
Analysis Report Payment Confirmation.exe

Overview

General Information

Sample Name: Payment Confirmation.exe
Analysis ID: 356448
MD5: 800b9d7f3a47c5a18da78cb6a54f90be
SHA1: 67c825ca6d8f430fdfc4cbca78c442600db7ccf0
SHA256: e6edf54375a14314aa44db9fe8cdd48368338e7ed873f25ba2a6a5ff4381d233
Tags: DarkComet, exe, nVpn, RAT

Most interesting Screenshot:

Detection

DarkComet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Potential malicious icon found
Yara detected DarkComet
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes
Contains functionality to register a low level keyboard hook
Drops PE files to the startup folder
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to delete services
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality to upload files via FTP
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Enables driver privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Payment Confirmation.exe (PID: 7012 cmdline: 'C:\Users\user\Desktop\Payment Confirmation.exe' MD5: 800B9D7F3A47C5A18DA78CB6A54F90BE)
    • cvcvsdf.exe (PID: 7064 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe MD5: 800B9D7F3A47C5A18DA78CB6A54F90BE)
      • cvcvsdf.exe (PID: 7148 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe MD5: 800B9D7F3A47C5A18DA78CB6A54F90BE)
  • cvcvsdf.exe (PID: 6340 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe' MD5: 800B9D7F3A47C5A18DA78CB6A54F90BE)
    • cvcvsdf.exe (PID: 4820 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe MD5: 800B9D7F3A47C5A18DA78CB6A54F90BE)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000008.00000003.365577575.00000000023BA000.00000004.00000001.sdmp | Rule: DarkComet_2 | Description: DarkComet | Author: Jean-Philippe Teissier / @Jipe_
  • 0x928:$c: DC_MUTEX-
  • 0x9c8:$c: DC_MUTEX-
Source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp | Rule: Malware_QA_update | Description: VT Research QA uploaded malware - file update.exe | Author: Florian Roth
  • 0x7be68:$x1: UnActiveOfflineKeylogger
  • 0x7c92c:$x2: BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|
  • 0x7bdcc:$x3: ActiveOnlineKeylogger
  • 0x7c814:$x6: BTRESULTUpdate from URL|Update : File Downloaded , Executing new one in temp dir...|
  • 0x7c6b5:$s2: Command successfully executed!|
  • 0x6e6f4:$s4: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!
Source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp | Rule: RAT_DarkComet | Description: Detects DarkComet RAT | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x7c79c:$a1: #BOT#URLUpdate
  • 0x7c6b5:$a2: Command successfully executed!
  • 0x13f8:$b1: FastMM Borland Edition
  • 0x2b884:$b2: %s, ClassID: %s
  • 0x6e6f4:$b3: I wasn't able to open the hosts file
  • 0x7c5a0:$b4: #BOT#VisitUrl
  • 0x62bec:$b5: #KCMDDC
Source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp | Rule: JoeSecurity_DarkCometRat | Description: Yara detected DarkComet | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp | Rule: JoeSecurity_DelphiSystemParamCount | Description: Detected Delphi use of System.ParamCount() | Author: Joe Security

Unpacked PEs

Source: 8.2.cvcvsdf.exe.400000.0.raw.unpack | Rule: Malware_QA_update | Description: VT Research QA uploaded malware - file update.exe | Author: Florian Roth
  • 0x7be68:$x1: UnActiveOfflineKeylogger
  • 0x7c92c:$x2: BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|
  • 0x7bdcc:$x3: ActiveOnlineKeylogger
  • 0x7c814:$x6: BTRESULTUpdate from URL|Update : File Downloaded , Executing new one in temp dir...|
  • 0x7c6b5:$s2: Command successfully executed!|
  • 0x6e6f4:$s4: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!
Source: 8.2.cvcvsdf.exe.400000.0.raw.unpack | Rule: RAT_DarkComet | Description: Detects DarkComet RAT | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x7c79c:$a1: #BOT#URLUpdate
  • 0x7c6b5:$a2: Command successfully executed!
  • 0x13f8:$b1: FastMM Borland Edition
  • 0x2b884:$b2: %s, ClassID: %s
  • 0x6e6f4:$b3: I wasn't able to open the hosts file
  • 0x7c5a0:$b4: #BOT#VisitUrl
  • 0x62bec:$b5: #KCMDDC
Source: 8.2.cvcvsdf.exe.400000.0.raw.unpack | Rule: JoeSecurity_DarkCometRat | Description: Yara detected DarkComet | Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.cvcvsdf.exe.400000.0.raw.unpack | Rule: JoeSecurity_DelphiSystemParamCount | Description: Detected Delphi use of System.ParamCount() | Author: Joe Security
Source: 8.2.cvcvsdf.exe.400000.0.raw.unpack | Rule: DarkComet_1 | Description: DarkComet RAT | Author: botherder https://github.com/botherder
  • 0x7c5b8:$bot1: #BOT#OpenUrl
  • 0x7c634:$bot2: #BOT#Ping
  • 0x7c67c:$bot3: #BOT#RunPrompt
  • 0x7c73c:$bot4: #BOT#SvrUninstall
  • 0x7c874:$bot5: #BOT#URLDownload
  • 0x7c79c:$bot6: #BOT#URLUpdate
  • 0x7c5a0:$bot7: #BOT#VisitUrl
  • 0x7c6e0:$bot8: #BOT#CloseServer
  • 0x7caec:$ddos1: DDOSHTTPFLOOD
  • 0x7cb04:$ddos2: DDOSSYNFLOOD
  • 0x7cb1c:$ddos3: DDOSUDPFLOOD
  • 0x7bdcc:$keylogger1: ActiveOnlineKeylogger
  • 0x7bdee:$keylogger1: ActiveOnlineKeylogger
  • 0x7bdec:$keylogger2: UnActiveOnlineKeylogger
  • 0x7be48:$keylogger3: ActiveOfflineKeylogger
  • 0x7be6a:$keylogger3: ActiveOfflineKeylogger
  • 0x7be68:$keylogger4: UnActiveOfflineKeylogger

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Payment Confirmation.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | ReversingLabs: Detection: 47%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Payment Confirmation.exe | Joe Sandbox ML: detected
Source: 3.0.cvcvsdf.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 7.2.cvcvsdf.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 1.0.cvcvsdf.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.0.Payment Confirmation.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 7.0.cvcvsdf.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 1.2.cvcvsdf.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 8.0.cvcvsdf.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 3.1.cvcvsdf.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 0.2.Payment Confirmation.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files
Source: Payment Confirmation.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_0040A490 FindFirstFileA,GetLastError,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_00406B58 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_0047EE4C FindFirstFileA,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_00465348 FindFirstFileA,

Networking:

Uses dynamic DNS services
Source: unknown | DNS query: name: martinboss.ddns.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_004727B4 URLDownloadToFileA,ShellExecuteA,RtlExitUserThread,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_00470278 FtpPutFileA,
Source: global traffic | TCP traffic: 192.168.2.6:49722 -> 79.134.225.30:508
Source: Joe Sandbox View | IP Address: 79.134.225.30
Source: Joe Sandbox View | ASN Name: FINK-TELECOM-SERVICESCH
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_004727B4 URLDownloadToFileA,ShellExecuteA,RtlExitUserThread,
Source: unknown | DNS traffic detected: queries for: martinboss.ddns.net
Source: Payment Confirmation.exe | String found in binary or memory: http://technohub.in
Source: Payment Confirmation.exe | String found in binary or memory: http://www.technohub.in/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to capture and log keystrokes
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: [ESC]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: [F1]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: [F2]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: [DEL]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: [INS]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: [SNAPSHOT]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: [LEFT]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: [RIGHT]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: [DOWN]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: [UP]
Contains functionality to log keystrokes
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_0047F788 CallNextHookEx,CallNextHookEx,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,CallNextHookEx,
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_0047FD60 SetWindowsHookExA 0000000D,Function_0007F788,00000000,00000000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_004083D6 OpenClipboard,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_00430F5C GetClipboardData,GlobalFix,GlobalUnWire,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_00428440 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_00455020 GetMessagePos,GetKeyboardState,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_0047F788 CallNextHookEx,CallNextHookEx,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,CallNextHookEx,

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000008.00000003.365577575.00000000023BA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.592032143.000000000238A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: cvcvsdf.exe PID: 4820, type: MEMORY | Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: cvcvsdf.exe PID: 4820, type: MEMORY | Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: Process Memory Space: cvcvsdf.exe PID: 4820, type: MEMORY | Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: cvcvsdf.exe PID: 4820, type: MEMORY | Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: cvcvsdf.exe PID: 7148, type: MEMORY | Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: cvcvsdf.exe PID: 7148, type: MEMORY | Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: Process Memory Space: cvcvsdf.exe PID: 7148, type: MEMORY | Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: cvcvsdf.exe PID: 7148, type: MEMORY | Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 8.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 8.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 3.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 3.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Yara detected DarkComet
Source: Yara match | File source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: cvcvsdf.exe PID: 4820, type: MEMORY
Source: Yara match | File source: Process Memory Space: cvcvsdf.exe PID: 7148, type: MEMORY
Source: Yara match | File source: 8.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Payment Confirmation.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_0044521C NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_0043838C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_004304E8 NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_00455220 SetWindowPos,NtdllDefWindowProc_A,GetCapture,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_00445968 SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_00461974 NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_00445A48 SetActiveWindow,ShowWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 7_3_030CC8DC CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 7_2_030CC8DC CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_004706C8 OpenSCManagerA,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_0040811E ExitWindowsEx,
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: 0_2_0041BC60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_0043E01C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_00402360
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_0043838C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_00406414
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_0045E7A4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_004698D4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 7_3_0304FB68
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Process token adjusted: Load Driver
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: String function: 00407BA8 appears 109 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: String function: 00405470 appears 41 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: String function: 0042121C appears 73 times
Source: C:\Users\user\Desktop\Payment Confirmation.exe | Code function: String function: 0041BC60 appears 72 times
Source: Payment Confirmation.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cvcvsdf.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Payment Confirmation.exe, 00000000.00000002.344091917.0000000002150000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Payment Confirmation.exe
Source: Payment Confirmation.exe, 00000000.00000000.325924992.000000000043C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename1.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX vs Payment Confirmation.exe
Source: Payment Confirmation.exe | Binary or memory string: OriginalFilename1.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX vs Payment Confirmation.exe
Source: Payment Confirmation.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 00000008.00000003.365577575.00000000023BA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 00000003.00000002.592032143.000000000238A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: Process Memory Space: cvcvsdf.exe PID: 4820, type: MEMORY | Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: cvcvsdf.exe PID: 4820, type: MEMORY | Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: Process Memory Space: cvcvsdf.exe PID: 4820, type: MEMORY | Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: Process Memory Space: cvcvsdf.exe PID: 4820, type: MEMORY | Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: cvcvsdf.exe PID: 7148, type: MEMORY | Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: cvcvsdf.exe PID: 7148, type: MEMORY | Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: Process Memory Space: cvcvsdf.exe PID: 7148, type: MEMORY | Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: Process Memory Space: cvcvsdf.exe PID: 7148, type: MEMORY | Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 8.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 8.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 8.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
          Source: 8.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
          Source: 8.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
          Source: 8.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
          Source: 8.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
          Source: 8.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
          Source: 3.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
          Source: 3.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
          Source: 3.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
          Source: 3.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
          Source: 3.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
          Source: 3.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
          Source: 3.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
          Source: 3.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
          Source: Payment Confirmation.exe, 00000000.00000002.342440915.000000000043A000.00000004.00020000.sdmp, cvcvsdf.exe, 00000001.00000002.338400368.000000000043A000.00000004.00020000.sdmp, cvcvsdf.exe, 00000007.00000002.367404683.000000000043A000.00000004.00020000.sdmpBinary or memory string: @*\AC:\warka\snakeRat\ssfff\55-ftp\NASHFTP.vbp
          Source: Payment Confirmation.exeBinary or memory string: C*\AC:\warka\snakeRat\ssfff\55-ftp\NASHFTP.vbp
          Source: classification engineClassification label: mal100.rans.troj.adwa.spyw.evad.winEXE@8/1@84/2
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_004253A8 GetLastError,FormatMessageA,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_0040A74E GetDiskFreeSpaceA,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_0041C268 FindResourceA,LoadResource,SizeofResource,LockResource,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_004705D0 OpenSCManagerA,OpenServiceA,StartServiceA,ControlService,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,
          Source: C:\Users\user\Desktop\Payment Confirmation.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeMutant created: \Sessions\1\BaseNamedObjects\DC_MUTEX-VPUBE8K
          Source: Yara matchFile source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 8.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Payment Confirmation.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\user\Desktop\Payment Confirmation.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
          Source: C:\Users\user\Desktop\Payment Confirmation.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\Payment Confirmation.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\Payment Confirmation.exeFile read: C:\Users\user\Desktop\Payment Confirmation.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\Payment Confirmation.exe 'C:\Users\user\Desktop\Payment Confirmation.exe'
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe'
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
          Source: C:\Users\user\Desktop\Payment Confirmation.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
          Source: C:\Users\user\Desktop\Payment Confirmation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_0042EB3C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
          Source: cvcvsdf.exe.0.drStatic PE information: real checksum: 0x40b44 should be: 0xe266c
          Source: Payment Confirmation.exeStatic PE information: real checksum: 0x40b44 should be: 0xe266c
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 0_2_00403140 push cs; retf
          Source: C:\Users\user\Desktop\Payment Confirmation.exeCode function: 0_2_00403B78 push cs; retf
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_004186D8 push ecx; mov dword ptr [esp], edx
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_004041D0 push eax; ret
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_0042E1F0 push 0042E21Ch; ret
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_0042225C push 0042229Fh; ret
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_0044A278 push ecx; mov dword ptr [esp], edx
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_004302E8 push 00430348h; ret
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_0041639A push 00416412h; ret
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_0041639C push 00416412h; ret
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_004324A8 push 004324F4h; ret
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_0045E4B4 push 0045E4E0h; ret
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_0044A51C push ecx; mov dword ptr [esp], edx
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_0042C598 push 0042C615h; ret
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_00430634 push 00430660h; ret
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_00408724 push 00408766h; ret
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_0045E7A4 push ecx; mov dword ptr [esp], eax
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_0041086C push 00410898h; ret
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_0044A818 push 0044A844h; ret
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_00418934 push ecx; mov dword ptr [esp], edx
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_00418A54 push ecx; mov dword ptr [esp], edx
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_00418A98 push ecx; mov dword ptr [esp], edx
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_00420B54 push 00420BFFh; ret
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_00430C7C push 00430CD6h; ret
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_00462C08 push 00462F34h; ret
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_00416D54 push 00416DA1h; ret
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_0047EE4C push 0047EEE8h; ret
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_00420E54 push 00420E97h; ret
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_00438F0C push 00438F77h; ret
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_004670F8 push 00467130h; ret
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_0042B278 push 0042B348h; ret
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeCode function: 3_2_004727B4 URLDownloadToFileA,ShellExecuteA,RtlExitUserThread,
          Source: C:\Users\user\Desktop\Payment Confirmation.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exeJump to dropped file

          Boot Survival:

          Drops PE files to the startup folder
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_004705D0 OpenSCManagerA,OpenServiceA,StartServiceA,ControlService,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_0045843C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_0043B134 IsIconic,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_004571F8 IsIconic,GetCapture,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_0043B1B0 GetWindowLongA,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongA,SetWindowLongA,ShowWindow,ShowWindow,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_00457B00 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_0042DCA8 IsIconic,GetWindowPlacement,GetWindowRect,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_0042EB3C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Payment Confirmation.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: OpenSCManagerA,EnumServicesStatusA,CloseServiceHandle,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Window / User API: threadDelayed 868
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe TID: 2916 | Thread sleep time: -13888000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Last function: Thread delayed
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_0040A490 FindFirstFileA,GetLastError,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_00406B58 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_0047EE4C FindFirstFileA,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_00465348 FindFirstFileA,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_0042EB3C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_00407BAE GetProcessHeap,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          Contains functionality to inject code into remote processes
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 7_3_030CC8DC CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,
          Injects a PE file into a foreign processes
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_00468550 keybd_event,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_0047E068 WSAStartup,socket,WSACleanup,htons,inet_addr,gethostbyname,WSACleanup,RtlExitUserThread,connect,closesocket,RtlExitUserThread,mouse_event,SetCursorPos,mouse_event,mouse_event,SetCursorPos,mouse_event,mouse_event,SetCursorPos,mouse_event,mouse_event,closesocket,RtlExitUserThread,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
          Source: cvcvsdf.exe, cvcvsdf.exe, 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: cvcvsdf.exe, cvcvsdf.exe, 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp | Binary or memory string: Progman
          Source: cvcvsdf.exe, 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, cvcvsdf.exe, 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp | Binary or memory string: Progmanjh@OFjj
          Source: cvcvsdf.exe, 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, cvcvsdf.exe, 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp | Binary or memory string: Shell_TrayWndjjh
          Source: cvcvsdf.exe, 00000003.00000002.591760385.0000000000E50000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
          Source: cvcvsdf.exe, 00000003.00000002.591760385.0000000000E50000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: cvcvsdf.exe, 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, cvcvsdf.exe, 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp | Binary or memory string: Shell_traywndTrayNotifyWndjhXNF
          Source: cvcvsdf.exe, 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, cvcvsdf.exe, 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp | Binary or memory string: Shell_traywndTrayNotifyWndjh
          Source: cvcvsdf.exe, 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, cvcvsdf.exe, 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp | Binary or memory string: ProgmanU
          Source: cvcvsdf.exe, 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, cvcvsdf.exe, 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp | Binary or memory string: Shell_traywndTrayNotifyWndTrayClockWClassjh
          Source: cvcvsdf.exe, 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, cvcvsdf.exe, 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp | Binary or memory string: ButtonShell_TrayWndj
          Source: cvcvsdf.exe, 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, cvcvsdf.exe, 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp | Binary or memory string: Shell_traywndReBarWindow32jh
          Source: cvcvsdf.exe, cvcvsdf.exe, 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp | Binary or memory string: Shell_traywnd
          Source: cvcvsdf.exe, 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, cvcvsdf.exe, 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp | Binary or memory string: Shell_TrayWndPjjh
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: GetLocaleInfoA,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: GetLocaleInfoA,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_0040BCCC GetLocalTime,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_00470C6C GetUserNameA,LookupAccountNameA,IsValidSid,ConvertSidToStringSidA,GlobalFree,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | Code function: 3_2_0040E31C GetVersionExA,

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API 1 | Startup Items 1 | Startup Items 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 421 | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Alternative Protocol 1 | Ingress Tool Transfer 21 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Default Accounts | Service Execution 12 | LSASS Driver 1 | LSASS Driver 1 | Obfuscated Files or Information 2 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Screen Capture 1 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Application Shimming 1 | Application Shimming 1 | Software Packing 1 | Security Account Manager | System Service Discovery 1 | SMB/Windows Admin Shares | Input Capture 421 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Windows Service 12 | Windows Service 12 | Masquerading 1 | NTDS | File and Directory Discovery 2 | Distributed Component Object Model | Clipboard Data 2 | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Registry Run Keys / Startup Folder 12 | Process Injection 212 | Virtualization/Sandbox Evasion 2 | LSA Secrets | System Information Discovery 14 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 111 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Registry Run Keys / Startup Folder 12 | Process Injection 212 | Cached Domain Credentials | Query Registry 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Security Software Discovery 13 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Virtualization/Sandbox Evasion 2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Process Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Application Window Discovery 11 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | System Owner/User Discovery 1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Rename System Utilities | Keylogging | Remote System Discovery 1 | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | | | Inhibit System Recovery

Behavior Graph

Behavior Graph ID: 356448, Sample: Payment Confirmation.exe, Startdate: 23/02/2021, Architecture: WINDOWS, Score: 100

Nodes and edges recovered from the graph (the figure and its legend did not survive extraction):

• DNS/IP: martinboss.ddns.net
• Signatures on the sample: Potential malicious icon found; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 13 other signatures
• Process: Payment Confirmation.exe started; dropped C:\Users\user\AppData\Roaming\...\cvcvsdf.exe (PE32); started cvcvsdf.exe
• Process: cvcvsdf.exe started (from the Startup folder); signature: Injects a PE file into a foreign processes; started cvcvsdf.exe
• Process: cvcvsdf.exe (child of the cvcvsdf.exe started by Payment Confirmation.exe) started cvcvsdf.exe
• DNS/IP contacted by that last cvcvsdf.exe: martinboss.ddns.net 79.134.225.30, ports 49722, 49725, 49726, FINK-TELECOM-SERVICESCH Switzerland; 192.168.2.1 unknown unknown


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
Payment Confirmation.exe | 100% | Avira | TR/Dropper.Gen
Payment Confirmation.exe | 100% | Joe Sandbox ML |

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe | 48% | ReversingLabs | Win32.Backdoor.DarkComet

          Unpacked PE Files

Source | Detection | Scanner | Label
3.0.cvcvsdf.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
7.2.cvcvsdf.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
1.0.cvcvsdf.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
0.0.Payment Confirmation.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
7.0.cvcvsdf.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
8.2.cvcvsdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.2.cvcvsdf.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
8.0.cvcvsdf.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
3.1.cvcvsdf.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
8.1.cvcvsdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.Payment Confirmation.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
3.2.cvcvsdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://technohub.in | 0% | Avira URL Cloud | safe
http://www.technohub.in/ | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
martinboss.ddns.net | 79.134.225.30 | true | true | | unknown

            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://technohub.in | Payment Confirmation.exe | false | Avira URL Cloud: safe | unknown
http://www.technohub.in/ | Payment Confirmation.exe | false | Avira URL Cloud: safe | unknown

            Contacted IPs


            Public

IP | Domain | Country | ASN | ASN Name | Malicious
79.134.225.30 | unknown | Switzerland | 6775 | FINK-TELECOM-SERVICESCH | true

            Private

            IP
            192.168.2.1

            General Information

            Joe Sandbox Version:31.0.0 Emerald
            Analysis ID:356448
            Start date:23.02.2021
            Start time:08:06:50
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 8m 29s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:Payment Confirmation.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:25
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.rans.troj.adwa.spyw.evad.winEXE@8/1@84/2
            EGA Information:Failed
            HDC Information:
            • Successful, ratio: 28.8% (good quality ratio 27.1%)
            • Quality average: 74.8%
            • Quality standard deviation: 27.2%
            HCA Information:Failed
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
            • TCP Packets have been reduced to 100
            • Excluded IPs from analysis (whitelisted): 51.104.139.180, 104.43.139.144, 204.79.197.200, 13.107.21.200, 52.255.188.83, 168.61.161.212, 92.122.145.220, 52.147.198.201, 93.184.221.240, 52.155.217.156, 51.103.5.186, 20.54.26.129, 92.122.213.247, 92.122.213.194, 184.30.24.56, 51.132.208.181
            • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, wu.azureedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, vip2-par02p.wns.notify.trafficmanager.net
            • Report size getting too big, too many NtDeviceIoControlFile calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.

            Simulations

            Behavior and APIs

Time | Type | Description
08:07:43 | API Interceptor | 1030x Sleep call for process: cvcvsdf.exe modified
08:07:43 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

            Joe Sandbox View / Context

            IPs

Match | Associated Sample Name / URL | Detection
79.134.225.30 | JOIN.exe | malicious
 | Itinerary.pdf.exe | malicious
 | vVH0wIFYFd.exe | malicious
 | GWee9QSphp.exe | malicious
 | s7pnYY2USl.jar | malicious
 | s7pnYY2USl.jar | malicious
 | SecuriteInfo.com.BehavesLike.Win32.Generic.dc.exe | malicious
 | Import and Export Regulation.xlsx | malicious
 | BBdzKOGQ36.exe | malicious
 | BL.exe | malicious
 | Payment Invoice.exe | malicious
 | Payment Invoice.pdf.exe | malicious
 | Inquiries_scan_011023783591374376585.exe | malicious

                                      Domains

Match | Associated Sample Name / URL | Detection | Context
martinboss.ddns.net | JOIN.exe | malicious | 79.134.225.30

                                      ASN

Match | Associated Sample Name / URL | Detection | Context
FINK-TELECOM-SERVICESCH | rjHlt1zz28.exe | malicious | 79.134.225.49
 | Deadly Variants of Covid 19.doc | malicious | 79.134.225.49
 | document.exe | malicious | 79.134.225.122
 | 5293ea9467ea45e928620a5ed74440f5.exe | malicious | 79.134.225.105
 | f1a14e6352036833f1c109e1bb2934f2.exe | malicious | 79.134.225.105
 | 256ec8f8f67b59c5e085b0bb63afcd13.exe | malicious | 79.134.225.105
 | JOIN.exe | malicious | 79.134.225.30
 | Delivery pdf.exe | malicious | 79.134.225.25
 | d88e07467ddcf9e3b19fa972b9f000d1.exe | malicious | 79.134.225.105
 | fnfqzfwC44.exe | malicious | 79.134.225.25
 | Solicitud de oferta 6100003768.exe | malicious | 79.134.225.96
 | Nrfgylra.exe | malicious | 79.134.225.96
 | HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe | malicious | 79.134.225.62
 | HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe | malicious | 79.134.225.62
 | HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe | malicious | 79.134.225.62
 | Form pdf.exe | malicious | 79.134.225.25
 | Quotation 3342688.exe | malicious | 79.134.225.120
 | REQUEST FOR QUOTATION.exe | malicious | 79.134.225.76
 | Orden.exe | malicious | 79.134.225.6
 | Ordine.exe | malicious | 79.134.225.11

                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
                                      Process:C:\Users\user\Desktop\Payment Confirmation.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):909312
                                      Entropy (8bit):5.739183525709254
                                      Encrypted:false
                                      SSDEEP:12288:c1N7GYtRi6Hczy4QufM4zr9H7NH8rxRYAjjUIPg:c7wzyxuU4zZbNM1jUIPg
                                      MD5:800B9D7F3A47C5A18DA78CB6A54F90BE
                                      SHA1:67C825CA6D8F430FDFC4CBCA78C442600DB7CCF0
                                      SHA-256:E6EDF54375A14314AA44DB9FE8CDD48368338E7ED873F25BA2A6A5FF4381D233
                                      SHA-512:3F36217FC2E0AFD41D16EA8E35628B00BD8E094194B892E551BA2B39FFFAF16E67ECE937ADE136FE03286FEF59718A76FC83081A7CB1DD2F8A7EFA811A992E87
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 48%
                                      Reputation:low
                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................z................Rich...........................PE..L...Y.._.....................@......X,............@.................................D.......................................D...(...........................................................................8... .......T............................text...T........................... ..`.data...............................@....rsrc............0..................@..@l.[J............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................

                                      Static File Info

                                      General

                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):5.739183525709254
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.15%
                                      • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:Payment Confirmation.exe
                                      File size:909312
                                      MD5:800b9d7f3a47c5a18da78cb6a54f90be
                                      SHA1:67c825ca6d8f430fdfc4cbca78c442600db7ccf0
                                      SHA256:e6edf54375a14314aa44db9fe8cdd48368338e7ed873f25ba2a6a5ff4381d233
                                      SHA512:3f36217fc2e0afd41d16ea8e35628b00bd8e094194b892e551ba2b39fffaf16e67ece937ade136fe03286fef59718a76fc83081a7cb1dd2f8a7efa811a992e87
                                      SSDEEP:12288:c1N7GYtRi6Hczy4QufM4zr9H7NH8rxRYAjjUIPg:c7wzyxuU4zZbNM1jUIPg
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................z.......................Rich............................PE..L...Y.._.....................@......X,............@

                                      File Icon

                                      Icon Hash:20047c7c70f0e004

                                      Static PE Info

                                      General

                                      Entrypoint:0x402c58
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                      DLL Characteristics:
                                      Time Stamp:0x5FD9DF59 [Wed Dec 16 10:20:09 2020 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:d9b63245519b223a1f7026d72643602b

                                      Entrypoint Preview

                                      Instruction
                                      push 00406B94h
                                      call 00007F8D9C9835F5h
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      xor byte ptr [eax], al
                                      add byte ptr [eax], al
                                      cmp byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      js 00007F8D9C98362Eh
                                      aam 53h
                                      clc
                                      jp 00007F8D9C9835CEh
                                      dec esi
                                      mov ebx, 97158BF6h
                                      int1
                                      not dword ptr [ebp+00h]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [ecx], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [esi+41h], cl
                                      push ebx
                                      dec eax
                                      inc esi
                                      push esp
                                      push eax
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add bh, bh
                                      int3
                                      xor dword ptr [eax], eax
                                      pop es
                                      fadd st(0), st(2)
                                      xor eax, 139DB88Eh
                                      inc edx
                                      test al, 0Eh
                                      inc edx
                                      or esp, ecx
                                      stosd
                                      enter BAC4h, F3h
                                      jl 00007F8D9C9835EAh
                                      sub byte ptr [ecx+47B444AEh], ah
                                      inc ecx
                                      jc 00007F8D9C9835C4h
                                      wait
                                      into
                                      cmp cl, byte ptr [edi-53h]
                                      xor ebx, dword ptr [ecx-48EE309Ah]
                                      or al, 00h
                                      stosb
                                      add byte ptr [eax-2Dh], ah
                                      xchg eax, ebx
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      pop ss
                                      cmp eax, 00720000h
                                      add byte ptr [eax], al
                                      add byte ptr [eax], cl
                                      add byte ptr [esi+72h], ah
                                      insd
                                      inc ecx
                                      bound ebp, dword ptr [edi+75h]
                                      je 00007F8D9C983602h
                                      or eax, 41001A01h
                                      bound ebp, dword ptr [edi+75h]
                                      je 00007F8D9C983622h
                                      dec esi
                                      inc ecx
                                      push ebx
                                      dec eax
                                      and byte ptr [esi+72h], al
                                      add byte ptr [eax], al

                                      Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x38844 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3c000 | 0xa2ea8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x238 | 0x20 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x254 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                      Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x38254 | 0x39000 | False | 0.297581722862 | data | 5.76638922611 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x3a000 | 0x1ff0 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x3c000 | 0xa2ea8 | 0xa3000 | False | 0.369846086561 | data | 5.12810599289 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                      Resources

Name | RVA | Size | Type | Language | Country
BSDK | 0x3c1dc | 0xa24cc | data | |
BSDK | 0xde6a8 | 0x29 | ASCII text, with CRLF line terminators | |
RT_ICON | 0xde6d4 | 0x130 | data | |
RT_ICON | 0xde804 | 0x2e8 | data | |
RT_ICON | 0xdeaec | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0xdec14 | 0x30 | data | |
RT_VERSION | 0xdec44 | 0x264 | data | English | United States

                                      Imports

DLL | Import
MSVBVM60.DLL | __vbaVarSub, __vbaStrI2, _CIcos, _adj_fptan, __vbaVarMove, __vbaStrI4, __vbaAryMove, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaLateIdCall, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, __vbaPut4, __vbaRaiseEvent, __vbaNextEachVar, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaLsetFixstr, __vbaRecDestruct, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenVar, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaVarForInit, __vbaExitProc, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaStrFixstr, __vbaBoolVarNull, _CIsin, __vbaVarCmpGt, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaPutOwner3, __vbaAryConstruct2, __vbaVarTstEq, __vbaI2I4, __vbaObjVar, DllFunctionCall, __vbaVarLateMemSt, __vbaCastObjVar, __vbaRedimPreserve, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, __vbaObjIs, __vbaVarAnd, EVENT_SINK_QueryInterface, __vbaUI1I4, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, __vbaUbound, __vbaGetOwner3, __vbaStrVarVal, __vbaVarCat, __vbaI2Var, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaR8Str, __vbaVar2Vec, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarSetVar, __vbaI4Var, __vbaVarCmpEq, __vbaAryLock, __vbaLateMemCall, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, __vbaVarCopy, __vbaVarLateMemCallLd, __vbaRecDestructAnsi, _CIatan, __vbaUI1Str, __vbaAryCopy, __vbaCastObj, __vbaStrMove, __vbaR8IntI4, __vbaForEachVar, _allmul, __vbaLateIdSt, _CItan, __vbaAryUnlock, __vbaVarForNext, _CIexp, __vbaFreeObj, __vbaFreeStr

                                      Version Infos

Description       Data
Translation       0x0409 0x04b0
InternalName      1
FileVersion       1.00
CompanyName       TECHNOHUB TECHNOLOGIES
Comments          NASH FTP VERSION 1.0.0
ProductName       NASH FREE FTP
ProductVersion    1.00
OriginalFilename  1.exe

                                      Possible Origin

Language of compilation system  Country where language is spoken
English                         United States

                                      Network Behavior

                                      Network Port Distribution

                                      TCP Packets

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Feb 23, 2021 08:07:45.274120092 CET  49722        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:45.351197004 CET  508          49722      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:45.955323935 CET  49722        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:46.032562971 CET  508          49722      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:46.646625996 CET  49722        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:46.725698948 CET  508          49722      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:46.829035044 CET  49725        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:46.908900023 CET  508          49725      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:47.517852068 CET  49725        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:47.600960016 CET  508          49725      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:48.253881931 CET  49725        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:48.333935022 CET  508          49725      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:48.493331909 CET  49726        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:48.572839022 CET  508          49726      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:49.127384901 CET  49726        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:49.204401016 CET  508          49726      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:49.830650091 CET  49726        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:49.907689095 CET  508          49726      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:50.043519974 CET  49728        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:50.120651960 CET  508          49728      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:50.644663095 CET  49728        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:50.722227097 CET  508          49728      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:51.252656937 CET  49728        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:51.329705954 CET  508          49728      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:51.433896065 CET  49730        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:51.511483908 CET  508          49730      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:52.018292904 CET  49730        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:52.095400095 CET  508          49730      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:52.627715111 CET  49730        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:52.704982996 CET  508          49730      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:52.840053082 CET  49731        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:52.922589064 CET  508          49731      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:53.424676895 CET  49731        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:53.504687071 CET  508          49731      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:54.018486977 CET  49731        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:54.098535061 CET  508          49731      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:54.207840919 CET  49732        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:54.285154104 CET  508          49732      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:54.799772978 CET  49732        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:54.878434896 CET  508          49732      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:55.396162033 CET  49732        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:55.474953890 CET  508          49732      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:55.574055910 CET  49733        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:55.655462027 CET  508          49733      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:56.159270048 CET  49733        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:56.239308119 CET  508          49733      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:56.878067970 CET  49733        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:56.958292007 CET  508          49733      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:57.140614986 CET  49734        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:57.217694044 CET  508          49734      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:57.878218889 CET  49734        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:57.955197096 CET  508          49734      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:58.487585068 CET  49734        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:58.566756964 CET  508          49734      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:58.668698072 CET  49735        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:58.745752096 CET  508          49735      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:59.378397942 CET  49735        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:07:59.455717087 CET  508          49735      79.134.225.30  192.168.2.6
Feb 23, 2021 08:07:59.956434965 CET  49735        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:08:00.034888029 CET  508          49735      79.134.225.30  192.168.2.6
Feb 23, 2021 08:08:00.121334076 CET  49736        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:08:00.200638056 CET  508          49736      79.134.225.30  192.168.2.6
Feb 23, 2021 08:08:00.711935043 CET  49736        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:08:00.789062977 CET  508          49736      79.134.225.30  192.168.2.6
Feb 23, 2021 08:08:01.301961899 CET  49736        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:08:01.379132032 CET  508          49736      79.134.225.30  192.168.2.6
Feb 23, 2021 08:08:01.481987953 CET  49737        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:08:01.562107086 CET  508          49737      79.134.225.30  192.168.2.6
Feb 23, 2021 08:08:02.066109896 CET  49737        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:08:02.146181107 CET  508          49737      79.134.225.30  192.168.2.6
Feb 23, 2021 08:08:02.659811974 CET  49737        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:08:02.742487907 CET  508          49737      79.134.225.30  192.168.2.6
Feb 23, 2021 08:08:02.826824903 CET  49738        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:08:02.903831005 CET  508          49738      79.134.225.30  192.168.2.6
Feb 23, 2021 08:08:03.409893990 CET  49738        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:08:03.487040997 CET  508          49738      79.134.225.30  192.168.2.6
Feb 23, 2021 08:08:03.988044024 CET  49738        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:08:04.073004007 CET  508          49738      79.134.225.30  192.168.2.6
Feb 23, 2021 08:08:04.153270006 CET  49739        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:08:04.235135078 CET  508          49739      79.134.225.30  192.168.2.6
Feb 23, 2021 08:08:04.738221884 CET  49739        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:08:04.820008993 CET  508          49739      79.134.225.30  192.168.2.6
Feb 23, 2021 08:08:05.332009077 CET  49739        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:08:05.413285971 CET  508          49739      79.134.225.30  192.168.2.6
Feb 23, 2021 08:08:05.500704050 CET  49740        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:08:05.582556009 CET  508          49740      79.134.225.30  192.168.2.6
Feb 23, 2021 08:08:06.097687960 CET  49740        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:08:06.178369045 CET  508          49740      79.134.225.30  192.168.2.6
Feb 23, 2021 08:08:06.691385031 CET  49740        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:08:06.771500111 CET  508          49740      79.134.225.30  192.168.2.6
Feb 23, 2021 08:08:06.859509945 CET  49741        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:08:06.936503887 CET  508          49741      79.134.225.30  192.168.2.6
Feb 23, 2021 08:08:07.441503048 CET  49741        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:08:07.521667004 CET  508          49741      79.134.225.30  192.168.2.6
Feb 23, 2021 08:08:08.035310030 CET  49741        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:08:08.112411022 CET  508          49741      79.134.225.30  192.168.2.6
Feb 23, 2021 08:08:08.203289986 CET  49742        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:08:08.281152010 CET  508          49742      79.134.225.30  192.168.2.6
Feb 23, 2021 08:08:08.785429001 CET  49742        508        192.168.2.6    79.134.225.30
Feb 23, 2021 08:08:08.862402916 CET  508          49742      79.134.225.30  192.168.2.6

                                      UDP Packets

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Feb 23, 2021 08:07:31.546785116 CET  55074        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:31.546822071 CET  53           49283      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:31.569567919 CET  53           58377      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:31.595554113 CET  53           55074      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:32.532334089 CET  54513        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:32.581161022 CET  53           54513      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:33.356961012 CET  62044        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:33.406233072 CET  53           62044      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:34.305083036 CET  63791        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:34.356946945 CET  53           63791      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:34.987416029 CET  64267        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:35.047049046 CET  53           64267      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:35.247118950 CET  49448        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:35.299757004 CET  53           49448      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:36.451236010 CET  60342        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:36.514520884 CET  53           60342      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:37.377928019 CET  61346        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:37.430246115 CET  53           61346      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:38.374042988 CET  51774        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:38.422550917 CET  53           51774      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:39.172760010 CET  56023        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:39.221329927 CET  53           56023      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:39.998399973 CET  58384        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:40.052440882 CET  53           58384      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:41.539827108 CET  60261        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:41.591310978 CET  53           60261      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:42.617219925 CET  56061        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:42.674478054 CET  53           56061      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:43.793068886 CET  58336        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:43.844515085 CET  53           58336      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:44.619919062 CET  53781        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:44.669038057 CET  53           53781      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:45.206157923 CET  54064        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:45.266907930 CET  53           54064      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:45.539908886 CET  52811        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:45.597114086 CET  53           52811      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:46.536823034 CET  55299        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:46.589545965 CET  53           55299      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:46.766422033 CET  63745        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:46.827474117 CET  53           63745      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:48.432107925 CET  50055        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:48.491969109 CET  53           50055      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:49.686492920 CET  61374        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:49.738003969 CET  53           61374      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:49.969152927 CET  50339        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:50.028769016 CET  53           50339      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:50.607882023 CET  63307        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:50.656481981 CET  53           63307      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:51.367156982 CET  49694        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:51.431777954 CET  53           49694      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:52.781282902 CET  54982        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:52.838727951 CET  53           54982      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:54.145982027 CET  50010        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:54.205889940 CET  53           50010      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:55.510709047 CET  63718        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:55.571289062 CET  53           63718      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:57.053105116 CET  62116        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:57.111020088 CET  53           62116      8.8.8.8        192.168.2.6
Feb 23, 2021 08:07:58.610317945 CET  63816        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:07:58.667474031 CET  53           63816      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:00.063472986 CET  55014        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:00.120590925 CET  53           55014      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:01.420938015 CET  62208        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:01.480880976 CET  53           62208      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:02.774080038 CET  57574        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:02.825578928 CET  53           57574      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:04.102524996 CET  51818        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:04.152319908 CET  53           51818      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:05.439734936 CET  56628        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:05.499820948 CET  53           56628      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:06.808162928 CET  60778        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:06.858426094 CET  53           60778      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:08.144113064 CET  53799        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:08.202327967 CET  53           53799      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:08.285270929 CET  54683        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:08.336926937 CET  53           54683      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:09.473737955 CET  59329        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:09.530750990 CET  53           59329      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:10.930634975 CET  64021        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:10.987613916 CET  53           64021      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:12.319010019 CET  56129        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:12.376049042 CET  53           56129      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:14.125897884 CET  58177        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:14.188676119 CET  53           58177      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:15.721072912 CET  50700        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:15.780385971 CET  53           50700      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:17.264655113 CET  54069        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:17.316565990 CET  53           54069      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:18.647496939 CET  61178        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:18.696165085 CET  53           61178      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:19.964416027 CET  57017        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:20.020870924 CET  53           57017      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:21.351953030 CET  56327        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:21.412421942 CET  53           56327      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:22.707381964 CET  50243        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:22.767571926 CET  53           50243      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:24.057987928 CET  62055        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:24.118077993 CET  53           62055      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:25.395737886 CET  61249        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:25.454222918 CET  53           61249      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:26.731435061 CET  65252        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:26.781805992 CET  53           65252      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:26.800857067 CET  64367        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:26.863466024 CET  53           64367      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:27.491439104 CET  55066        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:27.581167936 CET  53           55066      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:27.945303917 CET  60211        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:27.995989084 CET  53           60211      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:28.170456886 CET  56570        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:28.233465910 CET  53           56570      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:28.241755009 CET  58454        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:28.298862934 CET  53           58454      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:28.806243896 CET  55180        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:28.863424063 CET  53           55180      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:29.268851042 CET  58721        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:29.358316898 CET  53           58721      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:29.447592974 CET  57691        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:29.521596909 CET  53           57691      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:29.757359028 CET  52943        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:29.803540945 CET  59489        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:29.816936970 CET  53           52943      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:29.865108013 CET  53           59489      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:30.362148046 CET  64022        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:30.420394897 CET  53           64022      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:31.150052071 CET  60023        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:31.200783014 CET  53           60023      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:31.305212975 CET  57193        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:31.365034103 CET  53           57193      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:32.359426022 CET  50248        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:32.410923958 CET  53           50248      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:33.486183882 CET  64413        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:33.546222925 CET  53           64413      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:34.813810110 CET  60429        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:34.865504026 CET  53           60429      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:34.949865103 CET  60345        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:35.001399040 CET  53           60345      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:35.441658974 CET  58730        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:35.500091076 CET  53           58730      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:36.518665075 CET  53830        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:36.570158005 CET  53           53830      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:38.047070026 CET  57226        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:38.095921993 CET  53           57226      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:38.622483969 CET  57880        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:38.680929899 CET  53           57880      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:39.627697945 CET  60850        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:39.687787056 CET  53           60850      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:41.073613882 CET  53187        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:41.122194052 CET  53           53187      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:42.702431917 CET  55830        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:42.761286020 CET  53           55830      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:44.271133900 CET  55145        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:44.328437090 CET  53           55145      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:45.681833029 CET  64091        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:45.741550922 CET  53           64091      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:47.037139893 CET  55728        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:47.088871002 CET  53           55728      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:48.411649942 CET  55694        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:48.471918106 CET  53           55694      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:49.770519972 CET  53926        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:49.829307079 CET  53           53926      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:51.140413046 CET  65531        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:51.200211048 CET  53           65531      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:52.501919985 CET  65437        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:52.559010029 CET  53           65437      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:53.880294085 CET  54590        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:53.929353952 CET  53           54590      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:55.225248098 CET  51318        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:55.287211895 CET  53           51318      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:56.594271898 CET  60888        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:56.655138016 CET  53           60888      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:57.936106920 CET  58474        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:57.995523930 CET  53           58474      8.8.8.8        192.168.2.6
Feb 23, 2021 08:08:59.288147926 CET  64575        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:08:59.348825932 CET  53           64575      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:00.650860071 CET  59092        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:00.699660063 CET  53           59092      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:01.998353958 CET  57483        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:02.060837984 CET  53           57483      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:03.361493111 CET  53830        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:03.421380997 CET  53           53830      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:04.711440086 CET  49809        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:04.770749092 CET  53           49809      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:06.059376955 CET  52814        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:06.107952118 CET  53           52814      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:07.439800024 CET  51069        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:07.491424084 CET  53           51069      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:11.888250113 CET  56526        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:11.949131966 CET  53           56526      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:14.215146065 CET  50512        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:14.274820089 CET  53           50512      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:15.589412928 CET  51679        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:15.646821022 CET  53           51679      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:16.988843918 CET  56071        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:17.040496111 CET  53           56071      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:17.342309952 CET  58950        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:17.393151045 CET  53           58950      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:18.359960079 CET  57035        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:18.422797918 CET  53           57035      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:19.847336054 CET  54122        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:19.907733917 CET  53           54122      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:21.211339951 CET  56759        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:21.270256996 CET  53           56759      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:22.623347044 CET  59220        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:22.674866915 CET  53           59220      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:24.028367043 CET  62211        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:24.088788033 CET  53           62211      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:25.404438972 CET  62033        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:25.453197002 CET  53           62033      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:26.753979921 CET  61244        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:26.810834885 CET  53           61244      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:28.154974937 CET  53696        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:28.206527948 CET  53           53696      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:29.502564907 CET  50733        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:29.562889099 CET  53           50733      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:30.856758118 CET  55770        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:30.915587902 CET  53           55770      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:32.198609114 CET  54525        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:32.256922007 CET  53           54525      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:33.567120075 CET  61760        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:33.624037027 CET  53           61760      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:34.927153111 CET  63822        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:34.986808062 CET  53           63822      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:36.342387915 CET  50957        53         192.168.2.6    8.8.8.8
Feb 23, 2021 08:09:36.401557922 CET  53           50957      8.8.8.8        192.168.2.6
Feb 23, 2021 08:09:37.706017017 CET  59666        53         192.168.2.6    8.8.8.8
                                      Feb 23, 2021 08:09:37.760108948 CET53596668.8.8.8192.168.2.6
                                      Feb 23, 2021 08:09:39.064377069 CET5222353192.168.2.68.8.8.8
                                      Feb 23, 2021 08:09:39.123634100 CET53522238.8.8.8192.168.2.6
                                      Feb 23, 2021 08:09:40.407258034 CET6013653192.168.2.68.8.8.8
                                      Feb 23, 2021 08:09:40.464591026 CET53601368.8.8.8192.168.2.6
                                      Feb 23, 2021 08:09:41.762677908 CET5564953192.168.2.68.8.8.8
                                      Feb 23, 2021 08:09:41.819736004 CET53556498.8.8.8192.168.2.6
                                      Feb 23, 2021 08:09:43.145524979 CET5152453192.168.2.68.8.8.8
                                      Feb 23, 2021 08:09:43.194669008 CET53515248.8.8.8192.168.2.6
                                      Feb 23, 2021 08:09:44.451947927 CET5914153192.168.2.68.8.8.8
                                      Feb 23, 2021 08:09:44.511965990 CET53591418.8.8.8192.168.2.6
                                      Feb 23, 2021 08:09:45.776679039 CET4968253192.168.2.68.8.8.8
                                      Feb 23, 2021 08:09:45.826669931 CET53496828.8.8.8192.168.2.6
                                      Feb 23, 2021 08:09:47.092387915 CET4970953192.168.2.68.8.8.8
                                      Feb 23, 2021 08:09:47.149457932 CET53497098.8.8.8192.168.2.6
                                      Feb 23, 2021 08:09:48.404412031 CET5938453192.168.2.68.8.8.8
                                      Feb 23, 2021 08:09:48.462491989 CET53593848.8.8.8192.168.2.6

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 23, 2021 08:07:45.206157923 CET | 192.168.2.6 | 8.8.8.8 | 0xd9b2 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:07:46.766422033 CET | 192.168.2.6 | 8.8.8.8 | 0x4cfc | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:07:48.432107925 CET | 192.168.2.6 | 8.8.8.8 | 0x7b0b | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:07:49.969152927 CET | 192.168.2.6 | 8.8.8.8 | 0x2dc4 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:07:51.367156982 CET | 192.168.2.6 | 8.8.8.8 | 0x4881 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:07:52.781282902 CET | 192.168.2.6 | 8.8.8.8 | 0x1d0e | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:07:54.145982027 CET | 192.168.2.6 | 8.8.8.8 | 0x44f3 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:07:55.510709047 CET | 192.168.2.6 | 8.8.8.8 | 0x5e4c | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:07:57.053105116 CET | 192.168.2.6 | 8.8.8.8 | 0xb8bd | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:07:58.610317945 CET | 192.168.2.6 | 8.8.8.8 | 0xda71 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:00.063472986 CET | 192.168.2.6 | 8.8.8.8 | 0x1e15 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:01.420938015 CET | 192.168.2.6 | 8.8.8.8 | 0x6514 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:02.774080038 CET | 192.168.2.6 | 8.8.8.8 | 0x7f53 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:04.102524996 CET | 192.168.2.6 | 8.8.8.8 | 0xa722 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:05.439734936 CET | 192.168.2.6 | 8.8.8.8 | 0x3ff4 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:06.808162928 CET | 192.168.2.6 | 8.8.8.8 | 0x30ca | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:08.144113064 CET | 192.168.2.6 | 8.8.8.8 | 0x337b | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:09.473737955 CET | 192.168.2.6 | 8.8.8.8 | 0x982e | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:10.930634975 CET | 192.168.2.6 | 8.8.8.8 | 0xc475 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:12.319010019 CET | 192.168.2.6 | 8.8.8.8 | 0xcbf7 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:14.125897884 CET | 192.168.2.6 | 8.8.8.8 | 0xe579 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:15.721072912 CET | 192.168.2.6 | 8.8.8.8 | 0x4ad8 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:17.264655113 CET | 192.168.2.6 | 8.8.8.8 | 0xdd90 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:18.647496939 CET | 192.168.2.6 | 8.8.8.8 | 0x9949 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:19.964416027 CET | 192.168.2.6 | 8.8.8.8 | 0x4fb6 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:21.351953030 CET | 192.168.2.6 | 8.8.8.8 | 0xe93 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:22.707381964 CET | 192.168.2.6 | 8.8.8.8 | 0x419a | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:24.057987928 CET | 192.168.2.6 | 8.8.8.8 | 0xdb1a | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:25.395737886 CET | 192.168.2.6 | 8.8.8.8 | 0xe2f3 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:26.731435061 CET | 192.168.2.6 | 8.8.8.8 | 0x578e | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:28.241755009 CET | 192.168.2.6 | 8.8.8.8 | 0x9933 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:29.757359028 CET | 192.168.2.6 | 8.8.8.8 | 0xb6c4 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:31.305212975 CET | 192.168.2.6 | 8.8.8.8 | 0xb961 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:33.486183882 CET | 192.168.2.6 | 8.8.8.8 | 0x49df | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:34.949865103 CET | 192.168.2.6 | 8.8.8.8 | 0xf99a | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:36.518665075 CET | 192.168.2.6 | 8.8.8.8 | 0x6d0b | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:38.047070026 CET | 192.168.2.6 | 8.8.8.8 | 0x6c72 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:39.627697945 CET | 192.168.2.6 | 8.8.8.8 | 0x2355 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:41.073613882 CET | 192.168.2.6 | 8.8.8.8 | 0xfb39 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:42.702431917 CET | 192.168.2.6 | 8.8.8.8 | 0xf8e6 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:44.271133900 CET | 192.168.2.6 | 8.8.8.8 | 0x4b22 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:45.681833029 CET | 192.168.2.6 | 8.8.8.8 | 0xf653 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:47.037139893 CET | 192.168.2.6 | 8.8.8.8 | 0xc499 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:48.411649942 CET | 192.168.2.6 | 8.8.8.8 | 0x70af | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:49.770519972 CET | 192.168.2.6 | 8.8.8.8 | 0x5a34 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:51.140413046 CET | 192.168.2.6 | 8.8.8.8 | 0xb366 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:52.501919985 CET | 192.168.2.6 | 8.8.8.8 | 0x81af | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:53.880294085 CET | 192.168.2.6 | 8.8.8.8 | 0x712b | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:55.225248098 CET | 192.168.2.6 | 8.8.8.8 | 0x38c9 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:56.594271898 CET | 192.168.2.6 | 8.8.8.8 | 0x622d | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:57.936106920 CET | 192.168.2.6 | 8.8.8.8 | 0xb17e | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:59.288147926 CET | 192.168.2.6 | 8.8.8.8 | 0x3e14 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:00.650860071 CET | 192.168.2.6 | 8.8.8.8 | 0x6718 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:01.998353958 CET | 192.168.2.6 | 8.8.8.8 | 0x967b | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:03.361493111 CET | 192.168.2.6 | 8.8.8.8 | 0xc85c | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:04.711440086 CET | 192.168.2.6 | 8.8.8.8 | 0xbc83 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:06.059376955 CET | 192.168.2.6 | 8.8.8.8 | 0xa3bf | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:07.439800024 CET | 192.168.2.6 | 8.8.8.8 | 0xf7c8 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:14.215146065 CET | 192.168.2.6 | 8.8.8.8 | 0xd9b8 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:15.589412928 CET | 192.168.2.6 | 8.8.8.8 | 0x1a8d | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:16.988843918 CET | 192.168.2.6 | 8.8.8.8 | 0x92d1 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:18.359960079 CET | 192.168.2.6 | 8.8.8.8 | 0xeef5 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:19.847336054 CET | 192.168.2.6 | 8.8.8.8 | 0x3ba0 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:21.211339951 CET | 192.168.2.6 | 8.8.8.8 | 0xf3d8 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:22.623347044 CET | 192.168.2.6 | 8.8.8.8 | 0x91 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:24.028367043 CET | 192.168.2.6 | 8.8.8.8 | 0x80fe | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:25.404438972 CET | 192.168.2.6 | 8.8.8.8 | 0x5d60 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:26.753979921 CET | 192.168.2.6 | 8.8.8.8 | 0x34fe | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:28.154974937 CET | 192.168.2.6 | 8.8.8.8 | 0x6d93 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:29.502564907 CET | 192.168.2.6 | 8.8.8.8 | 0xf992 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:30.856758118 CET | 192.168.2.6 | 8.8.8.8 | 0xa178 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:32.198609114 CET | 192.168.2.6 | 8.8.8.8 | 0x7019 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:33.567120075 CET | 192.168.2.6 | 8.8.8.8 | 0xa690 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:34.927153111 CET | 192.168.2.6 | 8.8.8.8 | 0xf1b9 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:36.342387915 CET | 192.168.2.6 | 8.8.8.8 | 0x69a | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:37.706017017 CET | 192.168.2.6 | 8.8.8.8 | 0x11da | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:39.064377069 CET | 192.168.2.6 | 8.8.8.8 | 0xeaa5 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:40.407258034 CET | 192.168.2.6 | 8.8.8.8 | 0x65a3 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:41.762677908 CET | 192.168.2.6 | 8.8.8.8 | 0xf859 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:43.145524979 CET | 192.168.2.6 | 8.8.8.8 | 0xea50 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:44.451947927 CET | 192.168.2.6 | 8.8.8.8 | 0x70ab | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:45.776679039 CET | 192.168.2.6 | 8.8.8.8 | 0x6010 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:47.092387915 CET | 192.168.2.6 | 8.8.8.8 | 0x1c90 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:48.404412031 CET | 192.168.2.6 | 8.8.8.8 | 0x1b03 | Standard query (0) | martinboss.ddns.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 23, 2021 08:07:45.266907930 CET | 8.8.8.8 | 192.168.2.6 | 0xd9b2 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:07:46.827474117 CET | 8.8.8.8 | 192.168.2.6 | 0x4cfc | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:07:48.491969109 CET | 8.8.8.8 | 192.168.2.6 | 0x7b0b | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:07:50.028769016 CET | 8.8.8.8 | 192.168.2.6 | 0x2dc4 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:07:51.431777954 CET | 8.8.8.8 | 192.168.2.6 | 0x4881 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:07:52.838727951 CET | 8.8.8.8 | 192.168.2.6 | 0x1d0e | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:07:54.205889940 CET | 8.8.8.8 | 192.168.2.6 | 0x44f3 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:07:55.571289062 CET | 8.8.8.8 | 192.168.2.6 | 0x5e4c | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:07:57.111020088 CET | 8.8.8.8 | 192.168.2.6 | 0xb8bd | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:07:58.667474031 CET | 8.8.8.8 | 192.168.2.6 | 0xda71 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:00.120590925 CET | 8.8.8.8 | 192.168.2.6 | 0x1e15 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:01.480880976 CET | 8.8.8.8 | 192.168.2.6 | 0x6514 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:02.825578928 CET | 8.8.8.8 | 192.168.2.6 | 0x7f53 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:04.152319908 CET | 8.8.8.8 | 192.168.2.6 | 0xa722 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:05.499820948 CET | 8.8.8.8 | 192.168.2.6 | 0x3ff4 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:06.858426094 CET | 8.8.8.8 | 192.168.2.6 | 0x30ca | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:08.202327967 CET | 8.8.8.8 | 192.168.2.6 | 0x337b | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:09.530750990 CET | 8.8.8.8 | 192.168.2.6 | 0x982e | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:10.987613916 CET | 8.8.8.8 | 192.168.2.6 | 0xc475 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:12.376049042 CET | 8.8.8.8 | 192.168.2.6 | 0xcbf7 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:14.188676119 CET | 8.8.8.8 | 192.168.2.6 | 0xe579 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:15.780385971 CET | 8.8.8.8 | 192.168.2.6 | 0x4ad8 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:17.316565990 CET | 8.8.8.8 | 192.168.2.6 | 0xdd90 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:18.696165085 CET | 8.8.8.8 | 192.168.2.6 | 0x9949 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:20.020870924 CET | 8.8.8.8 | 192.168.2.6 | 0x4fb6 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:21.412421942 CET | 8.8.8.8 | 192.168.2.6 | 0xe93 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:22.767571926 CET | 8.8.8.8 | 192.168.2.6 | 0x419a | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:24.118077993 CET | 8.8.8.8 | 192.168.2.6 | 0xdb1a | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:25.454222918 CET | 8.8.8.8 | 192.168.2.6 | 0xe2f3 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:26.781805992 CET | 8.8.8.8 | 192.168.2.6 | 0x578e | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:28.298862934 CET | 8.8.8.8 | 192.168.2.6 | 0x9933 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:29.816936970 CET | 8.8.8.8 | 192.168.2.6 | 0xb6c4 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:31.365034103 CET | 8.8.8.8 | 192.168.2.6 | 0xb961 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:33.546222925 CET | 8.8.8.8 | 192.168.2.6 | 0x49df | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:35.001399040 CET | 8.8.8.8 | 192.168.2.6 | 0xf99a | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:36.570158005 CET | 8.8.8.8 | 192.168.2.6 | 0x6d0b | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:38.095921993 CET | 8.8.8.8 | 192.168.2.6 | 0x6c72 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:39.687787056 CET | 8.8.8.8 | 192.168.2.6 | 0x2355 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:41.122194052 CET | 8.8.8.8 | 192.168.2.6 | 0xfb39 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:42.761286020 CET | 8.8.8.8 | 192.168.2.6 | 0xf8e6 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:44.328437090 CET | 8.8.8.8 | 192.168.2.6 | 0x4b22 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:45.741550922 CET | 8.8.8.8 | 192.168.2.6 | 0xf653 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:47.088871002 CET | 8.8.8.8 | 192.168.2.6 | 0xc499 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:48.471918106 CET | 8.8.8.8 | 192.168.2.6 | 0x70af | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:49.829307079 CET | 8.8.8.8 | 192.168.2.6 | 0x5a34 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:51.200211048 CET | 8.8.8.8 | 192.168.2.6 | 0xb366 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:52.559010029 CET | 8.8.8.8 | 192.168.2.6 | 0x81af | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:53.929353952 CET | 8.8.8.8 | 192.168.2.6 | 0x712b | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:55.287211895 CET | 8.8.8.8 | 192.168.2.6 | 0x38c9 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:56.655138016 CET | 8.8.8.8 | 192.168.2.6 | 0x622d | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:57.995523930 CET | 8.8.8.8 | 192.168.2.6 | 0xb17e | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:08:59.348825932 CET | 8.8.8.8 | 192.168.2.6 | 0x3e14 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:00.699660063 CET | 8.8.8.8 | 192.168.2.6 | 0x6718 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:02.060837984 CET | 8.8.8.8 | 192.168.2.6 | 0x967b | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:03.421380997 CET | 8.8.8.8 | 192.168.2.6 | 0xc85c | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:04.770749092 CET | 8.8.8.8 | 192.168.2.6 | 0xbc83 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:06.107952118 CET | 8.8.8.8 | 192.168.2.6 | 0xa3bf | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:07.491424084 CET | 8.8.8.8 | 192.168.2.6 | 0xf7c8 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:14.274820089 CET | 8.8.8.8 | 192.168.2.6 | 0xd9b8 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:15.646821022 CET | 8.8.8.8 | 192.168.2.6 | 0x1a8d | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:17.040496111 CET | 8.8.8.8 | 192.168.2.6 | 0x92d1 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:18.422797918 CET | 8.8.8.8 | 192.168.2.6 | 0xeef5 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:19.907733917 CET | 8.8.8.8 | 192.168.2.6 | 0x3ba0 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:21.270256996 CET | 8.8.8.8 | 192.168.2.6 | 0xf3d8 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:22.674866915 CET | 8.8.8.8 | 192.168.2.6 | 0x91 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:24.088788033 CET | 8.8.8.8 | 192.168.2.6 | 0x80fe | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:25.453197002 CET | 8.8.8.8 | 192.168.2.6 | 0x5d60 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:26.810834885 CET | 8.8.8.8 | 192.168.2.6 | 0x34fe | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:28.206527948 CET | 8.8.8.8 | 192.168.2.6 | 0x6d93 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:29.562889099 CET | 8.8.8.8 | 192.168.2.6 | 0xf992 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:30.915587902 CET | 8.8.8.8 | 192.168.2.6 | 0xa178 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:32.256922007 CET | 8.8.8.8 | 192.168.2.6 | 0x7019 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:33.624037027 CET | 8.8.8.8 | 192.168.2.6 | 0xa690 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:34.986808062 CET | 8.8.8.8 | 192.168.2.6 | 0xf1b9 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:36.401557922 CET | 8.8.8.8 | 192.168.2.6 | 0x69a | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:37.760108948 CET | 8.8.8.8 | 192.168.2.6 | 0x11da | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:39.123634100 CET | 8.8.8.8 | 192.168.2.6 | 0xeaa5 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:40.464591026 CET | 8.8.8.8 | 192.168.2.6 | 0x65a3 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:41.819736004 CET | 8.8.8.8 | 192.168.2.6 | 0xf859 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:43.194669008 CET | 8.8.8.8 | 192.168.2.6 | 0xea50 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:44.511965990 CET | 8.8.8.8 | 192.168.2.6 | 0x70ab | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:45.826669931 CET | 8.8.8.8 | 192.168.2.6 | 0x6010 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:47.149457932 CET | 8.8.8.8 | 192.168.2.6 | 0x1c90 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:09:48.462491989 CET | 8.8.8.8 | 192.168.2.6 | 0x1b03 | No error (0) | martinboss.ddns.net |  | 79.134.225.30 | A (IP address) | IN (0x0001)

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 08:07:38
Start date: 23/02/2021
Path: C:\Users\user\Desktop\Payment Confirmation.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Payment Confirmation.exe'
Imagebase: 0x400000
File size: 909312 bytes
MD5 hash: 800B9D7F3A47C5A18DA78CB6A54F90BE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Reputation: low

                                      General

                                      Start time:08:07:40
                                      Start date:23/02/2021
                                      Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
                                      Imagebase:0x400000
                                      File size:909312 bytes
                                      MD5 hash:800B9D7F3A47C5A18DA78CB6A54F90BE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Visual Basic
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 48%, ReversingLabs
                                      Reputation:low

                                      General

                                      Start time:08:07:42
                                      Start date:23/02/2021
                                      Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
                                      Imagebase:0x400000
                                      File size:909312 bytes
                                      MD5 hash:800B9D7F3A47C5A18DA78CB6A54F90BE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Yara matches:
                                      • Rule: Malware_QA_update, Description: VT Research QA uploaded malware - file update.exe, Source: 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                      • Rule: RAT_DarkComet, Description: Detects DarkComet RAT, Source: 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                      • Rule: JoeSecurity_DarkCometRat, Description: Yara detected DarkComet, Source: 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: DarkComet_1, Description: DarkComet RAT, Source: 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, Author: botherder https://github.com/botherder
                                      • Rule: DarkComet_3, Description: unknown, Source: 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                      • Rule: DarkComet_2, Description: DarkComet, Source: 00000003.00000002.592032143.000000000238A000.00000004.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_
                                      Reputation:low

                                      General

                                      Start time:08:07:52
                                      Start date:23/02/2021
                                      Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe'
                                      Imagebase:0x400000
                                      File size:909312 bytes
                                      MD5 hash:800B9D7F3A47C5A18DA78CB6A54F90BE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Visual Basic
                                      Reputation:low

                                      General

                                      Start time:08:07:56
                                      Start date:23/02/2021
                                      Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
                                      Imagebase:0x400000
                                      File size:909312 bytes
                                      MD5 hash:800B9D7F3A47C5A18DA78CB6A54F90BE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Yara matches:
                                      • Rule: DarkComet_2, Description: DarkComet, Source: 00000008.00000003.365577575.00000000023BA000.00000004.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_
                                      • Rule: Malware_QA_update, Description: VT Research QA uploaded malware - file update.exe, Source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                      • Rule: RAT_DarkComet, Description: Detects DarkComet RAT, Source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                      • Rule: JoeSecurity_DarkCometRat, Description: Yara detected DarkComet, Source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: DarkComet_1, Description: DarkComet RAT, Source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp, Author: botherder https://github.com/botherder
                                      • Rule: DarkComet_3, Description: unknown, Source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                      Reputation:low

                                      Disassembly

                                      Code Analysis
