Play interactive tour

Edit tour

Analysis Report CompanyLicense.exe

Overview

General Information

Sample Name:	CompanyLicense.exe
Analysis ID:	341661
MD5:	ace3e9fc3a2277aa4e72881c9f204642
SHA1:	50337a4aa52b65cac5fd2745c3fe7d88d503d00f
SHA256:	c6cf35735aff0eba459a6a1f4b65722ba08dfb0beed54b0df8e9be3ec3edba98
Most interesting Screenshot:

Detection

Remcos GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: Remcos

Yara detected GuLoader

Yara detected Remcos RAT

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Contains functionality to hide a thread from the debugger

Creates autostart registry keys with suspicious values (likely registry only malware)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

CompanyLicense.exe (PID: 5148 cmdline: 'C:\Users\user\Desktop\CompanyLicense.exe' MD5: ACE3E9FC3A2277AA4E72881C9F204642)

CompanyLicense.exe (PID: 6572 cmdline: 'C:\Users\user\Desktop\CompanyLicense.exe' MD5: ACE3E9FC3A2277AA4E72881C9F204642)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.998526794.0000000000562000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: CompanyLicense.exe PID: 6572	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: CompanyLicense.exe PID: 6572	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: CompanyLicense.exe PID: 6572	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: CompanyLicense.exe PID: 5148	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: CompanyLicense.exe PID: 5148	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Remcos

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\CompanyLicense.exe, ProcessId: 6572, TargetFilename: C:\Users\user\AppData\Roaming\remcos\logs.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: Process Memory Space: CompanyLicense.exe PID: 6572, type: MEMORY

Compliance:

Uses 32bit PE files

Show sources

Source: CompanyLicense.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 185.140.53.253:2048

Source: Joe Sandbox View

IP Address: 185.140.53.253 185.140.53.253

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

Source: CompanyLicense.exe, 00000001.00000002.998526794.0000000000562000.00000040.00000001.sdmp

String found in binary or memory: https://onedrive.live.com/download?cid=3EA7AF3CF2A8B6E2&resid=3EA7AF3CF2A8B6E2%21118&authkey=AM5VKIx

E-Banking Fraud:

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: Process Memory Space: CompanyLicense.exe PID: 6572, type: MEMORY

System Summary:

Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 0_2_020A08D5 EnumWindows,NtSetInformationThread,
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 0_2_020A8B16 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 0_2_020A474B NtSetInformationThread,
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 0_2_020A0D52 NtWriteVirtualMemory,TerminateProcess,
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 0_2_020A8E25 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 0_2_020A38A7 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 0_2_020A34CD NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 0_2_020A36D0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 0_2_020A0917 NtSetInformationThread,
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 0_2_020A35EF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 0_2_020A35E2 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 1_2_00568B16 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 1_2_00568EC6 NtSetInformationThread,
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 1_2_00569248 NtSetInformationThread,
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 1_2_0056910C NtSetInformationThread,
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 1_2_00569436 NtSetInformationThread,
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 1_2_00568FE0 NtSetInformationThread,
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 1_2_005695B9 NtSetInformationThread,

Source: C:\Users\user\Desktop\CompanyLicense.exe

Code function: 0_2_004041A1

Source: CompanyLicense.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Internering2.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: CompanyLicense.exe, 00000000.00000002.667461596.0000000000415000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSKULPTURUDSTILLING.exe vs CompanyLicense.exe
Source: CompanyLicense.exe, 00000000.00000002.667883059.0000000002090000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs CompanyLicense.exe
Source: CompanyLicense.exe, 00000001.00000000.666580572.0000000000415000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSKULPTURUDSTILLING.exe vs CompanyLicense.exe
Source: CompanyLicense.exe, 00000001.00000002.1001890961.000000001DEF0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs CompanyLicense.exe
Source: CompanyLicense.exe, 00000001.00000002.1001872713.000000001DDA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs CompanyLicense.exe
Source: CompanyLicense.exe	Binary or memory string: OriginalFilenameSKULPTURUDSTILLING.exe vs CompanyLicense.exe

Source: CompanyLicense.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/3@74/2

Source: C:\Users\user\Desktop\CompanyLicense.exe

File created: C:\Users\user\AppData\Roaming\remcos

Jump to behavior

Source: C:\Users\user\Desktop\CompanyLicense.exe

Mutant created: \Sessions\1\BaseNamedObjects\idle-C625D6

Source: C:\Users\user\Desktop\CompanyLicense.exe

File created: C:\Users\user\AppData\Local\Temp\~DF35090EC034E56AF4.TMP

Jump to behavior

Source: CompanyLicense.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\CompanyLicense.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Users\user\Desktop\CompanyLicense.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\CompanyLicense.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\CompanyLicense.exe

File read: C:\Users\user\Desktop\CompanyLicense.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CompanyLicense.exe 'C:\Users\user\Desktop\CompanyLicense.exe'
Source: unknown	Process created: C:\Users\user\Desktop\CompanyLicense.exe 'C:\Users\user\Desktop\CompanyLicense.exe'
Source: C:\Users\user\Desktop\CompanyLicense.exe	Process created: C:\Users\user\Desktop\CompanyLicense.exe 'C:\Users\user\Desktop\CompanyLicense.exe'

Source: C:\Users\user\Desktop\CompanyLicense.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000001.00000002.998526794.0000000000562000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CompanyLicense.exe PID: 6572, type: MEMORY
Source: Yara match	File source: Process Memory Space: CompanyLicense.exe PID: 5148, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match	File source: Process Memory Space: CompanyLicense.exe PID: 6572, type: MEMORY
Source: Yara match	File source: Process Memory Space: CompanyLicense.exe PID: 5148, type: MEMORY

Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 0_2_00405695 push edi; ret
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 0_2_020A5757 push edi; ret

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\CompanyLicense.exe

File created: C:\Users\user\AppData\Local\Temp\Arsenation\Internering2.exe

Jump to dropped file

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)

Show sources

Source: C:\Users\user\Desktop\CompanyLicense.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Hamid C:\Users\user\AppData\Local\Temp\Arsenation\Internering2.vbs			Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Hamid C:\Users\user\AppData\Local\Temp\Arsenation\Internering2.vbs			Jump to behavior

Source: C:\Users\user\Desktop\CompanyLicense.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Hamid	Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Hamid	Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Hamid	Jump to behavior
Source: C:\Users\user\Desktop\CompanyLicense.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Hamid	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\CompanyLicense.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CompanyLicense.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CompanyLicense.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CompanyLicense.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CompanyLicense.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CompanyLicense.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CompanyLicense.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CompanyLicense.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CompanyLicense.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 0_2_020A0D52 NtWriteVirtualMemory,TerminateProcess,
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 0_2_020A0BD7 TerminateProcess,

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\CompanyLicense.exe

RDTSC instruction interceptor: First address: 0000000000562BFB second address: 0000000000562BFB instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\CompanyLicense.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\CompanyLicense.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\CompanyLicense.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\CompanyLicense.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: CompanyLicense.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\CompanyLicense.exe

RDTSC instruction interceptor: First address: 0000000000562BFB second address: 0000000000562BFB instructions:

Source: C:\Users\user\Desktop\CompanyLicense.exe

Code function: 0_2_020A0D52 rdtsc

Source: C:\Users\user\Desktop\CompanyLicense.exe

Window / User API: threadDelayed 930

Source: C:\Users\user\Desktop\CompanyLicense.exe TID: 6792	Thread sleep count: 930 > 30
Source: C:\Users\user\Desktop\CompanyLicense.exe TID: 6792	Thread sleep time: -9300000s >= -30000s

Source: C:\Users\user\Desktop\CompanyLicense.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\CompanyLicense.exe	Last function: Thread delayed

Source: CompanyLicense.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger

Show sources

Source: C:\Users\user\Desktop\CompanyLicense.exe

Code function: 0_2_020A08D5 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,?,6DDC21B5,6DDB9555,?,321C9581,?,020A8349

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\CompanyLicense.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\CompanyLicense.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\CompanyLicense.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\CompanyLicense.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\CompanyLicense.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\CompanyLicense.exe

Code function: 0_2_020A0D52 rdtsc

Source: C:\Users\user\Desktop\CompanyLicense.exe

Code function: 0_2_020A457E LdrInitializeThunk,

Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 0_2_020A2C10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 0_2_020A2259 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 0_2_020A2C7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 0_2_020A7679 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 0_2_020A3CAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 0_2_020A833C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 0_2_020A6F42 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 1_2_00566F42 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 1_2_00567679 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 1_2_0056833C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CompanyLicense.exe	Code function: 1_2_00563CAB mov eax, dword ptr fs:[00000030h]

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Users\user\Desktop\CompanyLicense.exe

Process created: C:\Users\user\Desktop\CompanyLicense.exe 'C:\Users\user\Desktop\CompanyLicense.exe'

Source: CompanyLicense.exe, 00000001.00000002.998846227.0000000002527000.00000004.00000040.sdmp	Binary or memory string: Program Manager
Source: CompanyLicense.exe, 00000001.00000002.998765960.0000000000FC0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: CompanyLicense.exe, 00000001.00000002.998765960.0000000000FC0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: logs.dat.1.dr	Binary or memory string: [ Program Manager ]
Source: CompanyLicense.exe, 00000001.00000002.998765960.0000000000FC0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: CompanyLicense.exe, 00000001.00000002.998846227.0000000002527000.00000004.00000040.sdmp	Binary or memory string: Program Managerrgo.org
Source: CompanyLicense.exe, 00000001.00000002.998846227.0000000002527000.00000004.00000040.sdmp	Binary or memory string: Program Manager9

Stealing of Sensitive Information:

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: Process Memory Space: CompanyLicense.exe PID: 6572, type: MEMORY

Remote Access Functionality:

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: Process Memory Space: CompanyLicense.exe PID: 6572, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Registry Run Keys / Startup Folder11	Process Injection12	Masquerading1	OS Credential Dumping	Security Software Discovery721	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder11	Virtualization/Sandbox Evasion22	LSASS Memory	Virtualization/Sandbox Evasion22	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery31	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
sheilabeltagy3m.hopto.org	1%	Virustotal		Browse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sheilabeltagy3m.hopto.org	185.140.53.253	true	false	1%, Virustotal, Browse	unknown
northside.hopto.org	185.140.53.253	true	false		unknown
sqknbg.dm.files.1drv.com	unknown	unknown	false		high
onedrive.live.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://onedrive.live.com/download?cid=3EA7AF3CF2A8B6E2&resid=3EA7AF3CF2A8B6E2%21118&authkey=AM5VKIx	CompanyLicense.exe, 00000001.00000002.998526794.0000000000562000.00000040.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.140.53.253	unknown	Sweden		209623	DAVID_CRAIGGG	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	341661
Start date:	19.01.2021
Start time:	17:13:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 12s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	CompanyLicense.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/3@74/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 32.8% (good quality ratio 22.5%) Quality average: 43.7% Quality standard deviation: 33%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 13.88.21.125, 52.147.198.201, 13.107.42.13, 13.107.42.12, 51.11.168.160, 92.122.213.194, 92.122.213.247, 52.254.96.93, 52.251.11.100, 20.54.26.129, 8.248.117.254, 8.248.131.254, 67.26.73.254, 8.248.137.254, 8.248.147.254, 40.88.32.150 Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, odc-dm-files-geo.onedrive.akadns.net, arc.msn.com.nsatc.net, bn2eap.displaycatalog.md.mp.microsoft.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, l-0004.l-msedge.net, skypedataprdcoleus15.cloudapp.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, odc-dm-files.onedrive.akadns.net.l-0003.dc-msedge.net.l-0003.l-msedge.net, l-0003.l-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, odc-dm-files-brs.onedrive.akadns.net, odc-web-geo.onedrive.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:14:22	API Interceptor	1384x Sleep call for process: CompanyLicense.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.140.53.253	16Product Specifications list -Order PCT1086586 1st Video.exe	Get hash	malicious	Browse
	15Order PCT1086586 - Project Commercial Conditions.exe	Get hash	malicious	Browse
	58Product Specifications list -Order PCT1086586 1st Video.exe	Get hash	malicious	Browse
	57Order PCT1086586 - Project Commercial Conditions.exe	Get hash	malicious	Browse
	15Product Specifications list -Order PCT1086586 1st Video.exe	Get hash	malicious	Browse
	14Order PCT1086586 - Project Commercial Conditions.exe	Get hash	malicious	Browse
	57Product Specifications list -Order PCT1086586 1st Video.exe	Get hash	malicious	Browse
	56Order PCT1086586 - Project Commercial Conditions.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DAVID_CRAIGGG	Purchase Order 2094742424.exe	Get hash	malicious	Browse	185.244.30.132
	PURCHASE OREDER. PRINT. pdf.exe	Get hash	malicious	Browse	91.193.75.45
	PO.exe	Get hash	malicious	Browse	185.140.53.234
	SWIFT.exe	Get hash	malicious	Browse	185.140.53.154
	SecuriteInfo.com.BScope.Trojan-Dropper.Injector.exe	Get hash	malicious	Browse	185.140.53.234
	PROOF OF PAYMENT.exe	Get hash	malicious	Browse	185.140.53.131
	Orden n.#U00ba STL21119, pdf.exe	Get hash	malicious	Browse	185.140.53.129
	Proof of Payment.exe	Get hash	malicious	Browse	185.244.30.51
	DxCHoDnNLn.exe	Get hash	malicious	Browse	185.140.53.202
	T7gzTHDZ7g.rtf	Get hash	malicious	Browse	185.140.53.202
	PO - 2021-000511.exe	Get hash	malicious	Browse	185.244.30.69
	PO AR483-1590436 _ J-3000 PROJT.xlsx	Get hash	malicious	Browse	185.140.53.202
	Qotation.exe	Get hash	malicious	Browse	185.140.53.154
	PO - 2021-000511.exe	Get hash	malicious	Browse	185.244.30.69
	file.exe	Get hash	malicious	Browse	91.193.75.155
	Orden n.#U00ba 21115, pdf.exe	Get hash	malicious	Browse	185.140.53.129
	Lists.exe	Get hash	malicious	Browse	185.140.53.136
	Quotation Request.exe	Get hash	malicious	Browse	185.244.30.171
	PO-PDF_PDF.exe	Get hash	malicious	Browse	185.244.30.69
	Quiero hacer el pedido de su producto.exe	Get hash	malicious	Browse	185.244.30.18

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Arsenation\Internering2.exe Download File
Process:	C:\Users\user\Desktop\CompanyLicense.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	5.50764794769054
Encrypted:	false
SSDEEP:	768:8zNE6BYzwvWXallllllllllllllllllllllllllllllllllllllllllllllllllK:oE66zwuoPMvaB5DqinLdNW2XLnolNI8
MD5:	ACE3E9FC3A2277AA4E72881C9F204642
SHA1:	50337A4AA52B65CAC5FD2745C3FE7D88D503D00F
SHA-256:	C6CF35735AFF0EBA459A6A1F4B65722BA08DFB0BEED54B0DF8E9BE3EC3EDBA98
SHA-512:	9220FE497F297AE1D86A13DD28FFFC381A6945AC49CC2F3B904D605A193AF00DAAF18B6BC4F6E85D93F6A80B29D34DD56D7269BBC11B46D98319E571989E721F
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........I...................................Rich............................PE..L......T................. ...`...............0....@.................................%...........................................(....P..p>..................................................................8... ....................................text...p........ .................. ..`.data........0.......0..............@....rsrc...p>...P...@...@..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Arsenation\Internering2.vbs Download File
Process:	C:\Users\user\Desktop\CompanyLicense.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	119
Entropy (8bit):	4.835449331887728
Encrypted:	false
SSDEEP:	3:jfF+m8nhvF3mRDt+kiE2J5xAIKQNNApUiMn:jFqhv9Iwkn23fJNN+Uvn
MD5:	3166A889BD35A61A06116E63BED83855
SHA1:	55C2B6B33B9B8DCED197373E2627F9679E29B1B9
SHA-256:	E107D87C8F8AACC01566C5A56A2A31EAC151D8A9226880D56E140DA33A76C77B
SHA-512:	74B3A0E140EB4AC10BF0326D61B16B97D884A7F3C31E48B9BE459D737456B2AA751A665F08D55163D6B940375B0BC1E1A9C292C099582C758328FD4BA53119BF
Malicious:	true
Reputation:	low
Preview:	Set W = CreateObject("WScript.Shell")..Set C = W.Exec ("C:\Users\user\AppData\Local\Temp\Arsenation\Internering2.exe")

C:\Users\user\AppData\Roaming\remcos\logs.dat Download File
Process:	C:\Users\user\Desktop\CompanyLicense.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	74
Entropy (8bit):	4.662420853767955
Encrypted:	false
SSDEEP:	3:ttUVXVrA4RXMRPHv31aeo:tmVBXqdHv3IP
MD5:	2788D81C1E91ADDC68FED1327ECA7812
SHA1:	EEFA17BC4A2DB2D655E9C42D31D51A8C2977BE99
SHA-256:	3C96343061BCFDF07B8AC699D4AB70BD04F64D71E3849850DC5BB368CA62583F
SHA-512:	271DB10D91EDC0910C80133F570FBEACC0BB51A0000290B1061AE3EA1BB3346CA92ADC5D8C6C35565D431A170BC7B1CDAA95B80A85BFC4D864D2093C887AB73C
Malicious:	true
Reputation:	low
Preview:	..[2021/01/19 17:14:22 Offline Keylogger Started]....[ Program Manager ]..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.50764794769054
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CompanyLicense.exe
File size:	98304
MD5:	ace3e9fc3a2277aa4e72881c9f204642
SHA1:	50337a4aa52b65cac5fd2745c3fe7d88d503d00f
SHA256:	c6cf35735aff0eba459a6a1f4b65722ba08dfb0beed54b0df8e9be3ec3edba98
SHA512:	9220fe497f297ae1d86a13dd28fffc381a6945ac49cc2f3b904d605a193af00daaf18b6bc4f6e85d93f6a80b29d34dd56d7269bbc11b46d98319e571989e721f
SSDEEP:	768:8zNE6BYzwvWXallllllllllllllllllllllllllllllllllllllllllllllllllK:oE66zwuoPMvaB5DqinLdNW2XLnolNI8
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........I....................................Rich............................PE..L......T................. ...`...............0....@

File Icon


Icon Hash:	0919914f4707077b

Static PE Info

General
Entrypoint:	0x401480
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x54CDDCDF [Sun Feb 1 07:59:27 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	cdaaae34b462dd94bb47458bdb1adef4

Entrypoint Preview

Instruction
push 004028A8h
call 00007F8E00E97DE3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx-13h], dl
xchg eax, ebx
inc edi
ror byte ptr [esi-27h], 1
inc ebx
xchg eax, ecx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11dd4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x15000	0x3e70	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x238	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x118	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11270	0x12000	False	0.344957139757	data	5.50911753026	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x13000	0x1598	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x15000	0x3e70	0x4000	False	0.405883789062	data	5.82018702814	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x15148	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x155b0	0x10a8	data
RT_ICON	0x16658	0x25a8	data
RT_GROUP_ICON	0x18c00	0x30	data
RT_VERSION	0x18c30	0x240	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaI2Str, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarDup, _CIatan, __vbaStrMove, __vbaAryCopy, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	SKULPTURUDSTILLING
FileVersion	1.00
CompanyName	Above
ProductName	Hypotrochoid9
ProductVersion	1.00
OriginalFilename	SKULPTURUDSTILLING.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 19, 2021 17:14:22.775369883 CET	49731	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:22.824256897 CET	2048	49731	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:23.335721016 CET	49731	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:23.386931896 CET	2048	49731	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:23.897774935 CET	49731	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:23.946536064 CET	2048	49731	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:24.052889109 CET	49732	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:24.101716042 CET	2048	49732	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:24.602783918 CET	49732	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:24.651901007 CET	2048	49732	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:25.152772903 CET	49732	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:25.201525927 CET	2048	49732	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:26.294280052 CET	49733	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:26.342992067 CET	2048	49733	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:26.843080044 CET	49733	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:26.891758919 CET	2048	49733	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:27.392011881 CET	49733	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:27.440768957 CET	2048	49733	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:27.531769037 CET	49734	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:27.580243111 CET	2048	49734	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:28.080979109 CET	49734	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:28.129554987 CET	2048	49734	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:28.633030891 CET	49734	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:28.682029009 CET	2048	49734	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:29.763509989 CET	49737	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:29.814196110 CET	2048	49737	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:30.314121962 CET	49737	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:30.362899065 CET	2048	49737	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:30.864197969 CET	49737	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:30.913114071 CET	2048	49737	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:31.000382900 CET	49738	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:31.048955917 CET	2048	49738	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:31.549484015 CET	49738	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:31.599778891 CET	2048	49738	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:32.101264000 CET	49738	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:32.150471926 CET	2048	49738	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:33.234987974 CET	49740	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:33.283703089 CET	2048	49740	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:33.784394026 CET	49740	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:33.833317041 CET	2048	49740	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:34.334399939 CET	49740	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:34.383140087 CET	2048	49740	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:34.476705074 CET	49741	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:34.525707006 CET	2048	49741	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:35.026490927 CET	49741	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:35.075144053 CET	2048	49741	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:35.577543974 CET	49741	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:35.626167059 CET	2048	49741	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:36.713778973 CET	49742	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:36.762989044 CET	2048	49742	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:37.263942003 CET	49742	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:37.314929008 CET	2048	49742	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:37.815968990 CET	49742	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:37.864969015 CET	2048	49742	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:38.009288073 CET	49743	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:38.061501980 CET	2048	49743	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:38.562872887 CET	49743	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:38.613833904 CET	2048	49743	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:39.116797924 CET	49743	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:39.165838003 CET	2048	49743	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:40.367436886 CET	49745	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:40.416039944 CET	2048	49745	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:40.915915966 CET	49745	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:40.964520931 CET	2048	49745	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:41.500976086 CET	49745	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:41.549803019 CET	2048	49745	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:41.671722889 CET	49746	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:41.720578909 CET	2048	49746	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:42.220014095 CET	49746	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:42.268996954 CET	2048	49746	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:42.770032883 CET	49746	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:42.819853067 CET	2048	49746	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:43.925137043 CET	49749	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:43.973728895 CET	2048	49749	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:44.476151943 CET	49749	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:44.524817944 CET	2048	49749	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:45.027292013 CET	49749	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:45.076185942 CET	2048	49749	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:45.175616026 CET	49751	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:45.224422932 CET	2048	49751	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:45.727181911 CET	49751	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:45.775923014 CET	2048	49751	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:46.276385069 CET	49751	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:46.325015068 CET	2048	49751	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:47.433749914 CET	49754	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:47.482527018 CET	2048	49754	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:48.001429081 CET	49754	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:48.050291061 CET	2048	49754	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:48.601537943 CET	49754	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:48.649986029 CET	2048	49754	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:48.744983912 CET	49758	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:48.793597937 CET	2048	49758	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:49.294563055 CET	49758	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:49.345067024 CET	2048	49758	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:49.849251032 CET	49758	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:49.897691965 CET	2048	49758	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:51.016201973 CET	49765	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:51.064769030 CET	2048	49765	185.140.53.253	192.168.2.4
Jan 19, 2021 17:14:51.565696955 CET	49765	2048	192.168.2.4	185.140.53.253
Jan 19, 2021 17:14:51.614520073 CET	2048	49765	185.140.53.253	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 19, 2021 17:14:09.943872929 CET	54531	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:09.991911888 CET	53	54531	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:13.155688047 CET	49714	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:13.220169067 CET	53	49714	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:13.979582071 CET	58028	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:14.027462959 CET	53	58028	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:17.661808014 CET	53097	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:17.709897995 CET	53	53097	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:20.323478937 CET	49257	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:20.374639988 CET	53	49257	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:21.239258051 CET	62389	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:21.313652992 CET	53	62389	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:22.696815968 CET	49910	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:22.759778976 CET	53	49910	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:23.976702929 CET	55854	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:24.036922932 CET	53	55854	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:26.234143972 CET	64549	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:26.292227030 CET	53	64549	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:27.468760014 CET	63153	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:27.530553102 CET	53	63153	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:28.525441885 CET	52991	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:28.573491096 CET	53	52991	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:29.706235886 CET	53700	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:29.762629986 CET	53	53700	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:30.943011999 CET	51726	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:30.999347925 CET	53	51726	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:32.434756994 CET	56794	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:32.497320890 CET	53	56794	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:33.177584887 CET	56534	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:33.234193087 CET	53	56534	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:34.407461882 CET	56627	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:34.473480940 CET	53	56627	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:36.651421070 CET	56621	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:36.710648060 CET	53	56621	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:37.950375080 CET	63116	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:38.008048058 CET	53	63116	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:38.802968025 CET	64078	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:38.853876114 CET	53	64078	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:40.318720102 CET	64801	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:40.366662979 CET	53	64801	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:41.578357935 CET	61721	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:41.635349989 CET	53	61721	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:41.706896067 CET	51255	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:41.757658958 CET	53	51255	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:42.979298115 CET	61522	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:43.030193090 CET	53	61522	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:43.866233110 CET	52337	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:43.922911882 CET	53	52337	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:44.424381018 CET	55046	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:44.472414017 CET	53	55046	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:45.117981911 CET	49612	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:45.174139023 CET	53	49612	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:46.598598957 CET	49285	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:46.655139923 CET	53	49285	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:46.966098070 CET	50601	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:47.069701910 CET	53	50601	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:47.368578911 CET	60875	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:47.432704926 CET	53	60875	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:47.949451923 CET	56448	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:48.010569096 CET	53	56448	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:48.242711067 CET	59172	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:48.293348074 CET	53	59172	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:48.415158033 CET	62420	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:48.487011909 CET	53	62420	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:48.686530113 CET	60579	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:48.743086100 CET	53	60579	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:48.985090017 CET	50183	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:49.046729088 CET	53	50183	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:49.499128103 CET	61531	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:49.550054073 CET	53	61531	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:49.821460962 CET	49228	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:49.885998011 CET	53	49228	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:50.204355955 CET	59794	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:50.252202988 CET	53	59794	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:50.634546995 CET	55916	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:50.682677031 CET	53	55916	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:50.708967924 CET	52752	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:50.773046970 CET	53	52752	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:50.952425003 CET	60542	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:51.014060020 CET	53	60542	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:51.776447058 CET	60689	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:51.832902908 CET	53	60689	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:52.201205015 CET	64206	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:52.257812977 CET	53	64206	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:52.861074924 CET	50904	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:52.922400951 CET	53	50904	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:54.148149967 CET	57525	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:54.209078074 CET	53	57525	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:54.446244001 CET	53814	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:54.496059895 CET	53	53814	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:55.638669968 CET	53418	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:55.690269947 CET	62833	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:55.700361967 CET	53	53418	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:55.746643066 CET	53	62833	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:56.515439987 CET	59260	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:56.574630022 CET	53	59260	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:58.136776924 CET	49944	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:58.197926998 CET	53	49944	8.8.8.8	192.168.2.4
Jan 19, 2021 17:14:59.487055063 CET	63300	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:14:59.548501015 CET	53	63300	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:01.789062023 CET	61449	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:01.845561981 CET	53	61449	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:03.039455891 CET	51275	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:03.095740080 CET	53	51275	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:03.356487036 CET	63492	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:03.407774925 CET	53	63492	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:03.575505972 CET	58945	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:03.647437096 CET	53	58945	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:05.269073963 CET	60779	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:06.307902098 CET	64014	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:06.311877966 CET	60779	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:06.368491888 CET	53	60779	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:06.373554945 CET	53	64014	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:07.562407970 CET	57091	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:07.610485077 CET	53	57091	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:09.798381090 CET	55904	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:09.849160910 CET	53	55904	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:11.032475948 CET	52109	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:11.093702078 CET	53	52109	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:11.847198009 CET	54450	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:11.895070076 CET	53	54450	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:13.283751965 CET	49374	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:13.325629950 CET	50436	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:13.343240023 CET	53	49374	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:13.373994112 CET	53	50436	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:14.540656090 CET	62605	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:14.597177029 CET	53	62605	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:17.596970081 CET	54256	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:17.655365944 CET	53	54256	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:22.760082960 CET	52189	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:22.808008909 CET	53	52189	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:28.757800102 CET	56131	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:28.815994978 CET	53	56131	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:30.019778013 CET	62992	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:30.076164007 CET	53	62992	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:31.292248964 CET	54432	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:31.343381882 CET	53	54432	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:32.084727049 CET	57227	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:32.135871887 CET	53	57227	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:32.265638113 CET	58383	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:32.326874018 CET	53	58383	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:32.952282906 CET	63136	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:33.000319004 CET	53	63136	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:33.506709099 CET	50911	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:33.564708948 CET	53	50911	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:35.407144070 CET	63409	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:35.457967997 CET	53	63409	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:35.753662109 CET	59185	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:35.809885979 CET	53	59185	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:37.014866114 CET	64236	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:37.073565960 CET	53	64236	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:37.626287937 CET	56157	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:37.677510023 CET	53	56157	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:39.257890940 CET	55601	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:39.317043066 CET	53	55601	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:39.366555929 CET	52984	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:39.427902937 CET	53	52984	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:40.498341084 CET	51141	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:40.546051025 CET	53	51141	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:42.731714010 CET	53610	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:42.791768074 CET	53	53610	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:43.980668068 CET	61247	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:44.036858082 CET	53	61247	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:46.222735882 CET	65165	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:46.287039042 CET	53	65165	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:47.490364075 CET	52076	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:47.547096968 CET	53	52076	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:50.469167948 CET	54903	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:50.533364058 CET	53	54903	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:51.730165958 CET	55045	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:51.789258957 CET	53	55045	8.8.8.8	192.168.2.4
Jan 19, 2021 17:15:53.997497082 CET	54464	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:15:54.061994076 CET	53	54464	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:07.202050924 CET	50970	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:07.266206980 CET	53	50970	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:09.467921972 CET	55261	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:09.529237032 CET	53	55261	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:10.766552925 CET	59809	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:10.823873997 CET	53	59809	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:13.058108091 CET	51278	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:13.114248037 CET	53	51278	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:14.301039934 CET	51932	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:14.361051083 CET	53	51932	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:16.555202007 CET	59494	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:16.616471052 CET	53	59494	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:17.819614887 CET	55915	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:17.876086950 CET	53	55915	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:20.080435991 CET	49779	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:20.139585972 CET	53	49779	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:21.342369080 CET	49458	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:21.393071890 CET	53	49458	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:23.585649014 CET	57164	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:23.644537926 CET	53	57164	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:24.839747906 CET	49840	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:24.896742105 CET	53	49840	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:27.103224039 CET	57174	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:27.159734011 CET	53	57174	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:28.373641968 CET	58531	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:28.430135965 CET	53	58531	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:30.653420925 CET	49608	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:30.709765911 CET	53	49608	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:31.925923109 CET	55682	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:31.985290051 CET	53	55682	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:34.204695940 CET	62436	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:34.265736103 CET	53	62436	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:35.472865105 CET	61230	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:35.537314892 CET	53	61230	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:37.777757883 CET	64730	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:37.836141109 CET	53	64730	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:39.052273989 CET	60624	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:39.112523079 CET	53	60624	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:41.310803890 CET	62600	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:41.369627953 CET	53	62600	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:42.581015110 CET	53200	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:42.639022112 CET	53	53200	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:44.838633060 CET	61034	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:44.897322893 CET	53	61034	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:46.098861933 CET	57687	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:46.155225992 CET	53	57687	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:48.340233088 CET	49839	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:48.404742956 CET	53	49839	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:49.565933943 CET	57975	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:49.622330904 CET	53	57975	8.8.8.8	192.168.2.4
Jan 19, 2021 17:16:51.772027969 CET	57610	53	192.168.2.4	8.8.8.8
Jan 19, 2021 17:16:51.819967985 CET	53	57610	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 19, 2021 17:14:20.323478937 CET	192.168.2.4	8.8.8.8	0xd391	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:21.239258051 CET	192.168.2.4	8.8.8.8	0xc44d	Standard query (0)	sqknbg.dm.files.1drv.com	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:22.696815968 CET	192.168.2.4	8.8.8.8	0x3dab	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:23.976702929 CET	192.168.2.4	8.8.8.8	0xfa67	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:26.234143972 CET	192.168.2.4	8.8.8.8	0xbd93	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:27.468760014 CET	192.168.2.4	8.8.8.8	0xf12c	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:29.706235886 CET	192.168.2.4	8.8.8.8	0xba4f	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:30.943011999 CET	192.168.2.4	8.8.8.8	0x14b9	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:33.177584887 CET	192.168.2.4	8.8.8.8	0xf9d7	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:34.407461882 CET	192.168.2.4	8.8.8.8	0x8275	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:36.651421070 CET	192.168.2.4	8.8.8.8	0x2796	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:37.950375080 CET	192.168.2.4	8.8.8.8	0x8112	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:40.318720102 CET	192.168.2.4	8.8.8.8	0x885f	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:41.578357935 CET	192.168.2.4	8.8.8.8	0x1e9	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:43.866233110 CET	192.168.2.4	8.8.8.8	0xb475	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:45.117981911 CET	192.168.2.4	8.8.8.8	0xcffa	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:47.368578911 CET	192.168.2.4	8.8.8.8	0x300e	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:48.686530113 CET	192.168.2.4	8.8.8.8	0xd415	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:50.952425003 CET	192.168.2.4	8.8.8.8	0x93fd	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:52.201205015 CET	192.168.2.4	8.8.8.8	0x3aaf	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:54.446244001 CET	192.168.2.4	8.8.8.8	0xe354	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:55.690269947 CET	192.168.2.4	8.8.8.8	0xb8b8	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:58.136776924 CET	192.168.2.4	8.8.8.8	0x7f8e	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:59.487055063 CET	192.168.2.4	8.8.8.8	0xde20	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:01.789062023 CET	192.168.2.4	8.8.8.8	0x6eb2	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:03.039455891 CET	192.168.2.4	8.8.8.8	0x454f	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:05.269073963 CET	192.168.2.4	8.8.8.8	0x80d3	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:06.311877966 CET	192.168.2.4	8.8.8.8	0x80d3	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:07.562407970 CET	192.168.2.4	8.8.8.8	0xf2c9	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:09.798381090 CET	192.168.2.4	8.8.8.8	0xbe01	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:11.032475948 CET	192.168.2.4	8.8.8.8	0x113c	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:13.283751965 CET	192.168.2.4	8.8.8.8	0xe41c	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:14.540656090 CET	192.168.2.4	8.8.8.8	0xeec6	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:28.757800102 CET	192.168.2.4	8.8.8.8	0xfbfd	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:30.019778013 CET	192.168.2.4	8.8.8.8	0x969e	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:32.265638113 CET	192.168.2.4	8.8.8.8	0x3f0e	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:33.506709099 CET	192.168.2.4	8.8.8.8	0x7ae3	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:35.753662109 CET	192.168.2.4	8.8.8.8	0xf04b	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:37.014866114 CET	192.168.2.4	8.8.8.8	0x7653	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:39.257890940 CET	192.168.2.4	8.8.8.8	0xac4b	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:40.498341084 CET	192.168.2.4	8.8.8.8	0x9466	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:42.731714010 CET	192.168.2.4	8.8.8.8	0x1882	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:43.980668068 CET	192.168.2.4	8.8.8.8	0xb347	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:46.222735882 CET	192.168.2.4	8.8.8.8	0xdde8	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:47.490364075 CET	192.168.2.4	8.8.8.8	0xda2	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:50.469167948 CET	192.168.2.4	8.8.8.8	0xa29b	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:51.730165958 CET	192.168.2.4	8.8.8.8	0x673b	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:53.997497082 CET	192.168.2.4	8.8.8.8	0x17fe	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:07.202050924 CET	192.168.2.4	8.8.8.8	0x90f4	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:09.467921972 CET	192.168.2.4	8.8.8.8	0x6360	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:10.766552925 CET	192.168.2.4	8.8.8.8	0x696c	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:13.058108091 CET	192.168.2.4	8.8.8.8	0x4581	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:14.301039934 CET	192.168.2.4	8.8.8.8	0x2031	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:16.555202007 CET	192.168.2.4	8.8.8.8	0x7900	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:17.819614887 CET	192.168.2.4	8.8.8.8	0x1e2e	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:20.080435991 CET	192.168.2.4	8.8.8.8	0xd577	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:21.342369080 CET	192.168.2.4	8.8.8.8	0x4789	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:23.585649014 CET	192.168.2.4	8.8.8.8	0x3d2a	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:24.839747906 CET	192.168.2.4	8.8.8.8	0x94ad	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:27.103224039 CET	192.168.2.4	8.8.8.8	0x4bba	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:28.373641968 CET	192.168.2.4	8.8.8.8	0xdffd	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:30.653420925 CET	192.168.2.4	8.8.8.8	0xcaed	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:31.925923109 CET	192.168.2.4	8.8.8.8	0xf3c1	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:34.204695940 CET	192.168.2.4	8.8.8.8	0x910b	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:35.472865105 CET	192.168.2.4	8.8.8.8	0x59d9	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:37.777757883 CET	192.168.2.4	8.8.8.8	0x9222	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:39.052273989 CET	192.168.2.4	8.8.8.8	0x6cab	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:41.310803890 CET	192.168.2.4	8.8.8.8	0x2b6b	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:42.581015110 CET	192.168.2.4	8.8.8.8	0xa7bb	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:44.838633060 CET	192.168.2.4	8.8.8.8	0xed0e	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:46.098861933 CET	192.168.2.4	8.8.8.8	0x3328	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:48.340233088 CET	192.168.2.4	8.8.8.8	0x11f3	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:49.565933943 CET	192.168.2.4	8.8.8.8	0xace5	Standard query (0)	sheilabeltagy3m.hopto.org	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:51.772027969 CET	192.168.2.4	8.8.8.8	0xf495	Standard query (0)	northside.hopto.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 19, 2021 17:14:20.374639988 CET	8.8.8.8	192.168.2.4	0xd391	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jan 19, 2021 17:14:21.313652992 CET	8.8.8.8	192.168.2.4	0xc44d	No error (0)	sqknbg.dm.files.1drv.com	dm-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)
Jan 19, 2021 17:14:21.313652992 CET	8.8.8.8	192.168.2.4	0xc44d	No error (0)	dm-files.fe.1drv.com	odc-dm-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jan 19, 2021 17:14:22.759778976 CET	8.8.8.8	192.168.2.4	0x3dab	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:24.036922932 CET	8.8.8.8	192.168.2.4	0xfa67	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:26.292227030 CET	8.8.8.8	192.168.2.4	0xbd93	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:27.530553102 CET	8.8.8.8	192.168.2.4	0xf12c	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:29.762629986 CET	8.8.8.8	192.168.2.4	0xba4f	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:30.999347925 CET	8.8.8.8	192.168.2.4	0x14b9	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:33.234193087 CET	8.8.8.8	192.168.2.4	0xf9d7	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:34.473480940 CET	8.8.8.8	192.168.2.4	0x8275	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:36.710648060 CET	8.8.8.8	192.168.2.4	0x2796	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:38.008048058 CET	8.8.8.8	192.168.2.4	0x8112	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:40.366662979 CET	8.8.8.8	192.168.2.4	0x885f	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:41.635349989 CET	8.8.8.8	192.168.2.4	0x1e9	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:43.922911882 CET	8.8.8.8	192.168.2.4	0xb475	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:45.174139023 CET	8.8.8.8	192.168.2.4	0xcffa	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:47.432704926 CET	8.8.8.8	192.168.2.4	0x300e	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:48.743086100 CET	8.8.8.8	192.168.2.4	0xd415	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:51.014060020 CET	8.8.8.8	192.168.2.4	0x93fd	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:52.257812977 CET	8.8.8.8	192.168.2.4	0x3aaf	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:54.496059895 CET	8.8.8.8	192.168.2.4	0xe354	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:55.746643066 CET	8.8.8.8	192.168.2.4	0xb8b8	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:58.197926998 CET	8.8.8.8	192.168.2.4	0x7f8e	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:14:59.548501015 CET	8.8.8.8	192.168.2.4	0xde20	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:01.845561981 CET	8.8.8.8	192.168.2.4	0x6eb2	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:03.095740080 CET	8.8.8.8	192.168.2.4	0x454f	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:06.368491888 CET	8.8.8.8	192.168.2.4	0x80d3	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:07.610485077 CET	8.8.8.8	192.168.2.4	0xf2c9	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:09.849160910 CET	8.8.8.8	192.168.2.4	0xbe01	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:11.093702078 CET	8.8.8.8	192.168.2.4	0x113c	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:13.343240023 CET	8.8.8.8	192.168.2.4	0xe41c	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:14.597177029 CET	8.8.8.8	192.168.2.4	0xeec6	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:28.815994978 CET	8.8.8.8	192.168.2.4	0xfbfd	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:30.076164007 CET	8.8.8.8	192.168.2.4	0x969e	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:32.326874018 CET	8.8.8.8	192.168.2.4	0x3f0e	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:33.564708948 CET	8.8.8.8	192.168.2.4	0x7ae3	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:35.809885979 CET	8.8.8.8	192.168.2.4	0xf04b	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:37.073565960 CET	8.8.8.8	192.168.2.4	0x7653	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:39.317043066 CET	8.8.8.8	192.168.2.4	0xac4b	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:40.546051025 CET	8.8.8.8	192.168.2.4	0x9466	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:42.791768074 CET	8.8.8.8	192.168.2.4	0x1882	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:44.036858082 CET	8.8.8.8	192.168.2.4	0xb347	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:46.287039042 CET	8.8.8.8	192.168.2.4	0xdde8	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:47.547096968 CET	8.8.8.8	192.168.2.4	0xda2	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:50.533364058 CET	8.8.8.8	192.168.2.4	0xa29b	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:51.789258957 CET	8.8.8.8	192.168.2.4	0x673b	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:15:54.061994076 CET	8.8.8.8	192.168.2.4	0x17fe	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:07.266206980 CET	8.8.8.8	192.168.2.4	0x90f4	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:09.529237032 CET	8.8.8.8	192.168.2.4	0x6360	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:10.823873997 CET	8.8.8.8	192.168.2.4	0x696c	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:13.114248037 CET	8.8.8.8	192.168.2.4	0x4581	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:14.361051083 CET	8.8.8.8	192.168.2.4	0x2031	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:16.616471052 CET	8.8.8.8	192.168.2.4	0x7900	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:17.876086950 CET	8.8.8.8	192.168.2.4	0x1e2e	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:20.139585972 CET	8.8.8.8	192.168.2.4	0xd577	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:21.393071890 CET	8.8.8.8	192.168.2.4	0x4789	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:23.644537926 CET	8.8.8.8	192.168.2.4	0x3d2a	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:24.896742105 CET	8.8.8.8	192.168.2.4	0x94ad	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:27.159734011 CET	8.8.8.8	192.168.2.4	0x4bba	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:28.430135965 CET	8.8.8.8	192.168.2.4	0xdffd	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:30.709765911 CET	8.8.8.8	192.168.2.4	0xcaed	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:31.985290051 CET	8.8.8.8	192.168.2.4	0xf3c1	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:34.265736103 CET	8.8.8.8	192.168.2.4	0x910b	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:35.537314892 CET	8.8.8.8	192.168.2.4	0x59d9	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:37.836141109 CET	8.8.8.8	192.168.2.4	0x9222	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:39.112523079 CET	8.8.8.8	192.168.2.4	0x6cab	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:41.369627953 CET	8.8.8.8	192.168.2.4	0x2b6b	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:42.639022112 CET	8.8.8.8	192.168.2.4	0xa7bb	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:44.897322893 CET	8.8.8.8	192.168.2.4	0xed0e	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:46.155225992 CET	8.8.8.8	192.168.2.4	0x3328	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:48.404742956 CET	8.8.8.8	192.168.2.4	0x11f3	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:49.622330904 CET	8.8.8.8	192.168.2.4	0xace5	No error (0)	sheilabeltagy3m.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)
Jan 19, 2021 17:16:51.819967985 CET	8.8.8.8	192.168.2.4	0xf495	No error (0)	northside.hopto.org		185.140.53.253	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: CompanyLicense.exe PID: 5148 Parent PID: 5680

General

Start time:	17:14:06
Start date:	19/01/2021
Path:	C:\Users\user\Desktop\CompanyLicense.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\CompanyLicense.exe'
Imagebase:	0x400000
File size:	98304 bytes
MD5 hash:	ACE3E9FC3A2277AA4E72881C9F204642
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Analysis Process: CompanyLicense.exe PID: 6572 Parent PID: 5148

General

Start time:	17:14:13
Start date:	19/01/2021
Path:	C:\Users\user\Desktop\CompanyLicense.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\CompanyLicense.exe'
Imagebase:	0x400000
File size:	98304 bytes
MD5 hash:	ACE3E9FC3A2277AA4E72881C9F204642
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000001.00000002.998526794.0000000000562000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report CompanyLicense.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics