERNEL32(00BB5474,00000000,?,00BB5475,?,00BB34BF,00BB5475,00000001,00BB5475,00000000,00000000,00000000,?,?,00BB5474,00000000), ref: 00BB3273
GetProcessHeap.KERNEL32(00000008,00000001,?,00BB34BF,00BB5475,00000001,00BB5475,00000000,00000000,00000000,?,?,00BB5474,00000000), ref: 00BB327D
HeapAlloc.KERNEL32(00000000,?,00BB34BF,00BB5475,00000001,00BB5475,00000000,00000000,00000000,?,?,00BB5474,00000000), ref: 00BB3284
lstrcpyA.KERNEL32(00000000,00BB5474,?,00BB34BF,00BB5475,00000001,00BB5475,00000000,00000000,00000000,?,?,00BB5474,00000000), ref: 00BB3293

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrlen$lstrcpy
String ID:
API String ID: 511007297-0
Opcode ID: 5785967e425a0f0dad637735612c1bbbaf67a7b182f8970cf1a262d68e528d1e
Instruction ID: c0567841a8639686dab1f4f55b9f3c716d2862e8e4ffa66277e3b6184f3dd3ef
Opcode Fuzzy Hash: 5785967e425a0f0dad637735612c1bbbaf67a7b182f8970cf1a262d68e528d1e
Instruction Fuzzy Hash: 8E1190308082946FDB611F6CD848BF6BBD8EF13B50F244296E9C5D7211CBB58D4687A2

Function 00BB3D00 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BB3D52
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 00BB3D76
VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 00BB3D7A
VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 00BB3D7E
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00BB3DA5

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion_memset
String ID:
API String ID: 3299124433-0
Opcode ID: ce2a42939653c626c55946bc191be169b17e80c6344bda28126cd1c69655041d
Instruction ID: c5af721c8bc6a877ee0afdd770b777004da9ad1f40b439ed234d5099d32f0f6f
Opcode Fuzzy Hash: ce2a42939653c626c55946bc191be169b17e80c6344bda28126cd1c69655041d
Instruction Fuzzy Hash: 05111EB0D4031C6EEB719F64DC0ABEA7ABCEB08700F0081D9A608E71C1D6B45B948FD5

Function 00E01ADF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,00E01B1E,00000000,?,00E04E28,000000FF,0000001E,00000000,00000000,00000000,?,00E03385), ref: 00E01AEE
GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00E01B00

Strings

mscoree.dll, xrefs: 00E01AE7
CorExitProcess, xrefs: 00E01AF8

Memory Dump Source

Source File: 00000000.00000002.2791285958.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2791252862.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791318792.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791359211.0000000000E11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791395923.0000000000E27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_file.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 9d4e9582c801e36fdfa61eb56d6dd6cb0f4baf87f6649244dd37d57c103b6268
Instruction ID: 6f713044fa527d053017a453f37ae6527882d8b5e8bdd2f3da233e5ace8d882b
Opcode Fuzzy Hash: 9d4e9582c801e36fdfa61eb56d6dd6cb0f4baf87f6649244dd37d57c103b6268
Instruction Fuzzy Hash: 3DD01230340208FBDB215B96DC06F697B7DEB04746F101298F904F50D0EB629E94DA60

Function 00BB4EB0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 117stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,fabian wosar <3,?,00BB5218), ref: 00BB4F23
lstrlenA.KERNEL32(00000000,?,00BB5218), ref: 00BB4F7F
lstrcpyA.KERNEL32(?,?,?,00BB5218), ref: 00BB4FAE

Strings

fabian wosar <3, xrefs: 00BB4F1B

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: fabian wosar <3
API String ID: 367037083-1724090804
Opcode ID: 6917693300857f17e9079d508a50438060845ee4c234bb5cdff83846b304cc2b
Instruction ID: 4e2fc984ddbc7e322445796b77f3f3178f28c1c10278e6b55f1675f4ae9b42d8
Opcode Fuzzy Hash: 6917693300857f17e9079d508a50438060845ee4c234bb5cdff83846b304cc2b
Instruction Fuzzy Hash: F831ED218082A59BDF228F6C98507FABFE1FF43745F6811DAD8D99721BD7E18846C390

Function 00E0737A Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00E073B0
__isleadbyte_l.LIBCMT ref: 00E073DE
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 00E0740C
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 00E07442

Memory Dump Source

Source File: 00000000.00000002.2791285958.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2791252862.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791318792.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791359211.0000000000E11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791395923.0000000000E27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_file.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 8fab9fe81dcfd28424b4f936f5b847a95221475551e65d1c362ff959717044c8
Instruction ID: b08fe04fae7803f171694886f1f8712439ee6d24950ae1ac07d03ee3a72bbc64
Opcode Fuzzy Hash: 8fab9fe81dcfd28424b4f936f5b847a95221475551e65d1c362ff959717044c8
Instruction Fuzzy Hash: B731C130A08246AFDB218F65CC45BAA7FE5FF40314F155529E8A4A71E1E730F8D0EB50

Function 00E04E8D Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E04EAC

Part of subcall function 00E04DFB: __FF_MSGBANNER.LIBCMT ref: 00E04E12
Part of subcall function 00E04DFB: __NMSG_WRITE.LIBCMT ref: 00E04E19
Part of subcall function 00E04DFB: HeapAlloc.KERNEL32(00FA0000,00000000,00000001,00000000,00000000,00000000,?,00E03385,00000000,00000000,00000000,00000000,?,00E0323A,00000018,00E0FE20), ref: 00E04E3E

Memory Dump Source

Source File: 00000000.00000002.2791285958.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2791252862.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791318792.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791359211.0000000000E11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791395923.0000000000E27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_file.jbxd

Yara matches

Similarity

API ID: AllocHeap_free
String ID:
API String ID: 1080816511-0
Opcode ID: 81882f9aee01dd6954c753e02282d26078e63ccd807e4e39f1cbd643b2024d13
Instruction ID: f9b7130a012610fcb446d3d078558ebdcd793690707b9f845bef36814c7f34b4
Opcode Fuzzy Hash: 81882f9aee01dd6954c753e02282d26078e63ccd807e4e39f1cbd643b2024d13
Instruction Fuzzy Hash: BF11A3F2904216AFCB313FB5FE0569A37D4AF40364B207126FF44BA1E1DA3588D096E5

Function 00E08BED Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00E08C11

Part of subcall function 00E092F8: __fltout2.LIBCMT ref: 00E09321

__cftog_l.LIBCMT ref: 00E08C37
__cftoe_l.LIBCMT ref: 00E08C69

Memory Dump Source

Source File: 00000000.00000002.2791285958.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2791252862.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791318792.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791359211.0000000000E11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791395923.0000000000E27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_file.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: ed737c6f3f553842245351af73272b28864018b3ad26054dfff4ed908eda36ec
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 6F017B3200114EBBDF125E84CE818EE7F72BB19394B589515FA9868072C736C9F1AB92

Function 00BB3190 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 42stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(00BB5474,mask), ref: 00BB31B9
lstrcmpiA.KERNEL32(00BB5474,pub_key), ref: 00BB31D1

Strings

pub_key, xrefs: 00BB31BF
mask, xrefs: 00BB31B1

Memory Dump Source

Source File: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_file.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: mask$pub_key
API String ID: 1586166983-1355590148
Opcode ID: c8c08ea4cc54db6e456cbc0d40f2e83b40bf7c5b90bec5f5fcbc5e661b5a8518
Instruction ID: e99539f8400b01ca1e8863f167077567bd8e71cf253a7b2476e31a6f3dbbe734
Opcode Fuzzy Hash: c8c08ea4cc54db6e456cbc0d40f2e83b40bf7c5b90bec5f5fcbc5e661b5a8518
Instruction Fuzzy Hash: 41F046723082841FE7194A6C9C857F1BBCCDB05B00F9401BFF689C2190D6FA8C81C350

Function 00E013C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E029CC
___raise_securityfailure.LIBCMT ref: 00E02AB3

Strings

@M, xrefs: 00E02AAE

Memory Dump Source

Source File: 00000000.00000002.2791285958.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2791252862.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791318792.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791359211.0000000000E11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791395923.0000000000E27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_file.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: @M
API String ID: 3761405300-2208089455
Opcode ID: 1ebc8a753b531519b232eca6b5484240aeed96c9bf6cf1925c65108d997cbba7
Instruction ID: 3456bab06bbe346db633d137bd365370ecd907e10edea75b9bcfed7fbfa73a7c
Opcode Fuzzy Hash: 1ebc8a753b531519b232eca6b5484240aeed96c9bf6cf1925c65108d997cbba7
Instruction Fuzzy Hash: 7D21EDF59002089FE721DF56FD867547BE4BB08310F56606AEA08AF3E0E7B1598A8F45

Function 00E04762 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00E04784
__calloc_crt.LIBCMT ref: 00E0479D

Strings

`R, xrefs: 00E047B4

Memory Dump Source

Source File: 00000000.00000002.2791285958.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2791252862.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791318792.0000000000E0C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791359211.0000000000E11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2791395923.0000000000E27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_file.jbxd

Yara matches

Similarity

API ID: __calloc_crt
String ID: `R
API String ID: 3494438863-1244114338
Opcode ID: 944a9d667d6547103449f5ebce6bc9516829cdeb801c3fedcf27aa64e8522c60
Instruction ID: 581cba5c14a10c5cd4b2a36248f78cda973418372f6e1441558c09c5122667c7
Opcode Fuzzy Hash: 944a9d667d6547103449f5ebce6bc9516829cdeb801c3fedcf27aa64e8522c60
Instruction Fuzzy Hash: A2F0C2F2249302CEF7348B2ABE41BA167D8E716764B58611BE700FA5E5E7308CC28780

Analysis Process: dwqocx.exePID: 2524, Parent PID: 2592COMMON

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1522
Total number of Limit Nodes:	76

Executed Functions

Function 00F94B30 Relevance: 40.4, APIs: 22, Strings: 1, Instructions: 182
threadsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000003E8), ref: 00F94B3B

Part of subcall function 00F947E0: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F9483C
Part of subcall function 00F947E0: lstrcpyW.KERNEL32(00000000,Global\,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F9485F
Part of subcall function 00F947E0: lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F94866
Part of subcall function 00F947E0: CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F9487E
Part of subcall function 00F947E0: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F9488A
Part of subcall function 00F947E0: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F94891
Part of subcall function 00F947E0: VirtualFree.KERNEL32(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F948AB

ExitProcess.KERNEL32 ref: 00F94B4C
CreateThread.KERNEL32(00000000,00000000,00F92D30,00000000,00000000,00000000), ref: 00F94B61
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00F94B79
TerminateThread.KERNEL32(00000000,00000000), ref: 00F94B8C
CloseHandle.KERNEL32(00000000), ref: 00F94B96
VirtualAlloc.KERNEL32(00000000,00000200,00003000,00000004,00000000,00000000,00000000,00000000), ref: 00F94C0A
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 00F94C24
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F94C3D
ExitProcess.KERNEL32 ref: 00F94C45

Strings

open, xrefs: 00F94DA0

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtual$AllocCreateErrorExitFreeLastProcessThread$CloseFileHandleModuleMutexNameObjectSingleSleepTerminateWaitlstrcpylstrlen
String ID: open
API String ID: 1803241880-2758837156
Opcode ID: 29f167e663a1fae8eb35b505b1e95e31fd9f8185a72e33c2f74831372f6b1e67
Instruction ID: 5405e61ecd3b87bbd2ede52009cb75506e6dd3e821403896f63307e2bd37dae4
Opcode Fuzzy Hash: 29f167e663a1fae8eb35b505b1e95e31fd9f8185a72e33c2f74831372f6b1e67
Instruction Fuzzy Hash: 36712B70A40208ABFF14EFE0DC5AFAE7B74AB58705F104115F601BA1D0DBB86A45EFA5

Function 00FE75C0 Relevance: 3.3, APIs: 2, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.1671067110.0000000000FE1000.00000004.00000001.01000000.00000006.sdmp, Offset: 00FD0000, based on PE: true

Associated: 0000000F.00000002.1671018492.0000000000FD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671034739.0000000000FD1000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671051955.0000000000FDC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671088593.0000000000FF7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_fd0000_dwqocx.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 794c13284e084b999102786f7c7132ff237cb24c9401df5e3aaca089a4b1fbef
Instruction ID: acc3c6b7cf5f200e19a5288f6cb2b264b7ef56a4d6dde45517f8b293f951a3bf
Opcode Fuzzy Hash: 794c13284e084b999102786f7c7132ff237cb24c9401df5e3aaca089a4b1fbef
Instruction Fuzzy Hash: 48D1AE75E043568FCB24DF5AC880BA9B7B1FF58324F2945A9D855AB341E330ED41EB90

Function 00F97600 Relevance: 154.5, APIs: 55, Strings: 33, Instructions: 499
memorystringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00F97627
GetUserNameW.ADVAPI32(00000000,?), ref: 00F97638
VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00F97656
GetComputerNameW.KERNEL32(00000000,0000001E), ref: 00F97660
VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 00F97680
wsprintfW.USER32 ref: 00F976C1
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00F976DE
RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00F97702
RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,00F94820,?), ref: 00F97726
GetLastError.KERNEL32 ref: 00F97739
RegCloseKey.ADVAPI32(00000000), ref: 00F97742
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F9775F
VirtualAlloc.KERNEL32(00000000,0000008A,00003000,00000004), ref: 00F9777D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 00F97793
wsprintfW.USER32 ref: 00F977AD
RegOpenKeyExW.ADVAPI32(80000001,Keyboard Layout\Preload,00000000,00020019,?), ref: 00F977CF
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,00F94820,?), ref: 00F977F1
GetLastError.KERNEL32 ref: 00F97804
RegCloseKey.ADVAPI32(?), ref: 00F9780D
lstrcmpiW.KERNEL32(00F94820,00000419), ref: 00F97821
wsprintfW.USER32 ref: 00F9784E
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F9785D
VirtualAlloc.KERNEL32(00000000,00000082,00003000,00000004), ref: 00F9787D
wsprintfW.USER32 ref: 00F978C6
GetNativeSystemInfo.KERNEL32(?), ref: 00F978D5
VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004), ref: 00F978E6
wsprintfW.USER32 ref: 00F9790A
ExitProcess.KERNEL32 ref: 00F97911
wsprintfW.USER32 ref: 00F97939
VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004), ref: 00F97977
VirtualAlloc.KERNELBASE(00000000,00000E0C,00003000,00000004), ref: 00F9798A
GetWindowsDirectoryW.KERNEL32(00000000,00000100), ref: 00F97994
GetVolumeInformationW.KERNELBASE(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 00F979CE
lstrlenW.KERNEL32(0000060C,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 00F97A00
wsprintfW.USER32 ref: 00F97A38
lstrcatW.KERNEL32(?,0000060C), ref: 00F97A4D
GetModuleHandleW.KERNEL32(ntdll.dll,RtlComputeCrc32), ref: 00F97A59
GetProcAddress.KERNEL32(00000000), ref: 00F97A60
lstrlenW.KERNEL32(?), ref: 00F97A70
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00F97AA1

Part of subcall function 00F97CE0: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,756EF3C0,?,760773E0), ref: 00F97CFD
Part of subcall function 00F97CE0: VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 00F97D71
Part of subcall function 00F97CE0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F97D86
Part of subcall function 00F97CE0: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F97D9C

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00F97AF8
GetDriveTypeW.KERNEL32(?), ref: 00F97B3F
lstrcatW.KERNEL32(?,?), ref: 00F97B66
lstrcatW.KERNEL32(?,00FA0334), ref: 00F97B78
lstrcatW.KERNEL32(?,00FA03A8), ref: 00F97B82
GetDiskFreeSpaceW.KERNEL32(?,?,00F94820,?,00000000), ref: 00F97B98
lstrlenW.KERNEL32(?,?,00000000,00F94820,00000000,00000000,00000000,00F94820,00000000), ref: 00F97BE0
wsprintfW.USER32 ref: 00F97BFA
lstrlenW.KERNEL32(?), ref: 00F97C08
wsprintfW.USER32 ref: 00F97C1C
lstrcatW.KERNEL32(?,00FA03C8), ref: 00F97C2F
lstrcatW.KERNEL32(?,00FA03CC), ref: 00F97C3B
lstrlenW.KERNEL32(?), ref: 00F97C56
VirtualAlloc.KERNEL32(00000000,00000081,00003000,00000004), ref: 00F97C79
VirtualFree.KERNEL32(?,00000000,00008000,00000000), ref: 00F97CA0

Strings

ARM, xrefs: 00F9791E
%I64u/, xrefs: 00F97BF4
00000419, xrefs: 00F97819
Control Panel\International, xrefs: 00F976F1
ProcessorNameString, xrefs: 00F979E1
CDROM, xrefs: 00F97AEA
Keyboard Layout\Preload, xrefs: 00F977C5
x64, xrefs: 00F97917
ntdll.dll, xrefs: 00F97A54
Itanium, xrefs: 00F97925
%I64u, xrefs: 00F97C13
@, xrefs: 00F9770F
Domain, xrefs: 00F97690
RAMDISK, xrefs: 00F97AF1
REMOTE, xrefs: 00F97AE3
LocaleName, xrefs: 00F9771E
REMOVABLE, xrefs: 00F97AD5
UNKNOWN, xrefs: 00F97AC7
x86, xrefs: 00F9792C
NO_ROOT_DIR, xrefs: 00F97ACE
FIXED, xrefs: 00F97ADC
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 00F979E6, 00F97A1B
?:\, xrefs: 00F97B1D
Identifier, xrefs: 00F97A16
SYSTEM\CurrentControlSet\services\Tcpip\Parameters, xrefs: 00F97695
RtlComputeCrc32, xrefs: 00F97A4F
undefined, xrefs: 00F976B9
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion, xrefs: 00F978AF
productName, xrefs: 00F97886, 00F978AA
WORKGROUP, xrefs: 00F976B1
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00F9788B
Unknown, xrefs: 00F97933
error, xrefs: 00F978BE

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$Freelstrcat$lstrlen$CloseErrorLastNameOpenQueryValue$AddressComputerCreateDirectoryDiskDriveExitHandleInfoInformationModuleNativeProcProcessSnapshotSpaceSystemToolhelp32TypeUserVolumeWindowslstrcmpi
String ID: %I64u$%I64u/$00000419$?:\$@$ARM$CDROM$Control Panel\International$Domain$FIXED$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Identifier$Itanium$Keyboard Layout\Preload$LocaleName$NO_ROOT_DIR$ProcessorNameString$RAMDISK$REMOTE$REMOVABLE$RtlComputeCrc32$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\services\Tcpip\Parameters$UNKNOWN$Unknown$WORKGROUP$error$ntdll.dll$productName$undefined$x64$x86
API String ID: 153366582-3109846240
Opcode ID: b14c83247486a8ceb57d0260a7cb7f997deed4c21413447b4019fd505922ee0d
Instruction ID: 9a697bdf2823c1759a7e2d03f151b334f09c69bbf315dd513ca112c06e21f502
Opcode Fuzzy Hash: b14c83247486a8ceb57d0260a7cb7f997deed4c21413447b4019fd505922ee0d
Instruction Fuzzy Hash: 211294B0A50304BFEB21AFA4DC4AFAEBBB4FF04700F100519F645A61E0DBB5A954EB55

Function 00F97210 Relevance: 89.4, APIs: 49, Strings: 2, Instructions: 196
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00F97231
lstrcatW.KERNEL32(?,00F9FFF8,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F97239
lstrcatW.KERNEL32(?,?,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F97242
lstrcatW.KERNEL32(?,00F9FFFC,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F9724A
lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00F97255
lstrcatW.KERNEL32(?,00F9FFF8,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F9725D
lstrcatW.KERNEL32(?,?,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F97263
lstrcatW.KERNEL32(?,00F9FFFC,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F9726B
lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00F97277
lstrcatW.KERNEL32(?,00F9FFF8,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F9727F
lstrcatW.KERNEL32(?,?,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F97285
lstrcatW.KERNEL32(?,00F9FFFC,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F9728D
lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00F97299
lstrcatW.KERNEL32(?,00F9FFF8,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F972A1
lstrcatW.KERNEL32(?,?,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F972A7
lstrcatW.KERNEL32(?,00F9FFFC,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F972AF
lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00F972BB
lstrcatW.KERNEL32(?,00F9FFF8,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F972C3
lstrcatW.KERNEL32(?,?,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F972C9
lstrcatW.KERNEL32(?,00F9FFFC,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F972D1
lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00F972DD
lstrcatW.KERNEL32(?,00F9FFF8,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F972E5
lstrcatW.KERNEL32(?,?,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F972EB
lstrcatW.KERNEL32(?,00F9FFFC,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F972F3
lstrcatW.KERNEL32(?,00F94B46,00000000,00000000,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00F972FF
lstrcatW.KERNEL32(?,00F9FFF8,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F97307
lstrcatW.KERNEL32(?,?,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F9730D
lstrcatW.KERNEL32(?,00F9FFFC,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F97315
lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00F97321
lstrcatW.KERNEL32(?,00F9FFF8,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F97329
lstrcatW.KERNEL32(?,?,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F9732F
lstrcatW.KERNEL32(?,00F9FFFC,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F97337
lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00F97343
lstrcatW.KERNEL32(?,00F9FFF8,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F9734B
lstrcatW.KERNEL32(?,?,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F97351
lstrcatW.KERNEL32(?,00F9FFFC,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F97359
VirtualAlloc.KERNELBASE(00000000,00000042,00003000,00000040,00000000,00000000,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000), ref: 00F9736C
wsprintfW.USER32 ref: 00F97386
wsprintfW.USER32 ref: 00F97397
lstrcatW.KERNEL32(?,?,?,00000000,00000000,?,00000000), ref: 00F973A4
lstrcatW.KERNEL32(?,00F9FFF8,?,00000000,00000000,?,00000000), ref: 00F973AC
lstrcatW.KERNEL32(?,?,?,00000000,00000000,?,00000000), ref: 00F973B2
lstrcatW.KERNEL32(?,00F9FFFC,?,00000000,00000000,?,00000000), ref: 00F973BA
VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 00F973C6
lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00F973D6
lstrcatW.KERNEL32(?,00F9FFF8,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F973DE
lstrcatW.KERNEL32(?,?,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F973E4
lstrcatW.KERNEL32(?,00F9FFFC,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F973EC
lstrlenW.KERNEL32(?,00000000,00000000,?,?,00F94879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F973EF

Strings

undefined, xrefs: 00F97391
%x%x, xrefs: 00F97380

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtualwsprintf$AllocFreelstrlen
String ID: %x%x$undefined
API String ID: 3872469520-3801831566
Opcode ID: 0f1d4a71d75f0997e549079b1378a9bc601894d2ac6dfa86319298faaefed450
Instruction ID: c841f0b0080e1a91c4f2b1c307593ee0e72b6913157741632ff07ae8343ab5a7
Opcode Fuzzy Hash: 0f1d4a71d75f0997e549079b1378a9bc601894d2ac6dfa86319298faaefed450
Instruction Fuzzy Hash: 8A517E31146768B6EF233F628C49F9F3E18EFC6715F120060F910940968B698656FFAB

Function 00FD123B Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fast_error_exit.LIBCMT ref: 00FD12A2
_fast_error_exit.LIBCMT ref: 00FD12B3
__RTC_Initialize.LIBCMT ref: 00FD12B9
__ioinit.LIBCMT ref: 00FD12C2
_fast_error_exit.LIBCMT ref: 00FD12CD
GetCommandLineA.KERNEL32(00FDFD50,00000014), ref: 00FD12D3
___crtGetEnvironmentStringsA.LIBCMT ref: 00FD12DE
__setargv.LIBCMT ref: 00FD12E8
__setenvp.LIBCMT ref: 00FD12F9
__cinit.LIBCMT ref: 00FD130C

Strings

.$, xrefs: 00FD1282

Memory Dump Source

Source File: 0000000F.00000002.1671034739.0000000000FD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00FD0000, based on PE: true

Associated: 0000000F.00000002.1671018492.0000000000FD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671051955.0000000000FDC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671067110.0000000000FE1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671088593.0000000000FF7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_fd0000_dwqocx.jbxd

Yara matches

Similarity

API ID: _fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__setargv__setenvp
String ID: .$
API String ID: 3919536372-2223841709
Opcode ID: 24c9c4311bc750d5e0ccac79c5dd694301c6fb432178821fd52028e7db77623e
Instruction ID: 4c4a3c52a4f298ec50975f80f6b0a156269d8a53e5fc2565a9e4a997c25d44ed
Opcode Fuzzy Hash: 24c9c4311bc750d5e0ccac79c5dd694301c6fb432178821fd52028e7db77623e
Instruction Fuzzy Hash: 8621A871A00305BAEB10BBB0AC46B6D32577F10312F1C412BF504D63D2EF798944F6A1

Function 00F947E0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83
stringmemorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F93BD0: GetProcessHeap.KERNEL32(?,?,00F94817,00000000,?,00000000,00000000), ref: 00F93C6C

Part of subcall function 00F97600: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00F97627
Part of subcall function 00F97600: GetUserNameW.ADVAPI32(00000000,?), ref: 00F97638
Part of subcall function 00F97600: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00F97656
Part of subcall function 00F97600: GetComputerNameW.KERNEL32(00000000,0000001E), ref: 00F97660
Part of subcall function 00F97600: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 00F97680
Part of subcall function 00F97600: wsprintfW.USER32 ref: 00F976C1
Part of subcall function 00F97600: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00F976DE
Part of subcall function 00F97600: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00F97702
Part of subcall function 00F97600: RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,00F94820,?), ref: 00F97726
Part of subcall function 00F97600: RegCloseKey.ADVAPI32(00000000), ref: 00F97742

Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F97462
Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F9746D
Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F97483
Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F9748E
Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F974A4
Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F974AF
Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F974C5
Part of subcall function 00F97410: lstrlenW.KERNEL32(00F94B46,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F974D0
Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F974E6
Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F974F1
Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F97507
Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F97512
Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F97531
Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F9753C

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F9483C
lstrcpyW.KERNEL32(00000000,Global\,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F9485F
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F94866
CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F9487E
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F9488A
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F94891
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F948AB

Strings

Global\, xrefs: 00F94859

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$ErrorLastName$CloseComputerCreateFreeHeapMutexOpenProcessQueryUserValuelstrcpywsprintf
String ID: Global\
API String ID: 3131499543-188423391
Opcode ID: 036d8e851d38ea85d97a14e8cdd5a15778e25f68f0e188fdabdf1a3108d33daa
Instruction ID: edb9bc3400cf877e527a132b86a35ea1d2e4958bc488b1cffa159b7b50add97c
Opcode Fuzzy Hash: 036d8e851d38ea85d97a14e8cdd5a15778e25f68f0e188fdabdf1a3108d33daa
Instruction Fuzzy Hash: 2F2135716A43147BF924B724DC4BF7F7A58DB50B10F100628F615A60E0AA947D05D7EA

Function 00FD11A8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 47
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(00000000,00000000,00000000), ref: 00FD11F2
GetLastError.KERNEL32 ref: 00FD11F8
ExitProcess.KERNEL32(00000000), ref: 00FD1204
ExitThread.KERNEL32 ref: 00FD1234

Strings

-, xrefs: 00FD11E1
1, xrefs: 00FD11E8

Memory Dump Source

Source File: 0000000F.00000002.1671034739.0000000000FD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00FD0000, based on PE: true

Associated: 0000000F.00000002.1671018492.0000000000FD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671051955.0000000000FDC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671067110.0000000000FE1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671088593.0000000000FF7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_fd0000_dwqocx.jbxd

Yara matches

Similarity

API ID: ExitProcess$ErrorLastOpenThread
String ID: -$1
API String ID: 153595879-1877142845
Opcode ID: dbf335a80af57721a373f0a47146686aed70db8ee54d8d1fd812214ff50e9b6d
Instruction ID: 39e37954ade39b9d0e22eeca014c4be64610bbb521af32e5e05f9d038b420d79
Opcode Fuzzy Hash: dbf335a80af57721a373f0a47146686aed70db8ee54d8d1fd812214ff50e9b6d
Instruction Fuzzy Hash: D501ADB0D01219ABDB149FB5980C7EEBFBAFF09751F10812AD115E6291D3B40981EBE4

Function 00F97580 Relevance: 7.5, APIs: 5, Instructions: 47
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,00020019,?,?,0000060C,?,00F979F5,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 00F97596
RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000080,?,?,00F979F5,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 00F975B7
RegCloseKey.KERNELBASE(?,?,00F979F5,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 00F975C7
GetLastError.KERNEL32(?,00F979F5,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 00F975D6
RegCloseKey.ADVAPI32(?,?,00F979F5,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 00F975DF

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: Close$ErrorLastOpenQueryValue
String ID:
API String ID: 2437438455-0
Opcode ID: c6e24eebf34854cf0f13e3d67e88278e657f312c28c027480f359fc46ed678f3
Instruction ID: 74dd0e84ab5b7ac2b5493ad6a0f71040cf55778fc8daabeea2f19d78a056bf2a
Opcode Fuzzy Hash: c6e24eebf34854cf0f13e3d67e88278e657f312c28c027480f359fc46ed678f3
Instruction Fuzzy Hash: A7011E32A0411CFBDF119F94ED05D9A7B68EB04761B004162FD05D6120D7329A24FBE1

Function 00FD1113 Relevance: 3.0, APIs: 2, Instructions: 43
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(00FE20C0,00012400,00000040,00000002,00FDFD30,00000018,00FD122F), ref: 00FD114C
VirtualProtect.KERNELBASE(00FE20C0,00012400,00000002,?), ref: 00FD1180

Memory Dump Source

Source File: 0000000F.00000002.1671034739.0000000000FD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00FD0000, based on PE: true

Associated: 0000000F.00000002.1671018492.0000000000FD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671051955.0000000000FDC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671067110.0000000000FE1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671088593.0000000000FF7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_fd0000_dwqocx.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a575496715ffb97dfe96e2e5cf3493775e1783eb0543a58548d37cced62cabfe
Instruction ID: 1cf86a20bb4d178dab8c6ad9c66637ea4398d85d825132eca27c0a0458430c14
Opcode Fuzzy Hash: a575496715ffb97dfe96e2e5cf3493775e1783eb0543a58548d37cced62cabfe
Instruction Fuzzy Hash: 080171B1940309AADB10EFE58C46EDDB7BABF08710F58511AE601F62C1D774D640EA35

Function 00FD5982 Relevance: 3.0, APIs: 2, Instructions: 30
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,?,?,?,?,5EFC4D8B,00000000,00000000,00000000,?,00FD55A0,?,?,00000000,?,00000000), ref: 00FD59A9
LCMapStringW.KERNEL32(00000000,?,?,?,?,5EFC4D8B,?,00FD55A0,?,?,00000000,?,00000000,00000000), ref: 00FD59C6

Memory Dump Source

Source File: 0000000F.00000002.1671034739.0000000000FD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00FD0000, based on PE: true

Associated: 0000000F.00000002.1671018492.0000000000FD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671051955.0000000000FDC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671067110.0000000000FE1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671088593.0000000000FF7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_fd0000_dwqocx.jbxd

Yara matches

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: d08033042f2598613868b70d6831cd1a4cd94775e720337cc696cc366ae95281
Instruction ID: a44501e951f873170fcd98459423a4a044dd7f1aeac133862b4e04ce0708c331
Opcode Fuzzy Hash: d08033042f2598613868b70d6831cd1a4cd94775e720337cc696cc366ae95281
Instruction Fuzzy Hash: 4FF07F3201014EFFDF069F94EC0ACAE3B6AFB08360B048115FA2885020D772A971FBA1

Function 00F94DD0 Relevance: 3.0, APIs: 2, Instructions: 26
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,00F94B30,00000000,00000000,00000000), ref: 00F94DFC
CloseHandle.KERNEL32(00000000), ref: 00F94E0F

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleThread
String ID:
API String ID: 3032276028-0
Opcode ID: fec420704e13f53a0766b5346ffc605a96947ab43964c4a0e98efa2fed4ac57e
Instruction ID: 9891ad00b8b481463b0fa182f49b78527890944fc97e078bde296bc330b80d5e
Opcode Fuzzy Hash: fec420704e13f53a0766b5346ffc605a96947ab43964c4a0e98efa2fed4ac57e
Instruction Fuzzy Hash: 4CF01C34A80208FBEB24DF949809F9CB770AB24705F20805AE901672C0D6B1AA50EF45

Non-executed Functions

Function 00F958D0 Relevance: 119.5, APIs: 54, Strings: 14, Instructions: 491stringmemoryencryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00F98130: GetTickCount.KERNEL32 ref: 00F98139
Part of subcall function 00F98130: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 00F9818F
Part of subcall function 00F98130: VirtualAlloc.KERNEL32(00000000,00000000), ref: 00F981A1
Part of subcall function 00F98130: lstrcatW.KERNEL32(00000000,00000000), ref: 00F981B1
Part of subcall function 00F98130: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F981BB
Part of subcall function 00F98130: lstrcatW.KERNEL32(00000000,00FA0604), ref: 00F981D1
Part of subcall function 00F98130: lstrcatW.KERNEL32(00000000,00000000), ref: 00F9822C
Part of subcall function 00F98130: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F9823A
Part of subcall function 00F98130: lstrcatW.KERNEL32(00000000,00F9FFF8), ref: 00F98280

VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000040,00000001,?,00000001,00000001,?,00000001), ref: 00F95969
CryptBinaryToStringA.CRYPT32(00000000,00000000,40000001,00000000,?,?,00000001,00000001,?,00000001), ref: 00F95A1C
CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,00000001,00000001,?,00000001), ref: 00F95A35
lstrlenA.KERNEL32(00000000,?,00000001,00000001,?,00000001), ref: 00F95A3E
lstrlenA.KERNEL32(?,?,00000001,00000001,?,00000001), ref: 00F95A46
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040,?,00000001,00000001,?,00000001), ref: 00F95A5B
lstrlenA.KERNEL32 ref: 00F95A77
lstrlenA.KERNEL32(00000000), ref: 00F95A9E
lstrlenA.KERNEL32(?), ref: 00F95ABD
lstrlenA.KERNEL32(?), ref: 00F95AE4
lstrlenA.KERNEL32(00000000), ref: 00F95AF5
lstrlenA.KERNEL32(00000000), ref: 00F95B17
lstrcatW.KERNEL32(?,action=call&), ref: 00F95B2B
lstrlenW.KERNEL32(?), ref: 00F95B38
lstrcatW.KERNEL32(756EE0B0,&id=,756EE0B0), ref: 00F95B9A
lstrcatW.KERNEL32(756EE0B0,?), ref: 00F95BA1
lstrcatW.KERNEL32(756EE0B0,&subid=), ref: 00F95BA9
lstrcatW.KERNEL32(756EE0B0,?), ref: 00F95BB0
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F95BC3
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F95BD0
lstrcatW.KERNEL32(756EE0B0,&pub_key=), ref: 00F95BD8
lstrlenW.KERNEL32(756EE0B0), ref: 00F95BE5
lstrlenA.KERNEL32(00000000), ref: 00F95BEE
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,756EE0B0,00000000), ref: 00F95BFF
lstrcatW.KERNEL32(?,&priv_key=), ref: 00F95C0F
lstrlenW.KERNEL32(?), ref: 00F95C16
lstrlenA.KERNEL32(00000000), ref: 00F95C1F
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000000), ref: 00F95C30
lstrcatW.KERNEL32(00F9FCB0,00760026), ref: 00F95C8D
lstrlenW.KERNEL32(?), ref: 00F95C98
VirtualAlloc.KERNEL32(00000000,-00000012,00003000,00000040), ref: 00F95CAE
lstrlenW.KERNEL32(?), ref: 00F95CB9
lstrlenW.KERNEL32(?), ref: 00F95CDD
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F95CF5
lstrlenW.KERNEL32(?,00003000,00000004), ref: 00F95D06
VirtualAlloc.KERNEL32(00000000,-00000002), ref: 00F95D0E
wsprintfA.USER32 ref: 00F95D27

Part of subcall function 00F96010: VirtualAlloc.KERNEL32(00000000,0000000A,00003000,00000004,00000000,00000000), ref: 00F96033
Part of subcall function 00F96010: GetModuleHandleA.KERNEL32(ntdll.dll), ref: 00F96048
Part of subcall function 00F96010: GetProcAddress.KERNEL32(00000000,RtlComputeCrc32), ref: 00F96059
Part of subcall function 00F96010: lstrlenA.KERNEL32(00000000), ref: 00F96064
Part of subcall function 00F96010: wsprintfA.USER32 ref: 00F9607C
Part of subcall function 00F96010: _memset.LIBCMT ref: 00F9609B
Part of subcall function 00F96010: lstrlenA.KERNEL32(00000000), ref: 00F960A4
Part of subcall function 00F96010: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F960D3

CryptBinaryToStringA.CRYPT32(?,756EE0B0,40000001,00000000,?), ref: 00F95D61
GetLastError.KERNEL32(?,00000001,00000001,?,00000001), ref: 00F95D6B
lstrlenA.KERNEL32(00000000), ref: 00F95D72
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 00F95D81
lstrlenA.KERNEL32(00000000), ref: 00F95D8C
lstrlenA.KERNEL32(00000000), ref: 00F95DAC
lstrlenA.KERNEL32(00000000), ref: 00F95DD4
lstrlenA.KERNEL32(00000000), ref: 00F95DE3
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 00F95DF4
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,00000001,?,00000001), ref: 00F95E2C
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,00000001,?,00000001), ref: 00F95E3A
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,00000001,?,00000001), ref: 00F95E47
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,00000001,?,00000001), ref: 00F95E6C
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,00000001,?,00000001), ref: 00F95E7A
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,00000001,?,00000001), ref: 00F95E87
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F95E9E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F95EB1

Strings

&subid=, xrefs: 00F95BA3
popkadurak, xrefs: 00F958FE
action=call&, xrefs: 00F95B25
., xrefs: 00F95C60
&priv_key=, xrefs: 00F95C09
&id=, xrefs: 00F95B94
&pub_key=, xrefs: 00F95BD2
&advert=+380668846667, xrefs: 00F95C75
&, xrefs: 00F95C38
=, xrefs: 00F95C58
o, xrefs: 00F95C50
s, xrefs: 00F95C48
., xrefs: 00F95C68
e, xrefs: 00F95C40

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Free$lstrcat$Alloc$BinaryByteCharCryptMultiStringWide$wsprintf$AddressCountErrorHandleLastModuleProcTick_memset
String ID: &$&advert=+380668846667$&id=$&priv_key=$&pub_key=$&subid=$.$.$=$action=call&$e$o$popkadurak$s
API String ID: 3331976855-889238998
Opcode ID: f9a5c5c14162d99635616f028e4afeb3339ae50bbd381a2161b2baedbaf6792a
Instruction ID: 40393a48e2f775f93dad4500e8e7e4b2101f381f8e05af51205157d73dc2c291
Opcode Fuzzy Hash: f9a5c5c14162d99635616f028e4afeb3339ae50bbd381a2161b2baedbaf6792a
Instruction Fuzzy Hash: 72028C71508315AFEB21DF24CC85B1BBBE9FF88B14F00091DF585A72A0D7B4E9099B96

Function 00F95400 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 230stringmemoryencryptionCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,00F95643,00000000,?,00000000,00000000,?,00000000), ref: 00F9540F
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040,?,?,?,?,00F95643,00000000,?,00000000,00000000,?,00000000), ref: 00F95426
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00F9544B
lstrlenA.KERNEL32(?,00003000,00000004,00000000,?,?,?,?,00F95643,00000000,?), ref: 00F954A7
VirtualAlloc.KERNEL32(00000000,00000001,?,?,?,?,00F95643,00000000,?), ref: 00F954B1
lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00F95643,00000000,?), ref: 00F954C2
HeapFree.KERNEL32(00000000,?,?,?,?,00F95643,00000000,?), ref: 00F954DD
HeapFree.KERNEL32(00000000,?,?,?,?,00F95643,00000000,?), ref: 00F954EE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,00F95643,00000000,?,00000000,00000000,?,00000000), ref: 00F954FD
GetLastError.KERNEL32(?,?,?,?,00F95643,00000000,?,00000000,00000000,?,00000000), ref: 00F9550C
lstrlenA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F95542
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00F95562
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 00F95574
lstrcatA.KERNEL32(00000000,?), ref: 00F9558E
lstrlenA.KERNEL32(00000000), ref: 00F955E3
lstrlenW.KERNEL32(?), ref: 00F955EF
lstrlenA.KERNEL32(00000000,00000000,00031FFF,?,00000000), ref: 00F9560B
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00000000,00000000,?,00000000), ref: 00F95665
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 00F95671
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 00F9567B
InternetCloseHandle.WININET(00F9587A), ref: 00F95685

Strings

POST, xrefs: 00F955FA

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Heap$BinaryCloseCryptErrorHandleInternetLastStringlstrcatlstrcpy
String ID: POST
API String ID: 1287001821-1814004025
Opcode ID: 0b7e8334ddbc3c6dce9ac73ef315ea8e0e7768f560627755283aa595b9ed70eb
Instruction ID: 8bb016440b1a8ca1adf75a0826229596fb3d8242e0f59b6b46b6e0977dd9920a
Opcode Fuzzy Hash: 0b7e8334ddbc3c6dce9ac73ef315ea8e0e7768f560627755283aa595b9ed70eb
Instruction Fuzzy Hash: 6171C271E00709ABEF119FA9CC45FAEBB78FF88B50F104116FA04A7250DB749A44DB91

Function 00F956A0 Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 188stringmemoryencryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00F98130: GetTickCount.KERNEL32 ref: 00F98139
Part of subcall function 00F98130: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 00F9818F
Part of subcall function 00F98130: VirtualAlloc.KERNEL32(00000000,00000000), ref: 00F981A1
Part of subcall function 00F98130: lstrcatW.KERNEL32(00000000,00000000), ref: 00F981B1
Part of subcall function 00F98130: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F981BB
Part of subcall function 00F98130: lstrcatW.KERNEL32(00000000,00FA0604), ref: 00F981D1
Part of subcall function 00F98130: lstrcatW.KERNEL32(00000000,00000000), ref: 00F9822C
Part of subcall function 00F98130: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F9823A
Part of subcall function 00F98130: lstrcatW.KERNEL32(00000000,00F9FFF8), ref: 00F98280

VirtualAlloc.KERNEL32(00000000,00004C02,00003000,00000040,?,00000000,?), ref: 00F956E4
wsprintfW.USER32 ref: 00F95714
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 00F9575D
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 00F95779
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 00F95790
lstrlenW.KERNEL32(00000000,00003000,00000004,?,00000000,00000000,?,00000000), ref: 00F9579E
VirtualAlloc.KERNEL32(00000000,-00000002,?,00000000,00000000,?,00000000), ref: 00F957A6
wsprintfA.USER32 ref: 00F957BC
CryptBinaryToStringA.CRYPT32(?,756EE0B0,40000001,00000000,?,?,00000000,00000000,?,00000000), ref: 00F957F0
GetLastError.KERNEL32(?,00000000,00000000,?,00000000), ref: 00F957FA
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 00F95807
VirtualAlloc.KERNEL32(00000000,-00000004,00003000,00000040,?,00000000,00000000,?,00000000), ref: 00F95819
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 00F95823
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 00F95841
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 00F95860
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,?,00000000), ref: 00F958A0
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 00F958AC
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 00F958C3

Strings

popkadurak, xrefs: 00F956C7
action=result&e_files=%d&e_size=%I64u&e_time=%d&, xrefs: 00F9570E

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtual$lstrlen$Free$Alloclstrcat$wsprintf$BinaryCountCryptErrorLastStringTick
String ID: action=result&e_files=%d&e_size=%I64u&e_time=%d&$popkadurak
API String ID: 487841380-2102589890
Opcode ID: 520ac3942ffa9b8cb3c8ff136bb9e44d74a0867ede2d0fedd583ce45db36fbf5
Instruction ID: e09b702f56a5eb01f0702bc7c3c6c7ef817ecdeda805a02546fba9ee8b2ffd5d
Opcode Fuzzy Hash: 520ac3942ffa9b8cb3c8ff136bb9e44d74a0867ede2d0fedd583ce45db36fbf5
Instruction Fuzzy Hash: F0519270E00319BBEF219B64DC46FAE7BB8EF44B04F100069F605A6191DB74AE45EF95

Function 00F96CB0 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 136stringfilememoryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,?,00000000), ref: 00F96CC2
lstrcatW.KERNEL32(00000000,00F9FF64,?,00000000), ref: 00F96CD4
FindFirstFileW.KERNEL32(00000000,?,?,00000000), ref: 00F96CE2
lstrcmpW.KERNEL32(?,00F9FF68,?,00000000), ref: 00F96D0C
lstrcmpW.KERNEL32(?,00F9FF6C,?,00000000), ref: 00F96D22
lstrcatW.KERNEL32(00000000,?,?,00000000), ref: 00F96D34
lstrlenW.KERNEL32(00000000,?,00000000), ref: 00F96D3B
lstrcmpW.KERNEL32(-00000001,.sql,?,00000000), ref: 00F96D6A
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 00F96D81
GetFileSize.KERNEL32(00000000,00000000,?,00000000), ref: 00F96D8C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,00000000), ref: 00F96DAA
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000), ref: 00F96DBF
lstrlenA.KERNEL32(*******************,?,00000000), ref: 00F96DDE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 00F96DF9
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00F96E03
FindNextFileW.KERNEL32(?,?,?,00000000), ref: 00F96E2C
FindClose.KERNEL32(?,?,00000000), ref: 00F96E3D

Strings

.sql, xrefs: 00F96D64
*******************, xrefs: 00F96DC9, 00F96DD9

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: File$Findlstrcmplstrlen$CloseVirtuallstrcat$AllocCreateFirstFreeHandleNextReadSize
String ID: *******************$.sql
API String ID: 3616287438-58436570
Opcode ID: c209e73546d30aa132efab5fc6885dfc6124c1eb4a68b2ba50cc9504b5c22abe
Instruction ID: 374942a901241398985025b4acf64aa3c8dba9e16b230d28bdc0509352664732
Opcode Fuzzy Hash: c209e73546d30aa132efab5fc6885dfc6124c1eb4a68b2ba50cc9504b5c22abe
Instruction Fuzzy Hash: 08419071A00219AFEF21AF64DC49FBF77ACEF05704F104066F902E2160EB759A45EBA5

Function 00F96770 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 93encryptionCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00FA3058,?,00F938F4,00000000,00000000,00000000,?,00000800), ref: 00F9677B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,?,00F938F4,00000000,00000000,00000000), ref: 00F967A1
GetLastError.KERNEL32(?,00F938F4,00000000,00000000,00000000), ref: 00F967AB
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,00F938F4,00000000,00000000,00000000), ref: 00F967C7
LeaveCriticalSection.KERNEL32(00FA3058,?,00F938F4,00000000,00000000,00000000), ref: 00F967D6
LeaveCriticalSection.KERNEL32(00FA3058,?,00F938F4,00000000,00000000,00000000), ref: 00F967EA
CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,00F938F4,00000000,00000000), ref: 00F96812
CryptGetKeyParam.ADVAPI32(00000000,00000008,00F938F4,0000000A,00000000,?,00F938F4,00000000), ref: 00F96833
CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,00F938F4,?,00F938F4,00000000), ref: 00F9685B
GetLastError.KERNEL32(?,00F938F4,00000000), ref: 00F96864
CryptReleaseContext.ADVAPI32(00000000,00000000,?,00F938F4,00000000,00000000), ref: 00F96881
LeaveCriticalSection.KERNEL32(00FA3058,?,00F938F4,00000000,00000000), ref: 00F9688C

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00F96796, 00F967BC

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: Crypt$CriticalSection$ContextLeave$AcquireErrorLast$EncryptEnterImportParamRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 3173605824-1948191093
Opcode ID: d14f8b20e8d0e8f7f4828f5bee1859b302f63c9b00001d0a2f41eec63e34ca6a
Instruction ID: d7a4315e47f972c9ae4f609b4e5fd42a58385b25d2ed58fdef51d7e1dd9edd92
Opcode Fuzzy Hash: d14f8b20e8d0e8f7f4828f5bee1859b302f63c9b00001d0a2f41eec63e34ca6a
Instruction Fuzzy Hash: 15312F75A40309BBEB10DFA0DD49F9E77B9AB48705F108509F601E61A0DB759A04EBA2

Function 00F96F00 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 152stringfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 00F96F60
lstrcatW.KERNEL32(00000000,00F9FF64,?,?), ref: 00F96F78
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00F96F82

Part of subcall function 00F968A0: VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,00000000,?,00F96F26,00000000,?,?), ref: 00F968BC
Part of subcall function 00F968A0: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00000000,?,00F96F26,00000000,?,?), ref: 00F96914

lstrcmpW.KERNEL32(?,00F9FF68,?,?), ref: 00F96FB0
lstrcmpW.KERNEL32(?,00F9FF6C,?,?), ref: 00F96FCA
lstrcatW.KERNEL32(00000000,?,?,?), ref: 00F96FE0
lstrcatW.KERNEL32(00000000,00F9FFA4,?,?), ref: 00F97007
FindNextFileW.KERNEL32(00000000,?,?,?), ref: 00F9708D
FindClose.KERNEL32(00000000,?,?), ref: 00F9709E

Strings

SQL, xrefs: 00F96FF1

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: Findlstrcat$FileVirtuallstrcmp$AllocCloseFirstFreeNextlstrlen
String ID: SQL
API String ID: 991218351-1299261525
Opcode ID: 1eab1733ac2681e431f21beeff054f443f0eff9ee7759c8fae7e67a6a115e69a
Instruction ID: b36d21d695c402eecbfa5adb8ffc8a28d8b492121a41588c9b783be762a82031
Opcode Fuzzy Hash: 1eab1733ac2681e431f21beeff054f443f0eff9ee7759c8fae7e67a6a115e69a
Instruction Fuzzy Hash: FD519131E0430CABEF10EF64EC84AAEB7B9EF45324F0441A6F908D6160E7359E54BB91

Function 00F98730 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 111encryptionlibrarymemoryCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00F9874D
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00F9877B
GetModuleHandleA.KERNEL32(?), ref: 00F987CF
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00F987DD
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00F987EC
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00F98835
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F98843
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00F98857
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F98865

Strings

CryptGenRandomAdvapi32.dll, xrefs: 00F987E7, 00F987EA
Advapi32.dll, xrefs: 00F987D9, 00F987DC

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: a43c668ec5241ef24187676237942c3dd21cf2a9035d81d18aed8732a43b9917
Instruction ID: 9e563d2679283a070ef5ef51af5a28924c55828960f7dc92255726d8ebca2fa9
Opcode Fuzzy Hash: a43c668ec5241ef24187676237942c3dd21cf2a9035d81d18aed8732a43b9917
Instruction Fuzzy Hash: 4931F875A0020DABEF208FE5DC45BEEBB78FF45740F104069E501A6150DB359A01EBB9

Function 00F98880 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 96encryptionlibrarymemoryCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00F988A0
VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 00F988C8
GetModuleHandleA.KERNEL32(?), ref: 00F9891D
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00F9892B
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00F9893A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00F9895E
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F9896C
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00F9292B), ref: 00F98980
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,00F9292B), ref: 00F9898E

Strings

CryptGenRandomAdvapi32.dll, xrefs: 00F98935, 00F98938
Advapi32.dll, xrefs: 00F98927, 00F9892A

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: e54b4d7cb15833dfdb2a88f6ac1c523d53ccddd4834a598ce4b27418565492ad
Instruction ID: ccc216c6b4c03cbb8c93773d818773344c7dcf1fc7649484b7a42e6ea5b2fa76
Opcode Fuzzy Hash: e54b4d7cb15833dfdb2a88f6ac1c523d53ccddd4834a598ce4b27418565492ad
Instruction Fuzzy Hash: 4931C971E0020CAFEF118FA5DC49BEE7B78EF45741F10405AE601E6150DB749A01DFA6

Function 00F964F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(00F94BAE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,00F94BA6,?,00F94BAE), ref: 00F96508
GetLastError.KERNEL32(?,00F94BAE), ref: 00F96512
CryptAcquireContextW.ADVAPI32(00F94BAE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,00F94BAE), ref: 00F9652E
CryptGenKey.ADVAPI32(00F94BAE,0000A400,08000001,?,?,00F94BAE), ref: 00F9655A
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000000), ref: 00F9657E
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?), ref: 00F96596
CryptDestroyKey.ADVAPI32(?), ref: 00F965A0
CryptReleaseContext.ADVAPI32(00F94BAE,00000000), ref: 00F965AC
CryptAcquireContextW.ADVAPI32(00F94BAE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000010), ref: 00F965C1

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00F964FD, 00F96523, 00F965B6

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$Export$DestroyErrorLastRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 137402220-1948191093
Opcode ID: fabc112d3ae10de3c51c312063a4e0ab069fbb956e2793cce6c4052f6873dd82
Instruction ID: a5b6138a6e4c47dc4049b3f31d3c101b0744cc6fe1c78d74ce808953cacf6bed
Opcode Fuzzy Hash: fabc112d3ae10de3c51c312063a4e0ab069fbb956e2793cce6c4052f6873dd82
Instruction Fuzzy Hash: CA213375B90309BBEF20CBA0DD4AFDA7779AB48B01F104444FB01EA1D4D6B5DA04BBA1

Function 00F97160 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56stringmemorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F982C0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F984A4
Part of subcall function 00F982C0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 00F984BD

VirtualAlloc.KERNEL32(00000000,00002801,00003000,00000040,756EF3C0,?), ref: 00F9717F
lstrlenW.KERNEL32(00F9FFB4), ref: 00F9718C

Part of subcall function 00F984D0: InternetCloseHandle.WININET(?), ref: 00F984E3
Part of subcall function 00F984D0: InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00F98502

lstrlenA.KERNEL32(00000000,ipv4bot.whatismyipaddress.com,00F9FFB8,00000000,00000000,00000000,000027FF,?,00000000), ref: 00F971BB
wsprintfW.USER32 ref: 00F971D3
VirtualFree.KERNEL32(00000000,00000000,00008000,ipv4bot.whatismyipaddress.com,00F9FFB8,00000000,00000000,00000000,000027FF,?,00000000), ref: 00F971E9
InternetCloseHandle.WININET(?), ref: 00F971F7

Strings

GET, xrefs: 00F97194
ipv4bot.whatismyipaddress.com, xrefs: 00F971AC

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpenVirtuallstrlen$AllocConnectFreewsprintf
String ID: GET$ipv4bot.whatismyipaddress.com
API String ID: 4289327240-2259699238
Opcode ID: 32e973544dac1148d9aa11f09b34fbd5f7423ca089882e781f1fc1d4c4386d57
Instruction ID: 53196bc15c3552242358d47a5bae8b9d206ecc37dfb54e28003c2ad619942781
Opcode Fuzzy Hash: 32e973544dac1148d9aa11f09b34fbd5f7423ca089882e781f1fc1d4c4386d57
Instruction Fuzzy Hash: B401B53274031477EF216B669C4EF5B3E28AF82B51F000035FA09E11D0DA649559FAEB

Function 00F934F0 Relevance: 12.1, APIs: 8, Instructions: 79memorystringencryptionCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00F93673,?), ref: 00F93504
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,00F93673,?), ref: 00F9351C
CryptStringToBinaryA.CRYPT32(00F93673,00000000,00000001,00000000,?,00000000,00000000), ref: 00F93535
VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,00F93673,?), ref: 00F9354C
VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,00F93673,?), ref: 00F93561
wsprintfW.USER32 ref: 00F93587
wsprintfW.USER32 ref: 00F93597
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00F93673,?), ref: 00F935A9

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$BinaryCryptFreeStringlstrlen
String ID:
API String ID: 2885909284-0
Opcode ID: d5c7d8fc8df205dfac76339a9bb98a0464f78c692393fbe3119da8ae0d3163ae
Instruction ID: 95c30289484569895ec3ef8c4373959e793218cd11c146a53011e51d00d3eec2
Opcode Fuzzy Hash: d5c7d8fc8df205dfac76339a9bb98a0464f78c692393fbe3119da8ae0d3163ae
Instruction Fuzzy Hash: 2821C071A402197BEB219BA88C41F9ABFACEF49750F140061F604E7290D6B1AE409BD5

Function 00F92F50 Relevance: 10.6, APIs: 7, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

EnumDeviceDrivers.PSAPI(?,00000004,?), ref: 00F92F74
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00F92F8D

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: AllocDeviceDriversEnumVirtual
String ID:
API String ID: 4140748134-0
Opcode ID: 33ffaeccd7f6ac1a2e7136f627a4df3012f2b8d33df964d9665f483d721ac401
Instruction ID: 72f0ddf2631e96d939592258edbdda449bbe333b0fbaacba22b54badf3e3fe57
Opcode Fuzzy Hash: 33ffaeccd7f6ac1a2e7136f627a4df3012f2b8d33df964d9665f483d721ac401
Instruction Fuzzy Hash: 27219532B0021DBBEF209B98AC85FEDB7BCEB44715F1041A7FA04D6180D7719A55AFA1

Function 00F982C0 Relevance: 98.1, APIs: 2, Strings: 54, Instructions: 88networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F984A4
InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 00F984BD

Strings

p, xrefs: 00F983A3
w, xrefs: 00F9833F
., xrefs: 00F98450
t, xrefs: 00F983CB
6, xrefs: 00F9835D
A, xrefs: 00F98399
e, xrefs: 00F983B7
, xrefs: 00F98349
i, xrefs: 00F9832B
K, xrefs: 00F983EE
T, xrefs: 00F98353
5, xrefs: 00F983D2
a, xrefs: 00F98481
1, xrefs: 00F98367
., xrefs: 00F98457
3, xrefs: 00F983E0
, xrefs: 00F983E7
K, xrefs: 00F983C1
, xrefs: 00F9842D
8, xrefs: 00F9846C
e, xrefs: 00F98442
, xrefs: 00F98371
8, xrefs: 00F9845E
h, xrefs: 00F98434
6, xrefs: 00F98385
O, xrefs: 00F9837B
5, xrefs: 00F9848F
G, xrefs: 00F98418
(, xrefs: 00F98321
7, xrefs: 00F983D9
i, xrefs: 00F98488
0, xrefs: 00F98317
3, xrefs: 00F9849D
l, xrefs: 00F982F9
a, xrefs: 00F9847A
e, xrefs: 00F983AD
3, xrefs: 00F98465
i, xrefs: 00F9840A
d, xrefs: 00F98335
7, xrefs: 00F98496
, xrefs: 00F98473
o, xrefs: 00F98426
M, xrefs: 00F982E4
c, xrefs: 00F9841F
a, xrefs: 00F98303
T, xrefs: 00F983F5
5, xrefs: 00F9830D
, xrefs: 00F98403
), xrefs: 00F9838F
o, xrefs: 00F9843B
e, xrefs: 00F98411
z, xrefs: 00F982EF
5, xrefs: 00F98449
L, xrefs: 00F983FC

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: $ $ $ $ $ $($)$.$.$0$1$3$3$3$5$5$5$5$6$6$7$7$8$8$A$G$K$K$L$M$O$T$T$a$a$a$c$d$e$e$e$e$h$i$i$i$l$o$o$p$t$w$z
API String ID: 2038078732-2805935662
Opcode ID: e17e4731a0118dfd9854b96f48bf71a725530964410ffe091c5894cc41d8bdf8
Instruction ID: 880b5c934e3ad443b879966fbf0f1990f9894aee93cde35463d1097ccac1f182
Opcode Fuzzy Hash: e17e4731a0118dfd9854b96f48bf71a725530964410ffe091c5894cc41d8bdf8
Instruction Fuzzy Hash: DB4197B4811368DEEB25CF91999879EBFF5BB04748F50819ED5086B201C7F60A89CF64

Function 00F948D0 Relevance: 84.1, APIs: 10, Strings: 38, Instructions: 114processmemorystringCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F94A42
VirtualAlloc.KERNEL32(00000000,0000022C,00003000,00000004), ref: 00F94A5C
Process32FirstW.KERNEL32(00000000,00000000), ref: 00F94A75
lstrcmpiW.KERNEL32(00000002,00000024), ref: 00F94A95
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F94AA5
TerminateProcess.KERNEL32(00000000,00000000), ref: 00F94AB4
CloseHandle.KERNEL32(00000000), ref: 00F94AC1
Process32NextW.KERNEL32(?,00000000), ref: 00F94ADA
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F94AF3
CloseHandle.KERNEL32(?), ref: 00F94AFA

Strings

mydesktopqos.exe, xrefs: 00F9492B
tbirdconfig.exe, xrefs: 00F9496B
ocautoupds.exe, xrefs: 00F9494B
mysqld.exe, xrefs: 00F9497B
winword.exe, xrefs: 00F94A2C
dbsnmp.exe, xrefs: 00F9491B
mysqld-nt.exe, xrefs: 00F94983
sqlservr.exe, xrefs: 00F948FB, 00F949F5
thebat64.exe, xrefs: 00F94A0B
infopath.exe, xrefs: 00F949AB
sqlbrowser.exe, xrefs: 00F948F3
onenote.exe, xrefs: 00F949C9
sqlwriter.exe, xrefs: 00F94903
sqbcoreservice.exe, xrefs: 00F9499B
visio.exe, xrefs: 00F94A21
xfssvccon.exe, xrefs: 00F9493B
outlook.exe, xrefs: 00F949D4
steam.exe, xrefs: 00F949EA
oracle.exe, xrefs: 00F9490B
powerpnt.exe, xrefs: 00F949DF
thebat.exe, xrefs: 00F94A00
thunderbird.exe, xrefs: 00F94A16
firefoxconfig.exe, xrefs: 00F94963
ocomm.exe, xrefs: 00F94973
synctime.exe, xrefs: 00F94923
mydesktopservice.exe, xrefs: 00F94943
mspub.exe, xrefs: 00F949BE
excel.exe, xrefs: 00F949A3
msaccess.exe, xrefs: 00F949B3
msftesql.exe, xrefs: 00F948E3
agntsvc.exeagntsvc.exe, xrefs: 00F94953
sqlagent.exe, xrefs: 00F948EB
agntsvc.exeisqlplussvc.exe, xrefs: 00F94933
ocssd.exe, xrefs: 00F94913
agntsvc.exeencsvc.exe, xrefs: 00F9495B
dbeng50.exe, xrefs: 00F94993
wordpad.exe, xrefs: 00F94A37
mysqld-opt.exe, xrefs: 00F9498B

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32Virtual$AllocCreateFirstFreeNextOpenSnapshotTerminateToolhelp32lstrcmpi
String ID: agntsvc.exeagntsvc.exe$agntsvc.exeencsvc.exe$agntsvc.exeisqlplussvc.exe$dbeng50.exe$dbsnmp.exe$excel.exe$firefoxconfig.exe$infopath.exe$msaccess.exe$msftesql.exe$mspub.exe$mydesktopqos.exe$mydesktopservice.exe$mysqld-nt.exe$mysqld-opt.exe$mysqld.exe$ocautoupds.exe$ocomm.exe$ocssd.exe$onenote.exe$oracle.exe$outlook.exe$powerpnt.exe$sqbcoreservice.exe$sqlagent.exe$sqlbrowser.exe$sqlservr.exe$sqlwriter.exe$steam.exe$synctime.exe$tbirdconfig.exe$thebat.exe$thebat64.exe$thunderbird.exe$visio.exe$winword.exe$wordpad.exe$xfssvccon.exe
API String ID: 3586910739-2697476765
Opcode ID: d5364ff0cef00a8ee2a2607b322290a2fc4a400f8e6c19837f95b772d7f57458
Instruction ID: 02a0efd25f1dc70dec556cbd6791292156abc421a5caf19de819b388ca35d18b
Opcode Fuzzy Hash: d5364ff0cef00a8ee2a2607b322290a2fc4a400f8e6c19837f95b772d7f57458
Instruction Fuzzy Hash: 21514DB15083849FFB20CF55D84875BBBE4BB81718F64492CE598DA262C7B0940DEF9B

Function 00F945C0 Relevance: 78.8, APIs: 5, Strings: 40, Instructions: 99memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F93D00: _memset.LIBCMT ref: 00F93D52
Part of subcall function 00F93D00: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 00F93D76
Part of subcall function 00F93D00: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 00F93D7A
Part of subcall function 00F93D00: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 00F93D7E
Part of subcall function 00F93D00: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00F93DA5

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000040), ref: 00F9477F
GetSystemDirectoryW.KERNEL32(00000000,00000100), ref: 00F94795
lstrcatW.KERNEL32(00000000,0063005C), ref: 00F9479D
ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000,00000000), ref: 00F947B3
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F947C7

Strings

/, xrefs: 00F946A9
t, xrefs: 00F946EF
d, xrefs: 00F946D9
w, xrefs: 00F9471B
, xrefs: 00F9464B
x, xrefs: 00F9469C
x, xrefs: 00F94616
\, xrefs: 00F945DE
e, xrefs: 00F9465B
a, xrefs: 00F94731
e, xrefs: 00F94663
/, xrefs: 00F94747
l, xrefs: 00F9473C
m, xrefs: 00F946C9
b, xrefs: 00F945E6
c, xrefs: 00F9463B
d, xrefs: 00F94710
, xrefs: 00F946B1
a, xrefs: 00F946C1
s, xrefs: 00F94623
p, xrefs: 00F94643
\, xrefs: 00F94672
w, xrefs: 00F945FE
l, xrefs: 00F946E4
e, xrefs: 00F94653
h, xrefs: 00F94705
n, xrefs: 00F946D1
s, xrefs: 00F946B9
i, xrefs: 00F94606
open, xrefs: 00F947AC
e, xrefs: 00F9475D
., xrefs: 00F9460E
a, xrefs: 00F9462B
o, xrefs: 00F94633
, xrefs: 00F94726
., xrefs: 00F94690
u, xrefs: 00F94752
m, xrefs: 00F9467C
m, xrefs: 00F945F2
, xrefs: 00F946FA

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocDirectoryExecuteFreeInfoShellSystemVerifyVersion_memsetlstrcat
String ID: $ $ $ $.$.$/$/$\$\$a$a$a$b$c$d$d$e$e$e$e$h$i$l$l$m$m$m$n$o$open$p$s$s$t$u$w$w$x$x
API String ID: 2684037697-4098772853
Opcode ID: 78fa3a6a1b1ee8054e89ade4f95d584b3cf8c4248652df0f0d05785c73fc2086
Instruction ID: fd16b1f4c47532598d3cdcf5c746f82bd2ce77e7c167408fa4a66470d37f252c
Opcode Fuzzy Hash: 78fa3a6a1b1ee8054e89ade4f95d584b3cf8c4248652df0f0d05785c73fc2086
Instruction Fuzzy Hash: 164138B0148384DFE7208F119848B5BBFE2BB81B48F10491DF6985A291C7F6858CCFA7

Function 00F93DC0 Relevance: 77.1, APIs: 9, Strings: 35, Instructions: 109memorysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00F93D00: _memset.LIBCMT ref: 00F93D52
Part of subcall function 00F93D00: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 00F93D76
Part of subcall function 00F93D00: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 00F93D7A
Part of subcall function 00F93D00: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 00F93D7E
Part of subcall function 00F93D00: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00F93DA5

Part of subcall function 00F93C80: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F93CB0

ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F93E6D
wsprintfW.USER32 ref: 00F93F37
VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040), ref: 00F93F4B
GetForegroundWindow.USER32 ref: 00F93F60
ShellExecuteExW.SHELL32(00000000), ref: 00F93FC1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F93FD4
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F93FE6
CloseHandle.KERNEL32(?), ref: 00F93FEF
ExitProcess.KERNEL32 ref: 00F93FF7

Strings

a, xrefs: 00F93F0B
e, xrefs: 00F93EC9
p, xrefs: 00F93E78
y, xrefs: 00F93E25
a, xrefs: 00F93EC1
%, xrefs: 00F93F21
s, xrefs: 00F93F00
m, xrefs: 00F93EDF
e, xrefs: 00F93E91
, xrefs: 00F93EEA
i, xrefs: 00F93E04
c, xrefs: 00F93E65
r, xrefs: 00F93EB9
n, xrefs: 00F93F7D
o, xrefs: 00F93E88
t, xrefs: 00F93F16
2, xrefs: 00F93E3D
t, xrefs: 00F93E2D
%, xrefs: 00F93DF7
l, xrefs: 00F93EA9
, xrefs: 00F93EB1
d, xrefs: 00F93E0D
e, xrefs: 00F93E4D
\, xrefs: 00F93E55
w, xrefs: 00F93E45
s, xrefs: 00F93F85
c, xrefs: 00F93EA1
", xrefs: 00F93F2C
r, xrefs: 00F93F75
", xrefs: 00F93ED4
m, xrefs: 00F93E35
r, xrefs: 00F93E15
\, xrefs: 00F93E1D
c, xrefs: 00F93EF5
s, xrefs: 00F93E99

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocAllocateCloseEnvironmentExecuteExitExpandForegroundFreeHandleInfoInitializeObjectProcessShellSingleStringsVerifyVersionWaitWindow_memsetwsprintf
String ID: $ $"$"$%$%$2$\$\$a$a$c$c$c$d$e$e$e$i$l$m$m$n$o$p$r$r$r$s$s$s$t$t$w$y
API String ID: 561366689-3790645798
Opcode ID: d8e4138a363b7ae2b5cf33392bcfb5e74e1dbb2bf568049c8b4f76767b03a3e9
Instruction ID: f457036ca0ef93eb0b74161a11db20868120dd388875b5a929413fd51a999a9a
Opcode Fuzzy Hash: d8e4138a363b7ae2b5cf33392bcfb5e74e1dbb2bf568049c8b4f76767b03a3e9
Instruction Fuzzy Hash: 325136B0508344EFE3208F51D848B9ABBF9BF84748F004A1DE69886251D7BA9558DFD6

Function 00F95070 Relevance: 68.4, APIs: 8, Strings: 31, Instructions: 119pipememoryCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(00FA3080,00FA307C,?,00000000,00000001,00000001,00000000), ref: 00F9518D
SetHandleInformation.KERNEL32(00000001,00000000), ref: 00F951B1
CreatePipe.KERNEL32(00FA3078,00FA3084,0000000C,00000000), ref: 00F951CA
SetHandleInformation.KERNEL32(00000001,00000000), ref: 00F951DA
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000004), ref: 00F951EE
wsprintfW.USER32 ref: 00F951FF
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F95220

Strings

l, xrefs: 00F95113
u, xrefs: 00F9516E
o, xrefs: 00F9511A
n, xrefs: 00F95159
n, xrefs: 00F95085
u, xrefs: 00F950AD
u, xrefs: 00F95105
., xrefs: 00F95167
, xrefs: 00F95128
n, xrefs: 00F9510C
d, xrefs: 00F95152
m, xrefs: 00F95160
o, xrefs: 00F950E2
S, xrefs: 00F9512F
, xrefs: 00F950BF
l, xrefs: 00F9508F
m, xrefs: 00F950F7
c, xrefs: 00F95144
n, xrefs: 00F95136
d, xrefs: 00F950E9
2, xrefs: 00F9513D
o, xrefs: 00F95099
u, xrefs: 00F95121
n, xrefs: 00F950CD
fabian wosar <3, xrefs: 00F9522F
1, xrefs: 00F950D4
n, xrefs: 00F950F0
c, xrefs: 00F950DB
o, xrefs: 00F9514B
S, xrefs: 00F950C6
., xrefs: 00F950FE

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: CreateHandleInformationPipeVirtual$AllocFreewsprintf
String ID: $ $.$.$1$2$S$S$c$c$d$d$fabian wosar <3$l$l$m$m$n$n$n$n$n$n$o$o$o$o$u$u$u$u
API String ID: 1490407255-1922363339
Opcode ID: 7514a1a7416360a1be02b0d47b62ffd7a47de5de294daff00d1e00877da820d5
Instruction ID: a43352fce32026445a4fed1159cf488e7017bbb7f9615a94e6d47c65d38d5919
Opcode Fuzzy Hash: 7514a1a7416360a1be02b0d47b62ffd7a47de5de294daff00d1e00877da820d5
Instruction Fuzzy Hash: 704150B0E4031CABEB209F90EC497EDBFB6FB04B19F104119E504AA291C7F65989DF95

Function 00F937B0 Relevance: 66.8, APIs: 32, Strings: 6, Instructions: 320memorystringwindowCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,00000010,00000000,00000000), ref: 00F937C4
SetFileAttributesW.KERNEL32(00000000,00000000), ref: 00F937CF
VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040,00000000,00000000,00000000,?), ref: 00F9380A
lstrcpyW.KERNEL32(00000000,00000000), ref: 00F93828
lstrcatW.KERNEL32(00000000,0043002E), ref: 00F93833

Part of subcall function 00F98880: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00F988A0
Part of subcall function 00F98880: VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 00F988C8
Part of subcall function 00F98880: GetModuleHandleA.KERNEL32(?), ref: 00F9891D
Part of subcall function 00F98880: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00F9892B
Part of subcall function 00F98880: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00F9893A
Part of subcall function 00F98880: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00F9895E
Part of subcall function 00F98880: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F9896C

Part of subcall function 00F98880: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00F9292B), ref: 00F98980
Part of subcall function 00F98880: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,00F9292B), ref: 00F9898E

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 00F93896
VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 00F938C1

Part of subcall function 00F96770: EnterCriticalSection.KERNEL32(00FA3058,?,00F938F4,00000000,00000000,00000000,?,00000800), ref: 00F9677B
Part of subcall function 00F96770: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,?,00F938F4,00000000,00000000,00000000), ref: 00F967A1
Part of subcall function 00F96770: GetLastError.KERNEL32(?,00F938F4,00000000,00000000,00000000), ref: 00F967AB
Part of subcall function 00F96770: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,00F938F4,00000000,00000000,00000000), ref: 00F967C7
Part of subcall function 00F96770: LeaveCriticalSection.KERNEL32(00FA3058,?,00F938F4,00000000,00000000,00000000), ref: 00F967D6

MessageBoxA.USER32(00000000,Fatal error: rsaenh.dll is not initialized as well,Fatal error,00000010), ref: 00F9390F
GetLastError.KERNEL32 ref: 00F93933
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F9398D
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F93999
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F93BB8

Strings

R, xrefs: 00F9381A
, xrefs: 00F938DA
., xrefs: 00F9380E
Fatal error, xrefs: 00F93903
Fatal error: rsaenh.dll is not initialized as well, xrefs: 00F93908
B, xrefs: 00F93821

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtual$ContextCryptFree$Alloc$Acquire$AttributesCriticalErrorFileLastReleaseSection$AddressEnterHandleLeaveLibraryLoadMessageModuleProclstrcatlstrcpy
String ID: $.$B$Fatal error$Fatal error: rsaenh.dll is not initialized as well$R
API String ID: 3050744578-4284454829
Opcode ID: 7172a6f46de754887fdd36c01a77cb8df565cbe05c7d78aacb507c5f22fa411c
Instruction ID: 7a2009fbe76c57f2d4b5de094ad7d52aff7f03f86f63e61102912b4e1eb5ecf9
Opcode Fuzzy Hash: 7172a6f46de754887fdd36c01a77cb8df565cbe05c7d78aacb507c5f22fa411c
Instruction Fuzzy Hash: C0C13A71E40308ABEF219B94DC46FEEBBB8BF48714F104115FA40BA1D0DBB56A449FA5

Function 00F942C0 Relevance: 66.7, APIs: 7, Strings: 31, Instructions: 175stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F93BD0: GetProcessHeap.KERNEL32(?,?,00F94817,00000000,?,00000000,00000000), ref: 00F93C6C

Part of subcall function 00F97600: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00F97627
Part of subcall function 00F97600: GetUserNameW.ADVAPI32(00000000,?), ref: 00F97638
Part of subcall function 00F97600: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00F97656
Part of subcall function 00F97600: GetComputerNameW.KERNEL32(00000000,0000001E), ref: 00F97660
Part of subcall function 00F97600: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 00F97680
Part of subcall function 00F97600: wsprintfW.USER32 ref: 00F976C1
Part of subcall function 00F97600: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00F976DE
Part of subcall function 00F97600: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00F97702
Part of subcall function 00F97600: RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,00F94820,?), ref: 00F97726
Part of subcall function 00F97600: RegCloseKey.ADVAPI32(00000000), ref: 00F97742

Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F97462
Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F9746D
Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F97483
Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F9748E
Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F974A4
Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F974AF
Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F974C5
Part of subcall function 00F97410: lstrlenW.KERNEL32(00F94B46,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F974D0
Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F974E6
Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F974F1
Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F97507
Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F97512
Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F97531
Part of subcall function 00F97410: lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F9753C

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F94331
lstrlenW.KERNEL32(ransom_id=,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F94373
lstrcpyW.KERNEL32(00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F943F2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F943F9

Strings

d, xrefs: 00F944FD
o, xrefs: 00F944DD
h, xrefs: 00F94535
l, xrefs: 00F9450D
/, xrefs: 00F944D5
t, xrefs: 00F94475
a, xrefs: 00F94515
r, xrefs: 00F944A5
., xrefs: 00F94545
w, xrefs: 00F94505
ransom_id=, xrefs: 00F94360, 00F9436C
c, xrefs: 00F944BD
o, xrefs: 00F944ED
w, xrefs: 00F94495
y, xrefs: 00F9452D
s, xrefs: 00F9447D
., xrefs: 00F944C5
n, xrefs: 00F944E5
r, xrefs: 00F944CD
-, xrefs: 00F9451D
m, xrefs: 00F9453D
t, xrefs: 00F9449D
w, xrefs: 00F9448D
r, xrefs: 00F944AD
/, xrefs: 00F94485
j, xrefs: 00F944B5
n, xrefs: 00F9454D
h, xrefs: 00F9446D
{USERID}, xrefs: 00F943CF, 00F9441D, 00F94423
d, xrefs: 00F944F5
a, xrefs: 00F94525

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$Name$CloseComputerHeapOpenProcessQueryUserValuelstrcpywsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$ransom_id=$s$t$t$w$w$w$y${USERID}
API String ID: 4100118565-2385900546
Opcode ID: 59e05851b52bfe5a5f3de2626af6271cd4870b147469e798893c5078fb5499d2
Instruction ID: e1c450bb2461f09aab63624dc0b0c2c450a4e0dafe3a732eb089c4225d327351
Opcode Fuzzy Hash: 59e05851b52bfe5a5f3de2626af6271cd4870b147469e798893c5078fb5499d2
Instruction Fuzzy Hash: 2F7115B05083409BFB20DF14C809B7B7BE1FB91758F10891CFA855B291DBF99949EB92

Function 00F943B6 Relevance: 61.4, APIs: 5, Strings: 30, Instructions: 104stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F943F2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F943F9
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00F94565
wsprintfW.USER32 ref: 00F9457F
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F94596

Strings

d, xrefs: 00F944FD
o, xrefs: 00F944DD
h, xrefs: 00F94535
l, xrefs: 00F9450D
/, xrefs: 00F944D5
t, xrefs: 00F94475
a, xrefs: 00F94515
r, xrefs: 00F944A5
., xrefs: 00F94545
w, xrefs: 00F94505
c, xrefs: 00F944BD
o, xrefs: 00F944ED
y, xrefs: 00F9452D
w, xrefs: 00F94495
s, xrefs: 00F9447D
., xrefs: 00F944C5
n, xrefs: 00F944E5
r, xrefs: 00F944CD
-, xrefs: 00F9451D
m, xrefs: 00F9453D
t, xrefs: 00F9449D
w, xrefs: 00F9448D
r, xrefs: 00F944AD
/, xrefs: 00F94485
n, xrefs: 00F9454D
j, xrefs: 00F944B5
h, xrefs: 00F9446D
{USERID}, xrefs: 00F943CF, 00F9441D, 00F94423
d, xrefs: 00F944F5
a, xrefs: 00F94525

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcpylstrlenwsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$s$t$t$w$w$w$y${USERID}
API String ID: 4033391921-3341315666
Opcode ID: ca85908122a7b79c3e1b8e1f75dfdb59ed4e402ae6d758cf682744a4de40f925
Instruction ID: b2a5b1aaf3fad32b0723f5310de70f276cda0d77bcc9444a736c26859ea2c625
Opcode Fuzzy Hash: ca85908122a7b79c3e1b8e1f75dfdb59ed4e402ae6d758cf682744a4de40f925
Instruction Fuzzy Hash: 28417EB0508340CBEB20DF14D85872ABFE2FB9175CF14891CE6854B261D7FA9989DF92

Function 00F92960 Relevance: 61.3, APIs: 5, Strings: 30, Instructions: 87registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00520050,00000041,7572F770,00000000), ref: 00F9299D

Part of subcall function 00F98730: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00F9874D
Part of subcall function 00F98730: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00F9877B
Part of subcall function 00F98730: GetModuleHandleA.KERNEL32(?), ref: 00F987CF
Part of subcall function 00F98730: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00F987DD
Part of subcall function 00F98730: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00F987EC
Part of subcall function 00F98730: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00F98835
Part of subcall function 00F98730: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F98843

RegCreateKeyExW.ADVAPI32(80000001,004F0053,00000000,00000000,00000000,000F003F,00000000,00F92C45,00000000), ref: 00F92A84
lstrlenW.KERNEL32(00000000), ref: 00F92A8F
RegSetValueExW.ADVAPI32(00F92C45,00520050,00000000,00000001,00000000,00000000), ref: 00F92AA4
RegCloseKey.ADVAPI32(00F92C45), ref: 00F92AB1

Strings

u, xrefs: 00F92A37
s, xrefs: 00F92A06
n, xrefs: 00F92A61
F, xrefs: 00F929BD
I, xrefs: 00F92979
H, xrefs: 00F92993
d, xrefs: 00F92A22
W, xrefs: 00F929C7
A, xrefs: 00F9298C
i, xrefs: 00F92A5A
n, xrefs: 00F92A45
r, xrefs: 00F929FF
e, xrefs: 00F92A7D
\, xrefs: 00F92A14
\, xrefs: 00F929EB
V, xrefs: 00F92A4C
R, xrefs: 00F92A68
r, xrefs: 00F92A53
P, xrefs: 00F9296D
r, xrefs: 00F92A3E
S, xrefs: 00F929B0
R, xrefs: 00F929CE
f, xrefs: 00F92A0D
\, xrefs: 00F92A30
n, xrefs: 00F92A6F
w, xrefs: 00F92A29
i, xrefs: 00F929F8
n, xrefs: 00F92A76
U, xrefs: 00F92984
i, xrefs: 00F92A1B

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtuallstrlen$AcquireAddressAllocCloseCreateFreeHandleLibraryLoadModuleProcReleaseValue
String ID: A$F$H$I$P$R$R$S$U$V$W$\$\$\$d$e$f$i$i$i$n$n$n$n$r$r$r$s$u$w
API String ID: 553367697-3791882466
Opcode ID: 5fa35847b1af723553878cd3c03130be03888d01e21f75ca510da100f97cd5d3
Instruction ID: 3c0b519f0306d375a33a71aa02048666020fd5205c9ee12ed1ab882deb78326a
Opcode Fuzzy Hash: 5fa35847b1af723553878cd3c03130be03888d01e21f75ca510da100f97cd5d3
Instruction Fuzzy Hash: 3E31ECB0D0121CDFEB20CF91E949BEDBFB9FB01709F108119D5186A291D7BA4948DF95

Function 00F97CE0 Relevance: 54.4, APIs: 17, Strings: 14, Instructions: 150memorystringprocessCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,756EF3C0,?,760773E0), ref: 00F97CFD
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 00F97D71
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F97D86
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F97D9C
Process32FirstW.KERNEL32(00000000,00000000), ref: 00F97DBF
lstrcmpiW.KERNEL32(00FA03D4,-00000024), ref: 00F97DE5
Process32NextW.KERNEL32(?,?), ref: 00F97E5E
GetLastError.KERNEL32 ref: 00F97E68
lstrlenW.KERNEL32(00000000), ref: 00F97E86
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F97EAB
CloseHandle.KERNEL32(?), ref: 00F97EB0
VirtualFree.KERNEL32(?,?,00008000), ref: 00F97EC5

Strings

NortonAntiBot.exe, xrefs: 00F97D2B
smc.exe, xrefs: 00F97D47
cmdagent.exe, xrefs: 00F97D40
msmpeng.exe, xrefs: 00F97D6A
pccpfw.exe, xrefs: 00F97D55
ashDisp.exe, xrefs: 00F97D24
cfp.exe, xrefs: 00F97D63
fsguiexe.exe, xrefs: 00F97D5C
persfw.exe, xrefs: 00F97D4E
avengine.exe, xrefs: 00F97D39
AVP.EXE, xrefs: 00F97D0F
Mcshield.exe, xrefs: 00F97D32
avgnt.exe, xrefs: 00F97D1D
ekrn.exe, xrefs: 00F97D16

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtual$Free$AllocProcess32$CloseCreateErrorFirstHandleLastNextSnapshotToolhelp32lstrcmpilstrlen
String ID: AVP.EXE$Mcshield.exe$NortonAntiBot.exe$ashDisp.exe$avengine.exe$avgnt.exe$cfp.exe$cmdagent.exe$ekrn.exe$fsguiexe.exe$msmpeng.exe$pccpfw.exe$persfw.exe$smc.exe
API String ID: 2470459410-3383346926
Opcode ID: 0ff5129fbc45ab716640238627544958f7d722c4a081eedda7e19c5f745937e7
Instruction ID: 510d87c56c8abf531f1522183399ea1da1f2abb0702dca0ab485488a01b96c4c
Opcode Fuzzy Hash: 0ff5129fbc45ab716640238627544958f7d722c4a081eedda7e19c5f745937e7
Instruction Fuzzy Hash: 1F516FB1D14318ABDF20EF55EC48B9D7BB4FF89710F20405AE604AB290CBB15945EF95

Function 00F92D30 Relevance: 54.4, APIs: 19, Strings: 12, Instructions: 137windowthreadregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F92F50: EnumDeviceDrivers.PSAPI(?,00000004,?), ref: 00F92F74

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00F92E19
LoadCursorW.USER32(00000000,00007F00), ref: 00F92E2E
LoadIconW.USER32 ref: 00F92E59
RegisterClassExW.USER32(?), ref: 00F92E68
ExitThread.KERNEL32 ref: 00F92E75

Part of subcall function 00F92F50: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00F92F8D

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 00F92E7B
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00007F00), ref: 00F92E81
CreateWindowExW.USER32(00000000,win32app,firefox,00CF0000,80000000,80000000,00000005,00000005,00000000,00000000,00000000), ref: 00F92EA7
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00F92EB4
ExitThread.KERNEL32 ref: 00F92EBF

Part of subcall function 00F92F50: EnumDeviceDrivers.PSAPI(00000000,00000000,?), ref: 00F92FA8
Part of subcall function 00F92F50: GetDeviceDriverBaseNameW.PSAPI(00000000,?,00000400), ref: 00F92FCF
Part of subcall function 00F92F50: lstrcmpiW.KERNEL32(?,006C006B), ref: 00F92FE3
Part of subcall function 00F92F50: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F92FFA

ExitThread.KERNEL32 ref: 00F92F3F

Part of subcall function 00F92AD0: VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 00F92AEA
Part of subcall function 00F92AD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 00F92B2C
Part of subcall function 00F92AD0: GetTempPathW.KERNEL32(00000100,00000000), ref: 00F92B38
Part of subcall function 00F92AD0: ExitThread.KERNEL32 ref: 00F92C47

ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,00007F00), ref: 00F92EC8
UpdateWindow.USER32(00000000), ref: 00F92ECF
CreateThread.KERNEL32(00000000,00000000,00F92D10,00000000,00000000,00000000), ref: 00F92EE3
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 00F92EEE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F92F05
TranslateMessage.USER32(?), ref: 00F92F1C
DispatchMessageW.USER32(?), ref: 00F92F23
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F92F37

Strings

s, xrefs: 00F92D77
s, xrefs: 00F92DB9
1, xrefs: 00F92D6F
d, xrefs: 00F92DA9
f, xrefs: 00F92DA1
s, xrefs: 00F92D7F
s, xrefs: 00F92DC1
0, xrefs: 00F92DF1
win32app, xrefs: 00F92E51, 00F92EA0
k, xrefs: 00F92D67
firefox, xrefs: 00F92E9B
w, xrefs: 00F92DB1

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: Thread$ExitHandleMessageModuleWindow$DeviceVirtual$AllocCreateDriversEnumLoadName$BaseClassCloseCursorDispatchDriverFileFreeIconLongPathRegisterShowTempTranslateUpdatelstrcmpi
String ID: 0$1$d$f$firefox$k$s$s$s$s$w$win32app
API String ID: 3011903443-520298170
Opcode ID: f3afe5a892fd934d13366122705224fd9723ef4aeb18633f531ed3bf1dc824d2
Instruction ID: 77cbbb9424fe27f3c98c875ec8f1e5a789b9cc145ac1fa8db92b2f485b1032f3
Opcode Fuzzy Hash: f3afe5a892fd934d13366122705224fd9723ef4aeb18633f531ed3bf1dc824d2
Instruction Fuzzy Hash: 8F519E70648305AFF760AF608C49B5B7BE4AF44B58F10081EF684AA1D0E7B4D589DF96

Function 00F984D0 Relevance: 42.1, APIs: 13, Strings: 11, Instructions: 130networkfilememoryCOMMON

Download Yara Rule

APIs

InternetCloseHandle.WININET(?), ref: 00F984E3
InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00F98502
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000040,?,?,?,?,?,?,?,00F971B6,ipv4bot.whatismyipaddress.com,00F9FFB8,00000000,00000000), ref: 00F9852F
wsprintfW.USER32 ref: 00F98543
HttpOpenRequestW.WININET(00000000,?,00000000,HTTP/1.1,00000000,00000000,8404F700,00000000), ref: 00F98561
HttpAddRequestHeadersW.WININET(00000000,006F0048,000000FF,00000000), ref: 00F985C5
HttpSendRequestW.WININET(00000000,00610072,0020003A,00000000,00740069), ref: 00F985DC
InternetReadFile.WININET(00000000,0062002E,00650071,00000000), ref: 00F985FB
InternetReadFile.WININET(00000000,0062002E,00650071,00000000), ref: 00F98625
GetLastError.KERNEL32 ref: 00F98631
InternetCloseHandle.WININET(00000000), ref: 00F9863E
InternetCloseHandle.WININET(00000000), ref: 00F98643
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,00F971B6,ipv4bot.whatismyipaddress.com,00F9FFB8), ref: 00F9864F

Strings

H, xrefs: 00F98573
s, xrefs: 00F98586
n, xrefs: 00F9859B
:, xrefs: 00F9858D
w, xrefs: 00F985A9
., xrefs: 00F985B7
HTTP/1.1, xrefs: 00F98557
i, xrefs: 00F985BE
r, xrefs: 00F985B0
o, xrefs: 00F985A2
r, xrefs: 00F98594

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$FileReadVirtual$AllocConnectErrorFreeHeadersLastOpenSendwsprintf
String ID: .$:$H$HTTP/1.1$i$n$o$r$r$s$w
API String ID: 3906118045-693250572
Opcode ID: f5403b7ce1dd5cc412ea7560c873e56c6b6dc077596aa39b62e137adc06dd416
Instruction ID: 960dbc03479c542d9060d1a6c7f182612503c0ff08d4ab21adcc43c834d16aa3
Opcode Fuzzy Hash: f5403b7ce1dd5cc412ea7560c873e56c6b6dc077596aa39b62e137adc06dd416
Instruction Fuzzy Hash: AF419331A40208BBEF118F55DC48FAE7FB8EF05794F14401AF904AA2A0DBB59951EFA5

Function 00F96A10 Relevance: 30.1, APIs: 11, Strings: 9, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,00F96C13), ref: 00F96A1C
lstrlenW.KERNEL32(00000000), ref: 00F96A21
lstrcmpiW.KERNEL32(-00000004,desktop.ini), ref: 00F96A4D
lstrcmpiW.KERNEL32(-00000004,autorun.inf), ref: 00F96A62
lstrcmpiW.KERNEL32(-00000004,ntuser.dat), ref: 00F96A6E
lstrcmpiW.KERNEL32(-00000004,iconcache.db), ref: 00F96A7A
lstrcmpiW.KERNEL32(-00000004,bootsect.bak), ref: 00F96A86
lstrcmpiW.KERNEL32(-00000004,boot.ini), ref: 00F96A92
lstrcmpiW.KERNEL32(-00000004,ntuser.dat.log), ref: 00F96A9E
lstrcmpiW.KERNEL32(-00000004,thumbs.db), ref: 00F96AAA
lstrcmpiW.KERNEL32(-00000004,CRAB-DECRYPT.txt), ref: 00F96AB6

Strings

ntuser.dat, xrefs: 00F96A68
ntuser.dat.log, xrefs: 00F96A98
iconcache.db, xrefs: 00F96A74
thumbs.db, xrefs: 00F96AA4
autorun.inf, xrefs: 00F96A5C
bootsect.bak, xrefs: 00F96A80
desktop.ini, xrefs: 00F96A47
CRAB-DECRYPT.txt, xrefs: 00F96AB0
boot.ini, xrefs: 00F96A8C

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: lstrcmpi$lstrlen
String ID: CRAB-DECRYPT.txt$autorun.inf$boot.ini$bootsect.bak$desktop.ini$iconcache.db$ntuser.dat$ntuser.dat.log$thumbs.db
API String ID: 203586893-3936223242
Opcode ID: 63bf7948e49d05b7dae6dfb27fe07b2702aa7bd5a910e68ba6f2ae7faf5e477e
Instruction ID: 155cd47c31c8a4dc9a6d92c1bdddf5f4d35ae5de0cf7cb1c979f5b8c14ea7c37
Opcode Fuzzy Hash: 63bf7948e49d05b7dae6dfb27fe07b2702aa7bd5a910e68ba6f2ae7faf5e477e
Instruction Fuzzy Hash: 52110853B4062A257E20F23D9C01DAF53CC5DD2BA43058235F900F2095EF8ACE1779B2

Function 00F92AD0 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 114stringmemorythreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 00F92AEA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 00F92B2C
GetTempPathW.KERNEL32(00000100,00000000), ref: 00F92B38
lstrlenW.KERNEL32(?,?,?,00000052), ref: 00F92B7D

Part of subcall function 00F98730: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00F9874D
Part of subcall function 00F98730: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00F9877B
Part of subcall function 00F98730: GetModuleHandleA.KERNEL32(?), ref: 00F987CF
Part of subcall function 00F98730: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00F987DD
Part of subcall function 00F98730: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00F987EC
Part of subcall function 00F98730: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00F98835
Part of subcall function 00F98730: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F98843

GetEnvironmentVariableW.KERNEL32(AppData,00000000,00000100), ref: 00F92B9C
lstrcatW.KERNEL32(00000000,\Microsoft\), ref: 00F92BE4
lstrcatW.KERNEL32(00000000,?), ref: 00F92BEC
lstrcatW.KERNEL32(00000000,.exe), ref: 00F92BF4
wsprintfW.USER32 ref: 00F92C35
ExitThread.KERNEL32 ref: 00F92C47

Strings

U, xrefs: 00F92B75
.exe, xrefs: 00F92BEE
I, xrefs: 00F92B6C
P, xrefs: 00F92B55
\Microsoft\, xrefs: 00F92BDE
"%s", xrefs: 00F92C2F
AppData, xrefs: 00F92B97

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtuallstrcat$AllocContextCryptModule$AcquireAddressEnvironmentExitFileFreeHandleLibraryLoadNamePathProcReleaseTempThreadVariablelstrlenwsprintf
String ID: "%s"$.exe$AppData$I$P$U$\Microsoft\
API String ID: 139215849-2398311915
Opcode ID: d5866ac42b75341a58ecf1b2faf12fa60408382dfe33e6784da17be57c867d43
Instruction ID: 5226d760f56bd34c8c2c525b64f12d54f1a56769b9e882d98530ccde83ca9ab8
Opcode Fuzzy Hash: d5866ac42b75341a58ecf1b2faf12fa60408382dfe33e6784da17be57c867d43
Instruction Fuzzy Hash: 1E41CE71604304ABFB44DF20AC4AB6F7BD8AFC4714F040429B545D6292DBB8D948EBE7

Function 00F95250 Relevance: 29.8, APIs: 8, Strings: 9, Instructions: 89memorystringsleepCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,00000000,00000000,00000000), ref: 00F952AD
Sleep.KERNEL32(000003E8), ref: 00F952F0
lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 00F952FE
VirtualAlloc.KERNEL32(00000000,00000000), ref: 00F9530E
lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 00F9532A
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F9533B
wsprintfW.USER32 ref: 00F95353
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F95364

Strings

t, xrefs: 00F95285
re.b, xrefs: 00F95299
omwa, xrefs: 00F95292
it, xrefs: 00F952A0
fabian wosar <3, xrefs: 00F95324
rans, xrefs: 00F9528B
alar, xrefs: 00F95277
zone, xrefs: 00F95263
m.bi, xrefs: 00F9527E

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree$Sleeplstrcmpilstrlenwsprintf
String ID: alar$fabian wosar <3$it$m.bi$omwa$rans$re.b$t$zone
API String ID: 2709691373-1552681713
Opcode ID: 8d873da71dc55ef7b53e2fc36f9fc841e27b0fd0aa0fc0a96a427c1d4f0f7054
Instruction ID: 8fff0cba036701f1fb5efd182ca2c4425053d45cf19514e732984c155cbac7dc
Opcode Fuzzy Hash: 8d873da71dc55ef7b53e2fc36f9fc841e27b0fd0aa0fc0a96a427c1d4f0f7054
Instruction Fuzzy Hash: 0A31B471E00318ABEF118FA5EC86BEE7BB8FF44714F100125FA16A72D0D7745A049B9A

Function 00F968A0 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,00000000,?,00F96F26,00000000,?,?), ref: 00F968BC
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00000000,?,00F96F26,00000000,?,?), ref: 00F96914
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,00000000,?,00F96F26,00000000,?,?), ref: 00F9697E
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,00000000,?,00F96F26,00000000,?,?), ref: 00F969A6
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,00000000,?,00F96F26,00000000,?,?), ref: 00F969C4
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,00000000,?,00F96F26,00000000,?,?), ref: 00F969E2

Strings

Ransomware, xrefs: 00F96933
\Windows\, xrefs: 00F96963
\All Users\, xrefs: 00F96943
\ProgramData\, xrefs: 00F968C2
\IETldCache\, xrefs: 00F968D4
\Local Settings\, xrefs: 00F96953
\Program Files\, xrefs: 00F968F4
\Boot\, xrefs: 00F968E4
\Tor Browser\, xrefs: 00F96923

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: FolderPathSpecial$Virtual$AllocFree
String ID: Ransomware$\All Users\$\Boot\$\IETldCache\$\Local Settings\$\Program Files\$\ProgramData\$\Tor Browser\$\Windows\
API String ID: 4167578076-3735464813
Opcode ID: 758ee544179d3d434d08f491e13cfea33f7dbb0363e2dd43b06d945ca3f4b879
Instruction ID: f67b47353bb335aef07a6bb99cd3d874f99d7d0f27554962012e680f42e1560e
Opcode Fuzzy Hash: 758ee544179d3d434d08f491e13cfea33f7dbb0363e2dd43b06d945ca3f4b879
Instruction Fuzzy Hash: 8B314120B4071563FF2427664D66B2F659A8FD2B94F104026EA05DF2C6FEB8CD0376E6

Function 00F98130 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 121stringmemoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00F98139

Part of subcall function 00F97FB0: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,00000003), ref: 00F9809A
Part of subcall function 00F97FB0: lstrcatW.KERNEL32(00000000,00FA0584), ref: 00F98115

lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 00F9818F
VirtualAlloc.KERNEL32(00000000,00000000), ref: 00F981A1
lstrcatW.KERNEL32(00000000,00000000), ref: 00F981B1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F981BB
lstrcatW.KERNEL32(00000000,00FA0604), ref: 00F981D1
lstrcatW.KERNEL32(00000000,00000000), ref: 00F9822C
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F9823A
lstrcatW.KERNEL32(00000000,00F9FFF8), ref: 00F98280
lstrcatW.KERNEL32(00000000,00000000), ref: 00F98288
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F98296
lstrcatW.KERNEL32(00000000,00F9FFFC), ref: 00F982A7

Strings

VUUU, xrefs: 00F981FA
VUUU, xrefs: 00F9824A

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtual$Free$Alloc$CountTicklstrlen
String ID: VUUU$VUUU
API String ID: 2785072370-3149182767
Opcode ID: 067dfe1daa6bf20867e2948ffcda57ade6f95afd7eb06d4c71cc324aaa6d6441
Instruction ID: aeef5b641cdb6db2f11d17e5d9aced1187867719c8c7ab75667f4c9860afc324
Opcode Fuzzy Hash: 067dfe1daa6bf20867e2948ffcda57ade6f95afd7eb06d4c71cc324aaa6d6441
Instruction Fuzzy Hash: 19313FB3E042049BD71DAB29DC4AF3D76ACEB55314F05043DF502DB291CE78A941AF95

Function 00F95520 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 117stringmemorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F982C0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F984A4
Part of subcall function 00F982C0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 00F984BD

Part of subcall function 00F95250: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,00000000,00000000,00000000), ref: 00F952AD
Part of subcall function 00F95250: Sleep.KERNEL32(000003E8), ref: 00F952F0
Part of subcall function 00F95250: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 00F952FE
Part of subcall function 00F95250: VirtualAlloc.KERNEL32(00000000,00000000), ref: 00F9530E
Part of subcall function 00F95250: lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 00F9532A
Part of subcall function 00F95250: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F9533B
Part of subcall function 00F95250: wsprintfW.USER32 ref: 00F95353
Part of subcall function 00F95250: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F95364

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F95542
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00F95562
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 00F95574
lstrcatA.KERNEL32(00000000,?), ref: 00F9558E
lstrlenA.KERNEL32(00000000), ref: 00F955E3
lstrlenW.KERNEL32(?), ref: 00F955EF
lstrlenA.KERNEL32(00000000,00000000,00031FFF,?,00000000), ref: 00F9560B
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00000000,00000000,?,00000000), ref: 00F95665
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 00F95671
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 00F9567B
InternetCloseHandle.WININET(00F9587A), ref: 00F95685

Strings

POST, xrefs: 00F955FA

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Internet$Open$CloseHandleSleeplstrcatlstrcmpiwsprintf
String ID: POST
API String ID: 2554059081-1814004025
Opcode ID: bee5f8c6119807f7521b8bc87b49e1453c8b057152132531c6a0424b736cd0f4
Instruction ID: 2835ddabd33ac80122e4bb752528ff59700088a76a777bbd56ab4a01369d428a
Opcode Fuzzy Hash: bee5f8c6119807f7521b8bc87b49e1453c8b057152132531c6a0424b736cd0f4
Instruction Fuzzy Hash: 5941B072E0070AAAEF119FA8CC45FEEBB78FF88750F100116EA44B6250EB755685DB90

Function 00F97410 Relevance: 20.1, APIs: 16, Instructions: 120stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F97462
lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F9746D
lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F97483
lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F9748E
lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F974A4
lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F974AF
lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F974C5
lstrlenW.KERNEL32(00F94B46,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F974D0
lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F974E6
lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F974F1
lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F97507
lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F97512
lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F97531
lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F9753C
lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F97558
lstrlenW.KERNEL32(?,?,?,?,00F94829,00000000,?,00000000,00000000,?,00000000), ref: 00F97566

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 76d4b4f7edb8436398d75b5193e96ca11ef57caa2923608ea294cb6ea30b8da8
Instruction ID: e87d0321075f46775e81bf372a3c032739e7dc996c65c7580a0a8ad69196a890
Opcode Fuzzy Hash: 76d4b4f7edb8436398d75b5193e96ca11ef57caa2923608ea294cb6ea30b8da8
Instruction Fuzzy Hash: 49410D32600755EFDB119FB9DD8C794BBA1BF04315F084535E41682A31D775A878EBC1

Function 00F96010 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 66stringmemorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,0000000A,00003000,00000004,00000000,00000000), ref: 00F96033
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 00F96048
GetProcAddress.KERNEL32(00000000,RtlComputeCrc32), ref: 00F96059
lstrlenA.KERNEL32(00000000), ref: 00F96064
wsprintfA.USER32 ref: 00F9607C
_memset.LIBCMT ref: 00F9609B
lstrlenA.KERNEL32(00000000), ref: 00F960A4
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F960D3

Strings

RtlComputeCrc32, xrefs: 00F96053
%Xeuropol, xrefs: 00F96076
ntdll.dll, xrefs: 00F96043

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtuallstrlen$AddressAllocFreeHandleModuleProc_memsetwsprintf
String ID: %Xeuropol$RtlComputeCrc32$ntdll.dll
API String ID: 218840185-1387466253
Opcode ID: 57e426f9fcfc2c0b084e8ef693a40c240ab3fef28f0bf0c0b50ecc20442792eb
Instruction ID: acaad0e9a0879e6a84802fb215d7224bda51ae642a3b89a70fe887764e3811e7
Opcode Fuzzy Hash: 57e426f9fcfc2c0b084e8ef693a40c240ab3fef28f0bf0c0b50ecc20442792eb
Instruction Fuzzy Hash: A5112B31E4020CBBEB215B64AC49FAE7F78AB54710F100065F905E21E0DAB45A84FF92

Function 00F96E50 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 59filememorystringCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,00000000,?,00F96F5F,00000000,?,?), ref: 00F96E65
wsprintfW.USER32 ref: 00F96E73
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 00F96E8F
GetLastError.KERNEL32(?,?), ref: 00F96E9C
lstrlenW.KERNEL32(?,?,00000000,?,?), ref: 00F96EBE
WriteFile.KERNEL32(00000000,00000000,?,?), ref: 00F96ECE
CloseHandle.KERNEL32(00000000,?,?), ref: 00F96ED5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 00F96EE8

Strings

%s\CRAB-DECRYPT.txt, xrefs: 00F96E6D

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocCloseCreateErrorFreeHandleLastWritelstrlenwsprintf
String ID: %s\CRAB-DECRYPT.txt
API String ID: 2985722263-2724392667
Opcode ID: 64ff5d199592e66193be694388ef41f17931759c1aff441b1fe70d7b912b3deb
Instruction ID: 37719f83a5eb100d11679e8ab81d6cb00f5ab8922126ae9f1555e93bf87d307f
Opcode Fuzzy Hash: 64ff5d199592e66193be694388ef41f17931759c1aff441b1fe70d7b912b3deb
Instruction Fuzzy Hash: 7E01D475380218BBF6211B74ED8FF6A3A6CEB45B15F100211FB05E51D0DBA56910AAAE

Function 00F95380 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,00000000,00F95519,00000000,?,?,?,?,00F95643,00000000,?,00000000), ref: 00F95396
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,?,?,?,?,00F95643,00000000,?,00000000,00000000,?,00000000), ref: 00F953A8
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200,?,?,?,?,00F95643,00000000,?,00000000,00000000,?,00000000), ref: 00F953B8
wsprintfW.USER32 ref: 00F953C9
ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00F953E3
ExitProcess.KERNEL32 ref: 00F953EB

Strings

open, xrefs: 00F953DC
cmd.exe, xrefs: 00F953D7
/c timeout -c 5 & del "%s" /f /q, xrefs: 00F953C3

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: AllocVirtual$ExecuteExitFileModuleNameProcessShellwsprintf
String ID: /c timeout -c 5 & del "%s" /f /q$cmd.exe$open
API String ID: 4033023619-516011104
Opcode ID: 0600ed54ca91b0f010dfeb1ce1e1df2da46ece31845dad795e7084d6f37e609b
Instruction ID: 84e60f1dcb918b0110eb585680da7499db0baf81c63073c081aa68d1eceec3b6
Opcode Fuzzy Hash: 0600ed54ca91b0f010dfeb1ce1e1df2da46ece31845dad795e7084d6f37e609b
Instruction Fuzzy Hash: 23F01C31BC172433F52217655C0BF0B3E589B85F66F240016B708FE1D189E09444ABEA

Function 00F93BD0 Relevance: 15.0, APIs: 1, Strings: 9, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00F94817,00000000,?,00000000,00000000), ref: 00F93C6C

Strings

pc_group, xrefs: 00F93C1D
os_major, xrefs: 00F93C39
ransom_id, xrefs: 00F93C4E
pc_lang, xrefs: 00F93C2B
os_bit, xrefs: 00F93C40
pc_name, xrefs: 00F93C0F
hdd, xrefs: 00F93C55
pc_user, xrefs: 00F93C08
pc_keyb, xrefs: 00F93C32

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID: hdd$os_bit$os_major$pc_group$pc_keyb$pc_lang$pc_name$pc_user$ransom_id
API String ID: 54951025-631784635
Opcode ID: 1e8adacd97a0346e6265bee196685f6b21e81bd3c2aca05e40c19c45a681401d
Instruction ID: 7f3db642b9f3154dee6eef22465d75978faa425965ae131564c256905c31f240
Opcode Fuzzy Hash: 1e8adacd97a0346e6265bee196685f6b21e81bd3c2aca05e40c19c45a681401d
Instruction Fuzzy Hash: 8A1150B4501B44CFDBA0CF69C584A8ABBF0BB08758B50592DE99AC7B11D3B9F448DF44

Function 00F981E6 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 64stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97FB0: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,00000003), ref: 00F9809A
Part of subcall function 00F97FB0: lstrcatW.KERNEL32(00000000,00FA0584), ref: 00F98115

lstrcatW.KERNEL32(00000000,00000000), ref: 00F9822C
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F9823A
lstrcatW.KERNEL32(00000000,00F9FFF8), ref: 00F98280
lstrcatW.KERNEL32(00000000,00000000), ref: 00F98288
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F98296
lstrcatW.KERNEL32(00000000,00F9FFFC), ref: 00F982A7

Strings

VUUU, xrefs: 00F981FA
VUUU, xrefs: 00F9824A

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtual$Free$Alloc
String ID: VUUU$VUUU
API String ID: 418921519-3149182767
Opcode ID: 23f045b9e2483321a86d54b179c716ed38d7a68b4e61924ba395df23fe8a2ba9
Instruction ID: 105d8d02fdac1eba8c1be51ac6a306861378d8c110809d655fd53ed1c379d5fe
Opcode Fuzzy Hash: 23f045b9e2483321a86d54b179c716ed38d7a68b4e61924ba395df23fe8a2ba9
Instruction Fuzzy Hash: 29110473A042089BD71DAB2CDC4AB39B7A8E751308F05482EF503DB1A1CE34A155AF95

Function 00F935C0 Relevance: 13.6, APIs: 9, Instructions: 94memoryfileCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000A00,00003000,00000004,756EE0B0,?), ref: 00F935E9
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100,756F0440), ref: 00F93600
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F93616
GetFileSize.KERNEL32(00000000,00000000), ref: 00F93626
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00F93639
ReadFile.KERNEL32(00000000,00000000,00000001,?,00000000), ref: 00F9364C
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F9368D
CloseHandle.KERNEL32(00000000), ref: 00F93694
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F936A2

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocFree$CloseCreateHandleModuleNameReadSize
String ID:
API String ID: 2352497600-0
Opcode ID: ef5122f29e3d9c40e6869e0dc4cdc80fccdddcbadbfe0ff50deb4f205f7b66e4
Instruction ID: 286799eaca1470128365ea2fdc102e1b164479114a696f97ed24dea034bb34b5
Opcode Fuzzy Hash: ef5122f29e3d9c40e6869e0dc4cdc80fccdddcbadbfe0ff50deb4f205f7b66e4
Instruction Fuzzy Hash: 80213031B403087BFF255BA59C86FAE7B78EB44711F200059FB05B52D0CBB49A409F95

Function 00F97EE0 Relevance: 12.6, APIs: 10, Instructions: 67COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00F948BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F97EF9
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00F948BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F97F0B
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00F948BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F97F1D
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00F948BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F97F2F
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00F948BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F97F41
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00F948BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F97F53
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00F948BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F97F65
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00F948BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F97F77
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00F948BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F97F89
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00F948BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00F97FA1

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 2f482115c25e6495cea2e1d14a3bbf8da4ca53cda7dab0831a1faf98bde2b4e4
Instruction ID: f5e7b17f3b44cdd8763551fb8815038d639c08d18c15ed8571369b87c465090c
Opcode Fuzzy Hash: 2f482115c25e6495cea2e1d14a3bbf8da4ca53cda7dab0831a1faf98bde2b4e4
Instruction Fuzzy Hash: 7F21EF30654B04AAFB766B15DC0AF66B6E1BF40B15F254838E2C1348F08BF57899EF48

Function 00F94000 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136memorythreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004), ref: 00F94020
GetTickCount.KERNEL32 ref: 00F94045
GetDriveTypeW.KERNEL32(?), ref: 00F9406A
CreateThread.KERNEL32(00000000,00000000,00F970B0,?,00000000,00000000), ref: 00F940A9
WaitForMultipleObjects.KERNEL32(00000000,?), ref: 00F940EB
GetTickCount.KERNEL32 ref: 00F940F1

Strings

?:\, xrefs: 00F94033

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: CountTick$AllocCreateDriveMultipleObjectsThreadTypeVirtualWait
String ID: ?:\
API String ID: 458387131-2533537817
Opcode ID: 360bfa564486f0685acf15e62b4ebb99a2c8c1365dc4d99982e066dfa18ffcd5
Instruction ID: 5dd8291c6ff111b780edcbbd413ac6424ac316e46ffc88dbd8afe47eec17f0a8
Opcode Fuzzy Hash: 360bfa564486f0685acf15e62b4ebb99a2c8c1365dc4d99982e066dfa18ffcd5
Instruction Fuzzy Hash: 1F5125719083009FD710CF18D884B5ABBE5FFD8324F504A2EFA8997360D775A984CB96

Function 00F970B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 48memorythreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040), ref: 00F970C9
wsprintfW.USER32 ref: 00F970DE
InitializeCriticalSection.KERNEL32(?), ref: 00F970EC
VirtualAlloc.KERNEL32 ref: 00F97120
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00009C40,00003000,00000004), ref: 00F9714D
ExitThread.KERNEL32 ref: 00F97155

Strings

%c:\, xrefs: 00F970D8

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$CriticalExitFreeInitializeSectionThreadwsprintf
String ID: %c:\
API String ID: 2059066847-3142399695
Opcode ID: 21db8a6d0925ff6553e225a735ed59f37097c8b4a2ca50e8d4e3c21c61b085f9
Instruction ID: 934ad4bb0c061ef3a16574055113b34cb2d3c1afe92ae88f39ee8b4614df46ff
Opcode Fuzzy Hash: 21db8a6d0925ff6553e225a735ed59f37097c8b4a2ca50e8d4e3c21c61b085f9
Instruction Fuzzy Hash: 5511D2B5244304BFE7109F54CC8AF1A3BA8AB84B21F004605FB649E1D1D7B4E554DFAB

Function 00F92890 Relevance: 12.1, APIs: 8, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,7572F770,00000000,?,?,00F92C02), ref: 00F928AB
GetFileSize.KERNEL32(00000000,00000000,?,?,00F92C02), ref: 00F928BA
CreateFileMappingW.KERNEL32(00000000,00000000,-00000008,00000000,00000000,00000000,?,?,00F92C02), ref: 00F928E5
CloseHandle.KERNEL32(00000000,?,?,00F92C02), ref: 00F928F3
MapViewOfFile.KERNEL32(00000000,7572F771,00000000,00000000,00000000,?,?,00F92C02), ref: 00F9290A
UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,00F92C02), ref: 00F92942
CloseHandle.KERNEL32(?,?,?,00F92C02), ref: 00F92951
CloseHandle.KERNEL32(00000000,?,?,00F92C02), ref: 00F92954

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateView$MappingSizeUnmap
String ID:
API String ID: 265113797-0
Opcode ID: 62fac2241c1859bcdcca50d11b393266efc8139ffdf9eb2e2528cb65927a4a3d
Instruction ID: 327187a992e84fae2b0e8bd7637041a1b46ec015c1d1e1798d8d6cdf15436560
Opcode Fuzzy Hash: 62fac2241c1859bcdcca50d11b393266efc8139ffdf9eb2e2528cb65927a4a3d
Instruction Fuzzy Hash: 1B212671E1111C7FFB106B749C86F7E776CDB45665F000226FC01E2290EA349D1169E1

Function 00F96AD0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 95stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,?,00F96BFA), ref: 00F96AF2

Strings

%s , xrefs: 00F96B36

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: %s
API String ID: 1659193697-4273690596
Opcode ID: 3a9517a2c8476ba1b617f48b16588d184a46e4ef533c651d4b534d2a153e2052
Instruction ID: 8ce4e0a33a112678e425217a2baeae872155510e16c99df015083f4eb0670883
Opcode Fuzzy Hash: 3a9517a2c8476ba1b617f48b16588d184a46e4ef533c651d4b534d2a153e2052
Instruction Fuzzy Hash: 9E21DE72E012299BEF305F28AC017B673E8EBD5379F058226ED06D7190FBB59D41E690

Function 00F92C50 Relevance: 10.6, APIs: 7, Instructions: 62stringthreadCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00F92C8A
BeginPaint.USER32(?,?), ref: 00F92C9F
lstrlenW.KERNEL32(?), ref: 00F92CAC
TextOutW.GDI32(00000000,00000005,00000005,?,00000000), ref: 00F92CBD
EndPaint.USER32(?,?), ref: 00F92CCB
CreateThread.KERNEL32(00000000,00000000,Function_00002AD0,00000000,00000000,00000000), ref: 00F92CE9
DestroyWindow.USER32(?), ref: 00F92CF2

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: PaintWindow$BeginCreateDestroyProcTextThreadlstrlen
String ID:
API String ID: 572880375-0
Opcode ID: 0e25c8c77d2f696183914637ca44ae47510273d56e86846f540696ca9e095cfd
Instruction ID: 4ad92ca7df797492c987c08a8cb67b7599bbf75dd69ae6356b4aa9f385e5fdde
Opcode Fuzzy Hash: 0e25c8c77d2f696183914637ca44ae47510273d56e86846f540696ca9e095cfd
Instruction Fuzzy Hash: 62115E3250420CABE711DF68EC09FAA7BA8FB48311F004617FA45D61A0E7719964EBD2

Function 00F94E20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F94E39
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00F94E7F
GetLastError.KERNEL32(?,?,00000000), ref: 00F94E89
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00F94E9D
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00F94EA2

Strings

D, xrefs: 00F94E68

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastProcess_memset
String ID: D
API String ID: 1393943095-2746444292
Opcode ID: 0967344e7662a8b400a961de11c35c7e38457c90d1aff5c5330bbc9d55a6a62c
Instruction ID: 7b4ae3bb8a5b6b152b414fa4656a4d1d7b6252914169cf05be5037ed7913d956
Opcode Fuzzy Hash: 0967344e7662a8b400a961de11c35c7e38457c90d1aff5c5330bbc9d55a6a62c
Instruction Fuzzy Hash: 71018471E4031CABEB20DBA8EC42BDE7BB8EF08714F104216FA08F6190E7B465548BD5

Function 00F94A88 Relevance: 10.5, APIs: 7, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000002,00000024), ref: 00F94A95
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F94AA5
TerminateProcess.KERNEL32(00000000,00000000), ref: 00F94AB4
CloseHandle.KERNEL32(00000000), ref: 00F94AC1
Process32NextW.KERNEL32(?,00000000), ref: 00F94ADA
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F94AF3
CloseHandle.KERNEL32(?), ref: 00F94AFA

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$FreeNextOpenProcess32TerminateVirtuallstrcmpi
String ID:
API String ID: 999196985-0
Opcode ID: 45575ff0fc39a8f75b5c6a45dcd8e1ad630da8d5a3a2221d89dfa192f7565e0c
Instruction ID: fd17994a3a306c91c86bd529349fa947009bd27aabaa3ab585632724ef25efb8
Opcode Fuzzy Hash: 45575ff0fc39a8f75b5c6a45dcd8e1ad630da8d5a3a2221d89dfa192f7565e0c
Instruction Fuzzy Hash: EA01F932240114AFEB209F50AC45F6A736CEFA4711F254115FE09D6060EB75AC06AFEA

Function 00FD1A4C Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00FD1A4C

Part of subcall function 00FD1BFB: EncodePointer.KERNEL32(00000000,?,00FD1A51,00FD12AD,00FDFD50,00000014), ref: 00FD1BFE
Part of subcall function 00FD1BFB: __initp_misc_winsig.LIBCMT ref: 00FD1C19
Part of subcall function 00FD1BFB: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00FD2EA5
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00FD2EB9
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00FD2ECC
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00FD2EDF
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00FD2EF2
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00FD2F05
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00FD2F18
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00FD2F2B
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00FD2F3E
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00FD2F51
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00FD2F64
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00FD2F77
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00FD2F8A
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00FD2F9D
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00FD2FB0
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00FD2FC3

__mtinitlocks.LIBCMT ref: 00FD1A51
__mtterm.LIBCMT ref: 00FD1A5A

Part of subcall function 00FD1AC2: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00FD1A5F,00FD12AD,00FDFD50,00000014), ref: 00FD31BB
Part of subcall function 00FD1AC2: _free.LIBCMT ref: 00FD31C2
Part of subcall function 00FD1AC2: DeleteCriticalSection.KERNEL32(00FE1068,?,?,00FD1A5F,00FD12AD,00FDFD50,00000014), ref: 00FD31E4

__calloc_crt.LIBCMT ref: 00FD1A7F
__initptd.LIBCMT ref: 00FD1AA1
GetCurrentThreadId.KERNEL32 ref: 00FD1AA8

Memory Dump Source

Source File: 0000000F.00000002.1671034739.0000000000FD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00FD0000, based on PE: true

Associated: 0000000F.00000002.1671018492.0000000000FD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671051955.0000000000FDC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671067110.0000000000FE1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671088593.0000000000FF7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_fd0000_dwqocx.jbxd

Yara matches

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 6405ccc4a814573800a549d28fc162e67e54cf06079e9764ed0cd3e68d9e56bb
Instruction ID: ee18717636b055cfe61792edee5497ce39623e6580926d584108df8498c16d0c
Opcode Fuzzy Hash: 6405ccc4a814573800a549d28fc162e67e54cf06079e9764ed0cd3e68d9e56bb
Instruction Fuzzy Hash: 06F06D32A1A65129E224BB747C0364A3797BB01771B2C061BF650D93D5FE288541B191

Function 00F93C80 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43memorylibraryloaderCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F93CB0
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 00F93CC3
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00F93CCF
FreeSid.ADVAPI32(?), ref: 00F93CEA

Strings

advapi32.dll, xrefs: 00F93CBE
CheckTokenMembership, xrefs: 00F93CC9

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: AddressAllocateFreeHandleInitializeModuleProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 3309497720-1888249752
Opcode ID: 5bef1ffdf158b4c3fb9f9c878f82b653e11a41d35522c78fc7e4519cd5974659
Instruction ID: f9ab542327d21a10b69ba31b0c438b639774bef2f4c93e4ea182014095123388
Opcode Fuzzy Hash: 5bef1ffdf158b4c3fb9f9c878f82b653e11a41d35522c78fc7e4519cd5974659
Instruction Fuzzy Hash: B3F0FF34E4030DBBEF109BE4DC0AFAD77B8EB04705F104595F905E6190E7745654AB96

Function 00F97FB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 89memorystringCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,00000003), ref: 00F9809A
lstrcatW.KERNEL32(00000000,00FA0584), ref: 00F98115

Strings

eigh, xrefs: 00F9803F
ere, xrefs: 00F98093
ore, xrefs: 00F9808C

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: AllocVirtuallstrcat
String ID: eigh$ere$ore
API String ID: 3624338217-3418171569
Opcode ID: 3ec4b9b1a908b46f2fb295e3ed311dab6e3b380fcea2fbf75a4ea10b138b7bd9
Instruction ID: 15dbd4bd1c96f1561e36a517804edfbc5ef6f27069e07f7900cd21030547a1e7
Opcode Fuzzy Hash: 3ec4b9b1a908b46f2fb295e3ed311dab6e3b380fcea2fbf75a4ea10b138b7bd9
Instruction Fuzzy Hash: 1B3132F1C012099FDB14CF84F848AADBEF4EB47318F284618E5146B242CFB4994AEF94

Function 00F93200 Relevance: 8.8, APIs: 7, Instructions: 73memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00F95474,00000000,?,00F95475,?,00F934BF,00F95475,00000001,00F95475,00000000,00000000,00000000,?,?,00F95474,00000000), ref: 00F93251
GetProcessHeap.KERNEL32(00000008,00000001,?,00F934BF,00F95475,00000001,00F95475,00000000,00000000,00000000,?,?,00F95474,00000000), ref: 00F9325B
HeapAlloc.KERNEL32(00000000,?,00F934BF,00F95475,00000001,00F95475,00000000,00000000,00000000,?,?,00F95474,00000000), ref: 00F93262
lstrlenA.KERNEL32(00F95474,00000000,?,00F95475,?,00F934BF,00F95475,00000001,00F95475,00000000,00000000,00000000,?,?,00F95474,00000000), ref: 00F93273
GetProcessHeap.KERNEL32(00000008,00000001,?,00F934BF,00F95475,00000001,00F95475,00000000,00000000,00000000,?,?,00F95474,00000000), ref: 00F9327D
HeapAlloc.KERNEL32(00000000,?,00F934BF,00F95475,00000001,00F95475,00000000,00000000,00000000,?,?,00F95474,00000000), ref: 00F93284
lstrcpyA.KERNEL32(00000000,00F95474,?,00F934BF,00F95475,00000001,00F95475,00000000,00000000,00000000,?,?,00F95474,00000000), ref: 00F93293

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrlen$lstrcpy
String ID:
API String ID: 511007297-0
Opcode ID: cb3bb807c42615330acb245cb4a74ba6281fd49acdda3e9044ca705f7fd8c730
Instruction ID: a8580429854ba32544fba151fc709e89971692237bc88cbe61124860933eae88
Opcode Fuzzy Hash: cb3bb807c42615330acb245cb4a74ba6281fd49acdda3e9044ca705f7fd8c730
Instruction Fuzzy Hash: EF11B6318082986EFF211F68980C766BB59EF12760F244046E8C5C7261C7368D86ABA2

Function 00F933E0 Relevance: 7.6, APIs: 5, Instructions: 101memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F932B0: lstrlenA.KERNEL32(?,00000000,?,00F95474,?,?,00F933F6,00000000,00000000,?,?,00F95474,00000000), ref: 00F932C5
Part of subcall function 00F932B0: lstrlenA.KERNEL32(?,?,00F933F6,00000000,00000000,?,?,00F95474,00000000,?,?,?,?,00F95643,00000000,?), ref: 00F932EE

lstrlenA.KERNEL32(00F95475,00F95475,00000000,00000000,00000000,?,?,00F95474,00000000,?,?,?,?,00F95643,00000000,?), ref: 00F93484
GetProcessHeap.KERNEL32(00000008,00000001,?,00F95474,00000000,?,?,?,?,00F95643,00000000,?,00000000,00000000,?,00000000), ref: 00F9348E
HeapAlloc.KERNEL32(00000000,?,00F95474,00000000,?,?,?,?,00F95643,00000000,?,00000000,00000000,?,00000000), ref: 00F93495
lstrcpyA.KERNEL32(00000000,00F95475,?,00F95474,00000000,?,?,?,?,00F95643,00000000,?,00000000,00000000,?,00000000), ref: 00F934A7
ExitProcess.KERNEL32 ref: 00F934DB

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: lstrlen$HeapProcess$AllocExitlstrcpy
String ID:
API String ID: 1867342102-0
Opcode ID: 739e3193fd75e889820b19a4b6ff959abaa49ff8d40336c896a3267114000873
Instruction ID: 28af2165daefebe0bc4bcb78ad512648d69f856a71bd8f0bb4b6810b101252a4
Opcode Fuzzy Hash: 739e3193fd75e889820b19a4b6ff959abaa49ff8d40336c896a3267114000873
Instruction Fuzzy Hash: 96312B30D042455AFF27CF6C98447797B65DB02320F19418AE8D5C7291D67A4E87BBA2

Function 00F93D00 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F93D52
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 00F93D76
VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 00F93D7A
VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 00F93D7E
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00F93DA5

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion_memset
String ID:
API String ID: 3299124433-0
Opcode ID: 1e7d3998864721a80d1b78a92f71d3ceaad0b197ce0aa22cd9db244449a5238b
Instruction ID: b56f579d01d664f0aa0f574477b7897f107f9a48583364768d15744f2f7b3ec1
Opcode Fuzzy Hash: 1e7d3998864721a80d1b78a92f71d3ceaad0b197ce0aa22cd9db244449a5238b
Instruction Fuzzy Hash: 49111BB0D4031C6EEB619F65DC0ABEA7ABCEB08700F008199A608E61C1D6B84B948FD5

Function 00FD1ADF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,00FD1B1E,00000000,?,00FD4E28,000000FF,0000001E,00000000,00000000,00000000,?,00FD3385), ref: 00FD1AEE
GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00FD1B00

Strings

CorExitProcess, xrefs: 00FD1AF8
mscoree.dll, xrefs: 00FD1AE7

Memory Dump Source

Source File: 0000000F.00000002.1671034739.0000000000FD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00FD0000, based on PE: true

Associated: 0000000F.00000002.1671018492.0000000000FD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671051955.0000000000FDC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671067110.0000000000FE1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671088593.0000000000FF7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_fd0000_dwqocx.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: eccdd178e8e2c9f56d34adefa2d811054299e28ee71fe997b9f8c70216b9eef3
Instruction ID: 231d15481f79ffcd6e22c26b64e01cc446cd2f7cac17fdf3d1a27bb029db8a41
Opcode Fuzzy Hash: eccdd178e8e2c9f56d34adefa2d811054299e28ee71fe997b9f8c70216b9eef3
Instruction Fuzzy Hash: DBD0123174420EFBDB005BA5DC06F597B6FAB41752F044157F804E1250EA71DA10F6A1

Function 00F94EB0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 117stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,fabian wosar <3,?,00F95218), ref: 00F94F23
lstrlenA.KERNEL32(00000000,?,00F95218), ref: 00F94F7F
lstrcpyA.KERNEL32(?,?,?,00F95218), ref: 00F94FAE

Strings

fabian wosar <3, xrefs: 00F94F1B

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: fabian wosar <3
API String ID: 367037083-1724090804
Opcode ID: 139ed242759f1a93580d859044872b97bd57eb66465dd3de38a632e57d67f57a
Instruction ID: 1ce9b6191b832fb43c0653c88aa96176593e40630886d76d2880133cb185bb1b
Opcode Fuzzy Hash: 139ed242759f1a93580d859044872b97bd57eb66465dd3de38a632e57d67f57a
Instruction Fuzzy Hash: FC312322C0819A5EEF328F285840BFABFE1AF6736DF58009AD8D5C7215D3212847E790

Function 00FD737A Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00FD73B0
__isleadbyte_l.LIBCMT ref: 00FD73DE
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 00FD740C
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 00FD7442

Memory Dump Source

Source File: 0000000F.00000002.1671034739.0000000000FD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00FD0000, based on PE: true

Associated: 0000000F.00000002.1671018492.0000000000FD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671051955.0000000000FDC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671067110.0000000000FE1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671088593.0000000000FF7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_fd0000_dwqocx.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2ca933369b502092202da194a3e7a68c40d75dab3ce013aa95d75aa07d974747
Instruction ID: 074de734c3d0b9f37ee6af8eafc4742fcda3c0eb3dacefe04e2294ad9c2dd922
Opcode Fuzzy Hash: 2ca933369b502092202da194a3e7a68c40d75dab3ce013aa95d75aa07d974747
Instruction Fuzzy Hash: A2318431A08346EFDB22EE65CC45B6A7FA7AF41320F19451AE8549B290F731D850F750

Function 00FD4E8D Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FD4EAC

Part of subcall function 00FD4DFB: __FF_MSGBANNER.LIBCMT ref: 00FD4E12
Part of subcall function 00FD4DFB: __NMSG_WRITE.LIBCMT ref: 00FD4E19
Part of subcall function 00FD4DFB: HeapAlloc.KERNEL32(01210000,00000000,00000001,00000000,00000000,00000000,?,00FD3385,00000000,00000000,00000000,00000000,?,00FD323A,00000018,00FDFE20), ref: 00FD4E3E

Memory Dump Source

Source File: 0000000F.00000002.1671034739.0000000000FD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00FD0000, based on PE: true

Associated: 0000000F.00000002.1671018492.0000000000FD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671051955.0000000000FDC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671067110.0000000000FE1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671088593.0000000000FF7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_fd0000_dwqocx.jbxd

Yara matches

Similarity

API ID: AllocHeap_free
String ID:
API String ID: 1080816511-0
Opcode ID: 23d789c686f58522c5286ee17a11d0718fcb3394a012ea8fb89a341c937fead2
Instruction ID: 257afde2d162f4e025d353d02cdc22eb3793c3cbfb3961ad2a0fcec27e2ce097
Opcode Fuzzy Hash: 23d789c686f58522c5286ee17a11d0718fcb3394a012ea8fb89a341c937fead2
Instruction Fuzzy Hash: 4F117733905215ABCB317F74BC0A75A379BAF40370B184527FA45D7361DB35A840B6A5

Function 00FD8BED Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00FD8C11

Part of subcall function 00FD92F8: __fltout2.LIBCMT ref: 00FD9321

__cftog_l.LIBCMT ref: 00FD8C37
__cftoe_l.LIBCMT ref: 00FD8C69

Memory Dump Source

Source File: 0000000F.00000002.1671034739.0000000000FD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00FD0000, based on PE: true

Associated: 0000000F.00000002.1671018492.0000000000FD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671051955.0000000000FDC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671067110.0000000000FE1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000F.00000002.1671088593.0000000000FF7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_fd0000_dwqocx.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: a8292b613ccd047416a34022aaf5a22d8ab77da8b922757973516e6eda3415f7
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: F501397241514EFBCF126F84CD428EE3F27BB18394B588516FA5858231C636C9B2BB91

Function 00F93190 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 42stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(00F95474,mask), ref: 00F931B9
lstrcmpiA.KERNEL32(00F95474,pub_key), ref: 00F931D1

Strings

pub_key, xrefs: 00F931BF
mask, xrefs: 00F931B1

Memory Dump Source

Source File: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_dwqocx.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: mask$pub_key
API String ID: 1586166983-1355590148
Opcode ID: bcea0d06e80f3fa9bea726febc81da29d0354f890af5944e4ad4043acf9fb7f0
Instruction ID: 6aedbd83b113cf957a34420989105b5aa34b744f2864a735b2e22ad42f661470
Opcode Fuzzy Hash: bcea0d06e80f3fa9bea726febc81da29d0354f890af5944e4ad4043acf9fb7f0
Instruction Fuzzy Hash: B2F02B72B082881EFF294B6C9C457A1BBDD9B55320F54047FE6C9C21B0C6AACDC1E396

Analysis Process: dwqocx.exePID: 3536, Parent PID: 2592COMMON

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	45.4%
Signature Coverage:	0%
Total number of Nodes:	1523
Total number of Limit Nodes:	76

Executed Functions

Function 00434B30 Relevance: 40.4, APIs: 22, Strings: 1, Instructions: 182
threadsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000003E8), ref: 00434B3B

Part of subcall function 004347E0: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0043483C
Part of subcall function 004347E0: lstrcpyW.KERNEL32(00000000,Global\,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0043485F
Part of subcall function 004347E0: lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00434866
Part of subcall function 004347E0: CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0043487E
Part of subcall function 004347E0: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0043488A
Part of subcall function 004347E0: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00434891
Part of subcall function 004347E0: VirtualFree.KERNEL32(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004348AB

ExitProcess.KERNEL32 ref: 00434B4C
CreateThread.KERNEL32(00000000,00000000,00432D30,00000000,00000000,00000000), ref: 00434B61
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00434B79
TerminateThread.KERNEL32(00000000,00000000), ref: 00434B8C
CloseHandle.KERNEL32(00000000), ref: 00434B96
VirtualAlloc.KERNEL32(00000000,00000200,00003000,00000004,00000000,00000000,00000000,00000000), ref: 00434C0A
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 00434C24
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00434C3D
ExitProcess.KERNEL32 ref: 00434C45

Strings

open, xrefs: 00434DA0

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtual$AllocCreateErrorExitFreeLastProcessThread$CloseFileHandleModuleMutexNameObjectSingleSleepTerminateWaitlstrcpylstrlen
String ID: open
API String ID: 1803241880-2758837156
Opcode ID: 510f34315a944320fde0d297b71ddb95fff3216178cec1227e7fe0cfd4fcb831
Instruction ID: 259d84bce463408e5f73b001bd175b929a173bc17ff6a376004f99816a8ac4ee
Opcode Fuzzy Hash: 510f34315a944320fde0d297b71ddb95fff3216178cec1227e7fe0cfd4fcb831
Instruction Fuzzy Hash: 8C711170A80308ABEB14DFE0DD5AFEE7774AB48705F106119F641762D0DBB86944CF59

Function 00FE75C0 Relevance: 3.3, APIs: 2, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001D.00000002.1752023672.0000000000FE1000.00000004.00000001.01000000.00000006.sdmp, Offset: 00FD0000, based on PE: true

Associated: 0000001D.00000002.1751953110.0000000000FD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1751975964.0000000000FD1000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752000225.0000000000FDC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752051812.0000000000FF7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_fd0000_dwqocx.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 794c13284e084b999102786f7c7132ff237cb24c9401df5e3aaca089a4b1fbef
Instruction ID: acc3c6b7cf5f200e19a5288f6cb2b264b7ef56a4d6dde45517f8b293f951a3bf
Opcode Fuzzy Hash: 794c13284e084b999102786f7c7132ff237cb24c9401df5e3aaca089a4b1fbef
Instruction Fuzzy Hash: 48D1AE75E043568FCB24DF5AC880BA9B7B1FF58324F2945A9D855AB341E330ED41EB90

Function 00437600 Relevance: 156.2, APIs: 55, Strings: 34, Instructions: 499
memorystringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00437627
GetUserNameW.ADVAPI32(00000000,?), ref: 00437638
VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00437656
GetComputerNameW.KERNEL32(00000000,0000001E), ref: 00437660
VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 00437680
wsprintfW.USER32 ref: 004376C1
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 004376DE
RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00437702
RegQueryValueExW.ADVAPI32(?,LocaleName,00000000,00000000, HC,?), ref: 00437726
GetLastError.KERNEL32 ref: 00437739
RegCloseKey.ADVAPI32(?), ref: 00437742
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0043775F
VirtualAlloc.KERNEL32(00000000,0000008A,00003000,00000004), ref: 0043777D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 00437793
wsprintfW.USER32 ref: 004377AD
RegOpenKeyExW.ADVAPI32(80000001,Keyboard Layout\Preload,00000000,00020019,?), ref: 004377CF
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000, HC,?), ref: 004377F1
GetLastError.KERNEL32 ref: 00437804
RegCloseKey.ADVAPI32(?), ref: 0043780D
lstrcmpiW.KERNEL32(?,00000419), ref: 00437821
wsprintfW.USER32 ref: 0043784E
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0043785D
VirtualAlloc.KERNEL32(00000000,00000082,00003000,00000004), ref: 0043787D
wsprintfW.USER32 ref: 004378C6
GetNativeSystemInfo.KERNEL32(?), ref: 004378D5
VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004), ref: 004378E6
wsprintfW.USER32 ref: 0043790A
ExitProcess.KERNEL32 ref: 00437911
wsprintfW.USER32 ref: 00437939
VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004), ref: 00437977
VirtualAlloc.KERNELBASE(00000000,00000E0C,00003000,00000004), ref: 0043798A
GetWindowsDirectoryW.KERNEL32(00000000,00000100), ref: 00437994
GetVolumeInformationW.KERNELBASE(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 004379CE
lstrlenW.KERNEL32(0000060C,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 00437A00
wsprintfW.USER32 ref: 00437A38
lstrcatW.KERNEL32(?,0000060C), ref: 00437A4D
GetModuleHandleW.KERNEL32(ntdll.dll,RtlComputeCrc32), ref: 00437A59
GetProcAddress.KERNEL32(00000000), ref: 00437A60
lstrlenW.KERNEL32(?), ref: 00437A70
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00437AA1

Part of subcall function 00437CE0: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,756EF3C0,?,760773E0), ref: 00437CFD
Part of subcall function 00437CE0: VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 00437D71
Part of subcall function 00437CE0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00437D86
Part of subcall function 00437CE0: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00437D9C

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00437AF8
GetDriveTypeW.KERNEL32(?), ref: 00437B3F
lstrcatW.KERNEL32(?,?), ref: 00437B66
lstrcatW.KERNEL32(?,00440334), ref: 00437B78
lstrcatW.KERNEL32(?,004403A8), ref: 00437B82
GetDiskFreeSpaceW.KERNEL32(?,?, HC,?,00000000), ref: 00437B98
lstrlenW.KERNEL32(?,?,00000000, HC,00000000,00000000,00000000, HC,00000000), ref: 00437BE0
wsprintfW.USER32 ref: 00437BFA
lstrlenW.KERNEL32(?), ref: 00437C08
wsprintfW.USER32 ref: 00437C1C
lstrcatW.KERNEL32(?,004403C8), ref: 00437C2F
lstrcatW.KERNEL32(?,004403CC), ref: 00437C3B
lstrlenW.KERNEL32(?), ref: 00437C56
VirtualAlloc.KERNEL32(00000000,00000081,00003000,00000004), ref: 00437C79
VirtualFree.KERNEL32(?,00000000,00008000,00000000), ref: 00437CA0

Strings

00000419, xrefs: 00437819
ARM, xrefs: 0043791E
%I64u/, xrefs: 00437BF4
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0043788B
RAMDISK, xrefs: 00437AF1
ProcessorNameString, xrefs: 004379E1
x64, xrefs: 00437917
HC, xrefs: 00437B8C, 00437BA9, 004377E4, 00437717, 00437B8F, 00437BAF, 00437BBC
SYSTEM\CurrentControlSet\services\Tcpip\Parameters, xrefs: 00437695
error, xrefs: 004378BE
@, xrefs: 0043770F
?:\, xrefs: 00437B1D
FIXED, xrefs: 00437ADC
Identifier, xrefs: 00437A16
undefined, xrefs: 004376B9
Itanium, xrefs: 00437925
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion, xrefs: 004378AF
CDROM, xrefs: 00437AEA
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 004379E6, 00437A1B
REMOTE, xrefs: 00437AE3
RtlComputeCrc32, xrefs: 00437A4F
Control Panel\International, xrefs: 004376F1
x86, xrefs: 0043792C
Unknown, xrefs: 00437933
Keyboard Layout\Preload, xrefs: 004377C5
productName, xrefs: 00437886, 004378AA
UNKNOWN, xrefs: 00437AC7
%I64u, xrefs: 00437C13
ntdll.dll, xrefs: 00437A54
Domain, xrefs: 00437690
NO_ROOT_DIR, xrefs: 00437ACE
REMOVABLE, xrefs: 00437AD5
LocaleName, xrefs: 0043771E
WORKGROUP, xrefs: 004376B1

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$Freelstrcat$lstrlen$CloseErrorLastNameOpenQueryValue$AddressComputerCreateDirectoryDiskDriveExitHandleInfoInformationModuleNativeProcProcessSnapshotSpaceSystemToolhelp32TypeUserVolumeWindowslstrcmpi
String ID: HC$%I64u$%I64u/$00000419$?:\$@$ARM$CDROM$Control Panel\International$Domain$FIXED$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Identifier$Itanium$Keyboard Layout\Preload$LocaleName$NO_ROOT_DIR$ProcessorNameString$RAMDISK$REMOTE$REMOVABLE$RtlComputeCrc32$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\services\Tcpip\Parameters$UNKNOWN$Unknown$WORKGROUP$error$ntdll.dll$productName$undefined$x64$x86
API String ID: 153366582-3118981487
Opcode ID: 2759df5b08363d1af26ce123b5e1ec21710157d4ce9f6850e5a6b69b8439aa81
Instruction ID: a62553e4ba828ed4612e03980f7297fffbc922da8bdfb12e0ea806a2768df308
Opcode Fuzzy Hash: 2759df5b08363d1af26ce123b5e1ec21710157d4ce9f6850e5a6b69b8439aa81
Instruction Fuzzy Hash: 6812A6B0680304BFE7259F64CD4AFAEBBB4BF08704F10151AF685A61E0D7B9A914CB5D

Function 00437210 Relevance: 91.2, APIs: 49, Strings: 3, Instructions: 196
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00437231
lstrcatW.KERNEL32(?,0043FFF8,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00437239
lstrcatW.KERNEL32(?,?,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00437242
lstrcatW.KERNEL32(?,0043FFFC,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0043724A
lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00437255
lstrcatW.KERNEL32(?,0043FFF8,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0043725D
lstrcatW.KERNEL32(?,?,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00437263
lstrcatW.KERNEL32(?,0043FFFC,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0043726B
lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00437277
lstrcatW.KERNEL32(?,0043FFF8,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0043727F
lstrcatW.KERNEL32(?,?,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00437285
lstrcatW.KERNEL32(?,0043FFFC,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0043728D
lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00437299
lstrcatW.KERNEL32(?,0043FFF8,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004372A1
lstrcatW.KERNEL32(?,?,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004372A7
lstrcatW.KERNEL32(?,0043FFFC,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004372AF
lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 004372BB
lstrcatW.KERNEL32(?,0043FFF8,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004372C3
lstrcatW.KERNEL32(?,?,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004372C9
lstrcatW.KERNEL32(?,0043FFFC,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004372D1
lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 004372DD
lstrcatW.KERNEL32(?,0043FFF8,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004372E5
lstrcatW.KERNEL32(?,?,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004372EB
lstrcatW.KERNEL32(?,0043FFFC,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004372F3
lstrcatW.KERNEL32(?,FKC,00000000,00000000,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 004372FF
lstrcatW.KERNEL32(?,0043FFF8,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00437307
lstrcatW.KERNEL32(?,?,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0043730D
lstrcatW.KERNEL32(?,0043FFFC,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00437315
lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00437321
lstrcatW.KERNEL32(?,0043FFF8,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00437329
lstrcatW.KERNEL32(?,?,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0043732F
lstrcatW.KERNEL32(?,0043FFFC,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00437337
lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 00437343
lstrcatW.KERNEL32(?,0043FFF8,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0043734B
lstrcatW.KERNEL32(?,?,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00437351
lstrcatW.KERNEL32(?,0043FFFC,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00437359
VirtualAlloc.KERNELBASE(00000000,00000042,00003000,00000040,00000000,00000000,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000), ref: 0043736C
wsprintfW.USER32 ref: 00437386
wsprintfW.USER32 ref: 00437397
lstrcatW.KERNEL32(?,?,?,00000000,00000000,?,00000000), ref: 004373A4
lstrcatW.KERNEL32(?,0043FFF8,?,00000000,00000000,?,00000000), ref: 004373AC
lstrcatW.KERNEL32(?,?,?,00000000,00000000,?,00000000), ref: 004373B2
lstrcatW.KERNEL32(?,0043FFFC,?,00000000,00000000,?,00000000), ref: 004373BA
VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 004373C6
lstrcatW.KERNEL32(?,?,00000000,00000000,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000), ref: 004373D6
lstrcatW.KERNEL32(?,0043FFF8,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004373DE
lstrcatW.KERNEL32(?,?,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004373E4
lstrcatW.KERNEL32(?,0043FFFC,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004373EC
lstrlenW.KERNEL32(?,00000000,00000000,?,?,00434879,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004373EF

Strings

%x%x, xrefs: 00437380
undefined, xrefs: 00437391
FKC, xrefs: 004372FB

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtualwsprintf$AllocFreelstrlen
String ID: %x%x$FKC$undefined
API String ID: 3872469520-1630041561
Opcode ID: ce0aacd2c557261a61b19dbd1abd15f72bfa26219bbfe1e5f34f59a176a0db1f
Instruction ID: 7689675a593380f58a1ffeaf2a74be0481d0b19a4b569ea59ddbc8c5faeaa7e3
Opcode Fuzzy Hash: ce0aacd2c557261a61b19dbd1abd15f72bfa26219bbfe1e5f34f59a176a0db1f
Instruction Fuzzy Hash: 63514D31146668B6DF273F618C49F9F3E19EFCA701F211062FD00540968B6D8666DFAE

Function 00FD123B Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fast_error_exit.LIBCMT ref: 00FD12A2
_fast_error_exit.LIBCMT ref: 00FD12B3
__RTC_Initialize.LIBCMT ref: 00FD12B9
__ioinit.LIBCMT ref: 00FD12C2
_fast_error_exit.LIBCMT ref: 00FD12CD
GetCommandLineA.KERNEL32(00FDFD50,00000014), ref: 00FD12D3
___crtGetEnvironmentStringsA.LIBCMT ref: 00FD12DE
__setargv.LIBCMT ref: 00FD12E8
__setenvp.LIBCMT ref: 00FD12F9
__cinit.LIBCMT ref: 00FD130C

Strings

XO\, xrefs: 00FD1328
.$, xrefs: 00FD1282

Memory Dump Source

Source File: 0000001D.00000002.1751975964.0000000000FD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00FD0000, based on PE: true

Associated: 0000001D.00000002.1751953110.0000000000FD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752000225.0000000000FDC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752023672.0000000000FE1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752051812.0000000000FF7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_fd0000_dwqocx.jbxd

Yara matches

Similarity

API ID: _fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__setargv__setenvp
String ID: .$$XO\
API String ID: 3919536372-2616302168
Opcode ID: 24c9c4311bc750d5e0ccac79c5dd694301c6fb432178821fd52028e7db77623e
Instruction ID: 4c4a3c52a4f298ec50975f80f6b0a156269d8a53e5fc2565a9e4a997c25d44ed
Opcode Fuzzy Hash: 24c9c4311bc750d5e0ccac79c5dd694301c6fb432178821fd52028e7db77623e
Instruction Fuzzy Hash: 8621A871A00305BAEB10BBB0AC46B6D32577F10312F1C412BF504D63D2EF798944F6A1

Function 004347E0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83
stringmemorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00433BD0: GetProcessHeap.KERNEL32(?,?,00434817,00000000,?,00000000,00000000), ref: 00433C6C

Part of subcall function 00437600: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00437627
Part of subcall function 00437600: GetUserNameW.ADVAPI32(00000000,?), ref: 00437638
Part of subcall function 00437600: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00437656
Part of subcall function 00437600: GetComputerNameW.KERNEL32(00000000,0000001E), ref: 00437660
Part of subcall function 00437600: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 00437680
Part of subcall function 00437600: wsprintfW.USER32 ref: 004376C1
Part of subcall function 00437600: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 004376DE
Part of subcall function 00437600: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00437702
Part of subcall function 00437600: RegQueryValueExW.ADVAPI32(?,LocaleName,00000000,00000000, HC,?), ref: 00437726
Part of subcall function 00437600: RegCloseKey.ADVAPI32(?), ref: 00437742

Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 00437462
Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 0043746D
Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 00437483
Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 0043748E
Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 004374A4
Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 004374AF
Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 004374C5
Part of subcall function 00437410: lstrlenW.KERNEL32(00434B46,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 004374D0
Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 004374E6
Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 004374F1
Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 00437507
Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 00437512
Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 00437531
Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 0043753C

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0043483C
lstrcpyW.KERNEL32(00000000,Global\,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0043485F
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00434866
CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0043487E
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 0043488A
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00434891
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004348AB

Strings

Global\, xrefs: 00434859

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$ErrorLastName$CloseComputerCreateFreeHeapMutexOpenProcessQueryUserValuelstrcpywsprintf
String ID: Global\
API String ID: 3131499543-188423391
Opcode ID: c44c51e84d478383cc654803b70d6c840e8462e3207af0c2bc696bfb1746a790
Instruction ID: 5200edbe95c3a89c1697d8105df1adbe9b1e47502206c23b252a156d01117bc5
Opcode Fuzzy Hash: c44c51e84d478383cc654803b70d6c840e8462e3207af0c2bc696bfb1746a790
Instruction Fuzzy Hash: AD2143706943147BE128BB24CC4BFBF7A28DB94B44F10052DB645660D0AA987D0486EE

Function 00FD11A8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 47
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(00000000,00000000,00000000), ref: 00FD11F2
GetLastError.KERNEL32 ref: 00FD11F8
ExitProcess.KERNEL32(00000000), ref: 00FD1204
ExitThread.KERNEL32 ref: 00FD1234

Strings

-, xrefs: 00FD11E1
1, xrefs: 00FD11E8

Memory Dump Source

Source File: 0000001D.00000002.1751975964.0000000000FD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00FD0000, based on PE: true

Associated: 0000001D.00000002.1751953110.0000000000FD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752000225.0000000000FDC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752023672.0000000000FE1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752051812.0000000000FF7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_fd0000_dwqocx.jbxd

Yara matches

Similarity

API ID: ExitProcess$ErrorLastOpenThread
String ID: -$1
API String ID: 153595879-1877142845
Opcode ID: dbf335a80af57721a373f0a47146686aed70db8ee54d8d1fd812214ff50e9b6d
Instruction ID: 39e37954ade39b9d0e22eeca014c4be64610bbb521af32e5e05f9d038b420d79
Opcode Fuzzy Hash: dbf335a80af57721a373f0a47146686aed70db8ee54d8d1fd812214ff50e9b6d
Instruction Fuzzy Hash: D501ADB0D01219ABDB149FB5980C7EEBFBAFF09751F10812AD115E6291D3B40981EBE4

Function 00437580 Relevance: 7.5, APIs: 5, Instructions: 47
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,00020019,?,?,0000060C,?,004379F5,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 00437596
RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000080,?,?,004379F5,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 004375B7
RegCloseKey.KERNELBASE(?,?,004379F5,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 004375C7
GetLastError.KERNEL32(?,004379F5,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 004375D6
RegCloseKey.ADVAPI32(?,?,004379F5,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,ProcessorNameString,0000060C,00000080), ref: 004375DF

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: Close$ErrorLastOpenQueryValue
String ID:
API String ID: 2437438455-0
Opcode ID: 50f1296fbe005f4d514e5e73b39dcfade595f4cb02c2d4eb407e96724553dec0
Instruction ID: 3513fe0f41514a3fe818a8c1ca9a075d39d7cadd0e503532e746727269c7a951
Opcode Fuzzy Hash: 50f1296fbe005f4d514e5e73b39dcfade595f4cb02c2d4eb407e96724553dec0
Instruction Fuzzy Hash: 7B012C7264111CFBDB209F94ED09DDABB78EB08351F008162FD05D6120D7329A34EBE5

Function 00FD1113 Relevance: 3.0, APIs: 2, Instructions: 43
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(00FE20C0,00012400,00000040,00000002,00FDFD30,00000018,00FD122F), ref: 00FD114C
VirtualProtect.KERNELBASE(00FE20C0,00012400,00000002,?), ref: 00FD1180

Memory Dump Source

Source File: 0000001D.00000002.1751975964.0000000000FD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00FD0000, based on PE: true

Associated: 0000001D.00000002.1751953110.0000000000FD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752000225.0000000000FDC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752023672.0000000000FE1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752051812.0000000000FF7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_fd0000_dwqocx.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a575496715ffb97dfe96e2e5cf3493775e1783eb0543a58548d37cced62cabfe
Instruction ID: 1cf86a20bb4d178dab8c6ad9c66637ea4398d85d825132eca27c0a0458430c14
Opcode Fuzzy Hash: a575496715ffb97dfe96e2e5cf3493775e1783eb0543a58548d37cced62cabfe
Instruction Fuzzy Hash: 080171B1940309AADB10EFE58C46EDDB7BABF08710F58511AE601F62C1D774D640EA35

Function 00FD5982 Relevance: 3.0, APIs: 2, Instructions: 30
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,?,?,?,?,5EFC4D8B,00000000,00000000,00000000,?,00FD55A0,?,?,00000000,?,00000000), ref: 00FD59A9
LCMapStringW.KERNEL32(00000000,?,?,?,?,5EFC4D8B,?,00FD55A0,?,?,00000000,?,00000000,00000000), ref: 00FD59C6

Memory Dump Source

Source File: 0000001D.00000002.1751975964.0000000000FD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00FD0000, based on PE: true

Associated: 0000001D.00000002.1751953110.0000000000FD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752000225.0000000000FDC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752023672.0000000000FE1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752051812.0000000000FF7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_fd0000_dwqocx.jbxd

Yara matches

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: d08033042f2598613868b70d6831cd1a4cd94775e720337cc696cc366ae95281
Instruction ID: a44501e951f873170fcd98459423a4a044dd7f1aeac133862b4e04ce0708c331
Opcode Fuzzy Hash: d08033042f2598613868b70d6831cd1a4cd94775e720337cc696cc366ae95281
Instruction Fuzzy Hash: 4FF07F3201014EFFDF069F94EC0ACAE3B6AFB08360B048115FA2885020D772A971FBA1

Function 00434DD0 Relevance: 3.0, APIs: 2, Instructions: 26
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,00434B30,00000000,00000000,00000000), ref: 00434DFC
CloseHandle.KERNEL32(00000000), ref: 00434E0F

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleThread
String ID:
API String ID: 3032276028-0
Opcode ID: f15bb76eeb390713cf23b1aa4dedcbcb12aeb9e1d63bea81addf2df97737fffc
Instruction ID: ab00b43da8913ad787f121c3b9dbab8b04f0021a1a2fa3c5e2840548e075ecbb
Opcode Fuzzy Hash: f15bb76eeb390713cf23b1aa4dedcbcb12aeb9e1d63bea81addf2df97737fffc
Instruction Fuzzy Hash: 42F03034A80308FBDB14DF94DC0ABDDB770EB58705F20905AE911673C0D6B57A50CB09

Non-executed Functions

Function 004358D0 Relevance: 119.5, APIs: 54, Strings: 14, Instructions: 491stringmemoryencryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00438130: GetTickCount.KERNEL32 ref: 00438139
Part of subcall function 00438130: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0043818F
Part of subcall function 00438130: VirtualAlloc.KERNEL32(00000000,00000000), ref: 004381A1
Part of subcall function 00438130: lstrcatW.KERNEL32(00000000,00000000), ref: 004381B1
Part of subcall function 00438130: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004381BB
Part of subcall function 00438130: lstrcatW.KERNEL32(00000000,00440604), ref: 004381D1
Part of subcall function 00438130: lstrcatW.KERNEL32(00000000,00000000), ref: 0043822C
Part of subcall function 00438130: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0043823A
Part of subcall function 00438130: lstrcatW.KERNEL32(00000000,0043FFF8), ref: 00438280

VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000040,00000001,?,00000001,00000001,?,00000001), ref: 00435969
CryptBinaryToStringA.CRYPT32(00000000,00000000,40000001,00000000,?,?,00000001,00000001,?,00000001), ref: 00435A1C
CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,00000001,00000001,?,00000001), ref: 00435A35
lstrlenA.KERNEL32(00000000,?,00000001,00000001,?,00000001), ref: 00435A3E
lstrlenA.KERNEL32(?,?,00000001,00000001,?,00000001), ref: 00435A46
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040,?,00000001,00000001,?,00000001), ref: 00435A5B
lstrlenA.KERNEL32 ref: 00435A77
lstrlenA.KERNEL32(00000000), ref: 00435A9E
lstrlenA.KERNEL32(?), ref: 00435ABD
lstrlenA.KERNEL32(?), ref: 00435AE4
lstrlenA.KERNEL32(00000000), ref: 00435AF5
lstrlenA.KERNEL32(00000000), ref: 00435B17
lstrcatW.KERNEL32(?,action=call&), ref: 00435B2B
lstrlenW.KERNEL32(?), ref: 00435B38
lstrcatW.KERNEL32(756EE0B0,&id=,756EE0B0), ref: 00435B9A
lstrcatW.KERNEL32(756EE0B0,?), ref: 00435BA1
lstrcatW.KERNEL32(756EE0B0,&subid=), ref: 00435BA9
lstrcatW.KERNEL32(756EE0B0,?), ref: 00435BB0
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00435BC3
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00435BD0
lstrcatW.KERNEL32(756EE0B0,&pub_key=), ref: 00435BD8
lstrlenW.KERNEL32(756EE0B0), ref: 00435BE5
lstrlenA.KERNEL32(00000000), ref: 00435BEE
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,756EE0B0,00000000), ref: 00435BFF
lstrcatW.KERNEL32(?,&priv_key=), ref: 00435C0F
lstrlenW.KERNEL32(?), ref: 00435C16
lstrlenA.KERNEL32(00000000), ref: 00435C1F
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000000), ref: 00435C30
lstrcatW.KERNEL32(0043FCB0,00760026), ref: 00435C8D
lstrlenW.KERNEL32(?), ref: 00435C98
VirtualAlloc.KERNEL32(00000000,-00000012,00003000,00000040), ref: 00435CAE
lstrlenW.KERNEL32(?), ref: 00435CB9
lstrlenW.KERNEL32(?), ref: 00435CDD
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00435CF5
lstrlenW.KERNEL32(?,00003000,00000004), ref: 00435D06
VirtualAlloc.KERNEL32(00000000,-00000002), ref: 00435D0E
wsprintfA.USER32 ref: 00435D27

Part of subcall function 00436010: VirtualAlloc.KERNEL32(00000000,0000000A,00003000,00000004,00000000,00000000), ref: 00436033
Part of subcall function 00436010: GetModuleHandleA.KERNEL32(ntdll.dll), ref: 00436048
Part of subcall function 00436010: GetProcAddress.KERNEL32(00000000,RtlComputeCrc32), ref: 00436059
Part of subcall function 00436010: lstrlenA.KERNEL32(00000000), ref: 00436064
Part of subcall function 00436010: wsprintfA.USER32 ref: 0043607C
Part of subcall function 00436010: _memset.LIBCMT ref: 0043609B
Part of subcall function 00436010: lstrlenA.KERNEL32(00000000), ref: 004360A4
Part of subcall function 00436010: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004360D3

CryptBinaryToStringA.CRYPT32(?,756EE0B0,40000001,00000000,?), ref: 00435D61
GetLastError.KERNEL32(?,00000001,00000001,?,00000001), ref: 00435D6B
lstrlenA.KERNEL32(00000000), ref: 00435D72
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 00435D81
lstrlenA.KERNEL32(00000000), ref: 00435D8C
lstrlenA.KERNEL32(00000000), ref: 00435DAC
lstrlenA.KERNEL32(00000000), ref: 00435DD4
lstrlenA.KERNEL32(00000000), ref: 00435DE3
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 00435DF4
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,00000001,?,00000001), ref: 00435E2C
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,00000001,?,00000001), ref: 00435E3A
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,00000001,?,00000001), ref: 00435E47
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,00000001,?,00000001), ref: 00435E6C
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,00000001,?,00000001), ref: 00435E7A
VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,00000001,?,00000001), ref: 00435E87
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00435E9E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00435EB1

Strings

o, xrefs: 00435C50
&id=, xrefs: 00435B94
&advert=+380668846667, xrefs: 00435C75
., xrefs: 00435C68
=, xrefs: 00435C58
s, xrefs: 00435C48
action=call&, xrefs: 00435B25
&priv_key=, xrefs: 00435C09
popkadurak, xrefs: 004358FE
e, xrefs: 00435C40
&subid=, xrefs: 00435BA3
., xrefs: 00435C60
&pub_key=, xrefs: 00435BD2
&, xrefs: 00435C38

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Free$lstrcat$Alloc$BinaryByteCharCryptMultiStringWide$wsprintf$AddressCountErrorHandleLastModuleProcTick_memset
String ID: &$&advert=+380668846667$&id=$&priv_key=$&pub_key=$&subid=$.$.$=$action=call&$e$o$popkadurak$s
API String ID: 3331976855-889238998
Opcode ID: f8b72f1225a0d917f4ae91d51a1f1bf55770924196addbf8a80f893759e7f761
Instruction ID: 4a204a3c7df4551d7f0b658188d3845bbb2bf401ece93798b97eae74eec981cc
Opcode Fuzzy Hash: f8b72f1225a0d917f4ae91d51a1f1bf55770924196addbf8a80f893759e7f761
Instruction Fuzzy Hash: 3D029C71548305AFD720DF24CC85B5BBBE9FF88704F10192EF585A7290D7B8E9098B9A

Function 00435400 Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 230stringmemoryencryptionCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,00435643,00000000,?,00000000,00000000,?,00000000), ref: 0043540F
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040,?,?,?,?,00435643,00000000,?,00000000,00000000,?,00000000), ref: 00435426
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0043544B
lstrlenA.KERNEL32(?,00003000,00000004,00000000,?,?,?,?,00435643,00000000,?), ref: 004354A7
VirtualAlloc.KERNEL32(00000000,00000001,?,?,?,?,00435643,00000000,?), ref: 004354B1
lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00435643,00000000,?), ref: 004354C2
HeapFree.KERNEL32(00000000,?,?,?,?,00435643,00000000,?), ref: 004354DD
HeapFree.KERNEL32(00000000,?,?,?,?,00435643,00000000,?), ref: 004354EE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,00435643,00000000,?,00000000,00000000,?,00000000), ref: 004354FD
GetLastError.KERNEL32(?,?,?,?,00435643,00000000,?,00000000,00000000,?,00000000), ref: 0043550C
lstrlenA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00435542
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00435562
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 00435574
lstrcatA.KERNEL32(00000000,?), ref: 0043558E
lstrlenA.KERNEL32(00000000), ref: 004355E3
lstrlenW.KERNEL32(?), ref: 004355EF
lstrlenA.KERNEL32(00000000,00000000,00031FFF,?,00000000), ref: 0043560B
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00000000,00000000,?,00000000), ref: 00435665
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 00435671
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0043567B
InternetCloseHandle.WININET(zXC), ref: 00435685

Strings

zXC, xrefs: 0043567D, 00435684
POST, xrefs: 004355FA

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Heap$BinaryCloseCryptErrorHandleInternetLastStringlstrcatlstrcpy
String ID: POST$zXC
API String ID: 1287001821-776939764
Opcode ID: ee42ce115a4b16cb4ba2bcb3b104a9aba2a8884fbf59fced4c2d2c13c9f94483
Instruction ID: 1e01e09f9a7e2494bec5d6e0a50989de2f934f58deb692394d2adba2b7df040f
Opcode Fuzzy Hash: ee42ce115a4b16cb4ba2bcb3b104a9aba2a8884fbf59fced4c2d2c13c9f94483
Instruction Fuzzy Hash: 3271D371E40705ABEB109FA5CC45FAFBB78FF88700F105126FA44A3250DB78AA44CB99

Function 004356A0 Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 188stringmemoryencryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00438130: GetTickCount.KERNEL32 ref: 00438139
Part of subcall function 00438130: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0043818F
Part of subcall function 00438130: VirtualAlloc.KERNEL32(00000000,00000000), ref: 004381A1
Part of subcall function 00438130: lstrcatW.KERNEL32(00000000,00000000), ref: 004381B1
Part of subcall function 00438130: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004381BB
Part of subcall function 00438130: lstrcatW.KERNEL32(00000000,00440604), ref: 004381D1
Part of subcall function 00438130: lstrcatW.KERNEL32(00000000,00000000), ref: 0043822C
Part of subcall function 00438130: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0043823A
Part of subcall function 00438130: lstrcatW.KERNEL32(00000000,0043FFF8), ref: 00438280

VirtualAlloc.KERNEL32(00000000,00004C02,00003000,00000040,?,00000000,?), ref: 004356E4
wsprintfW.USER32 ref: 00435714
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 0043575D
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 00435779
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 00435790
lstrlenW.KERNEL32(00000000,00003000,00000004,?,00000000,00000000,?,00000000), ref: 0043579E
VirtualAlloc.KERNEL32(00000000,-00000002,?,00000000,00000000,?,00000000), ref: 004357A6
wsprintfA.USER32 ref: 004357BC
CryptBinaryToStringA.CRYPT32(?,756EE0B0,40000001,00000000,?,?,00000000,00000000,?,00000000), ref: 004357F0
GetLastError.KERNEL32(?,00000000,00000000,?,00000000), ref: 004357FA
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 00435807
VirtualAlloc.KERNEL32(00000000,-00000004,00003000,00000040,?,00000000,00000000,?,00000000), ref: 00435819
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 00435823
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 00435841
lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 00435860
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,?,00000000), ref: 004358A0
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 004358AC
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 004358C3

Strings

popkadurak, xrefs: 004356C7
action=result&e_files=%d&e_size=%I64u&e_time=%d&, xrefs: 0043570E

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtual$lstrlen$Free$Alloclstrcat$wsprintf$BinaryCountCryptErrorLastStringTick
String ID: action=result&e_files=%d&e_size=%I64u&e_time=%d&$popkadurak
API String ID: 487841380-2102589890
Opcode ID: 7bc97a010d46d3dfa9836f98c47bd523f482a879171de50c4fdab0066587ea16
Instruction ID: 16b2db685a16c9f9b50c1a8262274fe9e582f6e79b8917032972418e11f9387f
Opcode Fuzzy Hash: 7bc97a010d46d3dfa9836f98c47bd523f482a879171de50c4fdab0066587ea16
Instruction Fuzzy Hash: 3E518170E40218BBEB249F65CD46FAF7B78EF48704F10106AF645A6290DB786E148B99

Function 00436CB0 Relevance: 35.1, APIs: 17, Strings: 3, Instructions: 136stringfilememoryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,?,00000000), ref: 00436CC2
lstrcatW.KERNEL32(00000000,0043FF64,?,00000000), ref: 00436CD4
FindFirstFileW.KERNEL32(00000000,?,?,00000000), ref: 00436CE2
lstrcmpW.KERNEL32(?,0043FF68,?,00000000), ref: 00436D0C
lstrcmpW.KERNEL32(?,0043FF6C,?,00000000), ref: 00436D22
lstrcatW.KERNEL32(00000000,?,?,00000000), ref: 00436D34
lstrlenW.KERNEL32(00000000,?,00000000), ref: 00436D3B
lstrcmpW.KERNEL32(-00000001,.sql,?,00000000), ref: 00436D6A
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 00436D81
GetFileSize.KERNEL32(00000000,00000000,?,00000000), ref: 00436D8C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,00000000), ref: 00436DAA
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000), ref: 00436DBF
lstrlenA.KERNEL32(*******************,?,00000000), ref: 00436DDE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 00436DF9
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00436E03
FindNextFileW.KERNEL32(?,?,?,00000000), ref: 00436E2C
FindClose.KERNEL32(?,?,00000000), ref: 00436E3D

Strings

FoC, xrefs: 00436E1A
.sql, xrefs: 00436D64
*******************, xrefs: 00436DC9, 00436DD9

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: File$Findlstrcmplstrlen$CloseVirtuallstrcat$AllocCreateFirstFreeHandleNextReadSize
String ID: *******************$.sql$FoC
API String ID: 3616287438-3199560638
Opcode ID: 41295924c2982df45563df33fbc22a3da42de978ebdedaee3a044bf2b5e783dd
Instruction ID: 154a3f852d3e68e5b8d199ea9b10af92f83cc8ba9f43ebfbca36aa04c439a7ac
Opcode Fuzzy Hash: 41295924c2982df45563df33fbc22a3da42de978ebdedaee3a044bf2b5e783dd
Instruction Fuzzy Hash: B1417171A40216BBDB10AF64DC49FAF77BCEF09700F11A07AF941E2250DB789A15CB69

Function 00436770 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 93encryptionCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00443058,?,004338F4,00000000,00000000,00000000,?,00000800), ref: 0043677B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,?,004338F4,00000000,00000000,00000000), ref: 004367A1
GetLastError.KERNEL32(?,004338F4,00000000,00000000,00000000), ref: 004367AB
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,004338F4,00000000,00000000,00000000), ref: 004367C7
LeaveCriticalSection.KERNEL32(00443058,?,004338F4,00000000,00000000,00000000), ref: 004367D6
LeaveCriticalSection.KERNEL32(00443058,?,004338F4,00000000,00000000,00000000), ref: 004367EA
CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,004338F4,00000000,00000000), ref: 00436812
CryptGetKeyParam.ADVAPI32(00000000,00000008,004338F4,0000000A,00000000,?,004338F4,00000000), ref: 00436833
CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,004338F4,?,004338F4,00000000), ref: 0043685B
GetLastError.KERNEL32(?,004338F4,00000000), ref: 00436864
CryptReleaseContext.ADVAPI32(00000000,00000000,?,004338F4,00000000,00000000), ref: 00436881
LeaveCriticalSection.KERNEL32(00443058,?,004338F4,00000000,00000000), ref: 0043688C

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00436796, 004367BC

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: Crypt$CriticalSection$ContextLeave$AcquireErrorLast$EncryptEnterImportParamRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 3173605824-1948191093
Opcode ID: 0e0a048ea892ab32ce8c7366eb9b4cf964e1db8335bc1e49bb5ed8f98aab4d99
Instruction ID: 32e3c8fdeaff6c6d3323de5a700303564d74c0eed246302fbd441789a465c971
Opcode Fuzzy Hash: 0e0a048ea892ab32ce8c7366eb9b4cf964e1db8335bc1e49bb5ed8f98aab4d99
Instruction Fuzzy Hash: D131A274A80309FBEB14DFA0DD49F9E77B4BB0CB01F109419F601A62D0DB789A049B6A

Function 00438880 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 96encryptionlibrarymemoryCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 004388A0
VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 004388C8
GetModuleHandleA.KERNEL32(?), ref: 0043891D
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0043892B
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0043893A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0043895E
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0043896C
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0043292B), ref: 00438980
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0043292B), ref: 0043898E

Strings

Advapi32.dll, xrefs: 00438927, 0043892A
+)C, xrefs: 00438947
CryptGenRandomAdvapi32.dll, xrefs: 00438935, 00438938

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: +)C$Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-3562963855
Opcode ID: bdc47e917cd96e78b25b98ca702dcb3d60257618ce87bbb665803f7cf372b6c6
Instruction ID: 94ed8f11723f58c0ceade5f673b7aad24be7eded976a1cf52f37bedd84d460e3
Opcode Fuzzy Hash: bdc47e917cd96e78b25b98ca702dcb3d60257618ce87bbb665803f7cf372b6c6
Instruction Fuzzy Hash: 7A31DB75A40208AFDF10CFA5DC49BEEBB78EF48701F10506DF601E5250DB749A10CB6A

Function 00436F00 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 152stringfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 00436F60
lstrcatW.KERNEL32(00000000,0043FF64,?,?), ref: 00436F78
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00436F82

Part of subcall function 004368A0: VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,00000000,?,00436F26,00000000,?,?), ref: 004368BC
Part of subcall function 004368A0: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00000000,?,00436F26,00000000,?,?), ref: 00436914

lstrcmpW.KERNEL32(?,0043FF68,?,?), ref: 00436FB0
lstrcmpW.KERNEL32(?,0043FF6C,?,?), ref: 00436FCA
lstrcatW.KERNEL32(00000000,?,?,?), ref: 00436FE0
lstrcatW.KERNEL32(00000000,0043FFA4,?,?), ref: 00437007
FindNextFileW.KERNEL32(00000000,?,?,?), ref: 0043708D
FindClose.KERNEL32(00000000,?,?), ref: 0043709E

Strings

SQL, xrefs: 00436FF1

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: Findlstrcat$FileVirtuallstrcmp$AllocCloseFirstFreeNextlstrlen
String ID: SQL
API String ID: 991218351-1299261525
Opcode ID: 8caa70a0deb192c90fe91785785ee40a52ac4c4529b630e69311878d29a866ed
Instruction ID: aaafa7620e5b8d118cab4b8575951e93e10bba7dcbcc2df595aabc3a2b094abf
Opcode Fuzzy Hash: 8caa70a0deb192c90fe91785785ee40a52ac4c4529b630e69311878d29a866ed
Instruction Fuzzy Hash: BB51C671A04209ABDF24DF65EC84AAE77B9EF4C314F0050ABF908D7250D7399E149F59

Function 00438730 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 111encryptionlibrarymemoryCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0043874D
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0043877B
GetModuleHandleA.KERNEL32(?), ref: 004387CF
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 004387DD
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 004387EC
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00438835
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00438843
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00438857
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00438865

Strings

Advapi32.dll, xrefs: 004387D9, 004387DC
CryptGenRandomAdvapi32.dll, xrefs: 004387E7, 004387EA

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: 911351f24165fa7eaf494d2e389e262030128a5ed9dc25737fdad033713c3afe
Instruction ID: 695a1934e568c2e87584e475b85c0918550c98b40ca8976c1a78554fcc220862
Opcode Fuzzy Hash: 911351f24165fa7eaf494d2e389e262030128a5ed9dc25737fdad033713c3afe
Instruction Fuzzy Hash: 3031E575A00309AADF249FE5DC49BEEFB78EF09700F20506EF501A6250EB749A11CB6D

Function 004364F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(00434BAE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,00434BA6,?,00434BAE), ref: 00436508
GetLastError.KERNEL32(?,00434BAE), ref: 00436512
CryptAcquireContextW.ADVAPI32(00434BAE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,00434BAE), ref: 0043652E
CryptGenKey.ADVAPI32(00434BAE,0000A400,08000001,?,?,00434BAE), ref: 0043655A
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000000), ref: 0043657E
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?), ref: 00436596
CryptDestroyKey.ADVAPI32(?), ref: 004365A0
CryptReleaseContext.ADVAPI32(00434BAE,00000000), ref: 004365AC
CryptAcquireContextW.ADVAPI32(00434BAE,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000010), ref: 004365C1

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 004364FD, 00436523, 004365B6

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$Export$DestroyErrorLastRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 137402220-1948191093
Opcode ID: cc5522aa096706174fe5bff732e78697c4c6e57e60ae94610d03768685aaec63
Instruction ID: 6d7d2e28d8c8822cc569d70d8e8d16e44964cec52c7ba4d3d41fcc4b245fff03
Opcode Fuzzy Hash: cc5522aa096706174fe5bff732e78697c4c6e57e60ae94610d03768685aaec63
Instruction Fuzzy Hash: 88218375BC0305BBEB24CFA0DD4AFDB3778AB48B00F205464FB41EA1C0C6B999109B69

Function 004334F0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79memorystringencryptionCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00433673,?), ref: 00433504
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,00433673,?), ref: 0043351C
CryptStringToBinaryA.CRYPT32(s6C,00000000,00000001,00000000,?,00000000,00000000), ref: 00433535
VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,00433673,?), ref: 0043354C
VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,00433673,?), ref: 00433561
wsprintfW.USER32 ref: 00433587
wsprintfW.USER32 ref: 00433597
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00433673,?), ref: 004335A9

Strings

s6C, xrefs: 00433532

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$BinaryCryptFreeStringlstrlen
String ID: s6C
API String ID: 2885909284-3477048900
Opcode ID: 8318c37a17a5c5fe56e1cc474ffb619b23a047d775bcf52a0ab2c2d4f17650ce
Instruction ID: 8a6002ad0cfeb5cd94c8101aac161a66623eb1b27cf9c0d69dce74bc698e6803
Opcode Fuzzy Hash: 8318c37a17a5c5fe56e1cc474ffb619b23a047d775bcf52a0ab2c2d4f17650ce
Instruction Fuzzy Hash: 9B21A571A41318BFEB119F648C41F9BBFACEF49750F100065F644E72D0D6B55E108B99

Function 00437160 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56stringmemorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 004382C0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004384A4
Part of subcall function 004382C0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 004384BD

VirtualAlloc.KERNEL32(00000000,00002801,00003000,00000040,756EF3C0,?), ref: 0043717F
lstrlenW.KERNEL32(0043FFB4), ref: 0043718C

Part of subcall function 004384D0: InternetCloseHandle.WININET(?), ref: 004384E3
Part of subcall function 004384D0: InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00438502

lstrlenA.KERNEL32(00000000,ipv4bot.whatismyipaddress.com,0043FFB8,00000000,00000000,00000000,000027FF,?,00000000), ref: 004371BB
wsprintfW.USER32 ref: 004371D3
VirtualFree.KERNEL32(00000000,00000000,00008000,ipv4bot.whatismyipaddress.com,0043FFB8,00000000,00000000,00000000,000027FF,?,00000000), ref: 004371E9
InternetCloseHandle.WININET(?), ref: 004371F7

Strings

ipv4bot.whatismyipaddress.com, xrefs: 004371AC
GET, xrefs: 00437194

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpenVirtuallstrlen$AllocConnectFreewsprintf
String ID: GET$ipv4bot.whatismyipaddress.com
API String ID: 4289327240-2259699238
Opcode ID: 4c2a3969607ee640ffa78f5d447d68b7b7634abf872920277f7b75469356b936
Instruction ID: e49d8e4db9504770c6e818353ada2229ad03a7ecce0d58d76e4ea1ab67923283
Opcode Fuzzy Hash: 4c2a3969607ee640ffa78f5d447d68b7b7634abf872920277f7b75469356b936
Instruction Fuzzy Hash: 8601D836B8021077DF206B669D4EF5B7E3CAB99B11F10103AFA45E11C0DE688919D6AE

Function 00432F50 Relevance: 10.6, APIs: 7, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

EnumDeviceDrivers.PSAPI(?,00000004,?), ref: 00432F74
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00432F8D

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: AllocDeviceDriversEnumVirtual
String ID:
API String ID: 4140748134-0
Opcode ID: bbaec4300c439773b8d015a901dc51f26042c503698d0e00c501af714f8eb26f
Instruction ID: 017289b7111aad03095c2dda45e622744453d622ad93bbae8a249e0e99ae8930
Opcode Fuzzy Hash: bbaec4300c439773b8d015a901dc51f26042c503698d0e00c501af714f8eb26f
Instruction Fuzzy Hash: 9D210A32640118BBEB10CF98DD41FEA77BCEB08714F0001A7FE44D2180D7B59915AB95

Function 004382C0 Relevance: 96.3, APIs: 2, Strings: 53, Instructions: 88networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004384A4
InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 004384BD

Strings

M, xrefs: 004382E4
i, xrefs: 0043840A
i, xrefs: 00438488
l, xrefs: 004382F9
5, xrefs: 0043830D
t, xrefs: 004383CB
3, xrefs: 0043849D
K, xrefs: 004383C1
5, xrefs: 0043848F
p, xrefs: 004383A3
(, xrefs: 00438321
3, xrefs: 00438465
e, xrefs: 004383B7
o, xrefs: 00438426
1, xrefs: 00438367
A, xrefs: 00438399
h, xrefs: 00438434
a, xrefs: 00438303
T, xrefs: 004383F5
e, xrefs: 00438411
), xrefs: 0043838F
3, xrefs: 004383E0
8, xrefs: 0043845E
, xrefs: 00438473
6, xrefs: 0043835D
O, xrefs: 0043837B
8, xrefs: 0043846C
7, xrefs: 004383D9
0, xrefs: 00438317
G, xrefs: 00438418
., xrefs: 00438450
, xrefs: 00438371
a, xrefs: 0043847A
, xrefs: 004383E7
7, xrefs: 00438496
5, xrefs: 004383D2
., xrefs: 00438457
w, xrefs: 0043833F
c, xrefs: 0043841F
K, xrefs: 004383EE
o, xrefs: 0043843B
L, xrefs: 004383FC
e, xrefs: 004383AD
T, xrefs: 00438353
, xrefs: 00438403
a, xrefs: 00438481
6, xrefs: 00438385
d, xrefs: 00438335
5, xrefs: 00438449
z, xrefs: 004382EF
e, xrefs: 00438442
i, xrefs: 0043832B
, xrefs: 00438349

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: $ $ $ $ $($)$.$.$0$1$3$3$3$5$5$5$5$6$6$7$7$8$8$A$G$K$K$L$M$O$T$T$a$a$a$c$d$e$e$e$e$h$i$i$i$l$o$o$p$t$w$z
API String ID: 2038078732-3622400399
Opcode ID: f5435782f192dd437789189a76dad48bbc1b5d78f8784f006b3c7a9fc9f47e6e
Instruction ID: b9cf64c6504292ca68169b652b7d57b02b7815e932c5476c4f4d83df9d59a15b
Opcode Fuzzy Hash: f5435782f192dd437789189a76dad48bbc1b5d78f8784f006b3c7a9fc9f47e6e
Instruction Fuzzy Hash: 7D41A8B4811368DEEB25CF91999879EBFF5BB04748F50819ED5086B201C7F60A89CF64

Function 004348D0 Relevance: 84.1, APIs: 10, Strings: 38, Instructions: 114processmemorystringCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00434A42
VirtualAlloc.KERNEL32(00000000,0000022C,00003000,00000004), ref: 00434A5C
Process32FirstW.KERNEL32(00000000,00000000), ref: 00434A75
lstrcmpiW.KERNEL32(00000002,00000024), ref: 00434A95
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00434AA5
TerminateProcess.KERNEL32(00000000,00000000), ref: 00434AB4
CloseHandle.KERNEL32(00000000), ref: 00434AC1
Process32NextW.KERNEL32(?,00000000), ref: 00434ADA
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00434AF3
CloseHandle.KERNEL32(?), ref: 00434AFA

Strings

dbsnmp.exe, xrefs: 0043491B
sqlbrowser.exe, xrefs: 004348F3
outlook.exe, xrefs: 004349D4
mspub.exe, xrefs: 004349BE
sqlservr.exe, xrefs: 004348FB, 004349F5
dbeng50.exe, xrefs: 00434993
agntsvc.exeencsvc.exe, xrefs: 0043495B
wordpad.exe, xrefs: 00434A37
infopath.exe, xrefs: 004349AB
thunderbird.exe, xrefs: 00434A16
mysqld-opt.exe, xrefs: 0043498B
agntsvc.exeagntsvc.exe, xrefs: 00434953
mydesktopqos.exe, xrefs: 0043492B
thebat.exe, xrefs: 00434A00
ocomm.exe, xrefs: 00434973
winword.exe, xrefs: 00434A2C
synctime.exe, xrefs: 00434923
xfssvccon.exe, xrefs: 0043493B
sqbcoreservice.exe, xrefs: 0043499B
sqlwriter.exe, xrefs: 00434903
sqlagent.exe, xrefs: 004348EB
mydesktopservice.exe, xrefs: 00434943
ocssd.exe, xrefs: 00434913
oracle.exe, xrefs: 0043490B
agntsvc.exeisqlplussvc.exe, xrefs: 00434933
excel.exe, xrefs: 004349A3
visio.exe, xrefs: 00434A21
onenote.exe, xrefs: 004349C9
steam.exe, xrefs: 004349EA
msaccess.exe, xrefs: 004349B3
ocautoupds.exe, xrefs: 0043494B
mysqld.exe, xrefs: 0043497B
msftesql.exe, xrefs: 004348E3
mysqld-nt.exe, xrefs: 00434983
powerpnt.exe, xrefs: 004349DF
tbirdconfig.exe, xrefs: 0043496B
thebat64.exe, xrefs: 00434A0B
firefoxconfig.exe, xrefs: 00434963

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32Virtual$AllocCreateFirstFreeNextOpenSnapshotTerminateToolhelp32lstrcmpi
String ID: agntsvc.exeagntsvc.exe$agntsvc.exeencsvc.exe$agntsvc.exeisqlplussvc.exe$dbeng50.exe$dbsnmp.exe$excel.exe$firefoxconfig.exe$infopath.exe$msaccess.exe$msftesql.exe$mspub.exe$mydesktopqos.exe$mydesktopservice.exe$mysqld-nt.exe$mysqld-opt.exe$mysqld.exe$ocautoupds.exe$ocomm.exe$ocssd.exe$onenote.exe$oracle.exe$outlook.exe$powerpnt.exe$sqbcoreservice.exe$sqlagent.exe$sqlbrowser.exe$sqlservr.exe$sqlwriter.exe$steam.exe$synctime.exe$tbirdconfig.exe$thebat.exe$thebat64.exe$thunderbird.exe$visio.exe$winword.exe$wordpad.exe$xfssvccon.exe
API String ID: 3586910739-2697476765
Opcode ID: 4d7ee9e4de71bdc0425fccf302184aa7262f0c41c139441d03b8e52cfa931fa4
Instruction ID: 5e5e87f45280335569a4c58fe6e0773d0e9aa3705455475bc36201c6da4238fc
Opcode Fuzzy Hash: 4d7ee9e4de71bdc0425fccf302184aa7262f0c41c139441d03b8e52cfa931fa4
Instruction Fuzzy Hash: 53516FB18483809FD7209F50994D74BBBF4BB99318F10E92EE5985A260C7B8980DCF5F

Function 004345C0 Relevance: 78.8, APIs: 5, Strings: 40, Instructions: 99memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00433D00: _memset.LIBCMT ref: 00433D52
Part of subcall function 00433D00: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 00433D76
Part of subcall function 00433D00: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 00433D7A
Part of subcall function 00433D00: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 00433D7E
Part of subcall function 00433D00: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00433DA5

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000040), ref: 0043477F
GetSystemDirectoryW.KERNEL32(00000000,00000100), ref: 00434795
lstrcatW.KERNEL32(00000000,0063005C), ref: 0043479D
ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000,00000000), ref: 004347B3
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004347C7

Strings

e, xrefs: 00434653
x, xrefs: 00434616
w, xrefs: 004345FE
, xrefs: 00434726
e, xrefs: 0043475D
d, xrefs: 004346D9
\, xrefs: 00434672
a, xrefs: 0043462B
., xrefs: 0043460E
c, xrefs: 0043463B
m, xrefs: 004346C9
s, xrefs: 00434623
l, xrefs: 004346E4
t, xrefs: 004346EF
u, xrefs: 00434752
s, xrefs: 004346B9
., xrefs: 00434690
o, xrefs: 00434633
, xrefs: 0043464B
/, xrefs: 004346A9
open, xrefs: 004347AC
a, xrefs: 00434731
n, xrefs: 004346D1
, xrefs: 004346B1
x, xrefs: 0043469C
l, xrefs: 0043473C
m, xrefs: 004345F2
h, xrefs: 00434705
i, xrefs: 00434606
b, xrefs: 004345E6
m, xrefs: 0043467C
d, xrefs: 00434710
w, xrefs: 0043471B
a, xrefs: 004346C1
e, xrefs: 00434663
, xrefs: 004346FA
p, xrefs: 00434643
e, xrefs: 0043465B
/, xrefs: 00434747
\, xrefs: 004345DE

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocDirectoryExecuteFreeInfoShellSystemVerifyVersion_memsetlstrcat
String ID: $ $ $ $.$.$/$/$\$\$a$a$a$b$c$d$d$e$e$e$e$h$i$l$l$m$m$m$n$o$open$p$s$s$t$u$w$w$x$x
API String ID: 2684037697-4098772853
Opcode ID: 882c6864745679a9344f0147b9335992b95e8697f65f2e3d8f04cd83bca2b763
Instruction ID: d6a0ed6731b8fbd9fed2d070f43b4628c2c0033e30d8563d6f94286ad6db5c07
Opcode Fuzzy Hash: 882c6864745679a9344f0147b9335992b95e8697f65f2e3d8f04cd83bca2b763
Instruction Fuzzy Hash: AE4118B0148380DFE3208F119849B5BBFE6BBC5B49F10591DE6985A291C7F6854CCF9B

Function 00433DC0 Relevance: 77.1, APIs: 9, Strings: 35, Instructions: 109memorysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00433D00: _memset.LIBCMT ref: 00433D52
Part of subcall function 00433D00: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 00433D76
Part of subcall function 00433D00: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 00433D7A
Part of subcall function 00433D00: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 00433D7E
Part of subcall function 00433D00: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00433DA5

Part of subcall function 00433C80: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00433CB0

ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00433E6D
wsprintfW.USER32 ref: 00433F37
VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040), ref: 00433F4B
GetForegroundWindow.USER32 ref: 00433F60
ShellExecuteExW.SHELL32(00000000), ref: 00433FC1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00433FD4
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00433FE6
CloseHandle.KERNEL32(?), ref: 00433FEF
ExitProcess.KERNEL32 ref: 00433FF7

Strings

t, xrefs: 00433F16
, xrefs: 00433EB1
y, xrefs: 00433E25
l, xrefs: 00433EA9
%, xrefs: 00433DF7
s, xrefs: 00433F00
p, xrefs: 00433E78
r, xrefs: 00433E15
e, xrefs: 00433E4D
s, xrefs: 00433E99
a, xrefs: 00433EC1
i, xrefs: 00433E04
c, xrefs: 00433EA1
n, xrefs: 00433F7D
c, xrefs: 00433E65
m, xrefs: 00433E35
w, xrefs: 00433E45
%, xrefs: 00433F21
, xrefs: 00433EEA
c, xrefs: 00433EF5
m, xrefs: 00433EDF
o, xrefs: 00433E88
", xrefs: 00433F2C
e, xrefs: 00433EC9
r, xrefs: 00433F75
2, xrefs: 00433E3D
a, xrefs: 00433F0B
d, xrefs: 00433E0D
", xrefs: 00433ED4
e, xrefs: 00433E91
\, xrefs: 00433E1D
\, xrefs: 00433E55
t, xrefs: 00433E2D
s, xrefs: 00433F85
r, xrefs: 00433EB9

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocAllocateCloseEnvironmentExecuteExitExpandForegroundFreeHandleInfoInitializeObjectProcessShellSingleStringsVerifyVersionWaitWindow_memsetwsprintf
String ID: $ $"$"$%$%$2$\$\$a$a$c$c$c$d$e$e$e$i$l$m$m$n$o$p$r$r$r$s$s$s$t$t$w$y
API String ID: 561366689-3790645798
Opcode ID: 86b379afd52061868de15862654c3f7b6bb3587191c417589402d1a451560b13
Instruction ID: 9b5f52f4f4241ad75abfbba26bfacbf558d0cdd606acc89b6c9b377b119bf86b
Opcode Fuzzy Hash: 86b379afd52061868de15862654c3f7b6bb3587191c417589402d1a451560b13
Instruction Fuzzy Hash: 1C5158B0408340DFE3208F11D848B5ABFF9BF84749F005A2DE69886251C7FA9558CF9B

Function 004337B0 Relevance: 68.6, APIs: 33, Strings: 6, Instructions: 320memorystringwindowCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,00000010,00000000,00000000), ref: 004337C4
SetFileAttributesW.KERNEL32(00000000,00000000), ref: 004337CF
VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040,00000000,00000000,00000000,?), ref: 0043380A
lstrcpyW.KERNEL32(00000000,00000000), ref: 00433828
lstrcatW.KERNEL32(00000000,0043002E), ref: 00433833

Part of subcall function 00438880: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 004388A0
Part of subcall function 00438880: VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 004388C8
Part of subcall function 00438880: GetModuleHandleA.KERNEL32(?), ref: 0043891D
Part of subcall function 00438880: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0043892B
Part of subcall function 00438880: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 0043893A
Part of subcall function 00438880: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0043895E
Part of subcall function 00438880: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0043896C

Part of subcall function 00438880: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0043292B), ref: 00438980
Part of subcall function 00438880: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0043292B), ref: 0043898E

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 00433896
VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 004338C1

Part of subcall function 00436770: EnterCriticalSection.KERNEL32(00443058,?,004338F4,00000000,00000000,00000000,?,00000800), ref: 0043677B
Part of subcall function 00436770: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,?,004338F4,00000000,00000000,00000000), ref: 004367A1
Part of subcall function 00436770: GetLastError.KERNEL32(?,004338F4,00000000,00000000,00000000), ref: 004367AB
Part of subcall function 00436770: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,004338F4,00000000,00000000,00000000), ref: 004367C7
Part of subcall function 00436770: LeaveCriticalSection.KERNEL32(00443058,?,004338F4,00000000,00000000,00000000), ref: 004367D6

MessageBoxA.USER32(00000000,Fatal error: rsaenh.dll is not initialized as well,Fatal error,00000010), ref: 0043390F
GetLastError.KERNEL32 ref: 00433933
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0043398D
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00433999
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00433BB8

Strings

HlC, xrefs: 004339FF
Fatal error: rsaenh.dll is not initialized as well, xrefs: 00433908
B, xrefs: 00433821
R, xrefs: 0043381A
, xrefs: 004338DA
Fatal error, xrefs: 00433903

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtual$ContextCryptFree$Alloc$Acquire$AttributesCriticalErrorFileLastReleaseSection$AddressEnterHandleLeaveLibraryLoadMessageModuleProclstrcatlstrcpy
String ID: $B$Fatal error$Fatal error: rsaenh.dll is not initialized as well$HlC$R
API String ID: 3050744578-2265939489
Opcode ID: 2d3ed79f63ef45b50a98205ba23161d5947854cda1477d5b2c749dba75acac1f
Instruction ID: 78c39a9d5d7d20ac23f1014bfe9c64397cb7d27b976d10aa486426b8763edb96
Opcode Fuzzy Hash: 2d3ed79f63ef45b50a98205ba23161d5947854cda1477d5b2c749dba75acac1f
Instruction Fuzzy Hash: 8FC14C71E40308ABEB119F94DC46FEEBB78BF48704F205125F640BA2D0DBB56A548F69

Function 00435070 Relevance: 68.4, APIs: 8, Strings: 31, Instructions: 119pipememoryCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(00443080,0044307C,?,00000000,00000001,00000001,00000000), ref: 0043518D
SetHandleInformation.KERNEL32(00000001,00000000), ref: 004351B1
CreatePipe.KERNEL32(00443078,00443084,0000000C,00000000), ref: 004351CA
SetHandleInformation.KERNEL32(00000001,00000000), ref: 004351DA
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000004), ref: 004351EE
wsprintfW.USER32 ref: 004351FF
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00435220

Strings

u, xrefs: 00435105
n, xrefs: 00435085
S, xrefs: 0043512F
l, xrefs: 00435113
u, xrefs: 004350AD
o, xrefs: 0043511A
fabian wosar <3, xrefs: 0043522F
1, xrefs: 004350D4
d, xrefs: 004350E9
., xrefs: 004350FE
m, xrefs: 00435160
n, xrefs: 0043510C
c, xrefs: 00435144
, xrefs: 00435128
d, xrefs: 00435152
l, xrefs: 0043508F
2, xrefs: 0043513D
n, xrefs: 004350F0
m, xrefs: 004350F7
o, xrefs: 0043514B
u, xrefs: 0043516E
., xrefs: 00435167
n, xrefs: 004350CD
n, xrefs: 00435136
o, xrefs: 004350E2
, xrefs: 004350BF
c, xrefs: 004350DB
o, xrefs: 00435099
u, xrefs: 00435121
S, xrefs: 004350C6
n, xrefs: 00435159

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: CreateHandleInformationPipeVirtual$AllocFreewsprintf
String ID: $ $.$.$1$2$S$S$c$c$d$d$fabian wosar <3$l$l$m$m$n$n$n$n$n$n$o$o$o$o$u$u$u$u
API String ID: 1490407255-1922363339
Opcode ID: e7c69d60045268b9f05d83bc7c2ad988fc6ae3d86090c0ec4baa969ee5410494
Instruction ID: b3010332d460fd0e518b59bfd3f3466eaf76b91192ee4a5185d4df0bec29d16b
Opcode Fuzzy Hash: e7c69d60045268b9f05d83bc7c2ad988fc6ae3d86090c0ec4baa969ee5410494
Instruction Fuzzy Hash: B9415070E40318ABEB209F90DC497DDBFB6FB04B19F104129E504AA285C7FA4999CF95

Function 004342C0 Relevance: 66.7, APIs: 7, Strings: 31, Instructions: 175stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00433BD0: GetProcessHeap.KERNEL32(?,?,00434817,00000000,?,00000000,00000000), ref: 00433C6C

Part of subcall function 00437600: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00437627
Part of subcall function 00437600: GetUserNameW.ADVAPI32(00000000,?), ref: 00437638
Part of subcall function 00437600: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00437656
Part of subcall function 00437600: GetComputerNameW.KERNEL32(00000000,0000001E), ref: 00437660
Part of subcall function 00437600: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 00437680
Part of subcall function 00437600: wsprintfW.USER32 ref: 004376C1
Part of subcall function 00437600: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 004376DE
Part of subcall function 00437600: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00437702
Part of subcall function 00437600: RegQueryValueExW.ADVAPI32(?,LocaleName,00000000,00000000, HC,?), ref: 00437726
Part of subcall function 00437600: RegCloseKey.ADVAPI32(?), ref: 00437742

Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 00437462
Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 0043746D
Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 00437483
Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 0043748E
Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 004374A4
Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 004374AF
Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 004374C5
Part of subcall function 00437410: lstrlenW.KERNEL32(00434B46,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 004374D0
Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 004374E6
Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 004374F1
Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 00437507
Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 00437512
Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 00437531
Part of subcall function 00437410: lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 0043753C

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00434331
lstrlenW.KERNEL32(ransom_id=,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00434373
lstrcpyW.KERNEL32(00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004343F2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004343F9

Strings

h, xrefs: 0043446D
m, xrefs: 0043453D
y, xrefs: 0043452D
w, xrefs: 0043448D
o, xrefs: 004344DD
n, xrefs: 004344E5
r, xrefs: 004344AD
a, xrefs: 00434515
c, xrefs: 004344BD
w, xrefs: 00434505
l, xrefs: 0043450D
{USERID}, xrefs: 004343CF, 0043441D, 00434423
d, xrefs: 004344FD
/, xrefs: 004344D5
r, xrefs: 004344CD
a, xrefs: 00434525
/, xrefs: 00434485
t, xrefs: 00434475
t, xrefs: 0043449D
d, xrefs: 004344F5
o, xrefs: 004344ED
s, xrefs: 0043447D
., xrefs: 004344C5
r, xrefs: 004344A5
n, xrefs: 0043454D
w, xrefs: 00434495
-, xrefs: 0043451D
., xrefs: 00434545
h, xrefs: 00434535
j, xrefs: 004344B5
ransom_id=, xrefs: 00434360, 0043436C

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$Name$CloseComputerHeapOpenProcessQueryUserValuelstrcpywsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$ransom_id=$s$t$t$w$w$w$y${USERID}
API String ID: 4100118565-2385900546
Opcode ID: dc3ea8ce1bc2bf6067a6ac064b74af74e511cf7ce766b555a66a2855c16c52ed
Instruction ID: eaf93eb9c7d446b3fdd658ccdc09af9b3f7f0a0b439959cf2a8634b9fde5dff5
Opcode Fuzzy Hash: dc3ea8ce1bc2bf6067a6ac064b74af74e511cf7ce766b555a66a2855c16c52ed
Instruction Fuzzy Hash: 5971F5705443409BE7209F10D8097ABBBE1FBD4748F10592DFA855B290DBF99948CB9A

Function 004343B6 Relevance: 61.4, APIs: 5, Strings: 30, Instructions: 104stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004343F2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 004343F9
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00434565
wsprintfW.USER32 ref: 0043457F
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00434596

Strings

h, xrefs: 0043446D
m, xrefs: 0043453D
y, xrefs: 0043452D
o, xrefs: 004344DD
n, xrefs: 004344E5
w, xrefs: 0043448D
r, xrefs: 004344AD
a, xrefs: 00434515
c, xrefs: 004344BD
w, xrefs: 00434505
l, xrefs: 0043450D
{USERID}, xrefs: 004343CF, 0043441D, 00434423
d, xrefs: 004344FD
/, xrefs: 004344D5
a, xrefs: 00434525
r, xrefs: 004344CD
/, xrefs: 00434485
t, xrefs: 00434475
t, xrefs: 0043449D
d, xrefs: 004344F5
o, xrefs: 004344ED
s, xrefs: 0043447D
., xrefs: 004344C5
r, xrefs: 004344A5
n, xrefs: 0043454D
w, xrefs: 00434495
-, xrefs: 0043451D
., xrefs: 00434545
h, xrefs: 00434535
j, xrefs: 004344B5

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcpylstrlenwsprintf
String ID: -$.$.$/$/$a$a$c$d$d$h$h$j$l$m$n$n$o$o$r$r$r$s$t$t$w$w$w$y${USERID}
API String ID: 4033391921-3341315666
Opcode ID: c881ab77689a790921297c3dec7ad02f99da38a102c9e7b9cb1818078590ecd8
Instruction ID: 1e2e3d6369eac5a449523ad56354d5262b6e29078f9ed6beb34690da19a5defc
Opcode Fuzzy Hash: c881ab77689a790921297c3dec7ad02f99da38a102c9e7b9cb1818078590ecd8
Instruction Fuzzy Hash: 3F418DB0508340DBE7209F10D54836BBFE2FBD5B4CF10992DE6840B261D7FA8589CB5A

Function 00432960 Relevance: 59.6, APIs: 5, Strings: 29, Instructions: 87registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00520050,00000041,7572F770,00000000), ref: 0043299D

Part of subcall function 00438730: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0043874D
Part of subcall function 00438730: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0043877B
Part of subcall function 00438730: GetModuleHandleA.KERNEL32(?), ref: 004387CF
Part of subcall function 00438730: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 004387DD
Part of subcall function 00438730: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 004387EC
Part of subcall function 00438730: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00438835
Part of subcall function 00438730: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00438843

RegCreateKeyExW.ADVAPI32(80000001,004F0053,00000000,00000000,00000000,000F003F,00000000,E,C,00000000), ref: 00432A84
lstrlenW.KERNEL32(00000000), ref: 00432A8F
RegSetValueExW.ADVAPI32(E,C,00520050,00000000,00000001,00000000,00000000), ref: 00432AA4
RegCloseKey.ADVAPI32(?), ref: 00432AB1

Strings

w, xrefs: 00432A29
r, xrefs: 00432A53
E,C, xrefs: 004329BA, 00432AA1, 004329D7
r, xrefs: 004329FF
P, xrefs: 0043296D
d, xrefs: 00432A22
U, xrefs: 00432984
R, xrefs: 004329CE
n, xrefs: 00432A45
i, xrefs: 00432A1B
f, xrefs: 00432A0D
i, xrefs: 00432A5A
u, xrefs: 00432A37
n, xrefs: 00432A76
i, xrefs: 004329F8
\, xrefs: 004329EB
n, xrefs: 00432A61
S, xrefs: 004329B0
n, xrefs: 00432A6F
R, xrefs: 00432A68
A, xrefs: 0043298C
s, xrefs: 00432A06
\, xrefs: 00432A14
e, xrefs: 00432A7D
F, xrefs: 004329BD
r, xrefs: 00432A3E
V, xrefs: 00432A4C
W, xrefs: 004329C7
H, xrefs: 00432993

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtuallstrlen$AcquireAddressAllocCloseCreateFreeHandleLibraryLoadModuleProcReleaseValue
String ID: A$E,C$F$H$P$R$R$S$U$V$W$\$\$d$e$f$i$i$i$n$n$n$n$r$r$r$s$u$w
API String ID: 553367697-2677956168
Opcode ID: 344a5e7bf2300d1def5c531deeb54ca45d768d4adb6259c552854c39351c9888
Instruction ID: 470aebfde6d98ebec646bba159710dd5e735060566eb55c4f8e7e2ed5aa41241
Opcode Fuzzy Hash: 344a5e7bf2300d1def5c531deeb54ca45d768d4adb6259c552854c39351c9888
Instruction Fuzzy Hash: 1A31ECB090021CDFEB20CF91E949BEDBFB9FB05709F108119E5186A291D7FA49488F99

Function 00437CE0 Relevance: 54.4, APIs: 17, Strings: 14, Instructions: 150memorystringprocessCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,756EF3C0,?,760773E0), ref: 00437CFD
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 00437D71
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00437D86
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00437D9C
Process32FirstW.KERNEL32(00000000,00000000), ref: 00437DBF
lstrcmpiW.KERNEL32(004403D4,-00000024), ref: 00437DE5
Process32NextW.KERNEL32(?,?), ref: 00437E5E
GetLastError.KERNEL32 ref: 00437E68
lstrlenW.KERNEL32(00000000), ref: 00437E86
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00437EAB
CloseHandle.KERNEL32(?), ref: 00437EB0
VirtualFree.KERNEL32(?,?,00008000), ref: 00437EC5

Strings

pccpfw.exe, xrefs: 00437D55
msmpeng.exe, xrefs: 00437D6A
persfw.exe, xrefs: 00437D4E
cmdagent.exe, xrefs: 00437D40
NortonAntiBot.exe, xrefs: 00437D2B
avgnt.exe, xrefs: 00437D1D
fsguiexe.exe, xrefs: 00437D5C
cfp.exe, xrefs: 00437D63
ashDisp.exe, xrefs: 00437D24
ekrn.exe, xrefs: 00437D16
Mcshield.exe, xrefs: 00437D32
avengine.exe, xrefs: 00437D39
smc.exe, xrefs: 00437D47
AVP.EXE, xrefs: 00437D0F

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtual$Free$AllocProcess32$CloseCreateErrorFirstHandleLastNextSnapshotToolhelp32lstrcmpilstrlen
String ID: AVP.EXE$Mcshield.exe$NortonAntiBot.exe$ashDisp.exe$avengine.exe$avgnt.exe$cfp.exe$cmdagent.exe$ekrn.exe$fsguiexe.exe$msmpeng.exe$pccpfw.exe$persfw.exe$smc.exe
API String ID: 2470459410-3383346926
Opcode ID: 907fe4be3d88fc7a27cc45f1a529a07b9fdc9dc51069e723141aacfe753322ee
Instruction ID: 21f5bfc5c54923c8d26755b124ebc3543c75c9281c914fa480a339de5fa49ee5
Opcode Fuzzy Hash: 907fe4be3d88fc7a27cc45f1a529a07b9fdc9dc51069e723141aacfe753322ee
Instruction Fuzzy Hash: AA518FB1944218ABDF20CF54DC49B9E7FB0FF49710F20906AEA44BB290C7785915CF59

Function 00432D30 Relevance: 54.4, APIs: 19, Strings: 12, Instructions: 137windowthreadregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00432F50: EnumDeviceDrivers.PSAPI(?,00000004,?), ref: 00432F74

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00432E19
LoadCursorW.USER32(00000000,00007F00), ref: 00432E2E
LoadIconW.USER32 ref: 00432E59
RegisterClassExW.USER32(?), ref: 00432E68
ExitThread.KERNEL32 ref: 00432E75

Part of subcall function 00432F50: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00432F8D

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 00432E7B
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00007F00), ref: 00432E81
CreateWindowExW.USER32(00000000,win32app,firefox,00CF0000,80000000,80000000,00000005,00000005,00000000,00000000,00000000), ref: 00432EA7
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00432EB4
ExitThread.KERNEL32 ref: 00432EBF

Part of subcall function 00432F50: EnumDeviceDrivers.PSAPI(00000000,00000000,?), ref: 00432FA8
Part of subcall function 00432F50: GetDeviceDriverBaseNameW.PSAPI(00000000,?,00000400), ref: 00432FCF
Part of subcall function 00432F50: lstrcmpiW.KERNEL32(?,006C006B), ref: 00432FE3
Part of subcall function 00432F50: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00432FFA

ExitThread.KERNEL32 ref: 00432F3F

Part of subcall function 00432AD0: VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 00432AEA
Part of subcall function 00432AD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 00432B2C
Part of subcall function 00432AD0: GetTempPathW.KERNEL32(00000100,00000000), ref: 00432B38
Part of subcall function 00432AD0: ExitThread.KERNEL32 ref: 00432C47

ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,00007F00), ref: 00432EC8
UpdateWindow.USER32(00000000), ref: 00432ECF
CreateThread.KERNEL32(00000000,00000000,00432D10,00000000,00000000,00000000), ref: 00432EE3
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 00432EEE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00432F05
TranslateMessage.USER32(?), ref: 00432F1C
DispatchMessageW.USER32(?), ref: 00432F23
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00432F37

Strings

s, xrefs: 00432DB9
w, xrefs: 00432DB1
1, xrefs: 00432D6F
s, xrefs: 00432D7F
f, xrefs: 00432DA1
firefox, xrefs: 00432E9B
s, xrefs: 00432D77
d, xrefs: 00432DA9
s, xrefs: 00432DC1
win32app, xrefs: 00432E51, 00432EA0
k, xrefs: 00432D67
0, xrefs: 00432DF1

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: Thread$ExitHandleMessageModuleWindow$DeviceVirtual$AllocCreateDriversEnumLoadName$BaseClassCloseCursorDispatchDriverFileFreeIconLongPathRegisterShowTempTranslateUpdatelstrcmpi
String ID: 0$1$d$f$firefox$k$s$s$s$s$w$win32app
API String ID: 3011903443-520298170
Opcode ID: a7f6df4a2dc23f927ed558311fd1b35bf0aa5f1664acf62d7c9328f13858d450
Instruction ID: d93f4eff1973f675b1e5fa90de6dbea89ed3966c69e3e629692535ee166bef6a
Opcode Fuzzy Hash: a7f6df4a2dc23f927ed558311fd1b35bf0aa5f1664acf62d7c9328f13858d450
Instruction Fuzzy Hash: 4D518D70588301AFE7109F618D0DB5B7BE4AF48B48F10592DF684A62D0E7F89509CF9E

Function 004384D0 Relevance: 42.1, APIs: 13, Strings: 11, Instructions: 130networkfilememoryCOMMON

Download Yara Rule

APIs

InternetCloseHandle.WININET(?), ref: 004384E3
InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00438502
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000040,?,?,?,?,?,?,?,004371B6,ipv4bot.whatismyipaddress.com,0043FFB8,00000000,00000000), ref: 0043852F
wsprintfW.USER32 ref: 00438543
HttpOpenRequestW.WININET(00000000,?,00000000,HTTP/1.1,00000000,00000000,8404F700,00000000), ref: 00438561
HttpAddRequestHeadersW.WININET(00000000,006F0048,000000FF,00000000), ref: 004385C5
HttpSendRequestW.WININET(00000000,00610072,0020003A,00000000,00740069), ref: 004385DC
InternetReadFile.WININET(00000000,0062002E,00650071,00000000), ref: 004385FB
InternetReadFile.WININET(00000000,0062002E,00650071,00000000), ref: 00438625
GetLastError.KERNEL32 ref: 00438631
InternetCloseHandle.WININET(00000000), ref: 0043863E
InternetCloseHandle.WININET(00000000), ref: 00438643
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,004371B6,ipv4bot.whatismyipaddress.com,0043FFB8), ref: 0043864F

Strings

HTTP/1.1, xrefs: 00438557
:, xrefs: 0043858D
w, xrefs: 004385A9
r, xrefs: 004385B0
n, xrefs: 0043859B
i, xrefs: 004385BE
H, xrefs: 00438573
s, xrefs: 00438586
., xrefs: 004385B7
r, xrefs: 00438594
o, xrefs: 004385A2

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$FileReadVirtual$AllocConnectErrorFreeHeadersLastOpenSendwsprintf
String ID: .$:$H$HTTP/1.1$i$n$o$r$r$s$w
API String ID: 3906118045-693250572
Opcode ID: dd2016aa39268b1cb5046943caa02f765b3e1ccfa00a4b4b03db7db2211b0af2
Instruction ID: e5aa43513ad30d5dc965f3c371dee854e9e03f4b7e0c35d277b5fecd2601b40c
Opcode Fuzzy Hash: dd2016aa39268b1cb5046943caa02f765b3e1ccfa00a4b4b03db7db2211b0af2
Instruction Fuzzy Hash: 3641A731640308BFEF108F54DC49F9EBFB8EF18754F105129F944A62A0CBB59951CBA9

Function 00435250 Relevance: 31.6, APIs: 8, Strings: 10, Instructions: 89memorystringsleepCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,00000000,00000000,00000000), ref: 004352AD
Sleep.KERNEL32(000003E8), ref: 004352F0
lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 004352FE
VirtualAlloc.KERNEL32(00000000,00000000), ref: 0043530E
lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0043532A
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0043533B
wsprintfW.USER32 ref: 00435353
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00435364

Strings

>UC, xrefs: 004352D0
omwa, xrefs: 00435292
it, xrefs: 004352A0
t, xrefs: 00435285
re.b, xrefs: 00435299
fabian wosar <3, xrefs: 00435324
zone, xrefs: 00435263
alar, xrefs: 00435277
m.bi, xrefs: 0043527E
rans, xrefs: 0043528B

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree$Sleeplstrcmpilstrlenwsprintf
String ID: >UC$alar$fabian wosar <3$it$m.bi$omwa$rans$re.b$t$zone
API String ID: 2709691373-1154720078
Opcode ID: 3d984b5fb75fe20ce2f6f9a2f8717c6103d2f374e3b03693684e56d843308e3c
Instruction ID: d9ad50283f7951e700c6d988a95cd40867bb62399bb33fd00eee785fe144719f
Opcode Fuzzy Hash: 3d984b5fb75fe20ce2f6f9a2f8717c6103d2f374e3b03693684e56d843308e3c
Instruction Fuzzy Hash: F031D470E40318ABDB108FA5DD86BDF7B78FF48714F101129FA56A72D0D7745A048B99

Function 00436A10 Relevance: 30.1, APIs: 11, Strings: 9, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,00436C13), ref: 00436A1C
lstrlenW.KERNEL32(00000000), ref: 00436A21
lstrcmpiW.KERNEL32(-00000004,desktop.ini), ref: 00436A4D
lstrcmpiW.KERNEL32(-00000004,autorun.inf), ref: 00436A62
lstrcmpiW.KERNEL32(-00000004,ntuser.dat), ref: 00436A6E
lstrcmpiW.KERNEL32(-00000004,iconcache.db), ref: 00436A7A
lstrcmpiW.KERNEL32(-00000004,bootsect.bak), ref: 00436A86
lstrcmpiW.KERNEL32(-00000004,boot.ini), ref: 00436A92
lstrcmpiW.KERNEL32(-00000004,ntuser.dat.log), ref: 00436A9E
lstrcmpiW.KERNEL32(-00000004,thumbs.db), ref: 00436AAA
lstrcmpiW.KERNEL32(-00000004,CRAB-DECRYPT.txt), ref: 00436AB6

Strings

ntuser.dat, xrefs: 00436A68
boot.ini, xrefs: 00436A8C
thumbs.db, xrefs: 00436AA4
ntuser.dat.log, xrefs: 00436A98
CRAB-DECRYPT.txt, xrefs: 00436AB0
bootsect.bak, xrefs: 00436A80
desktop.ini, xrefs: 00436A47
autorun.inf, xrefs: 00436A5C
iconcache.db, xrefs: 00436A74

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: lstrcmpi$lstrlen
String ID: CRAB-DECRYPT.txt$autorun.inf$boot.ini$bootsect.bak$desktop.ini$iconcache.db$ntuser.dat$ntuser.dat.log$thumbs.db
API String ID: 203586893-3936223242
Opcode ID: d8b802445c24f7228b4d904a495d52eb0d09b8f81101daf585fb8664f1ec4cf7
Instruction ID: 78ffe90bb258a4a406e6577737e6cf1fae83e21db137853e0a75311ec7d832a1
Opcode Fuzzy Hash: d8b802445c24f7228b4d904a495d52eb0d09b8f81101daf585fb8664f1ec4cf7
Instruction Fuzzy Hash: 8311C153A40627355B20B22D9C02EAF528C4D9AB44B26F137EA40F2191EB8DCA0A48BD

Function 00432AD0 Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 114stringmemorythreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 00432AEA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 00432B2C
GetTempPathW.KERNEL32(00000100,00000000), ref: 00432B38
lstrlenW.KERNEL32(?,?,?,00000052), ref: 00432B7D

Part of subcall function 00438730: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 0043874D
Part of subcall function 00438730: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 0043877B
Part of subcall function 00438730: GetModuleHandleA.KERNEL32(?), ref: 004387CF
Part of subcall function 00438730: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 004387DD
Part of subcall function 00438730: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 004387EC
Part of subcall function 00438730: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00438835
Part of subcall function 00438730: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00438843

GetEnvironmentVariableW.KERNEL32(AppData,00000000,00000100), ref: 00432B9C
lstrcatW.KERNEL32(00000000,\Microsoft\), ref: 00432BE4
lstrcatW.KERNEL32(00000000,?), ref: 00432BEC
lstrcatW.KERNEL32(00000000,.exe), ref: 00432BF4
wsprintfW.USER32 ref: 00432C35
ExitThread.KERNEL32 ref: 00432C47

Strings

U, xrefs: 00432B75
.exe, xrefs: 00432BEE
\Microsoft\, xrefs: 00432BDE
P, xrefs: 00432B55
AppData, xrefs: 00432B97
"%s", xrefs: 00432C2F

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtuallstrcat$AllocContextCryptModule$AcquireAddressEnvironmentExitFileFreeHandleLibraryLoadNamePathProcReleaseTempThreadVariablelstrlenwsprintf
String ID: "%s"$.exe$AppData$P$U$\Microsoft\
API String ID: 139215849-3336992450
Opcode ID: 91bd475c89ae23db74182cbaf97d9b25f207f30ef77e02a9dab1f4d07504185c
Instruction ID: 745a86427e57d0d4247636b9e84c9387b075cc942c17185dad63814034fb14fb
Opcode Fuzzy Hash: 91bd475c89ae23db74182cbaf97d9b25f207f30ef77e02a9dab1f4d07504185c
Instruction Fuzzy Hash: A441D6702443109BE704DF219D49B5F7798AF88704F14242DF595962D2DBBCE908CBAF

Function 004368A0 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,00000000,?,00436F26,00000000,?,?), ref: 004368BC
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00000000,?,00436F26,00000000,?,?), ref: 00436914
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,00000000,?,00436F26,00000000,?,?), ref: 0043697E
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,00000000,?,00436F26,00000000,?,?), ref: 004369A6
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,00000000,?,00436F26,00000000,?,?), ref: 004369C4
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,00000000,?,00436F26,00000000,?,?), ref: 004369E2

Strings

\IETldCache\, xrefs: 004368D4
\All Users\, xrefs: 00436943
\Boot\, xrefs: 004368E4
\ProgramData\, xrefs: 004368C2
\Windows\, xrefs: 00436963
\Program Files\, xrefs: 004368F4
\Tor Browser\, xrefs: 00436923
\Local Settings\, xrefs: 00436953
Ransomware, xrefs: 00436933

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: FolderPathSpecial$Virtual$AllocFree
String ID: Ransomware$\All Users\$\Boot\$\IETldCache\$\Local Settings\$\Program Files\$\ProgramData\$\Tor Browser\$\Windows\
API String ID: 4167578076-3735464813
Opcode ID: d1bac45d3d3c41822532f29447c0d7f8e83347de179588fd6383f2149c4f38c8
Instruction ID: 4afd902d3260fa9aa3b89a15de715c0bf047bcaacd1e603cb7c9486f09b94e50
Opcode Fuzzy Hash: d1bac45d3d3c41822532f29447c0d7f8e83347de179588fd6383f2149c4f38c8
Instruction Fuzzy Hash: 1931486074071673EA2026664D16B2F61998F9CB48F11E02FFA45DA3C5EFBCCD0652DE

Function 00438130 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 121stringmemoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00438139

Part of subcall function 00437FB0: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,00000003), ref: 0043809A
Part of subcall function 00437FB0: lstrcatW.KERNEL32(00000000,00440584), ref: 00438115

lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 0043818F
VirtualAlloc.KERNEL32(00000000,00000000), ref: 004381A1
lstrcatW.KERNEL32(00000000,00000000), ref: 004381B1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004381BB
lstrcatW.KERNEL32(00000000,00440604), ref: 004381D1
lstrcatW.KERNEL32(00000000,00000000), ref: 0043822C
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0043823A
lstrcatW.KERNEL32(00000000,0043FFF8), ref: 00438280
lstrcatW.KERNEL32(00000000,00000000), ref: 00438288
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00438296
lstrcatW.KERNEL32(00000000,0043FFFC), ref: 004382A7

Strings

VUUU, xrefs: 004381FA
VUUU, xrefs: 0043824A

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtual$Free$Alloc$CountTicklstrlen
String ID: VUUU$VUUU
API String ID: 2785072370-3149182767
Opcode ID: 03950ac9859dcd4c5f87cc328963fe3bb845fbab46a4fe0e2a2bedf55cf3f488
Instruction ID: 17740e1e5f42281a031850258f83e19106ded149a67980f978a015d31ca1c0e1
Opcode Fuzzy Hash: 03950ac9859dcd4c5f87cc328963fe3bb845fbab46a4fe0e2a2bedf55cf3f488
Instruction Fuzzy Hash: AE312E72E442009BD71C9B29CD4EF3DB7ACEB54711F14143EF952DB292CE78A9148A5C

Function 00435520 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 117stringmemorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 004382C0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004384A4
Part of subcall function 004382C0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 004384BD

Part of subcall function 00435250: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,00000000,00000000,00000000), ref: 004352AD
Part of subcall function 00435250: Sleep.KERNEL32(000003E8), ref: 004352F0
Part of subcall function 00435250: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 004352FE
Part of subcall function 00435250: VirtualAlloc.KERNEL32(00000000,00000000), ref: 0043530E
Part of subcall function 00435250: lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 0043532A
Part of subcall function 00435250: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0043533B
Part of subcall function 00435250: wsprintfW.USER32 ref: 00435353
Part of subcall function 00435250: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00435364

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00435542
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00435562
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 00435574
lstrcatA.KERNEL32(00000000,?), ref: 0043558E
lstrlenA.KERNEL32(00000000), ref: 004355E3
lstrlenW.KERNEL32(?), ref: 004355EF
lstrlenA.KERNEL32(00000000,00000000,00031FFF,?,00000000), ref: 0043560B
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00000000,00000000,?,00000000), ref: 00435665
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 00435671
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000), ref: 0043567B
InternetCloseHandle.WININET(zXC), ref: 00435685

Strings

zXC, xrefs: 0043567D, 00435684
POST, xrefs: 004355FA

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Internet$Open$CloseHandleSleeplstrcatlstrcmpiwsprintf
String ID: POST$zXC
API String ID: 2554059081-776939764
Opcode ID: 0a27d543ec4beb162de6a7039b4199c249ab42d93e7e282031abadcbb6bbcb07
Instruction ID: e456c8c5458e3ee5957e9004bd95e2526e6a02c26f51314b62012fa304cd8f34
Opcode Fuzzy Hash: 0a27d543ec4beb162de6a7039b4199c249ab42d93e7e282031abadcbb6bbcb07
Instruction Fuzzy Hash: A041B571E40709AAEB109FA5CC45FEEBB78FF48740F101526FA44B6250DB786A44CB98

Function 00437410 Relevance: 20.1, APIs: 16, Instructions: 120stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 00437462
lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 0043746D
lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 00437483
lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 0043748E
lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 004374A4
lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 004374AF
lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 004374C5
lstrlenW.KERNEL32(00434B46,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 004374D0
lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 004374E6
lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 004374F1
lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 00437507
lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 00437512
lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 00437531
lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 0043753C
lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 00437558
lstrlenW.KERNEL32(?,?,?,?,00434829,00000000,?,00000000,00000000,?,00000000), ref: 00437566

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: bf5fa2fd0d6cca2a9eda67e3161693eaa7679a46e38f3fbc57a008a789b832e0
Instruction ID: 756e38c06ae182333eca88f50012fcbdd86800a81edbde6aa0795fb7086f6433
Opcode Fuzzy Hash: bf5fa2fd0d6cca2a9eda67e3161693eaa7679a46e38f3fbc57a008a789b832e0
Instruction Fuzzy Hash: 57415D72244611EFC7295FB8DE8C794BBB1BF08305F085535E49682A20D735E878DB89

Function 00436010 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 66stringmemorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,0000000A,00003000,00000004,00000000,00000000), ref: 00436033
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 00436048
GetProcAddress.KERNEL32(00000000,RtlComputeCrc32), ref: 00436059
lstrlenA.KERNEL32(00000000), ref: 00436064
wsprintfA.USER32 ref: 0043607C
_memset.LIBCMT ref: 0043609B
lstrlenA.KERNEL32(00000000), ref: 004360A4
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004360D3

Strings

RtlComputeCrc32, xrefs: 00436053
%Xeuropol, xrefs: 00436076
ntdll.dll, xrefs: 00436043

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtuallstrlen$AddressAllocFreeHandleModuleProc_memsetwsprintf
String ID: %Xeuropol$RtlComputeCrc32$ntdll.dll
API String ID: 218840185-1387466253
Opcode ID: 76f07a0b721a55472712ae53b556ed94bca62b96ef07e159992f0d308c0cf131
Instruction ID: a44c90c39bf06958be9cb491e0ff7a8539133c6c6d876780fbb9a5275460dddf
Opcode Fuzzy Hash: 76f07a0b721a55472712ae53b556ed94bca62b96ef07e159992f0d308c0cf131
Instruction Fuzzy Hash: 75115B31E80208BBDB209B649C4AFAE7F78BB18701F201079F944E22D0EAB44D549B5A

Function 00436E50 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 59filememorystringCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,00000000,?,00436F5F,00000000,?,?), ref: 00436E65
wsprintfW.USER32 ref: 00436E73
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 00436E8F
GetLastError.KERNEL32(?,?), ref: 00436E9C
lstrlenW.KERNEL32(?,?,00000000,?,?), ref: 00436EBE
WriteFile.KERNEL32(00000000,00000000,?,?), ref: 00436ECE
CloseHandle.KERNEL32(00000000,?,?), ref: 00436ED5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 00436EE8

Strings

%s\CRAB-DECRYPT.txt, xrefs: 00436E6D

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocCloseCreateErrorFreeHandleLastWritelstrlenwsprintf
String ID: %s\CRAB-DECRYPT.txt
API String ID: 2985722263-2724392667
Opcode ID: f0888c33d032f8c5b4d23d032432fe4df8b24df741000a13a7f6a2e5a5af05cb
Instruction ID: c8139849b6c87ea7853aa124e8f7fa30baf67ad57316251052fb231d4584b046
Opcode Fuzzy Hash: f0888c33d032f8c5b4d23d032432fe4df8b24df741000a13a7f6a2e5a5af05cb
Instruction Fuzzy Hash: A60128353C0210BBF7200B34ED4FF6A366CEB19B15F201231FB41E51D0C7A86814966E

Function 00435380 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,00000000,00435519,00000000,?,?,?,?,00435643,00000000,?,00000000), ref: 00435396
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,?,?,?,?,00435643,00000000,?,00000000,00000000,?,00000000), ref: 004353A8
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200,?,?,?,?,00435643,00000000,?,00000000,00000000,?,00000000), ref: 004353B8
wsprintfW.USER32 ref: 004353C9
ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004353E3
ExitProcess.KERNEL32 ref: 004353EB

Strings

open, xrefs: 004353DC
cmd.exe, xrefs: 004353D7
/c timeout -c 5 & del "%s" /f /q, xrefs: 004353C3

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: AllocVirtual$ExecuteExitFileModuleNameProcessShellwsprintf
String ID: /c timeout -c 5 & del "%s" /f /q$cmd.exe$open
API String ID: 4033023619-516011104
Opcode ID: d30c03319386e80c933937ca9b1f101b1adf7b3d243cc145f021d9035b01c0e1
Instruction ID: 414306c989d5aa166db415b1ce975528f63741c0940740366a83e0a414805315
Opcode Fuzzy Hash: d30c03319386e80c933937ca9b1f101b1adf7b3d243cc145f021d9035b01c0e1
Instruction Fuzzy Hash: 58F06572BC171033F53127645C0FF0B2D689B59F56F342026F748BE1D189E4681086EE

Function 00433BD0 Relevance: 15.0, APIs: 1, Strings: 9, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00434817,00000000,?,00000000,00000000), ref: 00433C6C

Strings

os_major, xrefs: 00433C39
pc_group, xrefs: 00433C1D
pc_name, xrefs: 00433C0F
hdd, xrefs: 00433C55
pc_user, xrefs: 00433C08
pc_keyb, xrefs: 00433C32
ransom_id, xrefs: 00433C4E
os_bit, xrefs: 00433C40
pc_lang, xrefs: 00433C2B

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID: hdd$os_bit$os_major$pc_group$pc_keyb$pc_lang$pc_name$pc_user$ransom_id
API String ID: 54951025-631784635
Opcode ID: 613bf5c2de7dde7cb8bfd033b046fb26caf9131a16b1e566829a3c884dd12aa3
Instruction ID: 484d0df4007d703fb63f4cd7b5e50c129f85b52dc76916036531c1117f7c203c
Opcode Fuzzy Hash: 613bf5c2de7dde7cb8bfd033b046fb26caf9131a16b1e566829a3c884dd12aa3
Instruction Fuzzy Hash: CC1110B4901B448FC760CF69C58468ABBF0BB08758F50A92EE99AD7B10D3B5F4488F48

Function 004381E6 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 64stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00437FB0: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,00000003), ref: 0043809A
Part of subcall function 00437FB0: lstrcatW.KERNEL32(00000000,00440584), ref: 00438115

lstrcatW.KERNEL32(00000000,00000000), ref: 0043822C
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0043823A
lstrcatW.KERNEL32(00000000,0043FFF8), ref: 00438280
lstrcatW.KERNEL32(00000000,00000000), ref: 00438288
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00438296
lstrcatW.KERNEL32(00000000,0043FFFC), ref: 004382A7

Strings

VUUU, xrefs: 004381FA
VUUU, xrefs: 0043824A

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtual$Free$Alloc
String ID: VUUU$VUUU
API String ID: 418921519-3149182767
Opcode ID: e0f1c325ce775947723f5c13252cd9321c0eaaf688ab4ccfc984a1e1d9c48b55
Instruction ID: 27330f1ff92d89dff3550715608d712ad642f2e863cfc2c11b1951dc7ad05172
Opcode Fuzzy Hash: e0f1c325ce775947723f5c13252cd9321c0eaaf688ab4ccfc984a1e1d9c48b55
Instruction Fuzzy Hash: A5110432A442009BC71CEB2DDD4EB39B7A8F755705F04283EF593DB192CE38A1158B18

Function 004335C0 Relevance: 13.6, APIs: 9, Instructions: 94memoryfileCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000A00,00003000,00000004,756EE0B0,?), ref: 004335E9
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100,756F0440), ref: 00433600
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00433616
GetFileSize.KERNEL32(00000000,00000000), ref: 00433626
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00433639
ReadFile.KERNEL32(00000000,00000000,00000001,?,00000000), ref: 0043364C
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0043368D
CloseHandle.KERNEL32(00000000), ref: 00433694
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004336A2

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocFree$CloseCreateHandleModuleNameReadSize
String ID:
API String ID: 2352497600-0
Opcode ID: 616fa14d18456d50b5a2cf04ffe4941b41930ff7d4d002301a201671a8eb4143
Instruction ID: 4b61e87bf15a1d7f180aee676d93f3c8abe81ed5ed55f71288a5cd8a2c180948
Opcode Fuzzy Hash: 616fa14d18456d50b5a2cf04ffe4941b41930ff7d4d002301a201671a8eb4143
Instruction Fuzzy Hash: DD21F9317803047BEB259FA49C8BFAE7B68EB49715F200069FB45A92C0C6B89A10875D

Function 00433200 Relevance: 13.6, APIs: 7, Strings: 2, Instructions: 73memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(tTC,00000000,?,tTC,?,004334BF,tTC,00000001,tTC,00000000,00000000,00000000,?,?,00435474,00000000), ref: 00433251
GetProcessHeap.KERNEL32(00000008,00000001,?,004334BF,tTC,00000001,tTC,00000000,00000000,00000000,?,?,00435474,00000000), ref: 0043325B
HeapAlloc.KERNEL32(00000000,?,004334BF,tTC,00000001,tTC,00000000,00000000,00000000,?,?,00435474,00000000), ref: 00433262
lstrlenA.KERNEL32(tTC,00000000,?,tTC,?,004334BF,tTC,00000001,tTC,00000000,00000000,00000000,?,?,00435474,00000000), ref: 00433273
GetProcessHeap.KERNEL32(00000008,00000001,?,004334BF,tTC,00000001,tTC,00000000,00000000,00000000,?,?,00435474,00000000), ref: 0043327D
HeapAlloc.KERNEL32(00000000,?,004334BF,tTC,00000001,tTC,00000000,00000000,00000000,?,?,00435474,00000000), ref: 00433284
lstrcpyA.KERNEL32(00000000,tTC,?,004334BF,tTC,00000001,tTC,00000000,00000000,00000000,?,?,00435474,00000000), ref: 00433293

Strings

tTC, xrefs: 00433203
tTC, xrefs: 00433205, 00433250, 00433272, 00433291

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrlen$lstrcpy
String ID: tTC$tTC
API String ID: 511007297-1085092769
Opcode ID: e93130d8e23041165ebabb033cf6f294cbaef2813b0733c1472953291e94166f
Instruction ID: 3f576e58433450ff868980f03334413e8d194009c5c5b27ec63e5af226e95ef6
Opcode Fuzzy Hash: e93130d8e23041165ebabb033cf6f294cbaef2813b0733c1472953291e94166f
Instruction Fuzzy Hash: 4511E6304442846EEB200F68980C767BB58EF1A312F246097E8D5C7311C73D8D56876A

Function 00437EE0 Relevance: 12.6, APIs: 10, Instructions: 67COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,004348BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00437EF9
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,004348BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00437F0B
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,004348BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00437F1D
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,004348BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00437F2F
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,004348BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00437F41
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,004348BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00437F53
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,004348BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00437F65
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,004348BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00437F77
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,004348BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00437F89
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,004348BA,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00437FA1

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 01b8c508131d399be82b73d88b4a94d9f59a9416aac35fe58662302d78fac8e6
Instruction ID: aa69f7b04cc3b78753be31256a9f3197917a2f6df8a88fcb3cfbced265fd2d9b
Opcode Fuzzy Hash: 01b8c508131d399be82b73d88b4a94d9f59a9416aac35fe58662302d78fac8e6
Instruction Fuzzy Hash: A721E230284B04AAE7765B15DC06F5676E1BF44B45F255839E2C1345F08BF97899DF0C

Function 00434000 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136memorythreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004), ref: 00434020
GetTickCount.KERNEL32 ref: 00434045
GetDriveTypeW.KERNEL32(?), ref: 0043406A
CreateThread.KERNEL32(00000000,00000000,004370B0,?,00000000,00000000), ref: 004340A9
WaitForMultipleObjects.KERNEL32(00000000,?), ref: 004340EB
GetTickCount.KERNEL32 ref: 004340F1

Strings

?:\, xrefs: 00434033

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: CountTick$AllocCreateDriveMultipleObjectsThreadTypeVirtualWait
String ID: ?:\
API String ID: 458387131-2533537817
Opcode ID: 3e55ec5f2ad4fb261965ba65a230fc51e118d148fc429921475b8de913a0d2ca
Instruction ID: f115b0fdc591f54e61c5125b79e77d871aa6c3fa2a6c24f23318fa8ec13295e4
Opcode Fuzzy Hash: 3e55ec5f2ad4fb261965ba65a230fc51e118d148fc429921475b8de913a0d2ca
Instruction Fuzzy Hash: 595125709483009FD314CF18D988B5ABBF5FFC8324F505A2EEA8997360D775A944CB9A

Function 004370B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 48memorythreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040), ref: 004370C9
wsprintfW.USER32 ref: 004370DE
InitializeCriticalSection.KERNEL32(?), ref: 004370EC
VirtualAlloc.KERNEL32 ref: 00437120
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00009C40,00003000,00000004), ref: 0043714D
ExitThread.KERNEL32 ref: 00437155

Strings

%c:\, xrefs: 004370D8

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$CriticalExitFreeInitializeSectionThreadwsprintf
String ID: %c:\
API String ID: 2059066847-3142399695
Opcode ID: e5b9adf75293e603e4a4bc0ce388c7b77790cfdeeef54cab3839585a59e458dd
Instruction ID: b25a7487b0060cbb47b563ff4021bd5faa0198c4eb67cb0ed06ec9650fad0b36
Opcode Fuzzy Hash: e5b9adf75293e603e4a4bc0ce388c7b77790cfdeeef54cab3839585a59e458dd
Instruction Fuzzy Hash: C211D6B5184300BFE7109F54CC8AF163BB8AB44B21F104614FBA49E1D1D7B49514CBAF

Function 00433C80 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43memorylibraryloaderCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00433CB0
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 00433CC3
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00433CCF
FreeSid.ADVAPI32(?), ref: 00433CEA

Strings

:MC, xrefs: 00433CD5, 00433CF0, 00433CD8
CheckTokenMembership, xrefs: 00433CC9
advapi32.dll, xrefs: 00433CBE

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: AddressAllocateFreeHandleInitializeModuleProc
String ID: :MC$CheckTokenMembership$advapi32.dll
API String ID: 3309497720-3592135811
Opcode ID: 380505c1b8e8faa85e7f2e29b19e7dd55223fcaaa862be92d19bcf4d39d827dc
Instruction ID: 3cc87387e46c1904554e82e3ebd99d833887db64e789ec8678e8e99533c2855b
Opcode Fuzzy Hash: 380505c1b8e8faa85e7f2e29b19e7dd55223fcaaa862be92d19bcf4d39d827dc
Instruction Fuzzy Hash: E0F0FF35E80309BBDF10DFE4DC0AFAD7778EB04706F105595F905A6290E77456148B59

Function 00432890 Relevance: 12.1, APIs: 8, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,7572F770,00000000,?,?,00432C02), ref: 004328AB
GetFileSize.KERNEL32(00000000,00000000,?,?,00432C02), ref: 004328BA
CreateFileMappingW.KERNEL32(00000000,00000000,-00000008,00000000,00000000,00000000,?,?,00432C02), ref: 004328E5
CloseHandle.KERNEL32(00000000,?,?,00432C02), ref: 004328F3
MapViewOfFile.KERNEL32(00000000,7572F771,00000000,00000000,00000000,?,?,00432C02), ref: 0043290A
UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,00432C02), ref: 00432942
CloseHandle.KERNEL32(?,?,?,00432C02), ref: 00432951
CloseHandle.KERNEL32(00000000,?,?,00432C02), ref: 00432954

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateView$MappingSizeUnmap
String ID:
API String ID: 265113797-0
Opcode ID: 3254d48576f18db478868325316a639651472780a2d6adff18c79931693a5136
Instruction ID: b5d5b4cb7974c10a8d0033a5b1ab38b7e41a6a6ed957fcce4ef6ed41b3173017
Opcode Fuzzy Hash: 3254d48576f18db478868325316a639651472780a2d6adff18c79931693a5136
Instruction Fuzzy Hash: 18216BB1A402187FD7106B749C8AF7F776CDB49369F00123AFC41E2280D6389D1145A5

Function 004333E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 004332B0: lstrlenA.KERNEL32(?,00000000,?,tTC,?,?,004333F6,00000000,00000000,?,?,00435474,00000000), ref: 004332C5
Part of subcall function 004332B0: lstrlenA.KERNEL32(?,?,004333F6,00000000,00000000,?,?,00435474,00000000,?,?,?,?,00435643,00000000,?), ref: 004332EE

lstrlenA.KERNEL32(tTC,tTC,00000000,00000000,00000000,?,?,00435474,00000000,?,?,?,?,00435643,00000000,?), ref: 00433484
GetProcessHeap.KERNEL32(00000008,00000001,?,00435474,00000000,?,?,?,?,00435643,00000000,?,00000000,00000000,?,00000000), ref: 0043348E
HeapAlloc.KERNEL32(00000000,?,00435474,00000000,?,?,?,?,00435643,00000000,?,00000000,00000000,?,00000000), ref: 00433495
lstrcpyA.KERNEL32(00000000,tTC,?,00435474,00000000,?,?,?,?,00435643,00000000,?,00000000,00000000,?,00000000), ref: 004334A7
ExitProcess.KERNEL32 ref: 004334DB

Strings

tTC, xrefs: 004333E5, 0043343B, 00433483, 004334A5, 004334B7

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: lstrlen$HeapProcess$AllocExitlstrcpy
String ID: tTC
API String ID: 1867342102-2646315492
Opcode ID: 9fae79e1900f2d882af031b6dbdabae6ebee665c4b64686b8f3b1ace0ad1dacc
Instruction ID: 5154140b53bf1b1bac9fbf124732a4115d9350d6d01d2b15530a9fbd8b651ec3
Opcode Fuzzy Hash: 9fae79e1900f2d882af031b6dbdabae6ebee665c4b64686b8f3b1ace0ad1dacc
Instruction Fuzzy Hash: 133136305042455AEF224F6888447B77B989B2E312F18719BE8D5CB381D67E8E4787AD

Function 00436AD0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 95stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,?,00436BFA), ref: 00436AF2

Strings

%s , xrefs: 00436B36

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: %s
API String ID: 1659193697-4273690596
Opcode ID: 3f35c471cbb4abc3c7c44d2ff268614904513865b6fbe0b92a7e03cc8838182a
Instruction ID: 48a4d284fe619d5a9bbc8a8d416797cebbaa865b4fee0f59e4c35e7026c79cd3
Opcode Fuzzy Hash: 3f35c471cbb4abc3c7c44d2ff268614904513865b6fbe0b92a7e03cc8838182a
Instruction Fuzzy Hash: B521F672A00236A7DB305F589C017B7B3E8EB99325F069227ED45D7284E7B86D41CA98

Function 00432C50 Relevance: 10.6, APIs: 7, Instructions: 62stringthreadCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00432C8A
BeginPaint.USER32(?,?), ref: 00432C9F
lstrlenW.KERNEL32(?), ref: 00432CAC
TextOutW.GDI32(00000000,00000005,00000005,?,00000000), ref: 00432CBD
EndPaint.USER32(?,?), ref: 00432CCB
CreateThread.KERNEL32(00000000,00000000,Function_00002AD0,00000000,00000000,00000000), ref: 00432CE9
DestroyWindow.USER32(?), ref: 00432CF2

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: PaintWindow$BeginCreateDestroyProcTextThreadlstrlen
String ID:
API String ID: 572880375-0
Opcode ID: 2553cd1b62c3c8ca0d85b9bed10fe4aaf8a4a440eedfedc2dcb665e00cda962c
Instruction ID: 688903e592a9abc176364ccd2b8542b89120258406cb9d3450c9c9a264996639
Opcode Fuzzy Hash: 2553cd1b62c3c8ca0d85b9bed10fe4aaf8a4a440eedfedc2dcb665e00cda962c
Instruction Fuzzy Hash: 4011C432544308AFD711DF68ED09FAB7BACFB48311F001626FD81D61A0E7B19924DB9A

Function 00434E20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00434E39
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00434E7F
GetLastError.KERNEL32(?,?,00000000), ref: 00434E89
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00434E9D
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00434EA2

Strings

D, xrefs: 00434E68

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastProcess_memset
String ID: D
API String ID: 1393943095-2746444292
Opcode ID: a30d77947f34d4bdcb865273184351df15e0f5a4a45aee8b391ed34b0e51d9d1
Instruction ID: 433688588b4629fc69bcbe03884571d0f4b30c3e063efe24d40815aba85d47fa
Opcode Fuzzy Hash: a30d77947f34d4bdcb865273184351df15e0f5a4a45aee8b391ed34b0e51d9d1
Instruction Fuzzy Hash: 36014871E40318ABDB20DFA4DC46BDE7BB8EF09714F100226FA48F6190E7B555548B99

Function 00434A88 Relevance: 10.5, APIs: 7, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000002,00000024), ref: 00434A95
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00434AA5
TerminateProcess.KERNEL32(00000000,00000000), ref: 00434AB4
CloseHandle.KERNEL32(00000000), ref: 00434AC1
Process32NextW.KERNEL32(?,00000000), ref: 00434ADA
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00434AF3
CloseHandle.KERNEL32(?), ref: 00434AFA

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$FreeNextOpenProcess32TerminateVirtuallstrcmpi
String ID:
API String ID: 999196985-0
Opcode ID: 01b9d6923e309ea0a12757cd293c1d388896e487bd28c66f3657fae3921ac6c8
Instruction ID: c0a474c44ef89eb1154cdd24df0b66bc8768c65ee06be6295120578c4ff61d03
Opcode Fuzzy Hash: 01b9d6923e309ea0a12757cd293c1d388896e487bd28c66f3657fae3921ac6c8
Instruction Fuzzy Hash: A601D6322C0110ABDB10AF50AC88BAA77ACEBD9701F256125FA49D6150EB64AC158B6E

Function 00FD1A4C Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00FD1A4C

Part of subcall function 00FD1BFB: EncodePointer.KERNEL32(00000000,?,00FD1A51,00FD12AD,00FDFD50,00000014), ref: 00FD1BFE
Part of subcall function 00FD1BFB: __initp_misc_winsig.LIBCMT ref: 00FD1C19
Part of subcall function 00FD1BFB: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00FD2EA5
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00FD2EB9
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00FD2ECC
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00FD2EDF
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00FD2EF2
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00FD2F05
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00FD2F18
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00FD2F2B
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00FD2F3E
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00FD2F51
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00FD2F64
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00FD2F77
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00FD2F8A
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00FD2F9D
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00FD2FB0
Part of subcall function 00FD1BFB: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00FD2FC3

__mtinitlocks.LIBCMT ref: 00FD1A51
__mtterm.LIBCMT ref: 00FD1A5A

Part of subcall function 00FD1AC2: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00FD1A5F,00FD12AD,00FDFD50,00000014), ref: 00FD31BB
Part of subcall function 00FD1AC2: _free.LIBCMT ref: 00FD31C2
Part of subcall function 00FD1AC2: DeleteCriticalSection.KERNEL32(00FE1068,?,?,00FD1A5F,00FD12AD,00FDFD50,00000014), ref: 00FD31E4

__calloc_crt.LIBCMT ref: 00FD1A7F
__initptd.LIBCMT ref: 00FD1AA1
GetCurrentThreadId.KERNEL32 ref: 00FD1AA8

Memory Dump Source

Source File: 0000001D.00000002.1751975964.0000000000FD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00FD0000, based on PE: true

Associated: 0000001D.00000002.1751953110.0000000000FD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752000225.0000000000FDC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752023672.0000000000FE1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752051812.0000000000FF7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_fd0000_dwqocx.jbxd

Yara matches

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 6405ccc4a814573800a549d28fc162e67e54cf06079e9764ed0cd3e68d9e56bb
Instruction ID: ee18717636b055cfe61792edee5497ce39623e6580926d584108df8498c16d0c
Opcode Fuzzy Hash: 6405ccc4a814573800a549d28fc162e67e54cf06079e9764ed0cd3e68d9e56bb
Instruction Fuzzy Hash: 06F06D32A1A65129E224BB747C0364A3797BB01771B2C061BF650D93D5FE288541B191

Function 00433190 Relevance: 9.0, APIs: 2, Strings: 4, Instructions: 42stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(tTC,mask), ref: 004331B9
lstrcmpiA.KERNEL32(tTC,pub_key), ref: 004331D1

Strings

tTC, xrefs: 004331B0
tTC, xrefs: 00433193, 004331C4, 004331B6
mask, xrefs: 004331B1
pub_key, xrefs: 004331BF

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: mask$pub_key$tTC$tTC
API String ID: 1586166983-4235709636
Opcode ID: c63e22b0836094a3d6225de8c323bb73b2bc4b41921f35e7be9afbaf91ceb528
Instruction ID: 7b9947308841e26b6cab1d0c2403791ad88d96065e90503b74eb10f4218bddb5
Opcode Fuzzy Hash: c63e22b0836094a3d6225de8c323bb73b2bc4b41921f35e7be9afbaf91ceb528
Instruction Fuzzy Hash: D5F08B723482845EFB194E6C9C457A3BBCC9B19311F5821BFF6CAC2290C6AE8C81C35D

Function 00437FB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 89memorystringCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,?,00000003), ref: 0043809A
lstrcatW.KERNEL32(00000000,00440584), ref: 00438115

Strings

eigh, xrefs: 0043803F
ore, xrefs: 0043808C
ere, xrefs: 00438093

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: AllocVirtuallstrcat
String ID: eigh$ere$ore
API String ID: 3624338217-3418171569
Opcode ID: 7083aa887dfd6e6a7c5c6fd3a279a3089482fbc24b335b94be0748881075152c
Instruction ID: 9562c19b8a6c338addea57ed2e41c946ff502cc89c6260b849b4e14cd7b3e2be
Opcode Fuzzy Hash: 7083aa887dfd6e6a7c5c6fd3a279a3089482fbc24b335b94be0748881075152c
Instruction Fuzzy Hash: C23138B1D11758ABEB14CF85D84869DBFF4EB44708F20961EE6146B240CBBC9569CF8C

Function 00433D00 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00433D52
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 00433D76
VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 00433D7A
VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 00433D7E
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00433DA5

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion_memset
String ID:
API String ID: 3299124433-0
Opcode ID: 2576dc4616e8b2ed0041c1537906ce628c39b9779ebe1db551e1aa8ebc6d1593
Instruction ID: 54d242abe5d1c693644b470774137c53894a065a50242be6e8bdc21075493750
Opcode Fuzzy Hash: 2576dc4616e8b2ed0041c1537906ce628c39b9779ebe1db551e1aa8ebc6d1593
Instruction Fuzzy Hash: 9B111EB0D4031C6EEB659F65DC0ABEA7ABCEB08704F008199A548E61C1D6B94B948FD5

Function 00FD1ADF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,00FD1B1E,00000000,?,00FD4E28,000000FF,0000001E,00000000,00000000,00000000,?,00FD3385), ref: 00FD1AEE
GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00FD1B00

Strings

mscoree.dll, xrefs: 00FD1AE7
CorExitProcess, xrefs: 00FD1AF8

Memory Dump Source

Source File: 0000001D.00000002.1751975964.0000000000FD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00FD0000, based on PE: true

Associated: 0000001D.00000002.1751953110.0000000000FD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752000225.0000000000FDC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752023672.0000000000FE1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752051812.0000000000FF7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_fd0000_dwqocx.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: eccdd178e8e2c9f56d34adefa2d811054299e28ee71fe997b9f8c70216b9eef3
Instruction ID: 231d15481f79ffcd6e22c26b64e01cc446cd2f7cac17fdf3d1a27bb029db8a41
Opcode Fuzzy Hash: eccdd178e8e2c9f56d34adefa2d811054299e28ee71fe997b9f8c70216b9eef3
Instruction Fuzzy Hash: DBD0123174420EFBDB005BA5DC06F597B6FAB41752F044157F804E1250EA71DA10F6A1

Function 00434EB0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 117stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,fabian wosar <3,?,00435218), ref: 00434F23
lstrlenA.KERNEL32(00000000,?,00435218), ref: 00434F7F
lstrcpyA.KERNEL32(?,?,?,00435218), ref: 00434FAE

Strings

fabian wosar <3, xrefs: 00434F1B

Memory Dump Source

Source File: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, Offset: 00430000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_430000_dwqocx.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: fabian wosar <3
API String ID: 367037083-1724090804
Opcode ID: 560250402e570d9fb667bf73143a7ce1051234589115c82560da08b06a1c4132
Instruction ID: 9b1f5d8883905e12cf36a450c5fb74a8fc8acc29c4fc4bd9110ac6be198f8da0
Opcode Fuzzy Hash: 560250402e570d9fb667bf73143a7ce1051234589115c82560da08b06a1c4132
Instruction Fuzzy Hash: EF310F218081955ADB228F6898407FBBFA1AFCB349F6C309BD8D5C7316D2292846C798

Function 00FD737A Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00FD73B0
__isleadbyte_l.LIBCMT ref: 00FD73DE
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 00FD740C
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 00FD7442

Memory Dump Source

Source File: 0000001D.00000002.1751975964.0000000000FD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00FD0000, based on PE: true

Associated: 0000001D.00000002.1751953110.0000000000FD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752000225.0000000000FDC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752023672.0000000000FE1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752051812.0000000000FF7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_fd0000_dwqocx.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2ca933369b502092202da194a3e7a68c40d75dab3ce013aa95d75aa07d974747
Instruction ID: 074de734c3d0b9f37ee6af8eafc4742fcda3c0eb3dacefe04e2294ad9c2dd922
Opcode Fuzzy Hash: 2ca933369b502092202da194a3e7a68c40d75dab3ce013aa95d75aa07d974747
Instruction Fuzzy Hash: A2318431A08346EFDB22EE65CC45B6A7FA7AF41320F19451AE8549B290F731D850F750

Function 00FD4E8D Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FD4EAC

Part of subcall function 00FD4DFB: __FF_MSGBANNER.LIBCMT ref: 00FD4E12
Part of subcall function 00FD4DFB: __NMSG_WRITE.LIBCMT ref: 00FD4E19
Part of subcall function 00FD4DFB: HeapAlloc.KERNEL32(005C0000,00000000,00000001,00000000,00000000,00000000,?,00FD3385,00000000,00000000,00000000,00000000,?,00FD323A,00000018,00FDFE20), ref: 00FD4E3E

Memory Dump Source

Source File: 0000001D.00000002.1751975964.0000000000FD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00FD0000, based on PE: true

Associated: 0000001D.00000002.1751953110.0000000000FD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752000225.0000000000FDC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752023672.0000000000FE1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752051812.0000000000FF7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_fd0000_dwqocx.jbxd

Yara matches

Similarity

API ID: AllocHeap_free
String ID:
API String ID: 1080816511-0
Opcode ID: 23d789c686f58522c5286ee17a11d0718fcb3394a012ea8fb89a341c937fead2
Instruction ID: 257afde2d162f4e025d353d02cdc22eb3793c3cbfb3961ad2a0fcec27e2ce097
Opcode Fuzzy Hash: 23d789c686f58522c5286ee17a11d0718fcb3394a012ea8fb89a341c937fead2
Instruction Fuzzy Hash: 4F117733905215ABCB317F74BC0A75A379BAF40370B184527FA45D7361DB35A840B6A5

Function 00FD8BED Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00FD8C11

Part of subcall function 00FD92F8: __fltout2.LIBCMT ref: 00FD9321

__cftog_l.LIBCMT ref: 00FD8C37
__cftoe_l.LIBCMT ref: 00FD8C69

Memory Dump Source

Source File: 0000001D.00000002.1751975964.0000000000FD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00FD0000, based on PE: true

Associated: 0000001D.00000002.1751953110.0000000000FD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752000225.0000000000FDC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752023672.0000000000FE1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752051812.0000000000FF7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_fd0000_dwqocx.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: a8292b613ccd047416a34022aaf5a22d8ab77da8b922757973516e6eda3415f7
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: F501397241514EFBCF126F84CD428EE3F27BB18394B588516FA5858231C636C9B2BB91

Function 00FD3A99 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FD1912: __getptd_noexit.LIBCMT ref: 00FD1913

__lock.LIBCMT ref: 00FD3ADA
_free.LIBCMT ref: 00FD3B07

Strings

0M\, xrefs: 00FD3B0D, 00FD3B15

Memory Dump Source

Source File: 0000001D.00000002.1751975964.0000000000FD1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00FD0000, based on PE: true

Associated: 0000001D.00000002.1751953110.0000000000FD0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752000225.0000000000FDC000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752023672.0000000000FE1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000001D.00000002.1752051812.0000000000FF7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_fd0000_dwqocx.jbxd

Yara matches

Similarity

API ID: __getptd_noexit__lock_free
String ID: 0M\
API String ID: 1533244847-4229959701
Opcode ID: dabdbb8e1e309cc54a372bb0f5645119f5a03b7f73225b54385deec9feb009ed
Instruction ID: 73bdd0efa68180467d24f43d9e5c2cf9d4824505e45353f0416baeee46118fe0
Opcode Fuzzy Hash: dabdbb8e1e309cc54a372bb0f5645119f5a03b7f73225b54385deec9feb009ed
Instruction Fuzzy Hash: B811C236E0172A9BC721AF299841618B3A2BB45B30B1D021FE550A7780DB386E41FFC2

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
file.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre